We got hacked :-/
- u-he
- 30222 posts since 8 Aug, 2002 from Berlin
Some of u-he's sites were hacked by some clever idiot with what appears to be an exploit for an old PhpBB tonight.
I got most of it back up and running, but Uhniverse, Vst Source Code Archive, Caugui and Scripting will be gone forever. No problem with Uhniverse, because the new website will be up in a week or so. The other stuff was rarely frequented, so not too much a big deal. (They even defaced a testing site for the new stuff, but didn't find the actual construction area)
It would be great if someone could check if the downloads and all are working and virus- free. Logfiles indicate no serious harm, but better be cautious.
I'm just too knackered after sorting things... need sleep.
Thanks,
Urs
I got most of it back up and running, but Uhniverse, Vst Source Code Archive, Caugui and Scripting will be gone forever. No problem with Uhniverse, because the new website will be up in a week or so. The other stuff was rarely frequented, so not too much a big deal. (They even defaced a testing site for the new stuff, but didn't find the actual construction area)
It would be great if someone could check if the downloads and all are working and virus- free. Logfiles indicate no serious harm, but better be cautious.
I'm just too knackered after sorting things... need sleep.
Thanks,
Urs
Last edited by Urs on Mon Jun 13, 2011 1:00 pm, edited 1 time in total.
- u-he
- Topic Starter
- 30222 posts since 8 Aug, 2002 from Berlin
-
- Skunk Mod
- 21249 posts since 10 Jun, 2004 from Pony Pasture
This machine is fairly well armored. I'll give it a shot [edit: Windows versions; I can't virus-scan Mac stuff, only have a very old Mac] and let you know what happens. Very sorry to hear this.
Last edited by Meffy on Sat Jun 04, 2011 10:54 pm, edited 1 time in total.
- KVRAF
- 3878 posts since 28 Jun, 2009 from Wherever I lay my hat
Damn, really sorry to hear that. May the culprits' nuts fall off, their crops go stale and their tongues cleave to the roof of their mouth.
- u-he
- Topic Starter
- 30222 posts since 8 Aug, 2002 from Berlin
What they didn't know is that we have friends who speak their language. We actually have friends who live in their countryariston wrote:Damn, really sorry to hear that. May the culprits' nuts fall off, their crops go stale and their tongues cleave to the roof of their mouth.
-
- Skunk Mod
- 21249 posts since 10 Jun, 2004 from Pony Pasture
I downloaded these files:
Zebra25Winstaller.zip
ACE_1_0_Win.zip
Uhbik11Win.zip
MFM201Win.zip
FilterscapeVSTWin1.1.zip
FilterscapeManual.zip
FSVA_eco_vst.zip
Microsoft Security Essentials scan with the latest malware definitions finds nothing suspicious. Same with Spybot Search and Destroy, also with the latest definitions and whatnot.
Oops, I missed that the image for Triple Cheese was a link (the name isn't). Downloaded and tested, also no thread found in either scanner.
Zebra25Winstaller.zip
ACE_1_0_Win.zip
Uhbik11Win.zip
MFM201Win.zip
FilterscapeVSTWin1.1.zip
FilterscapeManual.zip
FSVA_eco_vst.zip
Microsoft Security Essentials scan with the latest malware definitions finds nothing suspicious. Same with Spybot Search and Destroy, also with the latest definitions and whatnot.
Oops, I missed that the image for Triple Cheese was a link (the name isn't). Downloaded and tested, also no thread found in either scanner.
-
- KVRAF
- 2685 posts since 14 Jul, 2005 from Australia
Urs, I suggest MD5 checksumming all your binaries against copies on your PC, would probably be the easiest way to determine with certainty that nothing has been tampered with.
Something like this will work on the server:
Good luck mate 
Something like this will work on the server:
Code: Select all
find . -name "*.zip" | xargs md5sum
Last edited by fgimian on Sun Jun 05, 2011 12:30 am, edited 1 time in total.
