[Resolved] 01micko.com compromised
Everyone, 01Micko is sharing an understanding of what has been hacked. The various "whats" have been discussed in open forums on the internet for years, and this specific "what" is a topic of discussion that has raged for all too many years. In years past, it was blamed first on kids, then on hackers, then on the mob, then on the Russians, then African nations; now it's the Chinese.
I offer that we use this thread to focus, for our purposes, on a manner of managing how we can turn this event to our advantage.
Let's step back for a moment to look at some of the problems like this:
What happens when secondary/third-level DNS is poisoned such that a site name is redirected to another host's IP? How is it repaired? I maintain (as 01Micko does) that ISPs have dealt with this type of problem for years and are uniquely positioned to deal with this. In the past, I have always steered my customers (especially first-timers who lack staff to support website "management") to use NSI (the strongest of the world's ISPs) or Yahoo or Google, and most recently have had good results from GoDaddy for site management and issue resolution.
Reason: years of experience and 24-hour assistance from those I mentioned. They have seen most every website problem in existence and have solid manners for addressing such, directly and quickly.
This kind of problem, in the past, too, has resulted in a customer/ISP having its domain name expire, where "there is a business" of persons/companies circling the internet waiting for domain-name expiration and seizing the name because of the number of hits. They then sell service on their own webpage or offer the name for purchase to the highest bidder (again, this is a KNOWN business element of buying and selling expired domain names). In this case, usually, the company which bought the name sells it back at a premium to the company or person who wants their old domain name back.
Also, along the same lines, an ISP can be working over a weekend on updates and get things screwed up in internet domain-name resolution. This they usually fix with a refreshed DNS blast for their domains at the end of their updates.
If it is clear which path was used to hijack the domain name, we can turn this thread into a "Howto..." for addressing domain-name issues. Advantage: Puppyland domain-name holders.
As I mentioned before, there appears to be a similar domain-name issue with Smokey01.com where the site's files are there but the way to get there through the top-level site name is gone. To better explain this to those who don't understand, http://smokey01.com is gone from resolution, but http://smokey01.com/01micko is still there.
Anyone see my points? Other ideas of how this problem can be to our advantage?
One thing that bothers me: is this the start of a systematic attack on Puppy domains? How many developers have files stored on those domains that they do not have backups of?
Imagine if this progressed to the point of this thread and also this forum suddenly getting directed to some other site as well as the backup forum.
I am hoping that the content of 01micko.com is still ok and the attack on his site is just a redirection to another site as well as preserving contents of other puppy domains.
What irritates me further is that 01micko.com still shows in the location bar in Firefox.
When re-direction occurs, my experience was with phishing,
that xyz_bank.com is not showing anymore in the location bar,
but the real address of the page, in my cases mainly somewhere in Mexico.
Perhaps all of Mick's .html pages are replaced?
Or the server at crazydomains.com presents a set of wrong index.html
that are located on the server partition?
Or could there be any .php or .js scripts injected into Mick's index.html?
When Mick is capable of logging in, is it possible for him to view the .html files -- like `# less index.html'?
What confuses me also is that the Firefox view-source shows
lines with " http://1.2.3.12/bmi/01micko.com " together with <a href="http://www.68ecshop.com">
Code:
<div class="goodsbox1">
<div class="imgbox1"><a href="goods.php?id=8"><img src="http://1.2.3.12/bmi/01micko.com/images/200905/thumb_img/8_thumb_G_1241425513488.jpg"
--
while `# wget http://01micko.com' shows no http://1.2.3.12/bmi/01micko.com -- only http://www.68ecshop.com
...
Yup ..
SFR wrote:
> This one?
> Karl Godt wrote:
> > both have ascii code sign ... # another project for me to display all special characters in the terminal, and not only bin squares and diamond question marks
> > Code:
> > # echo -e '\0190'
> > .
> Code:
> # echo -e '\xc2\xa5' ¥ #
> Greetings!
Code:
#!/bin/ash
# Walk every two-byte combination \xIJ\xKL (hex digits i j k l) and append the
# ones that survive the filters below to ascii.hex.tab as:  i j k l:"<bytes>"
# The nested case statements implement the filters on which pairs to keep:
#  - leading bytes 0x00-0x7f: only second bytes below 0x80 (plus 0x8e, 0x8f) pass
#    (the 0x0a row is not filtered at all);
#  - leading bytes 0x80-0xbf and 0xe0-0xff are dropped entirely;
#  - leading bytes 0xc?/0xd?: only second bytes in the UTF-8 continuation range
#    0x80-0xbf pass (0xa0-0xbf for 0xc2), and 0xc0, 0xc1 and 0xc3 are dropped.
A='0 1 2 3 4 5 6 7 8 9 a b c d e f'
for i in $A
do
 for j in $A
 do
  for k in $A
  do
   for l in $A
   do
    case $i in
     [0]) case $j in
           [0-9]|[b-f]) case $k in
                         8) case $l in
                             [0-9]|[a-d]) continue;;
                            esac
                            ;;
                         9|[a-f]) continue;;
                        esac
                        ;;
          esac
          ;;
     [1-7]) case $j in
             [0-9]|[a-f]) case $k in
                           8) case $l in
                               [0-9]|[a-d]) continue;;
                              esac
                              ;;
                           9|[a-f]) continue;;
                          esac
                          ;;
            esac
            ;;
     [8-9]|[a-b]|[e-f]) continue
            ;;
     c|d) case $j in
           [0-1]|3) continue;;
           2) case $k in
               [0-9]|[c-f]) continue;;
              esac
              ;;
           [4-9]|[a-f]) case $k in
                         [0-7]|[c-f]) continue;;
                        esac
                        ;;
          esac
          ;;
    esac
    # echo -e turns the \xHH escapes into the raw bytes; the trailing \n adds a blank line
    echo -e "$i $j $k $l:"'"'"\\x$i$j\\x$k$l"'"''\n' >> ascii.hex.tab
   done
  done
 done
done
Code:
strings ascii.hex.tab >ascii.hex.tab.2
c 8 b f:"ȿ"
or
c 6 9 c:"Ɯ"
or
c 5 a 6:"Ŧ"
or
c 2 a 5:"¥"
Share what your PC sees relating 01Micko's problem, to help
To begin to see the DNS issue I speak of, do this from a terminal window:
Code:
# ping -c 5 01micko.com
PING 01micko.com (27.124.113.33): 56 data bytes
64 bytes from 27.124.113.33: seq=1 ttl=44 time=275.179 ms
64 bytes from 27.124.113.33: seq=2 ttl=43 time=278.243 ms
64 bytes from 27.124.113.33: seq=3 ttl=43 time=273.757 ms
64 bytes from 27.124.113.33: seq=4 ttl=43 time=274.601 ms
--- 01micko.com ping statistics ---
5 packets transmitted, 4 packets received, 20% packet loss
round-trip min/avg/max = 273.757/275.445/278.243 ms
If this is done from every continent we begin to see what the DNS resolutions are telling your browsers. The above is from a North-Western Hemisphere PC.
What continent, and what does your resolution show? This helps in that we can get a worldly picture of what the browsers are being told, and of how far the problem has cascaded.
Last edited by gcmartin on Sun 15 Jun 2014, 18:50, edited 4 times in total.
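As an added example (not code from this thread or from any of its participants), here is a Python script that does what gcmartin asks for in a repeatable way: it takes ping output in the three dialects that appear in this thread (BusyBox/BSD, GNU iputils and Windows), pulls out the address the local resolver handed to ping, and checks it against the address blocks 01micko quotes later in the thread (203.170.80.0-203.170.87.255 for the live account, 27.124.111.0-27.124.118.255 for the same host's other block). The function names, the verdict labels and the sample set (first lines trimmed from posts in this thread, plus one made-up answer in the 192.0.2.0/24 documentation range) are my own and are not part of the original posts.

```python
import ipaddress
import re

# Address blocks quoted by 01micko later in this thread. The live account lives in
# 203.170.80.0-203.170.87.255 (real IP 203.170.81.33); 27.124.111.0-27.124.118.255
# is the same host's other block, which is where the stale account was answering.
EXPECTED = list(ipaddress.summarize_address_range(
    ipaddress.ip_address("203.170.80.0"), ipaddress.ip_address("203.170.87.255")))
SAME_HOST = list(ipaddress.summarize_address_range(
    ipaddress.ip_address("27.124.111.0"), ipaddress.ip_address("27.124.118.255")))

_IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# First line of a ping run in the dialects seen in this thread:
#   BusyBox/BSD:  PING host (1.2.3.4): 56 data bytes
#   GNU iputils:  PING host (1.2.3.4) 56(84) bytes of data.
#   Windows:      Pinging host [1.2.3.4] with 32 bytes of data:
_HEADERS = (
    re.compile(rf"^PING\s+(?P<host>\S+)\s+\((?P<ip>{_IPV4})\)"),
    re.compile(rf"^Pinging\s+(?P<host>\S+)\s+\[(?P<ip>{_IPV4})\]"),
)


def resolved_address(ping_output):
    """Return (hostname, IPv4Address) that the local resolver gave ping, or None."""
    for line in ping_output.splitlines():
        for pat in _HEADERS:
            m = pat.match(line.strip())
            if m:
                return m.group("host"), ipaddress.ip_address(m.group("ip"))
    return None


def classify(ip):
    """Label an address against the blocks above (verdict names are my own)."""
    ip = ipaddress.ip_address(ip)
    if any(ip in net for net in EXPECTED):
        return "expected"
    if any(ip in net for net in SAME_HOST):
        return "same-host-wrong-server"
    return "unexpected"


def report(samples):
    """samples: {vantage point: raw ping output} -> {vantage point: (ip, verdict)}."""
    out = {}
    for where, text in samples.items():
        found = resolved_address(text)
        if found is None:
            out[where] = (None, "unparsed")
        else:
            out[where] = (str(found[1]), classify(found[1]))
    return out


def tally(results):
    """Count vantage points per verdict, to see how far the bad answer has spread."""
    counts = {}
    for _ip, verdict in results.values():
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


# Constructed sample set: first lines trimmed from posts in this thread, plus one
# made-up answer from the 192.0.2.0/24 documentation range to show the third verdict.
SAMPLES = {
    "North-Western Hemisphere (gcmartin)": (
        "# ping -c 5 01micko.com\n"
        "PING 01micko.com (27.124.113.33): 56 data bytes\n"
        "64 bytes from 27.124.113.33: seq=1 ttl=44 time=275.179 ms\n"),
    "Oslo, Norway (tallboy)": (
        "PING 01micko.com (27.124.113.33): 56 data bytes\n"
        "64 bytes from 27.124.113.33: seq=0 ttl=45 time=1399.818 ms\n"),
    "GNU iputils host (james)": (
        "$ ping -c5 01micko.com\n"
        "PING 01micko.com (27.124.113.33) 56(84) bytes of data.\n"
        "64 bytes from server-x-r6.ipv4.au.syrahost.com (27.124.113.33): icmp_req=1 ttl=42 time=313 ms\n"),
    "musher0": (
        "PING 01micko.com (203.170.81.33): 56 data bytes\n"
        "64 bytes from 203.170.81.33: seq=0 ttl=49 time=307.073 ms\n"),
    "Windows XP (greengeek)": (
        "H:\\>ping -n 5 01micko.com\n"
        "Pinging 01micko.com [203.170.81.33] with 32 bytes of data:\n"
        "Reply from 203.170.81.33: bytes=32 time=80ms TTL=44\n"),
    "constructed foreign answer": (
        "PING 01micko.com (192.0.2.10): 56 data bytes\n"),
}

if __name__ == "__main__":
    results = report(SAMPLES)
    for where, (ip, verdict) in results.items():
        print(f"{where:40} {ip!s:16} {verdict}")
    print(tally(results))
```

Paste each contributor's ping output into SAMPLES (or read it from files) and the tally shows at a glance how many vantage points are still being handed the stale 27.124.113.33 answer versus the real 203.170.81.33; an "unexpected" verdict is the case that would point at something other than the hosting mix-up the thread eventually uncovered.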
This is probably the single most stupid question here, but both 01Micko.com and 68ecshop.com start with a numerical expression, does that have any significance?
tallboy
Pinged from Oslo, Norway (wifi):
Code:
# ping -c5 01micko.com
PING 01micko.com (27.124.113.33): 56 data bytes
64 bytes from 27.124.113.33: seq=0 ttl=45 time=1399.818 ms
64 bytes from 27.124.113.33: seq=1 ttl=45 time=887.716 ms
64 bytes from 27.124.113.33: seq=2 ttl=45 time=799.641 ms
64 bytes from 27.124.113.33: seq=3 ttl=45 time=839.573 ms
64 bytes from 27.124.113.33: seq=4 ttl=45 time=1007.489 ms
--- 01micko.com ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 799.641/986.847/1399.818 ms
True freedom is a live Puppy on a multisession CD/DVD.
Code:
# ping -c 5 01micko.com
PING 01micko.com (27.124.113.33) 56(84) bytes of data.
64 bytes from 01micko.com (27.124.113.33): icmp_req=1 ttl=43 time=254 ms
64 bytes from 01micko.com (27.124.113.33): icmp_req=2 ttl=43 time=254 ms
64 bytes from 01micko.com (27.124.113.33): icmp_req=3 ttl=43 time=261 ms
64 bytes from 01micko.com (27.124.113.33): icmp_req=4 ttl=43 time=255 ms
64 bytes from 01micko.com (27.124.113.33): icmp_req=5 ttl=43 time=259 ms
--- 01micko.com ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 254.296/256.978/261.635/2.956 ms
What I could think of is that someone has copied a limited set of 6-12 .html files from 68ecshop.com and placed them on Mick's server, since only port :80 seems affected.
The reason would be to get people entering shopping ec-card information.
Code:
# ping -c 5 01micko.com
PING 01micko.com (27.124.113.33): 56 data bytes
64 bytes from 27.124.113.33: seq=1 ttl=41 time=499.208 ms
64 bytes from 27.124.113.33: seq=2 ttl=41 time=549.060 ms
64 bytes from 27.124.113.33: seq=3 ttl=41 time=508.912 ms
64 bytes from 27.124.113.33: seq=4 ttl=41 time=508.801 ms
--- 01micko.com ping statistics ---
5 packets transmitted, 4 packets received, 20% packet loss
round-trip min/avg/max = 499.208/516.495/549.060 ms
# ping -c 5 01micko.com
PING 01micko.com (27.124.113.33): 56 data bytes
64 bytes from 27.124.113.33: seq=0 ttl=41 time=729.947 ms
64 bytes from 27.124.113.33: seq=1 ttl=41 time=509.697 ms
64 bytes from 27.124.113.33: seq=2 ttl=41 time=519.725 ms
64 bytes from 27.124.113.33: seq=3 ttl=41 time=490.085 ms
64 bytes from 27.124.113.33: seq=4 ttl=41 time=489.466 ms
--- 01micko.com ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 489.466/547.784/729.947 ms
Code:
sh-4.1# ping -c 5 01micko.com
PING 01micko.com (27.124.113.33): 56 data bytes
64 bytes from 27.124.113.33: seq=0 ttl=45 time=396.678 ms
64 bytes from 27.124.113.33: seq=1 ttl=45 time=392.599 ms
64 bytes from 27.124.113.33: seq=2 ttl=45 time=408.535 ms
64 bytes from 27.124.113.33: seq=3 ttl=45 time=395.692 ms
64 bytes from 27.124.113.33: seq=4 ttl=45 time=402.718 ms
--- 01micko.com ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 392.599/399.244/408.535 ms
My host is allocated 27.124.111.0 to 27.124.118.255
My actual IP address is in the range 203.170.80.0 to 203.170.87.255. I can log on to that one with FTP. (Also allocated to my host)
Ping this domain; computerfairy.net, browse the site if you wish, it's a drupal install on my host, same root directory as 01micko.com. I own the domain. That's my real IP address.
Karl, see if you can log in through a browser once you have my real IP. The root folder is public_html, however you may only be able to get to public_html/KRG with your permissions.
In the browser bar
Code:
ftp://$REAL_IP_ADDRESS/public_html/
Happy hunting.
By the way, I've renamed my WordPress folder and removed any JS from my index.html. I have removed a couple of Perl scripts too. I don't expect to see an improvement based on the above info.
Puppy Linux Blog - contact me for access
Code:
james@mx1:~
$ ping -c5 01micko.com
PING 01micko.com (27.124.113.33) 56(84) bytes of data.
64 bytes from server-x-r6.ipv4.au.syrahost.com (27.124.113.33): icmp_req=1 ttl=42 time=313 ms
64 bytes from server-x-r6.ipv4.au.syrahost.com (27.124.113.33): icmp_req=2 ttl=42 time=314 ms
64 bytes from server-x-r6.ipv4.au.syrahost.com (27.124.113.33): icmp_req=3 ttl=42 time=321 ms
64 bytes from server-x-r6.ipv4.au.syrahost.com (27.124.113.33): icmp_req=4 ttl=42 time=321 ms
64 bytes from server-x-r6.ipv4.au.syrahost.com (27.124.113.33): icmp_req=5 ttl=42 time=318 ms
--- 01micko.com ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4004ms
rtt min/avg/max/mdev = 313.394/318.055/321.856/3.529 ms
james@mx1:~
Attachment: computerfairy.net.jpg
This ping request is from southern Oregon, USA.
It seems to read about the same as others have got.
Code:
# ping -c5 01micko.com
PING 01micko.com (27.124.113.33): 56 data bytes
64 bytes from 27.124.113.33: seq=0 ttl=50 time=241.197 ms
64 bytes from 27.124.113.33: seq=1 ttl=50 time=240.690 ms
64 bytes from 27.124.113.33: seq=2 ttl=50 time=239.967 ms
64 bytes from 27.124.113.33: seq=3 ttl=50 time=241.003 ms
64 bytes from 27.124.113.33: seq=4 ttl=50 time=240.462 ms
--- 01micko.com ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 239.967/240.663/241.197 ms
But the only information it gives is that the domain exists, and it gives the IP address found, if I am correct in this.
This is what I get using Firefox and gftp:
01micko wrote:
> My host is allocated 27.124.111.0 to 27.124.118.255
> My actual IP address is in the range 203.170.80.0 to 203.170.87.255. I can log on to that one with FTP. (Also allocated to my host)
> Ping this domain; computerfairy.net, browse the site if you wish, it's a drupal install on my host, same root directory as 01micko.com. I own the domain. That's my real IP address.
> Karl, see if you can log in through a browser once you have my real IP. The root folder is public_html, however you may only be able to get to public_html/KRG with your permissions.
> In the browser bar
> Code:
> ftp://$REAL_IP_ADDRESS/public_html/
> Happy hunting.
> By the way, I've renamed my word press folder and removed any js from my index.html. I have removed a couple of perl scripts too. I don't expect to see an improvement based on the above info.
Code:
Looking up ftp.01micko.com
Trying 01micko.com:21
Connected to 01micko.com:21
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 07:35. Server port: 21.
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
USER KRG@01micko.com
331 User KRG@01micko.com OK. Password required
PASS xxxx
530 Login authentication failed
Disconnecting from site ftp.01micko.com
Micko, you gave me such a great password with a ']' in it.
Had already tried using
wget --ftp-user=USER --ftp-password=PASS
Code:
wget --ftp-user=KRG@01micko.com --ftp-password='VERY]GOODpassword' ftp://01micko.com
--01:41:27-- ftp://01micko.com/
=> `.listing'
Resolving 01micko.com... 27.124.113.33
Connecting to 01micko.com|27.124.113.33|:21... connected.
Logging in as KRG@01micko.com ...
Login incorrect.
( Linux is very secure .. )
Karl,
You are responsible for your password and you can change it to whatever you want
Try logging in with the IP. The real IP is 203.170.81.33. You should be able to log in just fine in gftp or FileZilla. It works in a browser too, ftp only.
Meanwhile I redirected my home page to micko.computerfairy.net and reinstated the javascript. If that is the cause (which I think not) then that address will succumb to the predator as well.
Puppy Linux Blog - contact me for access
Re: Share what your PC sees relating 01Micko's problem, to help
Hello, gcmartin.
gcmartin wrote:
> To begin to see the DNS issue I speak of, do this from a terminal Window:
> Code:
> # ping -c 5 01micko.com
> PING 01micko.com (27.124.113.33): 56 data bytes
> 64 bytes from 27.124.113.33: seq=1 ttl=44 time=275.179 ms
> 64 bytes from 27.124.113.33: seq=2 ttl=43 time=278.243 ms
> 64 bytes from 27.124.113.33: seq=3 ttl=43 time=273.757 ms
> 64 bytes from 27.124.113.33: seq=4 ttl=43 time=274.601 ms
> --- 01micko.com ping statistics ---
> 5 packets transmitted, 4 packets received, 20% packet loss
> round-trip min/avg/max = 273.757/275.445/278.243 ms
> If this is done from every continent we begin to see what the DNS resolutions are telling your browsers. The above is from a North-Western Hemisphere PC.
> What continent and what does your resolution show? This helps in that we can get a worldly picture of what the browsers are being told. And, to how far the problem has cascaded.
These are the results from my position:
Code:
ping -c 5 01micko.com
PING 01micko.com (203.170.81.33): 56 data bytes
64 bytes from 203.170.81.33: seq=0 ttl=49 time=307.073 ms
64 bytes from 203.170.81.33: seq=1 ttl=49 time=300.629 ms
64 bytes from 203.170.81.33: seq=2 ttl=49 time=301.088 ms
64 bytes from 203.170.81.33: seq=3 ttl=49 time=302.288 ms
64 bytes from 203.170.81.33: seq=4 ttl=49 time=281.223 ms
--- 01micko.com ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 281.223/298.460/307.073 ms
I hope this helps. BFN.
Chris
musher0
~~~~~~~~~~
"You want it darker? We kill the flame." (L. Cohen)
musher0 wrote:
> ping -c 5 01micko.com
> PING 01micko.com (203.170.81.33): 56 data bytes
> 64 bytes from 203.170.81.33: seq=0 ttl=49 time=307.073 ms
Hey Musher0, that is the right address. Did 01micko.com work in a browser?
I just got word back from the host:
> Paul A (Customer Care Agent)
> Jun 16 08:50 AM
> Hello Michael,
> Thank you for your email.
> We do apologize for the inconvenience, Michael. Upon checking into the account and the settings, we found out that there were 2 hosting accounts on different servers and unfortunately the inactive one was on the server with higher DNS priority. We have already shut down that account and now there is only one hosting account. Please do consider waiting within 2 to 4 hours since changes have been applied and there is a downtime of 2 to 4 hours. After that it will be up and running.
> Thank you
> Paul A
> Crazy Domains
> Customer Support
> www.CrazyDomains.com
See what happens after 3:30 my time I guess.
Puppy Linux Blog - contact me for access
I couldn't get the -c option to work - probably because I am on Windows at the moment, so I did the following:
http://www.01micko.com in the browser gives me your normal site, so all good here at the moment.
Code:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
H:\>ping -c 5 01micko.com
Bad option -c.
Usage: ping [-t] [-a] [-n count] [-l size] [-f] [-i TTL] [-v TOS]
[-r count] [-s count] [[-j host-list] | [-k host-list]]
[-w timeout] target_name
Options:
-t Ping the specified host until stopped.
To see statistics and continue - type Control-Break;
To stop - type Control-C.
-a Resolve addresses to hostnames.
-n count Number of echo requests to send.
-l size Send buffer size.
-f Set Don't Fragment flag in packet.
-i TTL Time To Live.
-v TOS Type Of Service.
-r count Record route for count hops.
-s count Timestamp for count hops.
-j host-list Loose source route along host-list.
-k host-list Strict source route along host-list.
-w timeout Timeout in milliseconds to wait for each reply.
H:\>ping -n 5 01micko.com
Pinging 01micko.com [203.170.81.33] with 32 bytes of data:
Reply from 203.170.81.33: bytes=32 time=426ms TTL=44
Reply from 203.170.81.33: bytes=32 time=80ms TTL=44
Reply from 203.170.81.33: bytes=32 time=80ms TTL=44
Reply from 203.170.81.33: bytes=32 time=80ms TTL=44
Reply from 203.170.81.33: bytes=32 time=81ms TTL=44
Ping statistics for 203.170.81.33:
Packets: Sent = 5, Received = 5, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 80ms, Maximum = 426ms, Average = 149ms
H:\>
Thanks Greengeek, looks like it's fixed.. but Google is still crawling the Chinese site - lol.. probably pissing them off too.
Too early to call "resolved" but looks like it is.
Attachment: 01micko.jpg
Puppy Linux Blog - contact me for access
Hi, micko.
Is this how it's supposed to look?
musher0
Attachment: micko's_site.jpg (reduced to 640x512 pixels)
~~~~~~~~~~
"You want it darker? We kill the flame." (L. Cohen)