Silent Noise hacked

And I don’t have much clue how it happened.
A shell (GNY.Shell – findex.php) and a proxy (proxy.php) was uploaded, but where the weakness was (is?) is not known to me.
I would not be very much surprised if this turned out to be a part of the christmas hacking at
In that aspect it fits in with the previous posting here.

If you can read Norwegian, there is also something here:
hxxp://skriblerier. adesign. no/index.php?q=node/63 (not alive anymore, shut down in 2014)

User Agent:
Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; nb-NO; rv: Gecko/20091201 Firefox/3.5.6 (.NET CLR 3.5.30729)

I think I got mail set up right.
And the redirect to this one on

Update some hours later

The shell that was uploaded:

Goes by various names: Backdoor.PHP.C99Shell.y, probably a variant of PHP/Rst.S, PHP.ShellBot.K, Trojan.Script.212277.

“Score” at virustotal is 16/41.

Update December 25, 2009

A few other interesting IPs: <—–  “Mozilla/5.0 (compatible; Googlebot/2.1; +”?
Umm, don’t think so. More likely a pimplefaced teenager from Trondheim in Norway. Seen on at least three of my domains.
Also using the UA string “Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv: Gecko/20091102 Firefox/3.5.5”. <—– Telenor in Norway. I have seen one very close one earlier, (and, perhaps too).
Now, how many Telenor users are skiddies? Quite a lot probably. But I’ll bet my money on that this is the one who used to log in to h4cky0u as []Volume earlier this year. Now admin at and If anyone is interested, they can check out how the Christmas hacking over at is going. I have not registered to have a look. But I trust that Andreas Ringstad Hansen, phone 470 42 073, is doing a good job in herding his “crew”.
Also admin at the former Which went down when he got a bit nervous after a little slap on the wrist from the police. is another one of his “masterpieces”. Oh, he changed that one. I can throw up a screenshot or two. Or five. When I figure out how to do it here on
I’ll give it a try, it is supposed to be below this text:

screenshot from <—-  Right now I have forgotten why this one is interesting. Hits in logs at atleast two of my domains. is also hosting
Lots of coincidences here.

Posted in hackers. Comments Off on Silent Noise hacked