And I don’t have much clue how it happened.
A shell (GNY.Shell – findex.php) and a proxy (proxy.php) was uploaded, but where the weakness was (is?) is not known to me.
I would not be very much surprised if this turned out to be a part of the christmas hacking at evilzone.org.
In that aspect it fits in with the previous posting here.
If you can read Norwegian, there is also something here:
hxxp://skriblerier. adesign. no/index.php?q=node/63 (not alive anymore, shut down in 2014)
Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; nb-NO; rv:22.214.171.124) Gecko/20091201 Firefox/3.5.6 (.NET CLR 3.5.30729)
I think I got mail set up right.
And the redirect to this one on wordpress.com.
Update some hours later
The shell that was uploaded:
Goes by various names: Backdoor.PHP.C99Shell.y, probably a variant of PHP/Rst.S, PHP.ShellBot.K, Trojan.Script.212277.
“Score” at virustotal is 16/41.
Update December 25, 2009
A few other interesting IPs:
126.96.36.199 <—– “Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html”?
Umm, don’t think so. More likely a pimplefaced teenager from Trondheim in Norway. Seen on at least three of my domains.
Also using the UA string “Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:188.8.131.52) Gecko/20091102 Firefox/3.5.5”.
184.108.40.206 <—– Telenor in Norway. I have seen one very close one earlier, 220.127.116.11 (and 18.104.22.168, perhaps 22.214.171.124 too).
Now, how many Telenor users are skiddies? Quite a lot probably. But I’ll bet my money on that this is the one who used 126.96.36.199 to log in to h4cky0u as Volume earlier this year. Now admin at evilzone.org and nationalhacker.org. If anyone is interested, they can check out how the Christmas hacking over at evilzone.org is going. I have not registered to have a look. But I trust that Andreas Ringstad Hansen, phone 470 42 073, is doing a good job in herding his “crew”.
Also admin at the former 1nj3ct.org. Which went down when he got a bit nervous after a little slap on the wrist from the police. nordicws.org is another one of his “masterpieces”. Oh, he changed that one. I can throw up a screenshot or two. Or five. When I figure out how to do it here on wordpress.com.
I’ll give it a try, it is supposed to be below this text:
188.8.131.52 <—- Right now I have forgotten why this one is interesting.
184.108.40.206. Hits in logs at atleast two of my domains. 220.127.116.11 is also hosting nordicws.org.
Lots of coincidences here.