Ztikdialers.com.. A HACKER exposed. [Archive]

View Full Version : Ztikdialers.com.. A HACKER exposed.

DialerNET

03-26-2002, 05:24 AM

Tim gave me permission to post this on the main forum. It was brought to my attention recently by one of my dialer webmasters "Rage", that his trade script was hacked by another webmaster using the same dialers. "Rage" supplied us with the account name of the offending dialer, and it appeared to be a webmaster that Ztik was using to test the performance of the new dialers before going live with them. "Rage" then supplied me with entries from his apache logfile that showed an unknown IP address accessing his trade script setup and admin functions. This section of his log is supplied below. I've edited out his domain, and the name of the script files for security reasons. <blockquote>code:<hr /><pre style="font-size:x-small; font-family: fixed;">65.31.229.170 - - [25/Mar/2002:09:22:09 -0800] "GET /*******.*** HTTP/1.1" 200 1078 "http://www.google.com/search?q=*******.***+trade+traffic&hl=en&start=70& sa=N" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; T312461)" 65.31.229.170 - - [25/Mar/2002:09:22:15 -0800] "GET /*******.*** HTTP/1.1" 200 1098 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; T312461)" 65.31.229.170 - - [25/Mar/2002:09:24:22 -0800] "POST /*******.*** HTTP/1.1" 200 552 "http://www.xxxxxxxx.net/*******.***" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; T312461)" 65.31.229.170 - - [25/Mar/2002:09:24:59 -0800] "GET /*******.*** HTTP/1.1" 200 1078 "http://www.google.com/search?q=*******.***+trade+traffic&hl=en&start=70& sa=N" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; T312461)" 65.31.229.170 - - [25/Mar/2002:09:25:07 -0800] "GET /*******.*** HTTP/1.1" 200 1098 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; T312461)" 65.31.229.170 - - [25/Mar/2002:09:25:26 -0800] "POST /*******.*** HTTP/1.1" 200 236 "http://www.xxxxxxxx.net/*******.***" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; T312461)" 65.31.229.170 - - [25/Mar/2002:09:25:31 -0800] "GET /*******.*** HTTP/1.1" 200 673 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; T312461)" 65.31.229.170 - - [25/Mar/2002:09:25:37 -0800] "POST /*******.*** HTTP/1.1" 200 2269 "http://www.xxxxxxxx.net/*******.***" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; T312461)" 65.31.229.170 - - [25/Mar/2002:09:25:41 -0800] "POST /*******.*** HTTP/1.1" 200 1118 "http://www.xxxxxxxx.net/*******.***" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; T312461)" 65.31.229.170 - - [25/Mar/2002:09:25:49 -0800] "POST /*******.*** HTTP/1.1" 200 625 "http://www.xxxxxxxx.net/*******.***" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; T312461)" 65.31.229.170 - - [25/Mar/2002:09:25:52 -0800] "POST /*******.*** HTTP/1.1" 200 2266 "http://www.xxxxxxxx.net/*******.***" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; T312461)" 65.31.229.170 - - [25/Mar/2002:09:25:57 -0800] "POST /*******.*** HTTP/1.1" 200 1045 "http://www.xxxxxxxx.net/*******.***" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; T312461)"</pre><hr /></blockquote>The offending IP is of course, 65.31.229.170 While continuing to investigate, my own partner in my TGP side of things, reported that his TGP trade script had also been hacked. I also had him supply the offending section out of his logfile. This is below, also with the domain and script files edited out; <blockquote>code:<hr /><pre style="font-size:x-small; font-family: fixed;">65.31.229.170 - - [24/Mar/2002:19:31:05 -0600] "GET /*******.*** HTTP/1.1" 200 5230 www.xxxxxxxx.com "http://www.google.com/search?q=*******.***+trade+traffic&hl=en&start=10& sa=N" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; T312461)" 65.31.229.170 - - [24/Mar/2002:19:31:14 -0600] "GET /*******.