Possible hack warning via Admin pages/console...
Posted: 06 Jun 2007, 01:00
My website got hacked and it seems as if it started where m0rtix.c was uploaded via the admin console/supporting pages of the Imagevuex 1.6x (the last update before 1.7) on a Linux server.
The m0rtix.c hack was downloaded in that area where they could have dropped other php files that allowed for perusal of my share as well as other locations which led to multiple .htaccess files being written down as well all of the index.php files overwritten.
It seems as if the hack started by sites looking for inurl:imagevuex via google search, mostly google.es searches - the hacks were done by a spanish speaking group, but seemed to have IP addresses stemming from Spain and Peru. This was May 31st. By June 1st, they had defaced the sites, created a sbin/syslogd process, and had started to redirect traffic via the htaccess to a scotiabank.com.pe (peru) address that was a spoof of the Scotia Bank (Canada) website.
After tracing down the problems, it seems as if it started with the admin portion of the Imagevuex app. I can - if contacted directly - supply even more information; however I've taken this route to hopefully alert you all of some possible openings.
They placed alongside the admin pages: c99.php, m0rtix.c, xx.php, xo.php, uselib24 (uselib24.c), s.jpg, nphp.php as well as altered my .htaccess in the root of the website as well.
Just a heads up. I had the last version of 1.6 installed, had yet to utilize 1.7 - still trying to recover and locate my order details so I could download 1.7.
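The post describes three things a site owner can look for after a compromise of this shape: the dropped files named above sitting next to the admin pages, .htaccess files that redirect visitors to a foreign host, and index.php files that no longer match what was shipped. The script below is an added triage example written for this thread, not code from the poster or from the Imagevuex project. It builds a small constructed document root in a temp directory, then walks it and reports each of those three conditions. The host `phish.example`, the host `gallery.example.org`, the stand-in index.php contents and the placeholder c99.php body are all constructed for the example; the artifact file names are the ones the post lists.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# File names the post reports alongside the admin pages (taken from the post, not invented).
REPORTED_ARTIFACTS = {
    "c99.php", "m0rtix.c", "xx.php", "xo.php",
    "uselib24", "uselib24.c", "s.jpg", "nphp.php",
}

# Apache directives that send a visitor to an absolute URL.
REDIRECT_RE = re.compile(
    r"^\s*(?:Redirect(?:Match|Permanent|Temp)?|RewriteRule)\s+.*?(https?://[^\s\"']+)",
    re.IGNORECASE | re.MULTILINE,
)


def external_redirect_hosts(htaccess_text, own_hosts):
    """Return the hosts an .htaccess redirects to that are not in own_hosts."""
    hosts = set()
    for m in REDIRECT_RE.finditer(htaccess_text):
        host = urlparse(m.group(1)).hostname
        if host and host.lower() not in own_hosts:
            hosts.add(host.lower())
    return sorted(hosts)


def sha256_file(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def scan_webroot(root, own_hosts, known_index_sha256):
    """Walk the document root and return sorted (finding, relative_path) pairs."""
    root = Path(root)
    own = {h.lower() for h in own_hosts}
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            if name in REPORTED_ARTIFACTS:
                findings.append(("reported-artifact", rel))
            elif name == ".htaccess":
                text = path.read_text(errors="replace")
                for host in external_redirect_hosts(text, own):
                    findings.append((f"external-redirect:{host}", rel))
            elif name == "index.php" and sha256_file(path) not in known_index_sha256:
                # index.php that does not match any known-good release copy
                findings.append(("index-modified", rel))
    return sorted(findings)


# Constructed stand-in for the index.php the gallery shipped with.
GOOD_INDEX = b"<?php require 'gallery.php'; ?>\n"


def build_sample_tree():
    """Constructed document root reproducing the shape of the compromise the post describes."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "admin").mkdir()
    (root / "gallery").mkdir()
    (root / "index.php").write_bytes(GOOD_INDEX)                       # untouched copy
    (root / "admin" / "index.php").write_bytes(b"<html>defaced</html>\n")  # overwritten copy
    (root / "admin" / "c99.php").write_bytes(b"<?php /* constructed placeholder */ ?>\n")
    (root / ".htaccess").write_text(
        "RewriteEngine On\n"
        "RewriteRule ^(.*)$ http://phish.example/$1 [R,L]\n"   # placeholder host, not a real one
    )
    (root / "gallery" / ".htaccess").write_text(
        "Redirect permanent /gallery/old https://gallery.example.org/index.php\n"  # our own host
    )
    return root


def demo():
    root = build_sample_tree()
    known = {hashlib.sha256(GOOD_INDEX).hexdigest()}
    return scan_webroot(root, {"gallery.example.org"}, known)


if __name__ == "__main__":
    for finding, rel in demo():
        print(f"{finding:40} {rel}")
```

On the constructed tree this reports the root .htaccess redirect to the foreign host, the overwritten admin/index.php and the dropped admin/c99.php, while the gallery .htaccess that redirects to the site's own host is left alone. Against a real installation, point `scan_webroot` at the document root, list every hostname the site legitimately uses in `own_hosts`, and supply the SHA-256 of the index.php from a clean copy of the release; anything the script flags is a file to review, not proof of compromise on its own.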