Hacked Twice!

Ok, I am hacked again! I provoked this again, of course.

nikos.no-ip.org/Trojan_CGI.jpg

and also check nikos.no-ip.org

Plz give us Comodo v2.4 as soon as possible, because these CGI attacks really mess my system up.

The attacker also uploaded trojans on my comp, which I removed with HouseCall from Trend Micro.

Hi, well this isn’t good, that’s for sure. I would like a bit more information on what you are running, settings etc… If you are getting hacked that often, typically the CGI.pm must be reading off the attacker’s posting. Without knowing anything about what you are running, etc… have you tried to set a memory limit, CPU, hard disk space limit that CGI can use?

Paul

This is most likely a BO (buffer overflow) attack.
Can you please confirm this?
If so, CPF will be the only (personal firewall, afaik) with BO protection with 2.4.

Melih

IMPORTANT CLARIFICATION

This is not a hack of CPF. Nikos is offering up his Apache web server to be hacked by a group called RC. The original post with all the details is here.

IMPORTANT CLARIFICATION

sorry 'bout that… :-[

But they don’t do any actual harm, right? I mean they did tell you what they did, what it did, how they did it & how to recover? Right? :-\

BTW, did they detail what they did last time? I assume you closed the previous hole they found… or is it just open season on Nikos now?

Greetings,

No, not at all. It’s a friendly hack, no damages or harm done inhere.

BTW, did they detail what they did last time? I assume you closed the previous hole they found… or is it just open season on Nikos now?

We were about to submit a detailed report to Nikos on our successful 1st hack of his box when we rapidly found out that Nikos was already aware of these flaws and had closed those holes, making him invulnerable (as he thought?) and also inviting us, by giving us a 2nd attempt to hack his box, and making it harder for us.

= Nikos on 23 Sep, 11:12, from RC chat-box:
Yes plz do your best to re-hack me, I did an extra thing in security!

And again… he was hacked for the 2nd time (request).

Moreover, we’d like everyone to know that this is a very friendly hack with full user (owner) consent, and we always leave "tracks/traits" on users’ boxes as a sign from RC.

Thanks,
rki.

Thanks for this rki.

Was it a buffer overflow that you used?
If so, do you have the script, please?
I would like to test it against BO protection in CPF 2.4 :)

thanks
Melih

Wow, this got confusing. Ok, if the CGI.pm is reading from a large post/upload from the attacker, which exceeds the memory, which is why you would want to set memory limits, is this on the order of a BO attack? Or is this more of a controlled situation? I admit I am a bit confused as to what’s going on here with the whole scenario. Either way, I’ll leave it to Melih.

Paul

Was this a buffer overflow in a browser, or do you have to execute a .exe?

(I too would be interested in the script, but I doubt that is gonna happen LOL)

cheers, rotty

Well, from what I gather, and not being a security expert, if the CGI.pm is taking in a malicious upload of large proportions, and a sort of stop to it is to limit the memory amount/space amount so it can’t overload, or finish uploading I should say, it does seem like a BO scenario. I think I missed much of the issue to begin with along the forum, but I’ll just wait to see how this unfolds. This is egemen, Melih, and Ewen territory I think, lol. If I learn a quarter of what they know…

Paul

Yes, I have missed something here.

Buffer overflows are a very simple beast; the only tricky bit is writing the code that executes. I think this would need to be written in assembly, or, if the browser executes it, in this case it could be written in JavaScript, but if it is Windows handling it, assembly would be it.

cheers, rotty

I’m not sure how it’s written precisely, to be honest. But I think the CGI.pm in most cases reads the script/file automatically. Unless you disable it, block it, or limit the amount of memory for upload, it will keep coming back to haunt you.

Paul

Who knows, I thought a buffer overflow was used in websites to get the browser to execute code to compromise the computer. If a user was to use an .exe, a rootkit would be a lot more effective than a noticeable crash.

cheers, rotty

A rootkit was found on my comp both times I was hacked.
NOD32 didn’t see anything, but housecall.trendmicro.com did, and I removed it.
It also found a keylogger installed that the rootkit was hiding from NOD32, Ewido, Spinach Antispyware and Comodo.

Can rootkits avoid comodo’s detection?!

Also, as rki said, it was a friendly attack, no harm intended, but rootkits were also uploaded (I am not sure though if they came from the RC attacker, but before the attacks Trend Micro didn’t come up with anything).

Also I did an extra thing in security as far as it concerns my index.pl CGI Perl script, not in the default Apache v2.2.3 configuration. These changes concern validation of remote input.

I can paste my index.pl script if someone wants to take a look at it.

@rki I wait anxiously to see how DarkCoder succeeded in hacking me twice!

Look what I found as a program to be downloaded from my vault.pl script.

nikos.no-ip.org/test/vault.pl

Looks to me like backwards directory traversal attacks.

Also they managed to read my passwd.txt htaccess authentication file and also uploaded one of their liking.

This dude that did this (DarkCoder) must be really good.

Greetings,

Nikos,
2 different hacks - 2 different people. (You weren’t hacked twice by the same person)

A brief note
Hack #1

  • “0-day” exploit used (user wants to be anonymous!)

Hack #2

  • You have Apache poorly configured (buggy)
  • pl-programming mistake
  • null byte injection was possible in index.pl
  • and uploading files on upload.pl
  • view source, reading files was possible
  • just needed to change the path of the file
  • mysql-pwd copied (plain-text)
  • passwd.txt copied (plain-text)

Thanks,
rki.

Oh, boy! So many problems… and I didn’t have a clue.

2 different people hacked me easily…

You guys are good! Good job!

I can’t wait to hear the FULL detailed report by both attackers!

Yes, a rootkit can hide traffic from COMODO; this is possible by interfering with the TCP/IP stack, or the kernel, or API hooking, I think. A hacker will also open backdoors/ports, implant rootkit or non-rootkit protected server apps (IRC etc.), add new users to the user text files, hide their tracks in general (often done by a rootkit). Also, changing a rootkit slightly renders most scanners unable to detect it; since you’re running a server, a decent hacker would have a custom rootkit so that antivirus programs do not detect it.

(I have never touched Apache configurations so these are pretty much guesses.)

By the sounds of it, the hacks they are using are quite simple, maybe except the 0-day exploit, but the following are fairly easy to execute, in my limited knowledge:

  • pl-programming mistake (who knows, would need more detail)
  • null byte injection was possible in index.pl (filtering user input?)
  • and uploading files on upload.pl (directory not secured properly, permissions?)
  • view source, reading files was possible (direct connection (read) to important files, permissions again)
  • just needed to change the path of the file (permissions?)
  • mysql-pwd copied (plain-text) (permissions)
  • passwd.txt copied (plain-text) (permissions; correct me if I am wrong, but I recall something about changing the name and place of this file to make it harder, is this effective? Permissions again though)

cheers, rotty
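As an added illustration of rki’s list above (null byte injection in index.pl, reading files by changing the path, passwd.txt copied) and rotty’s permissions questions, this is example code written for this thread, not Nikos’s index.pl or anything RC used: a Perl file viewer that pastes the request parameter into a path, beside a version that allowlists the name and confines the resolved path to the served directory. The directory layout, file names and contents are constructed for the demo.

```perl
#!/usr/bin/perl
# Added example, not Nikos's index.pl: the file-viewer pattern behind
# "null byte injection" and "just change the path", next to a hardened version.
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;
use File::Temp qw(tempdir);

# Constructed layout standing in for the web tree: docs/ is the directory the
# viewer may serve; passwd.txt one level up plays the htaccess password file.
my $tmp  = realpath(tempdir(CLEANUP => 1));
my $base = "$tmp/docs";
mkdir $base or die "mkdir: $!";
for my $f (["$base/readme.txt", "public\n"], ["$tmp/passwd.txt", "nikos:secret\n"]) {
    open(my $fh, '>', $f->[0]) or die "open: $!";
    print $fh $f->[1];
    close $fh;
}

# Vulnerable: the request parameter goes into the path unchanged, so
# "../passwd.txt" walks out of docs/. On perls before 5.20 a NUL byte ("%00"
# in the URL) also cut the path short at the C level; newer perls refuse it.
sub read_vulnerable {
    my ($name) = @_;
    open(my $fh, '<', "$base/$name") or return undef;
    local $/; my $data = <$fh>; close $fh;
    return $data;
}

# Hardened: allowlist the name, append the suffix ourselves, resolve the real
# path and refuse anything that does not stay under $base.
sub read_safe {
    my ($name) = @_;
    return undef unless defined $name;
    return undef if $name =~ /\0/;                          # NUL byte injection
    return undef unless $name =~ /\A[A-Za-z0-9_-]{1,64}\z/;  # no '/', '.', '%', newline
    my $real = realpath(File::Spec->catfile($base, "$name.txt"));
    return undef unless defined $real && index($real, "$base/") == 0;
    open(my $fh, '<', $real) or return undef;
    local $/; my $data = <$fh>; close $fh;
    return $data;
}

for my $name ('readme', 'readme.txt', '../passwd.txt', "readme.txt\0.jpg") {
    (my $shown = $name) =~ s/\0/\\0/g;
    printf "%-18s vulnerable=%-8s safe=%s\n", $shown,
        defined read_vulnerable($name) ? "READ" : "refused",
        defined read_safe($name)       ? "READ" : "refused";
}
```

The traversal row shows the vulnerable viewer handing out passwd.txt while the hardened one refuses it; on a current perl the NUL row is refused by both, with a warning from the vulnerable open.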

  • passwd.txt is in an htaccess-protected directory.

  • In order for someone to access my upload.pl, that is a script that a guest can use to upload files to my comp, so that later vault.pl will generate a full listing of those progs with the new one added; that also is password protected by htaccess.

  • Also I do validate/filter user input in all of my scripts (I don’t know what null byte injection is, but one can just hit enter in my form and store null values in my database). Values are checked/validated before they enter the database.

  • I believe that whoever did this must have done something with htaccess that I saw inside a directory that I knew I didn’t create. My htaccess is only embedded inside httpd.conf, not inside my dirs. DarkCoder must have managed to override it or made Apache use his own, as well as he must have managed to get his hands on passwd.txt.

I will put passwd.txt in a safer place and try to reissue a 3rd hack attempt, but now that I think of it he will still use his CGI techniques to do the same thing… ■■■■.

I hope the new Comodo will put an end to these CGI attacks and also manage to reveal hidden rootkits, ’cause no NOD32, no Kaspersky and no Antivir and NO antispyware helped me in anything these days…

PS. When will v2.4 be out?!

Try this site: http://www.securityfocus.com/

Filter the exploits by your version of Apache, see if there are exploits and how to stop them.

Yes, I think I am somewhat out of my depth, but I sort of expected that because I haven’t touched Apache LOL, one of the things I will do at some point.

Cheers, rotty

Believe it or not (your choice), I have seen the name DarkCoder once in a while in forums while I was searching stuff; I think his name has something to do with Valve’s Steam, maybe I remember it wrong.