The Story of Totse
Dfg
Admin
If you are living under a rock or where killing babies you might have not noticed but Totse just barely escaped from a shit storm. If you read my Totse Status update file you would know our old host was hacked and the new host we went to was hacked as well.
The hackers used a script called r57shell to exploit Totse. Once they raped joomla they got control over the server and used that script to access to Totse. Now, for some reason I couldn't figure out how the fuck they did it. Mainly because those script files were removed by the attackers leaving me clueless.
So, after giving up on the new server we moved back and hellish kindly gave me access to the server. When I checked the directories it was a mess, [it still is]. But there were some pages missing here as well. So, when I uploaded the faq.php I saw the r57shell script. I showed it to everyone in IRC. So, like always I deleted the file and uploaded again.
The script came back again, so I just deleted it and went on to clean the server and start organizing stuff. The DB and Totse started fucking up again and at this moment I was [still am] in contact with the host. I told them about this exploit and they offered a complete restore. I told them to hold it until we have no option left.
I then talked to oddballz194 via IRC and asked them about this exploit. oddballz194 being my dear friend helped me out, we talked about certain methods in which an attacker would exploit Totse and the most obvious was via CMS. And the second one was via DB. In short the attacker used the script thanks to Joomla and then uploaded the code in base64 into Vbulletin DB. And it gave the execution path of faq.php. Meaning whenever faq.php was called the exploit would get executed. So no matter how many servers we switch the exploit will remain there.
I found the exploit after some queries in DB and finally fixed the problem. Now, we're not done yet but at least it's a good fucking start. I am going to delay the restore option and work on securing the server more.
Again, thanks for sticking around and big thanks to oddballz194 for helping out. He truly is a gem IMO.
[sorry for typos/errors it's 5:10 AM]
The hackers used a script called r57shell to exploit Totse. Once they raped joomla they got control over the server and used that script to access to Totse. Now, for some reason I couldn't figure out how the fuck they did it. Mainly because those script files were removed by the attackers leaving me clueless.
So, after giving up on the new server we moved back and hellish kindly gave me access to the server. When I checked the directories it was a mess, [it still is]. But there were some pages missing here as well. So, when I uploaded the faq.php I saw the r57shell script. I showed it to everyone in IRC. So, like always I deleted the file and uploaded again.
The script came back again, so I just deleted it and went on to clean the server and start organizing stuff. The DB and Totse started fucking up again and at this moment I was [still am] in contact with the host. I told them about this exploit and they offered a complete restore. I told them to hold it until we have no option left.
I then talked to oddballz194 via IRC and asked them about this exploit. oddballz194 being my dear friend helped me out, we talked about certain methods in which an attacker would exploit Totse and the most obvious was via CMS. And the second one was via DB. In short the attacker used the script thanks to Joomla and then uploaded the code in base64 into Vbulletin DB. And it gave the execution path of faq.php. Meaning whenever faq.php was called the exploit would get executed. So no matter how many servers we switch the exploit will remain there.
I found the exploit after some queries in DB and finally fixed the problem. Now, we're not done yet but at least it's a good fucking start. I am going to delay the restore option and work on securing the server more.
Again, thanks for sticking around and big thanks to oddballz194 for helping out. He truly is a gem IMO.
[sorry for typos/errors it's 5:10 AM]
Comments
Nvmd I found it on google.
http://www.google.com/search?hl=en&safe=off&client=firefox-a&hs=rht&rls=org.mozilla%3Aen-US%3Aofficial&q=r57shell+joomla&aq=0&aqi=g1&aql=&oq=r57shell+j&gs_rfai=
It looks like a common problem. We need better security.
if totse was pubic hair, it would always grow back
To put it into terms that Dfg can understand, you could say that it was the straw that broke the camel's back.
Dammit, you guys know me too well
Lol that's funny
Lol Goatse:hai:
There are tons of way to improve security and hopefully I might implement some of them in future or in few weeks
Nothing says totse more than a goatse...That's the way I saw it anyways
Good work so far, and keep going at ti! We appreciate it.
Thanks
Btw if you think you're not capable of doing something or you're not doing much, trust me just by posting here you're contributing way more. So, just don't give up hope. It's thanks to you guys we can survive these problems.
Oh btw, I am not giving up on Totse.info. Whatever the challenges we face in future I am not backing away because I believe in this community and its potential to move mountains and hearts of everyone.
What Df said, you are helping out by posting.:thumbsup:
It's in M&A for now. Mainly for security reasons [Mods do not post it outside please].
But long story short we got hacked today but this we were prepared. Thanks to that idiot I found more loop holes and quickly plugged them.
Site downtime = 12 secs.
Reason: Payment overdue. We got hacked by the host lol.
It's back now but I don't have the details regarding this.