Macedonia Elite Hackers

My web hoster got hacked last night, not something to be proud of, by Macedonia Elite Hackers. Taking from my post here, they certainly did not cover their tracks:

[start]

Alright, here's my findings:

They uploaded da.php [file here] to the server, which had a lot of base64-encoded strings. I decoded the strings into files, which are downloadable here: [zip files]
http://www.hotlinkfiles.com/files/27...eyub/files.z_p
http://www.hotlinkfiles.com/files/27...yty/files2.z_p

pwdump2 and clearlogs are win32 executables, while phpproxy (PHP; which is Surrogafier), back_connect (Perl) and fi (Perl) are scripts. The rest are Linux executables; raptorchown is made by Marco Ivaldi. None of the code which they uploaded is theirs, and da.php is horribly inefficient.

When you encode stuff with base64, it's going to be 30% larger. Instead of having the base64 strings in da.php, they could have uploaded the strings to remote text files and called them when necessary.

Zlatko_su_91's email address is zlatko.1991@gmail.com, making him 18 (17?) by today's date. Also Serbian.

Mark023's ICQ address is 45448499. More here.

Most of the 'hackers' are from Serbia, even though they call themselves 'Macedonia Elite Hackers' (then again, the countries are right next to each other).

Another defaced site here; looking at the source, again not their code :/

They also tried to steal $200 [link here].

From other posts as well, looks like they started their adventure on Feb 17, 2009. [link1] [link2]
More to come...

[end]
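A small defensive check, added here as an example and not something from the original post: it scans PHP source for long base64 runs of the kind da.php carried, decodes them, and labels what they unpack into by their leading bytes. The sample file it runs against is constructed for the demonstration, with the code that would write the payloads out left out.

```python
import base64
import binascii
import re

# A run of base64 alphabet at least this long is worth decoding; shorter
# runs are usually ordinary identifiers, hashes or session tokens.
MIN_BLOB_LEN = 64
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_BLOB_LEN)

# Leading bytes for the kinds of payload the dropper carried.
SIGNATURES = (
    (b"MZ", "win32 executable"),
    (b"\x7fELF", "linux executable"),
    (b"#!/usr/bin/perl", "perl script"),
    (b"<?php", "php script"),
)


def classify(payload):
    """Label a decoded blob by its first bytes, or 'unknown' if nothing matches."""
    for magic, label in SIGNATURES:
        if payload.startswith(magic):
            return label
    return "unknown"


def find_embedded_payloads(source):
    """Return (offset, label, encoded_len, decoded_len) for each decodable blob."""
    hits = []
    for match in BASE64_RUN.finditer(source):
        blob = match.group(0)
        try:
            decoded = base64.b64decode(blob, validate=True)
        except binascii.Error:
            continue  # not real base64 (bad length or padding)
        hits.append((match.start(), classify(decoded), len(blob), len(decoded)))
    return hits


# Constructed stand-in for a dropper like da.php: three encoded payloads
# assigned to PHP variables (the code that would write them out is omitted).
FAKE_EXE = b"MZ" + b"\x90" * 70
FAKE_ELF = b"\x7fELF" + b"\x02" * 70
FAKE_PERL = b"#!/usr/bin/perl\nprint 'hi';\n" + b"#" * 44
SAMPLE_PHP = "<?php\n" + "".join(
    "$p%d = '%s';\n" % (i, base64.b64encode(p).decode())
    for i, p in enumerate((FAKE_EXE, FAKE_ELF, FAKE_PERL))
)

if __name__ == "__main__":
    for offset, label, enc, dec in find_embedded_payloads(SAMPLE_PHP):
        print("offset %5d: %-16s %4d bytes (%d encoded)" % (offset, label, dec, enc))
```

The encoded/decoded sizes it reports also show the base64 overhead directly (4 output characters per 3 input bytes).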


Yes, by doing a simple Google search I uncovered that much, and there's quite a bit more out there. Nonetheless, they're all script kiddies with obviously no experience whatsoever who take other people's code. I thought I'd make a post for people wanting to know more about this 'group'. My web hoster also has their IP, though an IP identifies a computer, not a person, which contradicts this.

All in all, this is just some somewhat new script kiddie group attempting to gain notoriety. Don't script kiddies know that they're despised for having no skill? Apparently not.

When I first started coding PHP scripts and such, I began with the basics, maybe even pseudocode, and security later. Now, security is number one above all. On the web, you can't trust anyone; that's why sanitizing inputs is so important. The same may not apply to a software application.

Some great links below.

http://www.addedbytes.com/php/writing-secure-php/

http://www.cgisecurity.com/lib/php-secure-coding.html

http://www.ibm.com/developerworks/opensource/library/os-php-secure-apps/index.html


In other non-related news...
I received a new server, an AMD Athlon 2200, which outperforms my other server (you can guess what my other servers are like then). At first, I was going to do a load balancing setup, but instead I converted my last webserver, leprechaun, to a database server. I'll have to get another NIC from somewhere to add to leprechaun so I can NIC-team them together.

Redundancy is a huge problem for my NFS server, kraken. Since it has no RAID whatsoever, if a hard drive fails, I'm fucked.
