Four sites that I host were hit this past week, including vMLB. We use the CMS Mambo along with phpbb2 or phpbb3, depending on how long the league has been around. Actually, on a few of the upgraded sites, the malicious code actually failed in its purpose. That is to say, instead of the cross site scripting sending you to a different site to download a file, Mambo and phpbb actually quit and displayed an error. But a few other sites were running older versions of Mambo and phpbb. These sites would actually do what the script wanted and a pdf file would open after a few seconds and a browser redirect.
The location of the pdf file was at fany008.net (this is the domain and I don't want to post the whole url to the pdf file here) which I later tracked to a Mr John Mohov. While I don't think this guy would actually be attacking sites himself, he is listed as the owner of fany008.net and has a responsibility to remove the infected pdf file from his server and take appropriate preventative security action.
I am listing what is already publicly available on Mr. Mohov here:
john mohov
Email: bryanlink AT live.com (I will do him the courtesy of protecting his email address from bots)
Organization: mohov ltd
Address: 2198 Bernard rd
City: New Vienna
State: oh
ZIP: 45159
Country: US
Phone: +7.4955123458
Fax:
Usually, these attacks are done via an html web form by wrapping malicious code in php tags in the text fields. Quite simple really. And php code can be used to overwrite, append, and create files, which is what happened in this case. The script was used to create and overwrite the index.html files in about 50+ locations within Mambo and phpbb and it appended the index.php file to include the redirect command. Easy to find but a major pain to clean out.
__________________
Fidel Montoya
Asahi2 Baseball League ex-Commissioner (Historical League Since 2004)
Ex-Web Host
Current Mod Maker??
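An added example, not code from the post or from Mambo/phpbb: a small Python scanner for the clean-up the post describes, walking a web root for index.php and index.html files that carry an appended or dropped-in redirect. The file names, the regex patterns and the sample file contents are constructed assumptions for this example, not indicators from the post.

```python
import os
import re
import tempfile

# Heuristic patterns (an assumption of this example, not a signature of the
# specific script from the post) for a redirect appended to index.php or
# dropped into a newly created index.html.
SUSPICIOUS_PATTERNS = {
    "php-header-redirect": re.compile(r"header\s*\(\s*['\"]Location:", re.I),
    "meta-refresh": re.compile(r"<meta[^>]+http-equiv\s*=\s*['\"]refresh['\"]", re.I),
    "js-location": re.compile(r"\b(window|document|top|self)\.location(\.href)?\s*=", re.I),
    "hidden-iframe": re.compile(r"<iframe[^>]+(width|height)\s*=\s*['\"]?0\b", re.I),
    "pdf-link": re.compile(r"https?://[^\s'\"<>]+\.pdf\b", re.I),
}

def scan_content(text):
    """Return the names of the suspicious patterns found in one file's content."""
    return [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(text)]

def scan_tree(root):
    """Walk a web root; map each matching index.php/index.html (relative path)
    to the list of patterns it matched. Clean files are not reported."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower() not in ("index.php", "index.html"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                found = scan_content(fh.read())
            if found:
                hits[os.path.relpath(path, root).replace(os.sep, "/")] = found
    return hits

def build_demo_root():
    """Constructed sample web root: one clean index.php, one index.php with a
    redirect appended to its end, one index.html dropped into an image dir."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "forum", "images"))
    files = {
        "index.php": "<?php\ninclude 'globals.php';\necho 'Welcome';\n",
        "forum/index.php": "<?php\ninclude 'common.php';\n?>\n"
            '<meta http-equiv="refresh" content="3;url=http://example.invalid/x.pdf">\n',
        "forum/images/index.html": "<script>window.location.href='http://example.invalid/';</script>",
    }
    for rel, body in files.items():
        with open(os.path.join(root, *rel.split("/")), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for path, reasons in sorted(scan_tree(build_demo_root()).items()):
        print(f"{path}: {', '.join(reasons)}")
```

Run it against a copy of the web root rather than the live site, and treat each hit as a file to diff against a known-good install before removing anything.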