
Hacked OVH Servers


*Mikee*
26-01-2009, 14:24
As I told Mr Nice Guy, kvirc is an IRC-based chat client and iroffer is an IRC-based file server -- then he comes out with: if he says the server has been hacked, it's been hacked !!! 12 years in I.T. my ass !!! OVH is the best company I've been with so far! I hope you read this part, Mr Nice Guy!

Quote Originally Posted by punipuni
You Mr nice guy, is an *****. I manage a few OVH boxes running iroffer + other IRC bots so that would mean I rootkit'ed myself? Unless you have proof (scanning IPs for open ports isn't proof BTW), do not assume boxes have been rooted. If you show perhaps iroffer running as nobody or as webserver user, which makes your claims MUCH more credible, you are only making yourself look like a tool with "12 years" of "web security" experience.


By the way, can you tell me why hackers would need a GUI IRC client? So they hacked, installed X, a window manager, VNC or NX to remote in (instead of just SSHing) just so they can IRC? Impressive. Makes other practical CLI IRC clients/BNC daemons obsolete!

punipuni
26-01-2009, 06:12
You Mr nice guy, is an *****. I manage a few OVH boxes running iroffer + other IRC bots so that would mean I rootkit'ed myself? Unless you have proof (scanning IPs for open ports isn't proof BTW), do not assume boxes have been rooted. If you show perhaps iroffer running as nobody or as webserver user, which makes your claims MUCH more credible, you are only making yourself look like a tool with "12 years" of "web security" experience.


By the way, can you tell me why hackers would need a GUI IRC client? So they hacked, installed X, a window manager, VNC or NX to remote in (instead of just SSHing) just so they can IRC? Impressive. Makes other practical CLI IRC clients/BNC daemons obsolete!

MrNiceGuy
26-01-2009, 02:23
I've already forwarded the information to abuse@ovh.net and nothing has happened. Considering there might be a problem speaking English, as many of the servers appear French, I decided to post it up on this forum. The 10 I gave were just a sample, there's quite a bit more. I'm just submitting the 10 to see what happens, and if it is worth reporting to OVH. So far, I think i'm wasting my time.

oles@ovh.net
26-01-2009, 01:32
MrNiceGuy wrote:

1.) the public forum is not the place to post this kind of information:
abuse@ovh.net
2.) you write that there are 10 servers with a backdoor on our network.
thanks to this we have only 10 servers with a backdoor; I think
it's about 1%/3% of servers. we have 50000 servers running ...
3.) you are right, there is a backdoor on the servers connected to
a non-standard IRC server (not port 6667).
4.) your information is wrong: it's not a root exploit. it's an easy
web backdoor exploit: you have a PHP script with a security bug?
you have a backdoor
5.) the real problem is not really the backdoors. the problem
is the IRC servers that manage all the backdoored servers. it
allows the hackers to sell services like spam, hacking, etc.
we are working on an "automatic" blacklisting of the "managing"
servers with NASK, which proposes a live list of the 800-1000 IPs that
manage >20'000'000 or more hacked IPs (windows, servers) in the
world

please read again n°1
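oles above describes the compromise as a PHP web backdoor rather than a root exploit, with the dropped bots connected to IRC on non-standard ports, and punipuni earlier says the credible evidence would be iroffer running as nobody or as the web-server user. The following is an added example, not code from the thread or from OVH, that turns those two observations into a check over `netstat -tnpe` output; the sample output and the web-account uids (33 for www-data, 65534 for nobody) are constructed assumptions.

```python
import re

# Ports the thread mentions: plain IRC 6667-7000 and SSL around 7001-7010.
IRC_PORTS = set(range(6667, 7011))
WEB_SERVICE_PORTS = {80, 443}      # the only local ports a web worker should hold
BOT_NAMES = ("iroffer", "kvirc")   # program names quoted in the thread
# Assumed uids: 33 (www-data on Debian) and 65534 (nobody); distro-specific.
WEB_UIDS_SAMPLE = {33, 65534}

# Constructed `netstat -tnpe` output, not captured from any real host.
# Columns: Proto Recv-Q Send-Q Local Foreign State User Inode PID/Program
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 10.0.0.5:22 203.0.113.7:51234 ESTABLISHED 0 1001 812/sshd
tcp 0 0 10.0.0.5:80 198.51.100.9:40211 ESTABLISHED 33 1002 1450/apache2
tcp 0 0 10.0.0.5:53396 198.51.100.9:40212 ESTABLISHED 33 1003 2201/sh
tcp 0 0 10.0.0.5:40010 192.0.2.45:7001 ESTABLISHED 65534 1004 2310/iroffer
tcp 0 0 10.0.0.5:40011 192.0.2.46:6668 ESTABLISHED 0 1005 2412/sh
tcp 0 0 10.0.0.5:41110 203.0.113.20:443 ESTABLISHED 0 1006 900/curl
"""

LINE_RE = re.compile(
    r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s+\d+\s+(\d+|-)/(\S+)")

def parse_netstat(text):
    """Yield one dict per connection line; headers and unparsable lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield {"lport": int(m[2]), "rhost": m[3], "rport": int(m[4]),
                   "state": m[5], "uid": int(m[6]), "pid": m[7], "prog": m[8]}

def suspicious(text, web_uids):
    """Return (pid, prog, reason) for established connections matching the bot pattern."""
    findings = []
    for c in parse_netstat(text):
        if c["state"] != "ESTABLISHED":
            continue
        reason = None
        if any(n in c["prog"].lower() for n in BOT_NAMES):
            reason = "known IRC bot/client binary name"
        elif c["rport"] in IRC_PORTS:
            reason = f"remote IRC port {c['rport']} on {c['rhost']}"
        elif c["uid"] in web_uids and c["lport"] not in WEB_SERVICE_PORTS:
            # A web-server account holding a socket on a non-web port is the
            # evidence punipuni asks for: something the PHP backdoor dropped.
            reason = f"web uid {c['uid']} holds non-web port {c['lport']}"
        if reason:
            findings.append((c["pid"], c["prog"], reason))
    return findings
```

Run `suspicious(open("netstat.txt").read(), {33})` against a saved `netstat -tnpe` capture, substituting the uids of your own web-server accounts; a bot renamed to look like a shell still shows up under the uid rule.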


rickyday
25-01-2009, 22:18
Quote Originally Posted by MrNiceGuy
Well, there you have it folks. OVH will find out that you have a hacked system, will not repair it, and will only explain that "they are not responsible."

Good Luck Customers of OVH.
Good luck to you too, and thank you for your concern.

Andy
25-01-2009, 19:28
Quote Originally Posted by MrNiceGuy
Well, there you have it folks. OVH will find out that you have a hacked system, will not repair it, and will only explain that "they are not responsible."

Good Luck Customers of OVH.
I'm sorry but I think you'll find that because of the data protection act, OVH are not allowed to intervene on your server without your permission. The most they are allowed to do is disconnect the server from the network and issue a notice telling you why. To fix it is out of their hands as they are all unmanaged servers.

If OVH servers are causing you so much hassle, block the IP range 91.121.*.* from your server, or wait until Monday and contact OVH directly by phone or e-mail abuse@ovh.net and customersupport@ovh.co.uk.

MrNiceGuy
25-01-2009, 19:19
Well, there you have it folks. OVH will find out that you have a hacked system, will not repair it, and will only explain that "they are not responsible."

Good Luck Customers of OVH.

derchris
25-01-2009, 19:06
Ok, this will be my last post in this thread.
Again, kvirc and iroffer are NO rootkits.
Running them on a customer system without the customer's permission is a totally different issue.
As you already said, it was more likely a SQL injection bug in one of the PHP scripts.

And there is only one word I have for you for your 12 years' experience and comments:

LOL

And btw, it is the customer who is responsible for their servers, not OVH.

MrNiceGuy
25-01-2009, 18:59
One of them just loaded this file: underworld.3.cam-clerks.avi which is: Underworld 3 Rise Of The Lycans CAM XviD cLeRKs (on one of the OVH I posted)

Imagine how much bandwidth is going to be lost. This is a hot new movie and has hardly even had time to hit the internet. Chances are, that OVH is going to be in some seriously bent up shape sometime soon.

v1.3.b11 is what you are looking for.

Update: None of these lines are down, all are up and serving viciously. (It has been 20 hours since these have been reported)

In my opinion, too many administrators have been aware of this, and the action taken was zero in 20 hours.

If I was a customer, I would be quite pissed off right now.

I posted 10 OVH lines, so this is what I am looking at:

Score:

Hackers - 10
OVH - 0

And, OVH has home field advantage due to the fact that the hackers attacked remotely, and OVH has local access.

What kind of a company are you guys running?

MrNiceGuy
25-01-2009, 17:58
As a response to "how do I get the IP" think about it, ok. If a "fileserver" is sharing a "file" and I join a network and channel where I can access it via a transfer (dcc session). What does that spell? It spells: I am sharing a connection with the server at that point in time and I can use tools to verify where the connection is coming from. When I say "NETSTAT" that is what I am referring to. Net Statistics. For Windows users: Share a connection of some kind with someone, and go to START : RUN : (TYPE) CMD : (TYPE) NETSTAT

Boom, all of the connections are right there. I use tools in order to identify which is which, and by watching the traffic, and comparing it to the traffic I am receiving in netstat, I can determine where it's coming from.

Read the previous post, other admins know I'm well aware of what I am doing.

MrNiceGuy
25-01-2009, 17:41
If you think that's the case, you know absolutely nothing about security. This is the stuff I've been doing for 12 years that you don't learn in school.

When I say it's hacked, it's hacked.

This team is a hacking group that mostly specializes in PHP exploitation. Let me give you an answer from an admin that I worked with on helping him remove the infections. This is how an admin SHOULD respond.

Email From Me:

Hello,

It appears you have a server that has been compromised. 66.230.133.134
Port: 3076

Files On System:
[714M] The.Haunting.Of.Molly.Hartley.R5.LINE.XViD-mVs.TAR
[729M] Prisoner.2007.DVDRip.XviD-VoMiT.tar
[705M] The.Bilbee.Boys.2007.DVDRip.XviD-VoMiT.tar
[724M] White.Light.Black.Rain.2007.DVDRip.XviD-VoMiT.tar

I hope you take a look into this matter, it could be important.

Response:
Thanks for the response. Do you have an example of the running bot? I killed off a few bots myself - thought I got them all :/

Thanks again for the heads up

Please let me know if I can be of further assistance.

ISPrime Support
support@isprime.com
ICQ: 136633378
You might want to note that IRC servers by default connect via ports
6667-7000 and there are SSL ports as well, around +7001-+7010 or so.
The exploitation was more than likely done via PHP, so I'd check the
PHP code (but do that last) the root of the machine was snagged, so
it's in there. Try looking for the iroffer, and DCC ports are at times
1024 and 5000. If you contact abuse@abjects.net they might possibly be
able to assist you as well. The nickname of the bot is Beast-V-Nemesis
and an Abjects administrator owns the channel that your server was
attacked in.

Share These Logs With Abjects.Net

Bo0oM^ is ~gal@staff.shelter.abjects.net * gal
Bo0oM^ has identified for this nick
Bo0oM^ on !@#beast-chat
Bo0oM^ using shelter.abjects.net Abjects IRC Hub
Bo0oM^ is a IRC Operator

[11:26] -ChanServ- Information for channel #beast-xdcc :
-
[11:26] -ChanServ- Founder: Bo0oM^

If you need more help, contact me again.
Response:

Hello,

Yes, there were multiple running bots. Still cleaning up the system. Thanks again.

Please let me know if I can be of further assistance.

ISPrime Support
support@isprime.com
ICQ: 136633378
His follow up to me:

I personally do not know anyone over there, sorry. We do mainly Adult hosting, ThePlanet is too mainstream :P

I can inform you that this was uploaded via Comus Thumbs "Tradescript". This is a common TGP script used (and always exploited) by cheap webmasters. So if you run into any other Adult sites that are running this exploit - it will either be from CT (comus thumbs - php) or ATX (arrow trade script - perl/c).

Hope that helps . My name is Jayme if you need to contact me directly.

Please let me know if I can be of further assistance.

ISPrime Support
support@isprime.com
ICQ: 136633378

So, for all of you that are shaking your head.. that's an example of me (a professional) working with him (a professional)

Your abuse department and admins are just slacking off and making up excuses. If they took the time to look (like this admin of a different hosting company did) then it would be gone in 1hr, as his was.

Do your homework. Take your tip. Do your job. Or you can alternatively have several terabytes of missing data and stolen personal information of your customers' clients.

I would be happy to have me doing this, as I do not have to. But, please note, this is an example of why you all get hacked in the first place. Not paying attention to fundamentals when configuring your boxes, and when someone assists you with an intrusion, they do not take action.

Until you guys shape yourselves up, I truly fear for your customers' safety and your own liability.

*Mikee*
25-01-2009, 17:18
That's what I was thinking too!
Quote Originally Posted by derchris
Ever thought that the customer is running these programs on their own?

derchris
25-01-2009, 16:56
I don't get how you are connected with the IPs of the OVH servers you just posted.
Are they your servers?
Ever thought that the customer is running these programs on their own?

MrNiceGuy
25-01-2009, 16:16
Let's break it down:

The topic of the irc channel is: [11:10] * Topic is '4#14BEAST-XDCC The dogs Bollox of IRC 15FASTER BOTS 4 YOU.. SEARCH6/15LATEST6/15CHAT6/15PARKiNG6/15THANKS ? 4#14BEAST-CHAT - 4exploiter needed [linux only] pm Bo0oM^'


Did you catch the part about "exploiter needed." Well, that's because this channel is full of hacked dedicated servers.

this is:
Beast-V-amateur is ~root@189efabc.bf6674e.ovh.net * pwnz
Beast-V-amateur on +#BEAST-XDCC
Beast-V-amateur using daemon.fl.us.abjects.net Abjects IRC Server
Beast-V-amateur End of /WHOIS list.

It joined that channel. In the channel, this is the iroffer letting users know what's going on:

[11:00] ** 6 packs ** 0 of 20 slots open, Queue: 5/1337, Record: 3673.8KB/s
[11:00] ** Bandwidth Usage ** Current: 2060.9KB/s, Record: 6780.0KB/s
[11:00] ** To request a file, type "/msg Beast-V-amateur xdcc send #x" **
[11:00] ** To request details, type "/msg Beast-V-amateur xdcc info #x" **
[11:00] #1  168x [714M] 18.Year.Old.Virgin.2009.DVDRip.XviD-VoMiT.tar
[11:00] #2  213x [1.4G] W.DVDRip.XviD-NeDiVx.tar
[11:00] #3  146x [1.4G] Frost.Nixon.LiMiTED.DVDSCR.XviD-DoNE.tar
[11:00] #4  332x [715M] Madagascar.Escape.2.Africa.DVDRip.XviD-Larceny.tar
[11:00] #5  65x [723M] Lake.City.LIMITED.DVDScr.XViD-BaLD.tar
[11:00] #6  74x [1.4G] The.Hurt.Locker.2008.DVDRip.XviD-CiRCLE.tar
[11:00] Total Offered: 6422.0 MB Total Transferred: 1.35 TB

In translation? This hacker successfully exploited an OVH server, posted nearly 6.5 GB of pirated files, and pushed 1.35 TB of unwanted transfers, and OVH still has not found the problem.


I type /msg Beast-V-amateur xdcc send #1 and what do my netstat tools tell me?

91.121.118.159 port: 53396 host: ns201328.ovh.net

When I use other methods to determine what kind of fileservers it is using, I find something that might be essential for OVH to use to find the problem.

MrNiceGuy
25-01-2009, 15:20
Correct. The server is compromised (exploited) then root access is gained. The file server portion should be self explanatory. Once the file serving program is uploaded, a directory will be created and filled with pirated software. Iroffer will instruct the server to post an advertisement (as seen on www.packetnews.com) making users aware of the files being available. At this point, users will input a command into irc, and the server will distribute these files to the user. This is constant bandwidth loss, and due to root access being obtained, can cause the client to lose information regarding the server. Often times it only begins with bandwidth loss, and databases are saved (that could contain personal data, and other such things) for the hacker to use.

*Mikee*
25-01-2009, 15:13
kvirc is an IRC-based chat client and iroffer is an IRC-based file server --

MrNiceGuy
25-01-2009, 15:03
I can give more information, yes. Why not take a look within these boxes and see the details first. The ircbot programs are part of a rootkit. I provided the iroffer you are looking for, so you can look at where it is coming from and find the rootkit. I was considering making a video on youtube showing the hacked servers and that it took OVH over a week to remove the attacks when I contacted abuse@ovh.com. (They are still on the boxes) If you find one, you will find the rest, it's whether or not a security professional is willing to make the effort. Feel free to contact me by PM if you want, and I can provide whatever details you want. 1.34 TB (bandwidth) has been removed from one of the servers, and some are worse.

-MrNiceGuy

rickyday
25-01-2009, 14:18
kvirc and iroffer are not rootkits they are IRC related programs.

On what basis are you assuming these servers are "hacked" ?
Can you provide more information?

Welcome to the forum

MrNiceGuy
24-01-2009, 22:37
Hello,

I've been noticing a great deal of internet traffic that has been partially due to OVH dedicated servers being compromised. It seems that over a period of a week of sending the information to the abuse department, they have done nothing in regard to removing the infections and securing these boxes. I am not an OVH customer, but I do believe the pricing and bandwidth are better than anywhere else, so I still wonder.. if I was a customer, how would I feel about security not being a top priority?

Here are some details of some compromised servers.. maybe they can be helpful.

91.121.204.61 port: 2001 host: rps2949.ovh.net
rootkit: iroffer-dinoex 3.9

91.121.88.139 port: 3512 host: ns27787.ovh.net
rootkit: kvirc v3.1b

91.121.5.88 port: 3650 host: ns22539.ovh.net
rootkit: kvirc v3.1b

91.121.24.155 port: 3624 host: ns39659.ovh.net
rootkit: kvirc v3.1b

91.121.17.174 port: 2277 host: ns38862.ovh.net
rootkit: kvirc v3.1b

91.121.2.160 port: 53875 host: ns37060.ovh.net
rootkit: iroffer v1.3.b11

91.121.110.99 port: 4561 host: ns354601.ovh.net
rootkit: kvirc v3.1b

91.121.118.159 port: 50292 host: ns201328.ovh.net
rootkit: iroffer v1.3.b11 [20051213023024], http://iroffer.org/ - Linux 2.6.24.2-xxxx-std-ipv4-32

87.98.132.23 port: 60501 host: 87-98-132-23.ovh.net
rootkit: iroffer v1.3.b11 [20051213023024], http://iroffer.org/ - Linux 2.6.24.5-grsec-xxxx-grs-ipv4-32

91.121.78.22 port: 3184 host: ks26461.kimsufi.com
rootkit: kvirc v3.1b

(France Based, maybe you can help your buddies)
87.106.146.18 port: 2311 host: s15326865.domainepardefaut.fr
rootkit: kvirc v3.1b

87.106.96.95 port: 1353 host: s15235642.domainepardefaut.fr
rootkit: kvirc v3.1b


This is just a handful, there's more. I'm watching them stay compromised going into week #2. Instead of anybody from OVH telling me anything, don't feel it's necessary. I'll tell the forum when they are secured because I can see them while OVH cannot.