


Ickie
October 19th, 2008, 11:45
We Have Been Hacked
I may need to reload the forums from scratch.
They only barely work, so I will leave them on till I find the back door and lock it.

Squiffy
October 19th, 2008, 11:57
Crud! I thought something was up when I saw the parse error message. Good luck. Silly little blighters!

:icon31:

hey_moe
October 19th, 2008, 12:07
Good catch Ron:applause:

hey_moe
October 19th, 2008, 12:07
Good catch Ron

gosd
October 19th, 2008, 12:08
GOOD LUCK and GOD SPEED!!!

hews500d
October 19th, 2008, 12:18
just imagine what people could accomplish if the little #*$&%* worked as hard at an honest job as they did trying to hack into sites and create troubles. :angryfir:

Darrell

Rami
October 19th, 2008, 12:19
Jerks....:angryfir:

pachi
October 19th, 2008, 12:29
aww man terrible news

Trans_23
October 19th, 2008, 12:36
Good thing my post count is still low. :costumes:

Ickie
October 19th, 2008, 12:40
It's going to be an all-nighter.
Glad I refilled the nitro pills.

ronnybengt
October 19th, 2008, 12:55
JINX

:banghead:

R

ronnybengt
October 19th, 2008, 12:56
jinx

R

RedTuna
October 19th, 2008, 13:06
I'm not sure if it's related or just a coincidence, but I tried to download a CFS3 file at about 3:38. Got a weird error. But Norton kicked in and blocked Bloodhound.Exploit.196.

http://securityresponse.symantec.com/security_response/writeup.jsp?docid=2008-080702-2357-99&tabid=2

Railrunner130
October 19th, 2008, 13:15
Many thanks for your dedication to keeping us going Ickie!

Ickie
October 19th, 2008, 18:00
These butt holes placed code on 3000+ pages, and CK and I had to edit it all out.
The code did not work; it was in HTML and we use PHP.
But still it gave us errorssss.

I am now cross-eyed from all those hours editing code.

I have a company looking into how they got in and they are plugging the hole.

That's my story and I am sticking to it.

mike_cyul
October 19th, 2008, 18:10
Thanks Ickie & Co. for all the hard work. That others think it's fun to waste so much of others time is just unbelievable.

Mike

writer301
October 19th, 2008, 18:13
These butt holes placed code on 3000+ pages, and CK and I had to edit it all out.
The code did not work; it was in HTML and we use PHP.
But still it gave us errorssss.

I am now cross-eyed from all those hours editing code.

I have a company looking into how they got in and they are plugging the hole.

That's my story and I am sticking to it.

Thanks for your dedication ... :ernae:

Lionheart
October 19th, 2008, 18:23
This is a form of terrorism and I think that when these people are caught, they should be treated as terrorists.

Sorry Ickie that they keep you guys busy so much with repairing their damages. I hope they get caught big time and I hope the USA and Interpol start crushing these freaks for these terroristic attacks....


Bill

Ickie
October 19th, 2008, 18:25
yeah right when they get caught they get a job at M$

tenspeed
October 19th, 2008, 18:30
yeah right when they get caught they get a job at M$

Or the U.S. Government

Ickie
October 19th, 2008, 19:14
Here is the IP: 216.240.150.178

Ickie
October 19th, 2008, 19:19
Here is where he is from:
Kansas

gigabyte
October 19th, 2008, 19:23
Thanks for all your efforts Ickie (and every one of the Admins). I can appreciate your pain; I administer a Hard of Hearing forum and we were hit a few months ago. I do truly wish the RACK was still in use for some offenses...

Best of luck, and keep the caffeine flowing.

PeteHam
October 19th, 2008, 20:20
Thanks Ickie and others who helped clean up this latest attack on this forum. :ernae:

Public flogging should be mandatory for the little swine when they're caught.

Pete.

txnetcop
October 20th, 2008, 02:18
Results for 216.240.150.178 (http://www.216.240.150.178/):

Registrar: American Registry for Internet Numbers (ARIN)
IP Address: 216.240.150.178 (http://www.coolwhois.com/d/216.240.150.178)

Whois results from whois.arin.net:
OrgName: ATMLINK, INC.
OrgID: ATMLIN
Address: 600 W. 7th Street
Address: Suite 360
City: Los Angeles
StateProv: CA
PostalCode: 90017
Country: US

NetRange: 216.240.128.0 (http://www.coolwhois.com/d/216.240.128.0) - 216.240.159.255 (http://www.coolwhois.com/d/216.240.159.255)
CIDR: 216.240.128.0 (http://www.coolwhois.com/d/216.240.128.0)/19
NetName: C-COMMUNICATIONS
NetHandle: NET-216-240-128-0-1
Parent: NET-216-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.CALPOP.COM (http://www.coolwhois.com/d/NS1.CALPOP.COM)
NameServer: NS2.CALPOP.COM (http://www.coolwhois.com/d/NS2.CALPOP.COM)
Comment:
RegDate: 1999-09-22
Updated: 2006-03-30

OrgAbuseHandle: NOC1610-ARIN
OrgAbuseName: Network Operations Center
OrgAbusePhone: +1-213-627-1937
OrgAbuseEmail: noc@atmlinkinc.com

OrgNOCHandle: KJO26-ARIN
OrgNOCName: Joostens, Ken
OrgNOCPhone: +1-213-627-1937
OrgNOCEmail: ken@calpop.com

OrgTechHandle: NOC1610-ARIN
OrgTechName: Network Operations Center
OrgTechPhone: +1-213-627-1937
OrgTechEmail: noc@atmlinkinc.com

# ARIN WHOIS database, last updated 2008-10-19 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
URL to this Cached Result: http://coolwhois.com/d/216.240.150.178/20081020101753

hey_moe
October 20th, 2008, 02:35
Is there any way we can get his address and pay him a visit with a 357? :rocket:

exc141ac
October 20th, 2008, 04:00
Assuming his (her, their) info was real, right?

So sorry --
lots of trash on the web lately.
A real shame.

Thank you for your dedication indeed!

flyboyhunt05
October 20th, 2008, 05:04
Good catch Ickie! Hope he didn't do too much damage.

Crusader
October 20th, 2008, 06:03
Maybe, as someone else suggested here at SOH, we tie wire around his family jewels as he is standing on a block of ice in a warm room. Maybe I would add a little "Water Boarding" after that. I hope the legal system quits slapping these little bast--ds' hands and starts getting tougher. It makes no sense whatsoever, :banghead::banghead: what they hope to accomplish other than pure mischief and creating a lot of hard work for others.

brian1305
October 20th, 2008, 08:51
Great work catching this Ickie!!

Think a "lynch mob" is in order for this little :censored:!!

Dangerousdave26
October 20th, 2008, 08:59
Folks, try to remember that History repeats itself....

With that in mind does anyone Remember Kansas Bloody Kansas :d

Kansas is close to Oklahoma which is right on the Border of Texas. The place where the "He needed Killin Law" still is in place.

To temper things (this kind of talk)

Actions of these types are best left to the Authorities. No good can come of taking the law into your own hands.

brad kaste
October 20th, 2008, 10:20
...The way I see it, unfortunately,....it's the sign of our times. Some knucklehead wants to get his jollies by messing with something he can't even relate to. But it makes him satisfied he's brought grief to the SOH web site.

Dangerousdave26
October 20th, 2008, 11:21
For the life of me I don't understand why any hacker would attack a publicly supported site that is FREE. A site which, without volunteers and contributors, would not exist, and which never made a penny in its history.
:isadizzy:

CK it is very obvious why they would want to attack this type of site. Look at the traffic here. They stand a great chance of spreading their code (that was whatever to do whatever). If not for the diligence of the security staff they could have infected hundreds of people in a short amount of time.

Skywolf
October 20th, 2008, 11:43
El dorado CO?

Ickie
October 20th, 2008, 11:49
It was winders server code; we are Linux, so the big bang didn't happen. It just made our pages not work at all.
It was in HTML, and when a person clicks on the page it's supposed to take them to a website where a trojan will get them.
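
The clean-up Ickie describes (finding markup that was appended to thousands of PHP pages and points visitors at another host) is the kind of job a short scanner does faster than hand editing. The script below is an added example, not code from the thread or from the forum's software: it walks a directory of PHP/HTML files, reports every `<iframe>` or `<script>` whose `src` points at a host outside an allowlist, and can strip those tags. The allowlist, the sample page and the `trojan-host.invalid` name are constructed for the example; the real site would put its own domains in `ALLOWED_HOSTS`.

```python
import os
import re
import sys
from urllib.parse import urlparse

# Hosts the site legitimately loads content from (assumption for this example;
# replace with the forum's own domains before running it on real files).
ALLOWED_HOSTS = {"www.sim-outhouse.com", "sim-outhouse.com"}

# Constructed sample: a template with one legitimate script and one injected,
# invisible iframe of the kind described in the thread (pointing at a made-up host).
SAMPLE_PAGE = """<?php
// forum template (constructed for this example)
echo "<html><body>";
?>
<script src="http://www.sim-outhouse.com/js/forum.js"></script>
<p>Welcome to the forums</p>
<iframe src="http://trojan-host.invalid/load.php" width="0" height="0" style="display:none"></iframe>
</body></html>
"""

# Matches <iframe ...src=...> / <script ...src=...> plus the closing tag if present.
TAG_RE = re.compile(
    r'<(?P<tag>iframe|script)\b[^>]*?\bsrc\s*=\s*["\']?(?P<src>[^"\'\s>]+)[^>]*>'
    r'(?:.*?</(?P=tag)\s*>)?',
    re.IGNORECASE | re.DOTALL,
)


def _external_host(src, allowed_hosts):
    """Return the lowercase host of src if it is outside the allowlist, else None.
    Relative URLs have no host and are never flagged."""
    host = urlparse(src).hostname
    if host and host.lower() not in allowed_hosts:
        return host.lower()
    return None


def find_injected_markup(text, allowed_hosts=ALLOWED_HOSTS):
    """Return (line_number, tag, host) for each iframe/script loading from an external host."""
    findings = []
    for m in TAG_RE.finditer(text):
        host = _external_host(m.group("src"), allowed_hosts)
        if host:
            line_no = text.count("\n", 0, m.start()) + 1
            findings.append((line_no, m.group("tag").lower(), host))
    return findings


def strip_injected_markup(text, allowed_hosts=ALLOWED_HOSTS):
    """Return (cleaned_text, number_of_tags_removed); allowed tags are left untouched."""
    removed = 0

    def repl(m):
        nonlocal removed
        if _external_host(m.group("src"), allowed_hosts):
            removed += 1
            return ""
        return m.group(0)

    return TAG_RE.sub(repl, text), removed


if __name__ == "__main__":
    # Usage: python scan_injected.py /path/to/webroot   (report only, no changes written)
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith((".php", ".html", ".htm", ".tpl")):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for line_no, tag, host in find_injected_markup(fh.read()):
                        print(f"{path}:{line_no}: <{tag}> loads from {host}")
```

Run it in report mode first and review the hosts it lists; a legitimate third-party script that is missing from the allowlist will show up too, and that is the moment to add it rather than strip it. Only after the list looks right does writing back the output of `strip_injected_markup` make sense, ideally on a copy, since the injected markup is also evidence for whoever investigates the break-in.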

ckissling
October 20th, 2008, 13:04
Ickie,
You have all the information you need to turn over to the FBI. If you do
not call them, he may be back with something even WORSE and be doing it to others. MAKE the call.
ckissling

BASys
October 20th, 2008, 16:12
Hi Folks

It's probably not as simple as that,
as they're not that dumb.

The IP most likely only indicates the last hop in the route.
i.e.
either part of a botnet
or through a compromised server.

From the access logs I see,
within the space of a couple of seconds,
they access from multiple IPs
located all over the world.

The website hosting the trojan
wouldn't even be aware it was there.



HTH
ATB
Paul
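
What Paul describes, many unrelated IPs hitting the same page within a couple of seconds, is easy to pick out of an access log automatically, and it is the pattern that separates a botnet or relayed attack from one person at one address. The script below is an added example, not code from the thread: it parses Apache-style combined log lines and reports any path that was requested from at least `min_ips` distinct addresses inside a `window_seconds` window. The log lines are constructed for the example (documentation addresses, made-up paths), not the forum's real logs.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (Apache combined format). Four different addresses
# post to the same script within two seconds, then ordinary browsing follows.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Oct/2008:03:37:58 -0500] "POST /forums/newreply.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.23 - - [19/Oct/2008:03:37:59 -0500] "POST /forums/newreply.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
192.0.2.45 - - [19/Oct/2008:03:38:00 -0500] "POST /forums/newreply.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.99 - - [19/Oct/2008:03:38:00 -0500] "POST /forums/newreply.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.5 - - [19/Oct/2008:03:41:10 -0500] "GET /forums/index.php HTTP/1.1" 200 9031 "-" "Mozilla/5.0"
198.51.100.5 - - [19/Oct/2008:03:41:11 -0500] "GET /forums/showthread.php?t=1 HTTP/1.1" 200 12033 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Oct/2008:03:45:02 -0500] "GET /forums/index.php HTTP/1.1" 200 9031 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def find_distributed_bursts(log_text, window_seconds=2, min_ips=3):
    """Return (path, sorted_ip_list) for every path requested by at least
    min_ips distinct addresses within window_seconds of each other."""
    by_path = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_path[rec["path"]].append((rec["ts"], rec["ip"]))

    bursts = []
    for path, hits in by_path.items():
        hits.sort()  # chronological; each hit opens a candidate window
        for i, (t0, _) in enumerate(hits):
            window_ips = {ip for t, ip in hits[i:] if (t - t0).total_seconds() <= window_seconds}
            if len(window_ips) >= min_ips:
                bursts.append((path, sorted(window_ips)))
                break  # one report per path is enough
    return bursts


if __name__ == "__main__":
    for path, ips in find_distributed_bursts(SAMPLE_LOG):
        print(f"{path}: {len(ips)} distinct IPs within 2s: {', '.join(ips)}")
```

On a real log, feed the file contents in place of `SAMPLE_LOG` and tune `window_seconds` and `min_ips` to the site's normal traffic; a busy front page will legitimately see several addresses per second, so the interesting hits are bursts against scripts that ordinary visitors rarely request together. The full list of addresses, not just the last one seen, is what belongs in an abuse report.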

David_L6
October 20th, 2008, 16:13
IP Address: 216.240.150.178
City: LOS ANGELES
State or Region: CALIFORNIA
Country: UNITED STATES
ISP: ATMLINK INC.

Country Code: US
Country: United States
Region Code: USCA
Region: California
City Code: USCALANG
City: Los Angeles
CityId: 7275
Certainty: 93
Latitude: 34.0452
Longitude: -118.2840
Capital City: Washington, DC
TimeZone: -08:00
Nationality Singular: American
Population: 278058881
Nationality Plural: Americans
Is proxy: false
CIA Map Reference: North America
Currency: US Dollar
Currency Code: USD
Distance to Nearby Cities (km, mi, City, Region, Country): 0 0 Los Angeles, CA, US, 9 5 Florence, CA, US, 10 6 Huntington Park, CA, US ...

216.240.150.178
Record Type: IP Address

OrgName: ATMLINK, INC.
OrgID: ATMLIN
Address: 600 W. 7th Street
Address: Suite 360
City: Los Angeles
StateProv: CA
PostalCode: 90017
Country: US

NetRange: 216.240.128.0 - 216.240.159.255
CIDR: 216.240.128.0/19
NetName: C-COMMUNICATIONS
NetHandle: NET-216-240-128-0-1
Parent: NET-216-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.CALPOP.COM
NameServer: NS2.CALPOP.COM
Comment:
RegDate: 1999-09-22
Updated: 2006-03-30

OrgAbuseHandle: NOC1610-ARIN
OrgAbuseName: Network Operations Center
OrgAbusePhone: +1-213-627-1937
OrgAbuseEmail: noc@atmlinkinc.com

OrgNOCHandle: KJO26-ARIN
OrgNOCName: Joostens, Ken
OrgNOCPhone: +1-213-627-1937
OrgNOCEmail: ken@calpop.com

OrgTechHandle: NOC1610-ARIN
OrgTechName: Network Operations Center
OrgTechPhone: +1-213-627-1937
OrgTechEmail: noc@atmlinkinc.com

quantumleap
October 20th, 2008, 18:54
Before you all go and lynch the wrong person, make sure that you understand the results of the information from ARIN. This Ken Joostens is the network operations contact for ATMLINK Inc., and they have an extensive range of IP addresses of which the one listed in the thread happens to be in.

You therefore need to send email to noc@atmlinkinc.com identifying the IP address from which the attack originated, details of the logs to identify dates/times and any more details (down to a protocol level if possible), and then let them do their job.

Also, do not be quick to believe that it was necessarily a targeted attack. Many of the exploits out there are just scripts which copy themselves around to vulnerable sites which they find at random by picking IP addresses. The machines which sometimes run the attacks were themselves exploited by a virus/malware, and the users are totally unaware that their machine has been compromised and is doing work for the virus/malware developer.

Jeff
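
Jeff's point is that the whois record names an organisation's abuse desk, not the attacker, and that the right move is a report to that desk with the IP, the log evidence and the dates. The script below is an added example, not code from the thread: it parses the `Key: Value` format ARIN returns (as pasted earlier in this thread), confirms the reported IP actually falls inside the record's CIDR so the report does not go to the wrong network, picks the abuse mailbox (falling back to the NOC contact), and assembles the report text. The whois record, addresses and log line in it are constructed placeholders, not the real record above.

```python
import ipaddress
from collections import defaultdict

# Constructed whois record in ARIN's layout (placeholder organisation and
# documentation-range addresses; not the record pasted earlier in the thread).
SAMPLE_WHOIS = """\
OrgName: Example Hosting, Inc.
OrgID: EXAMPL
Address: 1 Example Way
Address: Suite 100
City: Anytown
StateProv: CA
Country: US

NetRange: 198.51.100.0 - 198.51.100.255
CIDR: 198.51.100.0/24
NetName: EXAMPLE-NET
NetType: Direct Allocation

OrgAbuseHandle: ABUSE1-ARIN
OrgAbuseName: Abuse Desk
OrgAbusePhone: +1-555-0100
OrgAbuseEmail: abuse@example.net

OrgNOCHandle: NOC1-ARIN
OrgNOCName: Network Operations Center
OrgNOCEmail: noc@example.net

# ARIN WHOIS database, last updated 2008-10-19 19:10
"""


def parse_whois(text):
    """Parse 'Key: Value' lines into {key: [values]}; keys such as Address repeat."""
    record = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and ARIN's trailing comments
        key, sep, value = line.partition(":")
        if sep:
            record[key.strip()].append(value.strip())
    return dict(record)


def ip_in_record(record, ip):
    """True if ip lies inside the record's CIDR allocation."""
    cidr = record.get("CIDR", [None])[0]
    if cidr is None:
        return False
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def abuse_contact(record):
    """Prefer the dedicated abuse mailbox; fall back to NOC, then technical contact."""
    for key in ("OrgAbuseEmail", "OrgNOCEmail", "OrgTechEmail"):
        if record.get(key):
            return record[key][0]
    return None


def build_abuse_report(record, ip, site, log_lines):
    """Return the text of an abuse report; refuses if ip is outside the record's range."""
    if not ip_in_record(record, ip):
        raise ValueError(f"{ip} is not within {record.get('CIDR')}; re-run whois on the IP before reporting")
    to = abuse_contact(record)
    if to is None:
        raise ValueError("record has no abuse, NOC or technical e-mail contact")
    lines = [
        f"To: {to}",
        f"Subject: Abuse report: {ip} ({record['NetName'][0]}) against {site}",
        "",
        f"The host {ip}, allocated to {record['OrgName'][0]} ({record['CIDR'][0]}),",
        f"injected markup into pages on {site}. Relevant access-log entries follow;",
        "timestamps are as logged on the server (timezone shown in each line).",
        "",
        *log_lines,
        "",
        "The host may itself be compromised. Please investigate and let us know the outcome.",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    rec = parse_whois(SAMPLE_WHOIS)
    evidence = ['198.51.100.23 - - [19/Oct/2008:03:38:00 -0500] "POST /forums/newreply.php HTTP/1.1" 200 512']
    print(build_abuse_report(rec, "198.51.100.23", "forums.example.org", evidence))
```

The range check is the part worth keeping even if everything else is rewritten: whois answers for the IP you asked about, and a report that quotes a different address (a typo, or a second attacker IP from the same burst) will go to whoever holds that other block. Keep the log excerpt verbatim, with the server's timezone, so the provider can match it against their own records.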

Skywolf
October 20th, 2008, 20:06
I'm tempted to send ken@calpop.com an e-mail.