[Coco] To everyone concerning CoCo3.com damage

CoCo Tower cocotower at yahoo.com
Thu Nov 22 22:19:26 EST 2007

Read on... some strange things were found.

--- Torsten Dittel <Torsten at Dittel.info> wrote:

> I recently noticed 2 strange "users" on your site,
> one of them storing a 
> lot of evil scripts containing the words "Balkan
> Crew", the other one 
> posting some files of type ".gif.exe" and so on...

Ok I just looked and "anncy" definitely uploaded some
Windows executables into their Uploads folder.  I
don't think Linux will execute them, but they also
uploaded a .php.gif file which may or may not have
been called on by my server.  The contents are a huge
string of encoded characters preceded by:
eval(gzinflate(base64_decode(  ...so I can't read it
at the moment to see what it does.

WAIT.  Ok, now the user "testing" appears to have
uploaded the PHP/C99shell.B backdoor script as
reported by Microsoft OneCare.  How in the heck do the
powers that be let this stuff happen?  The authors of
PHP and MySQL have got to get their stuff together.

Also in one of these .php files is the word
"balcanCrew" in at least one place.  I have no clue
why that sticks out as something that means anything,
but it's there as you said.  It's a very long PHP
script that appears to attempt to probe and scan the
entire server or my hosting space for all sorts of

AND... the backdoor "Perl/Shellbot.S" was also just
detected in the same user's folder.  Alert level:

So I think it is clear that my choice to add the
Upload feature to the site via someone else's
supposedly secure module for PHP-Nuke was a bad idea.

The user "Greg" also uploaded a backdoor script.

Ok, I'm digging while I type, and here is the odd

3 different users' folders (the last 3 users to sign up
and/or access their Uploads folder) were either
created OR last accessed at 2:05am (server time) Nov
20.  They are "testing", "Randy", and "Greg", in order
of date/time.  The first and third users have
malicious scripts uploaded in their folders. The 2nd
user "Randy" has some CoCo Logo files in it... a dsk
image, etc.  Under WS_FTP95, a dir sorting by date of
Users shows 2:05am for the 3 users above.  I'm not
sure if this time means a last "touch" or "write" or a
"read".  Maybe a Linux expert can tell me what causes
an update of a directory date/time.

Under "Randy", one logo .zip file full of Windows .rtf
document files was uploaded at 13:31am, and the user
"testing" uploaded or called a malicious backdoor Perl
script at 13:33am, both on Nov 19.

Things that match are 1) The date, 2) the time of
folder access, 3) 2 seconds separating the time of
file access for the backdoor script and the Logo zip

If the IP addresses match for these 3 users either at
file access time or account creation, I'm not sure
what I'll do after that.  I pray that they do not.  It
*could* possibly mean that someone's computer is
infected?  Please at least let THIS be the case and
not something else?

Meanwhile, my family Thanksgiving was without one
person (me) because I had to drive all the way back to
Texas and stay indoors all day in a very quiet office
room trying to repair the damage done.  I've lost all
of my websites, all of my pending e-mail from Nov 20
to the minute the accounts were deleted, and now I've
got to find time to restore thousands of scripts,
several large databases that were backed up maybe a
month ago, over a weekend that was supposed to be
reserved for time off to spend with the family.


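An added example (not part of the original message, and not code from the site or from PHP-Nuke): a Python triage pass over an uploads tree that flags the patterns described in the post, namely executable extensions hidden in names such as `.gif.exe` and `.php.gif`, image files whose content is not an image, and the `eval(gzinflate(base64_decode(` wrapper. The extension list, the function names and the sample tree are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumed list: extensions that should not appear anywhere in an uploaded name.
ACTIVE_EXTS = {"php", "phtml", "pl", "cgi", "exe", "sh"}
IMAGE_MAGIC = {"gif": (b"GIF87a", b"GIF89a"), "png": (b"\x89PNG\r\n\x1a\n",), "jpg": (b"\xff\xd8\xff",)}
# The wrapper quoted in the message: eval(gzinflate(base64_decode(
PACKED_EVAL = re.compile(rb"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(", re.I)


def check_file(name, data):
    """Return the reasons an uploaded file looks suspicious (empty list if none)."""
    parts = name.lower().split(".")[1:]  # every extension, not only the last one
    reasons = ["active extension in name: ." + p for p in parts if p in ACTIVE_EXTS]
    magic = IMAGE_MAGIC.get(parts[-1]) if parts else None
    if magic and not data.startswith(magic):
        reasons.append("content does not match ." + parts[-1])
    if PACKED_EVAL.search(data):
        reasons.append("packed eval wrapper")
    return reasons


def triage(root):
    """Walk an uploads tree and map relative path -> reasons for each flagged file."""
    flagged = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            with path.open("rb") as fh:
                reasons = check_file(path.name, fh.read(1 << 20))  # first 1 MiB
            if reasons:
                flagged[path.relative_to(root).as_posix()] = reasons
    return flagged


def demo():
    """Scan a constructed uploads tree; file contents are harmless placeholders."""
    samples = {
        "userA/logo.gif": b"GIF89a" + b"\x00" * 16,
        "userA/notes.txt": b"plain text",
        "userB/pic.php.gif": b"<?php eval(gzinflate(base64_decode('AAAA'))); ?>",
        "userB/photo.gif.exe": b"MZ" + b"\x00" * 16,
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return triage(root)
```

A file that starts with a valid GIF header can still carry the wrapper further in, which is why the content check and the pattern check are reported separately.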