Wednesday, October 22, 2008

linuXploit_crew attacked my WEB Server using FrontPage Extensions

My test WWW site (hosted on Windows XP) recently had the start page replaced by a page that includes the following text in the first line:

[linuXploit_crew]

The full HTML of this file is included at the bottom of this post.

The offending files were written on 17-Oct-2008 [UTC +11]

[image]

Examination of the IIS log file (ex011016.log) shows that the files were put in place (POSTed) via author.dll, which is part of the FrontPage Server Extensions.

[image]

I have uninstalled FrontPage extensions using

Control Panel -> Add/Remove Programs -> Windows Components ->
   IIS -> Details ->
[image]

I suggest you do the same.
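As an added example (not code from the original post), the following Python script performs the log check described above over an IIS W3C extended log: it reads the #Fields header, then lists successful POSTs to the FrontPage authoring DLLs and counts them per client address. It assumes the standard FrontPage Server Extensions paths /_vti_bin/_vti_aut/author.dll and /_vti_bin/_vti_adm/admin.dll; the log excerpt embedded in it is constructed, with invented addresses, times and user agents.

```python
"""Flag FrontPage Server Extensions authoring requests in an IIS W3C log.

Added example, not code from the original post. It assumes the standard
FrontPage authoring endpoints under /_vti_bin/ (author.dll, admin.dll); the
sample log below is constructed and its addresses, times and user agents are
invented.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List

# The FrontPage DLLs that accept write (authoring / administration) requests.
FPSE_AUTHORING = re.compile(r"/_vti_bin/_vti_(aut/author|adm/admin)\.dll$", re.IGNORECASE)

# Constructed IIS 5.1 log excerpt in W3C extended format. Spaces inside a
# field are encoded as '+', so splitting on single spaces is safe.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.1
#Version: 1.0
#Date: 2008-10-16 22:10:05
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2008-10-16 22:10:05 192.0.2.10 - 10.0.0.5 80 GET /index.htm - 200 Mozilla/4.0+(compatible;+MSIE+6.0)
2008-10-16 22:11:40 198.51.100.7 - 10.0.0.5 80 OPTIONS / - 200 Microsoft+Data+Access+Internet+Publishing+Provider
2008-10-16 22:11:41 198.51.100.7 - 10.0.0.5 80 POST /_vti_bin/_vti_aut/author.dll - 200 MSFrontPage/6.0
2008-10-16 22:11:42 198.51.100.7 - 10.0.0.5 80 POST /_vti_bin/_vti_aut/author.dll - 200 MSFrontPage/6.0
2008-10-16 22:12:03 192.0.2.10 - 10.0.0.5 80 GET /_vti_bin/shtml.dll/_vti_rpc - 200 Mozilla/4.0+(compatible;+MSIE+6.0)
2008-10-16 22:30:00 192.0.2.11 - 10.0.0.5 80 GET /index.htm - 200 Mozilla/4.0+(compatible;+MSIE+6.0)
"""


def parse_w3c_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Turn W3C extended log lines into dicts keyed by the #Fields names."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()  # the schema can change mid-file
            continue
        if line.startswith("#"):
            continue  # #Software, #Version, #Date directives
        values = line.split(" ")
        if fields and len(values) == len(fields):
            records.append(dict(zip(fields, values)))
    return records


def fpse_authoring_posts(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Records where a FrontPage authoring DLL answered a POST with a 2xx status.

    A legitimate FrontPage publish produces exactly the same pattern, so the
    result is a list to review by source address and account, not a verdict.
    Rejected attempts (401/403) are excluded here and deserve a separate pass.
    """
    hits = []
    for rec in records:
        if rec.get("cs-method", "").upper() != "POST":
            continue
        if not FPSE_AUTHORING.search(rec.get("cs-uri-stem", "")):
            continue
        if not rec.get("sc-status", "").startswith("2"):
            continue
        hits.append(rec)
    return hits


def writers_by_ip(hits: List[Dict[str, str]]) -> Counter:
    """Count successful authoring POSTs per (client address, account)."""
    return Counter((h.get("c-ip", "-"), h.get("cs-username", "-")) for h in hits)


if __name__ == "__main__":
    recs = parse_w3c_log(SAMPLE_LOG.splitlines())
    found = fpse_authoring_posts(recs)
    for (ip, user), n in writers_by_ip(found).items():
        print(f"{ip} (account {user}): {n} successful authoring POST(s)")
    for h in found:
        print(h["date"], h["time"], h["c-ip"], h["cs-uri-stem"], h["cs(User-Agent)"])
```

To run it against a real log, feed the file's lines to parse_w3c_log instead of SAMPLE_LOG.splitlines(). IIS writes log timestamps in UTC by default, so a file written on 17-Oct local time [UTC +11] appears under 16-Oct in the log, as in the constructed excerpt. An authoring POST from an address you never publish from, or with an anonymous account, is the entry to look at first.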

The offending HTML

<html>
<head>
<title>linuXploit_crew</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>

<body bgcolor="#FFFFFF">
<div align="center">
<p>[linuXploit_crew]</p>
<p>O grupo linuXploit_crew foi criado em 05/04/2007. </p>
<p>Os membros da época Hualdo / c0d3_bl4ck_ninja / _seri4l_kill3r_ /
lordx / derf-</p>

<p>Atualmente ano de 2008 tem Hualdo / derf- e o lordx que voltou ao grupo e
_Seri4l_Kill3r_ esta off</p>
<p>O nome você criado meio na loucura e sem frescuras</p>
<p>Na época foi criado devido a revolta contra o grupo core-project um
membro antigo do grupo core-project se achou o grande hacker so porque catavamos
maquinas windows e disse que não aceitava isso porém estranhamente
eles mesmos criarão 1 ferramenta para catar pdw</p>
<p>Um dos motivos de aparacer mais um grupo brasileiro defacers é não
aceitar postar subdir em nome do grupo ou seja somente página principal
alterada ou seja a index</p>

<p>Sempre acreditei que deface é a pagina principal alterada e não
www.site.com/blablabla.htm lembro do site alldas somente index alteradas porém
um dia acabou o alldas</p>
<p>Entrava em cena o site zoneh muito bom no começo depois de um tempo
começou aparecer grupos postando /subdir na grande maioria turcos e
chineses postando para crescer no hank</p>
<p> linuXploit_crew não é o melhor ou pior somente tentando fazer
a diferença nos defacers</p>

<p>-----------------------------------------------------------------------------------------------------------------</p>
<p>The group was created linuXploit_crew on 05/04/2007. </p>
<p>Members of the season Hualdo / c0d3_bl4ck_ninja / _seri4l_kill3r_ / lordx
/ derf - </p>
<p>Currently year 2008 has Hualdo / derf-lordx and he has returned to the group
and _Seri4l_Kill3r_ This off </p>
<p>The name was created in madness and a half without fanciness </p>
<p>At the time it was created due to revolt against a group core-project former
member of the core group-project found the hacker so great because windows
machines and said it did not accept it but strangely themselves create 1 tool
to attract PDW </p>

<p>One of the reasons come from another group Brazilian defacers is not post
SUBDIR accept on behalf of the group or whether only main page changed ie
the index I have always believed that deface and the main page changed and
not www.site.com / blablabla.htm remember the site alldas index only changed
but a day just to alldas</p>
<p> Entered the scene at the site zoneh very good start after a while groups
began appearing posting / SUBDIR mostly Turkish and Chinese posting to grow
in the Hank </p>
<p>linuXploit_crew is not better or worse just trying to do the difference in
defacers</p>
<p>:: Membros:: </p>
<p>Hualdo - _Seri4l_Kill3r_ - DeRf- - LordX </p>
<p>Greetz Elite Top Team - OutLaw - Spykids - Red Eye - H4ckersBr </p>

<p> </p>
<p> </p>
</div>
</body>
</html>


2 comments:

Peter said...

I got rid of the LINUXPLOIT_CREW hack by opening the file \windows\system32\drivers\etc\hosts and deleting the redirect entries that LINUXPLOIT had created.
USE ANY TEXT EDITOR (NOTEPAD, for example)
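As an added example (not from the post or from this comment), the following Python script does the hosts-file review described in the comment above in a repeatable way: it parses a Windows hosts file and flags every hostname that is pinned to loopback or mapped to a fixed address, so the entries can be checked one by one. The hosts content embedded in it is constructed and its names and addresses are invented.

```python
"""Review a Windows hosts file for entries that redirect or block hostnames.

Added example, not code from the post or its comments. The hosts content
below is constructed; its hostnames and addresses are invented.
"""
import ipaddress
from typing import List, Tuple

SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
10.0.0.5        intranet.corp.test
203.0.113.45    www.example-bank.test
127.0.0.1       update.example-av.test   # constructed: pins an update server to loopback
"""

Entry = Tuple[int, str, str]  # (line number, address, hostname)


def parse_hosts(text: str) -> List[Entry]:
    """One entry per hostname; comments and blank lines are skipped."""
    entries: List[Entry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        entries.extend((lineno, addr, name) for name in names)
    return entries


def review_hosts(entries: List[Entry]) -> List[Tuple[Entry, str]]:
    """Flag every entry except the normal 'localhost' -> loopback mapping.

    A name pinned to loopback becomes unreachable (the usual way an update or
    AV server is blocked); a name mapped anywhere else bypasses DNS for that
    host. Legitimate intranet entries show up too, so this is a review list.
    """
    flagged: List[Tuple[Entry, str]] = []
    for entry in entries:
        _lineno, addr, name = entry
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            flagged.append((entry, "address does not parse"))
            continue
        if name.lower() in ("localhost", "localhost.localdomain") and ip.is_loopback:
            continue
        if ip.is_loopback:
            flagged.append((entry, "pinned to loopback (blocks the host)"))
        else:
            flagged.append((entry, f"overrides DNS, resolves to {addr}"))
    return flagged


if __name__ == "__main__":
    for (lineno, addr, name), reason in review_hosts(parse_hosts(SAMPLE_HOSTS)):
        print(f"line {lineno}: {addr:<16} {name:<28} {reason}")
```

On a live system, read the file from the path the comment names and pass its text to parse_hosts; anything flagged that you did not add yourself is a candidate for removal, and the file's modification time is worth comparing with the time of the incident.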

John said...

Translation: Portuguese (automatically detected) » English

I hacked LINUXPLOIT_CREW rid of opening the file \ windows \ system32 \ drivers \ etc \ hosts, and erased the redirected hits that were created by LINUXPLOIT.
USE OF TEXT EDITOR QQ (eg NOTEPAD)