Solved Community Alert - Backdoored Script

Hydra

Hello Guys,
I would like to warn all users who downloaded and ran one of these scripts:
https://r4p3.net/threads/script-packetlossguard-ddosguard-v1.1430
https://r4p3.net/threads/script-timerankmod.1503/
The user backdoored the script and uploaded your "config.php" to his FTP server.
Proof:
92INPkq.png

Check the file "\libraries\TeamSpeak3\Node\Abstract.php" for these lines. It opens an FTP connection to his server and uploads your server query login information, which is placed in the "config.php". He "only" got access to your server query, nothing else. If you see a connection from a Portuguese IP address (46.50.34.*), he already logged into your server query.

Steps you should do now:
1.) Change your Server Query Password.
2.) Limit the access to Server Query (if not done already!).


I already wrote an abuse report to his home connection and server hoster (myvirtualserver.de).

Greetings Hydra
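
The two checks described in the post above, as an added example that is not part of the original post or of the affected scripts: it flags PHP lines that call FTP functions anywhere under the script directory and picks out log lines mentioning an address in 46.50.34.*. The function names, the sample address 46.50.34.17 and the log line format are assumptions constructed for illustration.

```python
import ipaddress
import re
import sys
from pathlib import Path

# PHP FTP-extension calls; function names are case-insensitive in PHP.
FTP_CALL = re.compile(r"\bftp_(?:ssl_connect|connect|login|put|fput|nb_put)\s*\(", re.I)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SUSPECT_NET = ipaddress.ip_network("46.50.34.0/24")  # the 46.50.34.* range named in the post


def scan_php_tree(root):
    """Return (relative path, line number, line) for each PHP line calling an FTP function."""
    root = Path(root)
    hits = []
    for path in sorted(root.rglob("*.php")):
        lines = path.read_text(errors="replace").splitlines()
        for number, line in enumerate(lines, 1):
            if FTP_CALL.search(line):
                hits.append((path.relative_to(root).as_posix(), number, line.strip()))
    return hits


def suspect_logins(log_lines, net=SUSPECT_NET):
    """Return the log lines that mention an IPv4 address inside `net`."""
    matches = []
    for line in log_lines:
        for candidate in IPV4.findall(line):
            try:
                if ipaddress.ip_address(candidate) in net:
                    matches.append(line)
                    break
            except ValueError:
                continue  # dotted number that is not a valid address
    return matches


if __name__ == "__main__":
    # Constructed sample log lines (format is illustrative, not TeamSpeak's exact output).
    sample = ["query client connected 'serveradmin' from 46.50.34.17:51234",
              "query client connected 'serveradmin' from 203.0.113.9:40000"]
    print(suspect_logins(sample))
    # Scan the directory given as the first argument, or the current directory.
    for hit in scan_php_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("FTP call:", *hit)
```

A plain-text match like this misses calls that are built from strings or encoded, so a clean result does not replace reading Abstract.php by hand.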
 

0x0539

Might this explain why my whole server was fucked and had to restart all over today?

Short note on what happened: the server bots (music bots etc.) crashed at 5:37 AM, and the server crashed a couple of hours after.
When restarted, I had lost absolutely everything: no channels, no permissions, nothing. My logs were also over 3.00GB when I tried backing the server up before.
 

Hydra

Might this explain why my whole server was fucked and had to restart all over today?
Check the logins and search for a Portuguese IP. This guy doesn't know how to use a VPN, so he used his home connection.
 

0x0539

Might this explain why my whole server was fucked and had to restart all over today?
I guess it doesn't matter, had to update to 3.0.12.3 anyway but was too lazy to do so.
 

0vert1m3

LOL what a lil fucker. I thought we were normal / good people here and not such a backdoor snitch ;C
 
Joined
Dec 5, 2015
Messages
25
Reaction score
2
Points
35
100% true ;) So... I mean, if we delete abstract.php it's a 100% working script ;) maybe send some rockets to 185.101.93.211 ;>

Edit:
Anyway... he changed the password to the FTP account, so it's safe now :D
 

Joxiii

Please spam his FB and Skype or stress his site :D
 