Ravens PHP Scripts: Forums
 

 

vartax
New Member
Joined: Jan 24, 2006
Posts: 7
Location: Amsterdam, the Netherlands

Posted: Mon Jul 03, 2006 4:32 pm

I would like to advise all NS users to tighten security, add the referrer tc-thc.org and maybe do like I did and block out the complete Turkish IP block. Not only did I have a lot of hack attempts originating from Turkey, but there is also a person or a group going around calling himself or themselves Cukurova'li, hacking for Turkey and Islam.
He/they are targeting almost only PHP sites.

I use NS 2.4.2pl9 on PHPNuke 7.6 (platinum), but besides my main site I also had HelpCenterLive installed in a subdirectory, and I found out that this directory has been hacked by those f*****s. They did not deface this module but managed to install a subdirectory called /.s with a file called linuxhak.php, together with the files dc.pl, kral-imt.html and an altered index.html in the main directory.

Curious as I am, I searched around and found out that there are now almost 16000 hits on Google for this name and a lot of sites have been defaced. The Google search is
http://www.google.com/search?hl=en&q=cukurOva%27li&btnG=Google+Search

Only one question for the pros: I managed to delete all the files except the linuxhak.php file. I chmodded it to all kinds of combinations but it won't allow me to delete it. I tried it with FTP and through the cPanel file manager, but so far no luck.
Does anyone have an idea how to do this?
(I did manage to rename the directories so that they are not easy for the hackers to find, but I would rather have the file deleted, because when I downloaded it to my PC my virus scanner caught it as a backdoor trojan.)

Rene

p.s.

Some other related referrers:
BLue-Security.NeT
trgala.net
imhatimi.com
imhatimliyiz.biz


Last edited by vartax on Mon Jul 03, 2006 5:16 pm; edited 1 time in total 
kguske
Site Admin
Joined: Jun 04, 2004
Posts: 6437

Posted: Mon Jul 03, 2006 4:56 pm

Did you try deleting it through your control panel's file manager?

_________________
I search, therefore I exist...
vartax

Posted: Mon Jul 03, 2006 5:18 pm

Yes, cPanel File Manager and several kinds of FTP programs.
I don't have ssh access.

Rene
 
Susann
Moderator
Joined: Dec 19, 2004
Posts: 3191
Location: Germany:Moderator German NukeSentinel Support

Posted: Mon Jul 03, 2006 5:49 pm

You are not the owner of this file and the FTP user doesn't have that right. Sorry, that's hard to explain, but I can easily change this through my account at my web host.
Maybe this helps, I don't know:

http://de3.php.net/chown

There is another Turkish hacker group; they did a similar thing on another German website. Search for: d3ngsz
 
vartax

Posted: Mon Jul 03, 2006 6:21 pm

No, I understand what you say. I used to rent a dedicated Linux box and know a bit (but not that much), but I have forgotten about the chown stuff.
As I do not have ssh access, I should ask the hoster to chown this file for me.
Thanks for pointing me in the right direction.

Rene
 
montego
Site Admin
Joined: Aug 29, 2004
Posts: 9457
Location: Arizona

Posted: Thu Jul 06, 2006 10:12 pm

Quote:

As I do not have ssh access, I should ask the hoster to chown this file for me.
Thanks for pointing me in the right direction.


Ask them to look into what user "owns" the file as they might be interested to know that as well and ask them to remove it.

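The ownership question raised in this thread can be checked from PHP itself when there is no ssh access. The script below is an added example, not code from any poster or from NukeSentinel; the function names `owner_name` and `explain_delete` and the scratch path are hypothetical, and it assumes a POSIX host with the PHP posix extension loaded.

```php
<?php
// Added example: report who owns a file and its directory, and whether the
// user this script runs as can delete it. On POSIX, deleting needs write
// permission on the PARENT directory; in a sticky directory the caller must
// also own the file or the directory.

function owner_name(int $uid): string
{
    if (function_exists('posix_getpwuid') && ($pw = posix_getpwuid($uid))) {
        return $pw['name'] . " (uid $uid)";
    }
    return "uid $uid"; // posix extension missing or uid has no passwd entry
}

function explain_delete(string $path): array
{
    clearstatcache();
    $file = @lstat($path);            // lstat: do not follow symlinks
    $dir  = @stat(dirname($path));
    if ($file === false || $dir === false) {
        return ['error' => "cannot stat $path or its directory"];
    }
    // Assumption: the posix extension is loaded; without it the process uid
    // is unknown, so -1 is used and matches no owner.
    $me      = function_exists('posix_geteuid') ? posix_geteuid() : -1;
    $sticky  = ($dir['mode'] & 01000) !== 0;
    $ownsOne = $me === $file['uid'] || $me === $dir['uid'];
    $can     = $me === 0 || (is_writable(dirname($path)) && (!$sticky || $ownsOne));
    return [
        'running_as' => owner_name($me),
        'file_owner' => owner_name($file['uid']),
        'dir_owner'  => owner_name($dir['uid']),
        'dir_mode'   => sprintf('%04o', $dir['mode'] & 07777),
        'can_delete' => $can,
    ];
}

// Constructed demo: a scratch directory stands in for the real path.
$dir  = sys_get_temp_dir() . '/ownercheck_' . getmypid();
$file = "$dir/sample.txt";
mkdir($dir, 0755);
file_put_contents($file, "constructed placeholder\n");
print_r(explain_delete($file));   // directory is writable by this user
chmod($dir, 0555);
print_r(explain_delete($file));   // directory has been made read-only
chmod($dir, 0755);
unlink($file);
rmdir($dir);
```

Pointed at the real file instead of the scratch path, the `file_owner` and `dir_owner` fields give the account names to pass on to the hosting provider.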