This is an archived Usenet post from DejaNews/Google
From: Gary S. Callison (email snipped)
Sarah (email snipped) wrote:
: Someone in the UK _really_ doesn't like being repeatedly
: spammed by these assholes.
: http://www.web-bizonline.com/
I was working on a meta-lart for highway235.com, and went looking at
webpages for contact addresses and other misc incriminating info, and
discovered this as well.
C&C warning. Those of you who laughed yourselves stupid after Rodonagate
may wish to go to the bathroom now as well.
Here's a lynx-dump, for those who are understandably chicken enough not
to let hacked websites load on their machine:
__________________WEBSITE LYNX-DUMP BEGINS_______________________
[spacer.gif]
Cracked by Vortex
[1]Say no to Spam! Cartoon from glasbergen.com
Spam Spam Spam Spam, Spam Spam Spam Spam, Wonderful Spam, Lovely
Spam...
[ [2]What, [3]Where, [4]When, [5]Why, [6]Who, [7]How, [8]More
Gibberish ]
What
Another (lame) web defacement. This is the second time I've defaced
these domains, and the fifth time I've received their spam crap.
Where
* [9]63.104.128.[68-72]
* [10]aaasearchenginetechniques.com
* [11]gordonpgill.com
* [12]otcstockletter.com
* [13]thesolidusgroup.com
* [14]successtopia.com
* [15]syberschool.org
* [16]web-bizonline.com
* [17]myonlineincome.com
When
Shortly after being spammed from the same fucking system I was last
time. For those who didn't see my last little note, I was pissed off
after receiving a pile of junk mail sent from highway235.com's inept
management, who quite obviously wouldn't know responsible online
marketing if it bit them in the arse.
Why
I received [18]this spam for dodgy aphrodisiacs the other day, and
left a [19]nice note to the site's owners about responsible online
marketing practices. Now I receive [20]more spam from them? WTF. Damn
spammers.
So here I am again.
Useful Links
* [21]Info on Spam: Boycotting spam e-mail promotes responsible
online commerce.
* [22]CAUCE: Join the fight against spam.
These guys would love to hear from you
* H.A. Hunter, owner of otcstockletter.com, can be contacted on
+1-713-227-5455. He'd love to know how his product is being
represented online
* Tommy Brock, administrative contact for highway235.com would
appreciate feedback on the flaws in his marketing campaigns on
+1-513-743-6185
Who
I'm Vortex, a minor who is not interested in [23]making the little guy
stand to attention with dodgy pills, nor am I interested in being
[24]told which penny shares to buy. I don't have a credit card, I'm
not old enough to buy half this crap, and it's irrelevant to me as I'd
trade stocks and shares in my home country if I was going to do it at
all.
How
Last time it was through the BIND < 8.2.2-P5 buffer overflow exploit
(detailed at [25]CERT), which I patched after exploiting, upgrading
their nameservers to a secure release. The admin was informed of the
remaining ways I had to access the system, and I requested that they
refrain from using bulk mail to market their products. This time, I
noticed my backdoor was still in place (!!).
Again, I haven't damaged anything (despite making threats about "if it
happened again...", I'm not going to rm -rf anything because that
would make me worse than the spammers. Plus, I don't think the system
admin is such a bad guy, he appears not to have any part in the
spamming. Personally I reckon he should find a job at a company with
ethics...)
OK admin guy, here's how to close my holes (Oooh yeah baby! ;) ). Look
in /tmp/.b/, these are your original binaries (ps, netstat, etc). Copy
them over the ones reported by which [binary], as the ones in place
are trojaned to hide my bindshell backdoor. Remove /usr/bin/prnmon
(Sorry, I said this was /usr/bin/sh2 in my mail, I forgot I renamed
it!). Edit /etc/rc.d/init.d/crond and remove the line that starts up
/usr/bin/prnmon. Remove my SUID shell in /tmp/.X11. Check /etc/shadow
and remove the password hashes for the accounts near the top which
shouldn't have passwords. Oh, and please talk to the management about
marketing online properly, and get them to read the spam.abuse.net URL
for information on what they're doing wrong. Oh, and [26]buy the
latest copy of Redhat, if you must use it, rather than leave an old
pile of crap online.
More Gibberish
[27]userfriendly.org
* [28]"How ironic!": The next userfriendly.org cartoon in the
series. Wonder if I'll get to post an entire week's worth of
these?
* This is not [29]hacking, it's [30]cracking. [31]Hacking is legal,
fun and productive. [32]Cracking isn't.
* The RIP Bill was passed in the United Kingdom recently, this is a
sickening attack against the privacy of its citizens, allowing
the state to silently intercept electronic communications in a
manner much akin to that of Orwell's 1984. The only other
countries with similar laws are Russia, Singapore and Malaysia...
mmm, love those human rights records over there... [33]Protest
RIP!
* Once again my mates get to see their names in lights, as I do the
usual script kiddie thing of shouting out to everyone I've ever
met... Actually, here's a select few. Annepie, Andy, LabSix, #pde
crew (as in most of the people I know IRL these days... But
Astraea, Squinky, Hypo, Raven, Charlotte, Tub n'Astro in
particular), Proteus, Mel, Rune, Sarah, Cube, Digital Blasphemy
and that lot. 'Specially "m4d gr33tzzz" to Squinky and Astraea...
who're quite obviously made for each other <grin>
Well that's enough lameness for now. Later. Hopefully it won't be a
hat trick ;). V.
References
1. http://spam.abuse.net/
2. http://www.otcstockletter.com/#what
3. http://www.otcstockletter.com/#where
4. http://www.otcstockletter.com/#when
5. http://www.otcstockletter.com/#why
6. http://www.otcstockletter.com/#who
7. http://www.otcstockletter.com/#how
8. http://www.otcstockletter.com/#gibberish
9. http://63.104.128.72/
10. http://aaasearchenginetechniques.com/
11. http://gordonpgill.com/
12. http://otcstockletter.com/
13. http://thesolidusgroup.com/
14. http://successtopia.com/
15. http://syberschool.org/
16. http://web-bizonline.com/
17. http://myonlineincome.com/
18. http://www.otcstockletter.com/spamold.txt
19. http://www.otcstockletter.com/oldsite/
20. http://www.otcstockletter.com/spam.txt
21. http://spam.abuse.net/
22. http://www.cauce.org/
23. http://www.otcstockletter.com/spamold.txt
24. http://www.otcstockletter.com/spam.txt
25. http://www.cert.org/advisories/CA-99-14-bind.html
26. http://www.cheepbytes.com/
27. http://www.userfriendly.org/
28. http://ars.userfriendly.org/cartoons/?id=20000729&mode=classic
29. http://www.eps.mcgill.ca/jargon/html/entry/hacker.html
30. http://www.eps.mcgill.ca/jargon/html/entry/cracking.html
31. http://www.eps.mcgill.ca/jargon/html/entry/hacker.html
32. http://www.eps.mcgill.ca/jargon/html/entry/cracking.html
33. http://www.stand.org.uk/
__________________WEBSITE LYNX-DUMP ENDS_______________________
Also of particular humorness (well, to me anyways) were the META-tags in
the header, which were as follows:
<html>
<head>
<meta name="GENERATOR" content="VIM - Vi IMproved 5.6">
<meta name="AUTHOR" content="Vortex">
<meta name="MOOD" content="Very pissed off, spammed again">
<title>Promote Responsible E-Commerce: Fight Spam! (Cracked
*again* by Vortex)</title>
</head>
Very pissed off, indeed.
Vortex, dude- Anger leads only to hate; hate leads only to the dark
side. Turn away from the dark side my son; twist you it will.
This Is Not The Way.
--
Huey
...although it _is_ nuttier than a rat in a coffee can, and funnier than
a fart in a spacesuit...
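
An added example, not part of the archived post or of the defaced page: a read-only audit for three of the artifacts the "How" section lists, namely password entries on system accounts in /etc/shadow, an extra command in an init script, and set-UID files under /tmp. The sample data, the function names, the expected-command set and the UID cutoff of 500 (the first ordinary user UID on Red Hat systems of that era) are assumptions made for illustration.

```python
import os
import re
import stat

# Constructed sample inputs (illustrative; not taken from the affected host).
PASSWD = """root:x:0:0::/root:/bin/bash
bin:x:1:1::/bin:
daemon:x:2:2::/sbin:
lp:x:4:7::/var/spool/lpd:
alice:x:500:500::/home/alice:/bin/bash"""
SHADOW = """root:$1$demo$rootrootrootrootrootro:11100:0:99999:7:::
bin:$1$demo$binbinbinbinbinbinbinb:11100:0:99999:7:::
daemon:*:11100:0:99999:7:::
lp::11100:0:99999:7:::
alice:$1$demo$alicealicealicealice:11100:0:99999:7:::"""
INIT = """#!/bin/sh
. /etc/rc.d/init.d/functions
daemon crond
/usr/bin/prnmon
"""

def risky_system_accounts(passwd, shadow, first_user_uid=500):
    """Map non-root system accounts that can log in to 'hash' or 'empty'."""
    uid = {f[0]: int(f[2]) for f in (l.split(":") for l in passwd.splitlines() if l)}
    out = {}
    for name, pw in (l.split(":")[:2] for l in shadow.splitlines() if l):
        if 0 < uid.get(name, first_user_uid) < first_user_uid:  # skip root, users
            if pw == "":
                out[name] = "empty"  # blank field can allow login with no password
            elif pw[0] not in "*!":  # '*' or '!' marks a locked account
                out[name] = "hash"
    return out

def unexpected_commands(script, expected):
    """Absolute paths referenced by an init script that are not in `expected`."""
    paths = re.findall(r"(?<![\w.])/[\w./-]+", script)
    return sorted(set(paths) - set(expected))

def suid_files(root):
    """Regular files under `root` (for example /tmp) with the set-UID bit."""
    hits = []
    for d, _, names in os.walk(root):
        for p in (os.path.join(d, n) for n in names):
            mode = os.lstat(p).st_mode
            if stat.S_ISREG(mode) and mode & stat.S_ISUID:
                hits.append(p)
    return sorted(hits)

if __name__ == "__main__":
    print(risky_system_accounts(PASSWD, SHADOW), unexpected_commands(INIT, {"/bin/sh"}), suid_files("/tmp"))
```

Since the page says ps and netstat on the host were replaced, checks like these are best run from trusted media or against a mounted disk image rather than with the host's own tools. A locked entry (`*` or `!`) is the safe state for a system account; a blank field is reported separately because it is not.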