pouët.net

untergrund.net temporarily down

category: general [glöplog]
the elevated rights indeed is the 'ouch'. i've seen some defacements and trojans and shit over the years, but this is mean shit :)
On abandoned/no longer updated wordpress sites with potential historical interest:
Maybe it would be an idea to just do a recursive wget of sites no longer updated, and leave the flattened plain HTML site for archive purposes?

Do some kind of monthly scan and send out a "I see you haven't interacted with your account for x months now, so unless you do something about that we'll just flatten your site and keep it around as a relic" mail, and then just "auto-archive" it if no reply is sent within y days?
added on the 2014-03-01 11:08:10 by lug00ber lug00ber
You know a tool to do that ?
Yep, the abandoned accounts that still have useful historical content sure are a problem. The most extreme example for example is Crest's website - a really nice site, but he surely won't return from his grave to update it.

Also, as we are talking about 500+ accounts here I won't have the time to manually check each and every of them - only things that I can automate will be an option.

But first of all we need to find the privilege escalation problem and fix it.
added on the 2014-03-01 13:12:06 by scamp scamp
To scamp:

In addition to what I have said in the personal conversation, here is some additional information that might be useful.

I have installed the Wordpress at summer last year. At Sept 21 I've gotten 3 strange comments from simulated facebook users:

Author : Santhosh (IP: 94.23.238.222 , ns308698.ovh.net)
E-mail : sk**[email protected]
URL : http://www.facebook.com/profile.php?id=100003444657***
Whois : http://whois.arin.net/rest/ip/94.23.238.222
Comment:
Hi, this is a comment.To detele a comment, just log in and view the post's comments. There you will have the option to edit or detele them.VA:F [1.9.12_1141]please wait...VA:F [1.9.12_1141](from 0 votes)

Author : Anamarija (IP: 146.228.112.136 , 146.228.112.136)
E-mail : p**[email protected]
URL : http://www.facebook.com/profile.php?id=100003444596***
Whois : http://whois.arin.net/rest/ip/146.228.112.136
Comment:
This is exactly what I was looking for. Thanks for wrntgii!

Author : Suzane (IP: 76.74.157.22 , utility1.gpshopper.com)
E-mail : q.le**[email protected]
URL : http://www.facebook.com/profile.php?id=100003445045***
Whois : http://whois.arin.net/rest/ip/76.74.157.22
Comment:
Why would I want to delete such a great coemmnt. This coemmnt really adds value to the blog which shows you how little value you can find here

I have hidden some personal details, because all of the facebook profiles are real and the author's names correspond to the names in fb's accounts.
Obviousely, this were not "commercial" bot posts.
Very looked to me like some "crackers" were trying something. I forgot about this accident already and today recognized it and thought of letting you know.

Hope to see the site back live soon and hear that you figured out all the intrusion process.
added on the 2014-03-01 16:37:58 by b0tm1nd b0tm1nd
there are tons of spam comment like that on WP. as if it was up to date. As Akismet and anti-spam plugins sometime let it forget some false positif :(

Anyway, as i've probably managed 15 Wordpress website on different servers, i could have reported a huge of spam and attack since october. and the most attacked are the most used and not the older one. Spam comment are more intersting on often use website, and hack like what we have here are spotting whole to exploit.

Anyway, updating a WP instance was not easy. in one year WP passed from 3.3 to 3.8 and each version was diffrents and non always compatible with theme or plugins used. So it was always possible to update a WP wihtout losing some stuff...

i'm waitin' news about all of that ; )
We have found the WP installation all this has started from.

All outdated WP installations will be converted into static HTML, afterwards the outdated WP will be deleted.
added on the 2014-03-01 22:13:44 by scamp scamp
ETA from now is about 18 hours. So untergrund.net should be back tomorrow evening.
added on the 2014-03-01 22:14:37 by scamp scamp
One again, thanks for your free scene service, and I while it would be easy to provide the service and then forget about it, you guys pro-actively maintain it and offer fast fixes when there are any problems. You guys are admirable and you have my full respect and thanks. Thank you.
added on the 2014-03-01 22:49:06 by keito keito
BB Image

What keito said.
added on the 2014-03-01 23:45:40 by ham ham
"You guys are admirable and you have my full respect and thanks. Thank you."

+1 !! I never be able to share my music so easily without that help ;)
these are pretty bad news to hear but also it is really good to know that you guys have found out and fixed the issue :) also what keito said.
added on the 2014-03-02 11:17:13 by Defiance Defiance
thank you :)
added on the 2014-03-02 12:27:26 by scamp scamp
good news :)
effing spammer scum
added on the 2014-03-02 12:52:57 by laz33rr laz33rr
Nice to hear that untergrund.net is getting fixed and will be available again. I really appreciate the effort.

Since free webspace without any ads is rare - is there some way to support with donations?
added on the 2014-03-02 17:15:01 by kwe kwe
Thank you, no need for donations. untergrund.net is MY donation to the demoscene ;)
added on the 2014-03-02 18:46:23 by scamp scamp
BB Image

And what Keito said! :)
added on the 2014-03-02 18:50:57 by StingRay StingRay
The best way to support is to make a demo about it!
rofl. where to put demo?
added on the 2014-03-02 18:59:20 by g0blinish g0blinish
Hi,

it took us 2 days, but now the system is fully cleaned up. The following
changes have been made:

- Some infected and abandonded accounts have been removed

- In some cases, we were able to convert infected wordpress
installations to plan HTML. In many cases, we had to completele
delete the installation.

If your WP installation is still there, update it NOW and keep
it updated in future. In future all outdated WP installations will
be deleted on sight.

- Some users had adminer installed, which is exploitable. Please do
not upload adminer or comperable tools. Use
https://phpmyadmin.untergrund.net instead.

- Some users had PHP shells, exploit tools etc installed. Any kind
of such tool on your account will get your account nuked.

We have also tightened security in a lot of areas. This may cause
certain PHP scripts to no longer run. We therefore recommend all users
to check if their websites are still working properly.

A big thank you to masta for his assistance in cleaning up the
system.

Cheers,

scamp
added on the 2014-03-02 20:45:31 by scamp scamp
Hurrah! Thanks again for all the great work. You're awesome.
added on the 2014-03-02 20:54:35 by ham ham
THANK YOU! ;o)
added on the 2014-03-02 20:56:29 by jack-3d jack-3d
Thank you very much Scamp.

I am glad Luis moved our site onto untergrund.

login