-
- Skunk Mod
- 21249 posts since 10 Jun, 2004 from Pony Pasture
Good thought, that. Fortunately I haven't deleted the downloads yet. Here are their MD5 checksums:
Code: Select all
16f4ffba9e8fba5fffd2dba3872ebbb6 *Zebra25Winstaller.zip
83cc0a6b24786de83a4ca16b77dfcf83 *ACE_1_0_Win.zip
e34ba037292ee07b9d151e4c30b71653 *Uhbik11Win.zip
a94b9aa33b12cb291678359b4dfbb2be *MFM201Win.zip
f8896f73cc522d8e09bb4385bcdd29e9 *FilterscapeVSTWin1.1.zip
6e338e78fdca991a18e687ea2bda6733 *FilterscapeManual.zip
cca5c775c56d54b975038f2bda5b1228 *FSVA_eco_vst.zip
706880d2ac71d0506454f25f496bcf92 *TripleCheeseWin.zip- u-he
- Topic Starter
- 30222 posts since 8 Aug, 2002 from Berlin
I'm pretty sure we're fine. They guy just collects defaced websites as trophys. He wouldn't dare anything more serious because his address is easily traced. You'd wonder why he even bothers to launch his attacks from different ip addresses when you can simply google his website and get a proper Whois. Call it FAIL I guess.
Goes to show though. Forgot to update one phpBB to 3.0.8 (or so) and *plop* there they go. The future website will have only 1 phpBB, and it'll be up to date at any time.
I'll try to check the checksums anyway. Tomorrow.
Thanks,
Urs
Goes to show though. Forgot to update one phpBB to 3.0.8 (or so) and *plop* there they go. The future website will have only 1 phpBB, and it'll be up to date at any time.
I'll try to check the checksums anyway. Tomorrow.
Thanks,
Urs
-
- KVRAF
- 2685 posts since 14 Jul, 2005 from Australia
Thanks Meffy 
I can at least confirm the 2 products I own which I downloaded a long time ago:
Unfortunately I never downloaded all the other binaries in the past 
Another idea is to check if any file has recently been modified on your server (especially PHP scripts .etc)
This will show you all files that have been modified in the last five days.
I can at least confirm the 2 products I own which I downloaded a long time ago:
Code: Select all
e34ba037292ee07b9d151e4c30b71653 *u-he Uhbik 1.1/Uhbik11Win.zip
16f4ffba9e8fba5fffd2dba3872ebbb6 *u-he Zebra 2.5/Zebra25Winstaller.zipAnother idea is to check if any file has recently been modified on your server (especially PHP scripts .etc)
Code: Select all
find . -type f -mtime -5- Banned
- 6129 posts since 9 Oct, 2007 from an inharmonious society
Sorry to hear about the hacking thing.
Makes me wanna learn how to protect against such things from happening.
I'm in the process of building a website now, and I'm contemplating getting the extra security features, which add a lot to the cost...unfortunately.
Makes me wanna learn how to protect against such things from happening.
I'm in the process of building a website now, and I'm contemplating getting the extra security features, which add a lot to the cost...unfortunately.
- KVRAF
- 4141 posts since 11 Aug, 2006 from Texas
Yep, verified I can't login to the PatchLib. Let me know when it's back up. Feel free to send me a new password and I'll use that too.Urs wrote:@Brian - ftp accounts will be back next week.
- u-he
- Topic Starter
- 30222 posts since 8 Aug, 2002 from Berlin
So after checking it out a bit further it seems they installed a little script that would let them replace index.html files with their "modified" version. It doesn't seem like they had any other intentions. Just collecting defacement trophys 
- KVRAF
- 37483 posts since 14 Sep, 2002 from In teh net
Go on WHOIS it then? Might as well out the twat - he doesn't deserve protectionUrs wrote:I'm pretty sure we're fine. They guy just collects defaced websites as trophys. He wouldn't dare anything more serious because his address is easily traced. You'd wonder why he even bothers to launch his attacks from different ip addresses when you can simply google his website and get a proper Whois. Call it FAIL I guess.
- u-he
- Topic Starter
- 30222 posts since 8 Aug, 2002 from Berlin
The guys have a radical and obviously antisemitic background. Just outing them might not be the right answer. I need to sleep over this, and I first need to sit down with a person who speaks their language and see what they are about.aMUSEd wrote:Go on WHOIS it then? Might as well out the twat - he doesn't deserve protection
