SiteSeal-Developer
Posted May 29, 2011

Dear WHMCS Users,

To all of you out there, be aware of this hacker group who go by the name of "unkn0wn". I mean, there isn't a way of tracking a hacker really, as you know they use a proxy to launch their attacks. Anyhow, thought I would let you know the IP they used was from 31.9.10.88, and they upload a file called "unkn0wn.txt". The content of the file is as follows:

########################
#                      #
#  hacked by unkn0wn   #
#                      #
#     f.k@live.com     #
#                      #
########################

I have reported it to cPanel to see if they are aware of a security floor. Once I have further info on this I will come back and post my findings.

Warmest Regards

Nathanael
Posted May 30, 2011

It's not a cPanel or WHMCS security flaw; they used some poorly coded script in your hosting to upload files. Update your hosting software (Joomla, WordPress, and so on) and check the Apache access log files to find a clue about how they could upload files.
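
One way to carry out the access-log check suggested above, as an added example that is not part of the original thread: it lists successful POST/PUT requests made before the dropped file was first served, by the reported IP or by any client that requested the file. Only the IP and the file name come from the thread; the sample log lines, the upload path and the function names are constructed, and the code assumes Apache's combined log format with entries in chronological order.

```python
import re

# Apache "combined" format: host ident user [time] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

SUSPECT_IP = "31.9.10.88"     # IP reported in the thread
DROPPED_FILE = "unkn0wn.txt"  # file name reported in the thread

# Constructed sample lines (not real logs); paths, times and other IPs are made up.
SAMPLE_LOG = """\
198.51.100.7 - - [29/May/2011:10:01:12 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
31.9.10.88 - - [29/May/2011:10:02:40 +0000] "GET /blog/ HTTP/1.1" 200 8344 "-" "Mozilla/5.0"
31.9.10.88 - - [29/May/2011:10:03:05 +0000] "POST /blog/example-plugin/upload.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
31.9.10.88 - - [29/May/2011:10:03:09 +0000] "GET /blog/uploads/unkn0wn.txt HTTP/1.1" 200 187 "-" "Mozilla/5.0"
203.0.113.20 - - [29/May/2011:10:05:00 +0000] "GET /blog/uploads/unkn0wn.txt HTTP/1.1" 200 187 "-" "curl/7.21"
203.0.113.20 - - [29/May/2011:10:06:00 +0000] "POST /contact.php HTTP/1.1" 200 90 "-" "Mozilla/5.0"
"""

def parse(log_text):
    """Parse log lines into dicts, skipping lines that do not match the format."""
    return [m.groupdict() for m in map(LOG_RE.match, log_text.splitlines()) if m]

def find_upload_candidates(log_text, ip=SUSPECT_IP, marker=DROPPED_FILE):
    """Return (time, host, path) of write requests that preceded the dropped file."""
    entries = parse(log_text)
    # The upload must have happened before the file was first served successfully.
    first_hit = next((i for i, e in enumerate(entries)
                      if marker in e["path"] and e["status"].startswith("2")),
                     len(entries))
    # Clients of interest: the reported IP plus anyone who requested the file.
    clients = {ip} | {e["host"] for e in entries if marker in e["path"]}
    return [(e["time"], e["host"], e["path"]) for e in entries[:first_hit]
            if e["host"] in clients and e["method"] in ("POST", "PUT")
            and e["status"][0] in "23"]

if __name__ == "__main__":
    for hit in find_upload_candidates(SAMPLE_LOG):
        print(*hit)
```

The script named in the surviving request is the one to patch or remove; requests logged after the file first appears are excluded because they cannot have created it.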

merlinpa1969
Posted May 30, 2011

A quick Google search would show you that it's a WordPress issue.

easyhosting
Posted May 30, 2011

> Dear WHMCS Users,
>
> To all of you out there, be aware of this hacker group who go by the name of "unkn0wn". I mean, there isn't a way of tracking a hacker really, as you know they use a proxy to launch their attacks. Anyhow, thought I would let you know the IP they used was from 31.9.10.88, and they upload a file called "unkn0wn.txt". The content of the file is as follows:
>
> ########################
> #                      #
> #  hacked by unkn0wn   #
> #                      #
> #     f.k@live.com     #
> #                      #
> ########################
>
> I have reported it to cPanel to see if they are aware of a security floor. Once I have further info on this I will come back and post my findings.
>
> Warmest Regards

Simple solution: remove the file and then do a whois search of the IP

http://whois.domaintools.com/31.9.10.88

which gives you this:

organisation: ORG-STE1-RIPE
org-name: Syrian Telecommunications Establishment
org-type: LIR
address: Syrian Telecommunication Establishment Mezzeh Autostard Fayez Mansour St. P.O.Box: 35108 Damascus SYRIAN ARAB REPUBLIC
phone: +963 11 4462560
fax-no: +963 11 373 9765
e-mail:

and also

NetRange: 31.0.0.0 - 31.255.255.255
CIDR: 31.0.0.0/8

So go into your server firewall and block the NetRange and CIDR.

SiteSeal-Developer (Author)
Posted May 30, 2011

> Simple solution: remove the file and then do a whois search of the IP
>
> http://whois.domaintools.com/31.9.10.88
>
> which gives you this:
>
> organisation: ORG-STE1-RIPE
> org-name: Syrian Telecommunications Establishment
> org-type: LIR
> address: Syrian Telecommunication Establishment Mezzeh Autostard Fayez Mansour St. P.O.Box: 35108 Damascus SYRIAN ARAB REPUBLIC
> phone: +963 11 4462560
> fax-no: +963 11 373 9765
> e-mail:
>
> and also
>
> NetRange: 31.0.0.0 - 31.255.255.255
> CIDR: 31.0.0.0/8
>
> So go into your server firewall and block the NetRange and CIDR.

Thanks for this advice, although I took these steps as soon as the hack attempt was identified.

SiteSeal-Developer (Author)
Posted May 30, 2011

> It's not a cPanel or WHMCS security flaw; they used some poorly coded script in your hosting to upload files. Update your hosting software (Joomla, WordPress, and so on) and check the Apache access log files to find a clue about how they could upload files.

I have emailed my customers and asked them to check their chosen CMS software vendor's website for possible security floors in their scripts. So I hope this won't happen in the future.

bear
Posted June 2, 2011

> ...possible security floors

Not "floors", but "flaws". The two are quite different.

nexthost
Posted June 7, 2011 (edited June 7, 2011 by nexthost)

I know this group; they copied their entire forum from my own. I got their website shut down a few months ago.

It's http://unkn0wn.eu and they used to own http://unkn0wn.ws

They are a bunch of script kiddies that do SQL injection. They didn't hack your site just in general; they did a massive SQLI on thousands of other sites. Most likely a 0day exploit for WP.

easyhosting
Posted June 7, 2011

> I know this group; they copied their entire forum from my own. I got their website shut down a few months ago.
>
> It's http://unkn0wn.eu and they used to own http://unkn0wn.ws
>
> They are a bunch of script kiddies that do SQL injection. They didn't hack your site just in general; they did a massive SQLI on thousands of other sites. Most likely a 0day exploit for WP.

http://unkn0wn.ws/ is currently parked with http://www.dynadot.com