My site just got hacked.

left "calling card"

mack

8:36 pm on Jan 19, 2003 (gmt 0)

One of the sites I run has a classifieds section.

Today I was browsing the ads and saw in bold red letters within the footer files the words "CyberBug Was Here". Has anyone else been hit, and does anyone have any information about this?

mack

9:21 pm on Jan 19, 2003 (gmt 0)

202.190.180.123. Anyone got any ideas?

GaryK

9:28 pm on Jan 19, 2003 (gmt 0)

I found one reference to it on Google. Do a search for "CyberBug Was Here" (including the quotes) and you'll see another infected website. Or maybe that's your website. Either way that's all I know or could find out about it quickly. HTH.

tbear

9:37 pm on Jan 19, 2003 (gmt 0)

The IP appears to belong to 'Universiti Islam Antarabangsa' according to APNIC.
I'll sticky you the source information.

mack

9:48 pm on Jan 19, 2003 (gmt 0)

OK, I found out how they did it.

If you run a site that uses php classifieds then please ensure that you have removed your install.php file.

They have been searching on Google to find the page latestwap.php and then trying to access install.php. They have then changed the password and altered the footer note.

It is not just me. I have been searching for the same file on Google and almost every site has had its MySQL tables emptied. I have been sending the following email to as many of the sites as I can find with contact info.
.............................................

Hi there.
I also run a website that runs php classifieds. Today I noticed I had been hacked and the words "cyberbug was here" were visible on my own pages. My site is www.//////////.com and if you click on my classifieds link you will see what I mean.

I managed to trace it back in my log files to a Google entry point...


202.190.180.123 - - [18/Jan/2003:08:10:42 +0000] "GET /classified_ads/latestwap.php HTTP/1.1" 200 7854 "http://www.google.com/search?q=*/latestwap.php&hl=en&lr=&ie=UTF-8&oe=UTF-8&start=100&sa=N" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"

The search used was latestwap.php.

I assume this is the hacker's method for finding phpclassifieds websites. It appears that in both our cases we have left the install file in place and the hacker has accessed this and altered the footer file on our scripts. In my case he/she has also managed to change the admin password.

I suggest that you download the script again and upload the install file again and configure your script again to change the password back.

The following log file snippet is the hacker actually getting access to the file...

202.190.180.123 - - [18/Jan/2003:08:11:31 +0000] "GET /classified_ads/install.php?level=4 HTTP/1.1" 200 2066 "http://www.example.com/classified_ads/install.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"

If I can be of any help please don't hesitate to contact me. I am working on finding a way to regain control of my classifieds script as we speak.

I sent this email as a courtesy. I followed the search query that the hacker had used and he seems to have been working his/her way through the results pages looking for open scripts.

Alistair Mcintyre
www.//////////.com

[edited by: engine at 10:49 pm (utc) on Jan. 19, 2003]
[edit reason] url generalised [/edit]
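A defender's-side check for the pattern in the two log lines quoted above, added here as an example and not code from the thread or from the classifieds script: it parses Apache combined-format access-log lines and flags (a) search-engine referers whose query is a script filename and (b) any successfully served request for a leftover installer script. The sample log lines and the 203.0.113.5 / 198.51.100.7 addresses are constructed for the example.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote
from collections import defaultdict

LOG_RE = re.compile(  # Apache "combined" format, as in the snippets quoted above
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Installer/upgrade scripts that must be deleted once the site is set up.
LEFTOVER_FILES = {"install.php", "setup.php", "upgrade.php"}
SEARCH_HOSTS = ("google.", "bing.", "yahoo.")

def parse_line(line):
    """Split one access-log line into fields, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def search_query(referer):
    """Return the search query if the referer is a search-engine results page."""
    u = urlparse(referer)
    if not any(h in u.netloc for h in SEARCH_HOSTS):
        return None
    q = parse_qs(u.query).get("q") or parse_qs(u.query).get("p")
    return unquote(q[0]) if q else None

def classify(entry):
    """Tags explaining why a request is suspicious (empty list if it is not)."""
    tags = []
    filename = urlparse(entry["path"]).path.rsplit("/", 1)[-1]
    if filename in LEFTOVER_FILES and entry["status"] == "200":
        tags.append("leftover-installer-hit")  # installer still reachable and served
    q = search_query(entry["referer"])
    if q and re.search(r"\.php\b", q):
        tags.append("dork-referer")  # visitor arrived via a search for a script filename
    return tags

def scan(lines):
    """Map client IP -> [(path, tags)] for every suspicious request."""
    hits = defaultdict(list)
    for line in lines:
        if (e := parse_line(line)) and (tags := classify(e)):
            hits[e["ip"]].append((e["path"], tags))
    return dict(hits)

SAMPLE_LOG = [  # constructed for this example; addresses are documentation ranges
    '203.0.113.5 - - [18/Jan/2003:08:10:42 +0000] "GET /classified_ads/latestwap.php HTTP/1.1" 200 7854 "http://www.google.com/search?q=*/latestwap.php&hl=en" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '203.0.113.5 - - [18/Jan/2003:08:11:31 +0000] "GET /classified_ads/install.php?level=4 HTTP/1.1" 200 2066 "http://www.example.com/classified_ads/install.php" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '198.51.100.7 - - [18/Jan/2003:09:00:00 +0000] "GET /classified_ads/index.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
]
```

An address that collects both tags within a few minutes, as 203.0.113.5 does here, is the sequence the thread describes; the durable fix remains deleting the installer after setup.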

HoloC76

6:36 pm on Jan 20, 2003 (gmt 0)

I had the same problems with my forum. It was hacked a couple of times before I bothered to look into the problem. It was the install.php file, plus there were some other fixes I was advised to make. It's been OK for a few months now (fingers crossed...).

mack

8:22 pm on Jan 20, 2003 (gmt 0)

Well, I had another setback...

It was very late last night when I discovered the hack. I needed sleep for work today. I went on now to try and find the old version of the script to upload a fresh install file, only to find out that I now have a site full of MySQL errors.

Lost my member base, all classified ads, now getting loads of 404 Google referrals.

Is legal action out of the question?

franklin dematto

6:00 am on Jan 23, 2003 (gmt 0)

Legal action is going to be quite hard. The FBI won't normally get involved for less than $5000 worth of damages. What's worse, CyberBug apparently attacked you from the Universiti Islam Antarabangsa. If he's really there, then you'll have a hard time mounting an international suit, and if he is just relaying through them, you'll have to find out where he really is.

It's probably not worth it...

If you want to do something, you can try contacting Universiti Islam Antarabangsa (hopefully you share a language with them, at least enough to get by), and try figuring out what's going on (is CyberBug one of theirs, or did he hack in, or find an open relay, etc.).

BTW, the type of hack would obviously indicate someone of very little skill, so I would be hesitant to assume that the Bug actually hacked the Universiti.

mack

7:10 pm on Jan 23, 2003 (gmt 0)

I have been in contact with a person claiming to be the hacker. I also have his name and know a bit about him. He claims the uni was a proxy... but I'm not convinced. Why say that if it was the truth? Surely if he didn't want me to find out any more he would have agreed with me and led me to think he was within the uni.

The fact that he wants me to believe he is outwith the uni makes me feel even stronger that he is within the uni. Just a gut feeling.

franklin dematto

7:25 am on Jan 27, 2003 (gmt 0)

How did you get in contact with him? Or did he contact you?

mack

9:51 pm on Jan 28, 2003 (gmt 0)

I did a Google search for the text he had left and it was found on a hackers' profile site... emailed him and he replied explaining he had used a proxy.

mack

6:17 am on Feb 4, 2003 (gmt 0)

Just thought I would keep you posted. Today I got a reply from the university thanking me for my complaint and saying they knew who it was and, rest assured, he will be facing disciplinary action by the university authorities. They also asked me to forward my log files etc. Would you say this was a success?