The Story of Totse

Dfg Admin
edited March 2011 in Help and Suggestions
If you are living under a rock or were killing babies you might not have noticed, but Totse just barely escaped from a shit storm. If you read my Totse Status update file you would know our old host was hacked and the new host we went to was hacked as well.

The hackers used a script called r57shell to exploit Totse. Once they raped Joomla they got control over the server and used that script to access Totse. Now, for some reason I couldn't figure out how the fuck they did it, mainly because those script files were removed by the attackers, leaving me clueless.

So, after giving up on the new server we moved back and hellish kindly gave me access to the server. When I checked the directories it was a mess [it still is]. But there were some pages missing here as well. So, when I uploaded the faq.php I saw the r57shell script. I showed it to everyone in IRC. So, like always, I deleted the file and uploaded again.

The script came back again, so I just deleted it and went on to clean the server and start organizing stuff. The DB and Totse started fucking up again, and at this moment I was [still am] in contact with the host. I told them about this exploit and they offered a complete restore. I told them to hold it until we have no option left.

I then talked to oddballz194 via IRC and asked them about this exploit. oddballz194, being my dear friend, helped me out; we talked about certain methods in which an attacker would exploit Totse, and the most obvious was via CMS. And the second one was via DB. In short, the attacker used the script thanks to Joomla and then uploaded the code in base64 into the vBulletin DB. And it gave the execution path of faq.php. Meaning whenever faq.php was called the exploit would get executed. So no matter how many servers we switch, the exploit will remain there.

I found the exploit after some queries in DB and finally fixed the problem. Now, we're not done yet but at least it's a good fucking start. I am going to delay the restore option and work on securing the server more.

Again, thanks for sticking around and big thanks to oddballz194 for helping out. He truly is a gem IMO.

[sorry for typos/errors it's 5:10 AM]
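The persistence mechanism described above (PHP stored base64-encoded in the forum database and run whenever faq.php loads) is the kind of thing a defender hunts for with a table dump plus a decoder. The following is an added example, not code from the thread or from vBulletin: it scans constructed plugin-table rows for suspect PHP function names, unwrapping nested base64 layers so a double-encoded payload is still caught. The table columns, hook names and sample rows are assumptions made for the example.

```python
import base64
import binascii
import re

# Functions whose presence in DB-stored code (plugins/templates the forum software
# eval()s at runtime) deserves a manual look. The list is an assumption, not vBulletin's.
SUSPECT_RE = re.compile(
    r"\b(eval|assert|system|exec|passthru|shell_exec|create_function|base64_decode)\s*\(")
# Runs of base64 alphabet long enough to be a hidden blob rather than an ordinary word.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def suspect_tokens(text, depth=3):
    """Collect suspect function names in text and in any nested base64 layers."""
    found = set(SUSPECT_RE.findall(text))
    if depth <= 0:
        return found
    for match in B64_RE.finditer(text):
        try:
            layer = base64.b64decode(match.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue  # not real base64, skip it
        found |= suspect_tokens(layer.decode("utf-8", errors="replace"), depth - 1)
    return found


def scan_rows(rows):
    """Return (id, hook, sorted tokens) for every row that carries suspect code."""
    findings = []
    for row in rows:
        tokens = suspect_tokens(row["code"])
        if tokens:
            findings.append((row["id"], row["hook"], sorted(tokens)))
    return findings


def _b64(raw):
    return base64.b64encode(raw).decode()

# Constructed sample rows imitating a DB-stored plugin table; column names are assumed.
SAMPLE_ROWS = [
    {"id": 1, "hook": "faq_complete", "code": "$vbulletin->options['foo'] = 1;"},
    # One base64 layer wrapped in eval(): the pattern described in the post above.
    {"id": 2, "hook": "faq_complete",
     "code": "eval(base64_decode('%s'));" % _b64(b'system("id"); // constructed marker')},
    # Two base64 layers, to show the recursive unwrapping.
    {"id": 3, "hook": "global_start",
     "code": "eval(base64_decode(base64_decode('%s')));"
             % _b64(_b64(b'passthru("id"); // constructed').encode())},
    # Benign binary blob (e.g. an embedded icon): decodes fine but carries no code.
    {"id": 4, "hook": "global_start", "code": "$icon = '%s';" % _b64(bytes(range(64)))},
]

if __name__ == "__main__":
    for finding in scan_rows(SAMPLE_ROWS):
        print("row %d (hook %s): %s" % finding)
```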

Comments

  • Mayberry Regular
    edited November 2010
    Thanks for the hard work and persistence. I'm guessing that was the last straw for Joomla then?
  • Katzenklavier Regular
    edited November 2010
    Can I see the script? I have a site I'd like to rape. (no it's not zoklet)

    Nvmd I found it on google.
    http://www.google.com/search?hl=en&safe=off&client=firefox-a&hs=rht&rls=org.mozilla%3Aen-US%3Aofficial&q=r57shell+joomla&aq=0&aqi=g1&aql=&oq=r57shell+j&gs_rfai=
    It looks like a common problem. We need better security.
  • Dfg Admin
    edited November 2010
    Found the script. It was saved under icons. File name dmar.jpg
  • Katzenklavier Regular
    edited November 2010
    Can I get the old totse logo DFG? The normal one, not the Halloween one.
  • Staples Regular
    edited November 2010
    I was wondering what was going on. Thanks once again for keeping things going. What a story totse has been.

    if totse was pubic hair, it would always grow back
  • bornkiller Administrator In your girlfriends snatch
    edited November 2010
    Good to see it back anyways.....5CHAR!
  • Dfg Admin
    edited November 2010
    Oh btw I changed the logo thanks to Bornkiller :D
  • LuxJigaboo Regular
    edited November 2010
    Mayberry wrote: »
    I'm guessing that was the last straw for Joomla then?

    To put it into terms that Dfg can understand, you could say that it was the straw that broke the camel's back.
  • Dfg Admin
    edited November 2010
    vozhde wrote: »
    To put it into terms that Dfg can understand, you could say that it was the straw that broke the camel's back.

    Dammit, you guys know me too well :p
  • blindbat Regular
    edited November 2010
    Dfg wrote: »
    Oh btw I changed the logo thanks to Bornkiller :D

    Lol that's funny :D
  • DirtySanchez Regular
    edited November 2010
    Dfg wrote: »
    Oh btw I changed the logo thanks to Bornkiller :D

    Lol Goatse:hai:
  • Mayberry Regular
    edited November 2010
    Awesome logo. Needs a little red though :o
  • skyclaw441 Regular
    edited November 2010
    Oh fucking nice. Thanks for all of your work. Is there really any way we can improve security? I know next to nothing about this kinda thing (servers, etc.), but just a question.
  • Dfg Admin
    edited November 2010
    skyclaw441 wrote: »
    Oh fucking nice. Thanks for all of your work. Is there really any way we can improve security? I know next to nothing about this kinda thing (servers, etc.), but just a question.

    There are tons of ways to improve security and hopefully I might implement some of them in future or in a few weeks :D.
  • bornkiller Administrator In your girlfriends snatch
    edited November 2010
    Dfg wrote: »
    Oh btw I changed the logo thanks to Bornkiller :D
    lol! didn't notice it.
    Nothing says totse more than a goatse...That's the way I saw it anyways :D
  • Amie Regular
    edited November 2010
    This sucks. We're lucky you guys can sort this mess out. I'd love to help out, but I know nothing (and I mean NOTHING) about coding / websites / networking / security so I'm afraid I can't be of much help.

    Good work so far, and keep going at it! We appreciate it.
  • Dfg Admin
    edited November 2010
    Amie wrote: »
    This sucks. We're lucky you guys can sort this mess out. I'd love to help out, but I know nothing (and I mean NOTHING) about coding / websites / networking / security so I'm afraid I can't be of much help.

    Good work so far, and keep going at it! We appreciate it.

    Thanks :).

    Btw if you think you're not capable of doing something or you're not doing much, trust me just by posting here you're contributing way more. So, just don't give up hope. It's thanks to you guys we can survive these problems.

    Oh btw, I am not giving up on Totse.info. Whatever the challenges we face in future I am not backing away because I believe in this community and its potential to move mountains and hearts of everyone.
  • DirtySanchez Regular
    edited November 2010
    ^^ You better not give up on this place paki:) I've spent too much time spreading the word of this place and posting here for all to be for nothing. Stability issues aside, this is a great site and has huge potential.
  • bornkiller Administrator In your girlfriends snatch
    edited November 2010
    Amie wrote: »
    This sucks. We're lucky you guys can sort this mess out. I'd love to help out, but I know nothing (and I mean NOTHING) about coding / websites / networking / security so I'm afraid I can't be of much help.

    Good work so far, and keep going at it! We appreciate it.

    What Df said, you are helping out by posting.:thumbsup:
  • Dfg Admin
    edited November 2010
    Read this : http://www.totse.info/bbs/showthread.php?t=6996

    It's in M&A for now. Mainly for security reasons [Mods do not post it outside please].

    But long story short, we got hacked today, but this time we were prepared. Thanks to that idiot I found more loopholes and quickly plugged them.

    Site downtime = 12 secs.
  • blindbat Regular
    edited November 2010
    Lol .... page suspended?
  • Dfg Admin
    edited November 2010
    blindbat wrote: »
    Lol .... page suspended?

    Reason: Payment overdue. We got hacked by the host lol.

    It's back now but I don't have the details regarding this.
  • starfox223 Regular
    edited March 2011
    I'm glad you guys pulled through.