*** HTTP/1.1" 200 5103 www.xxxxxxxx.com "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; T312461)" 65.31.229.170 - - [24/Mar/2002:19:31:29 -0600] "POST /*******.*** HTTP/1.1" 200 1167 www.xxxxxxxx.com "http://www.xxxxxxxx.com/*******.***" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; T312461)" 65.31.229.170 - - [24/Mar/2002:19:31:38 -0600] "POST /*******.*** HTTP/1.1" 200 1167 www.xxxxxxxx.com "http://www.xxxxxxxx.com/*******.***" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; T312461)" 65.31.229.170 - - [24/Mar/2002:19:32:43 -0600] "POST /*******.*** HTTP/1.1" 200 1205 www.xxxxxxxx.com "http://www.xxxxxxxx.com/*******.***" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; T312461)" 65.31.229.170 - - [24/Mar/2002:19:32:46 -0600] "GET /*******.*** HTTP/1.1" 200 5103 www.xxxxxxxx.com "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; T312461)" 65.31.229.170 - - [24/Mar/2002:19:32:52 -0600] "POST /*******.*** HTTP/1.1" 200 1167 www.xxxxxxxx.com "http://www.xxxxxxxx.com/*******.***" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; T312461)" 65.31.229.170 - - [24/Mar/2002:19:34:58 -0600] "POST /*******.*** HTTP/1.1" 200 1158 www.xxxxxxxx.com "http://www.xxxxxxxx.com/*******.***" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; T312461)" 65.31.229.170 - - [24/Mar/2002:19:35:47 -0600] "POST /*******.*** HTTP/1.1" 200 1158 www.xxxxxxxx.com "http://www.xxxxxxxx.com/*******.***" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; T312461)" 65.31.229.170 - - [24/Mar/2002:19:35:49 -0600] "POST /*******.*** HTTP/1.1" 200 1171 www.xxxxxxxx.com "http://www.xxxxxxxx.com/*******.***" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; T312461)"</pre><hr /></blockquote>As you can see, the same IP appears accessing his files. 65.31.229.170 In both cases, the scripts were modified to redirect to the following URL ultrateenporn.com At this point, "Rage" contacted me again to tell me that he had done a search on AWI for the offending URL, and it turned up the following thread. <a href="http://bbs.adultwebmasterinfo.com/ubb/ultimatebb.php?ubb=get_topic;f=1;t=012151" target="_blank">http://bbs.adultwebmasterinfo.com/ubb/ultimatebb.php?ubb=get_topic;f=1;t=012151</a> Near the bottom of the thread, Ztik posts the following message - check his email address: <blockquote>quote:<hr /> I would also like details on expected traffic + pricing if you have any spots left. will@ultrateenporn.com -------------------- ZtikDialers <hr /></blockquote>As we had already narrowed down the dialer account to being under Ztik, this started ringing some alarm bells. So we contacted Tim at AWI, and had him send us Ztik's IP address as recorded on this forum. You guessed it 65.31.229.170 As a final check, I did two whois checks. This is the info on the URL that traffic was being sent to: <blockquote>code:<hr /><pre style="font-size:x-small; font-family: fixed;"> Domain Name: ULTRATEENPORN.COM Created on..............: Sun, Nov 18, 2001 Expires on..............: Mon, Nov 18, 2002 Record last updated on..: Mon, Mar 25, 2002 Administrative Contact: Ztik Inc William Range 112 SanteFe Tr. Lincoln, NE 68621 US Phone: 1231231231 Email: will@ztik.com Technical Contact, Zone Contact: Register.Com Domain Registrar 575 8th Avenue - 11th Floor New York, NY 10018 US Phone: 902-749-2701 Fax..: 902-749-5429 Email: domain-registrar@register.com</pre><hr /></blockquote>And this is the whois on the domain ztikdialers.com <blockquote>code:<hr /><pre style="font-size:x-small; font-family: fixed;"> Domain Name: ZTIKDIALERS.COM Created on..............: Sun, Sep 23, 2001 Expires on..............: Mon, Sep 23, 2002 Record last updated on..: Sun, Mar 03, 2002 Administrative Contact: Ztik Media Ztik Media 112 SanteFe Tr. Lincoln, NE 68506 US Phone: 4024751327 Email: emps@afr0.zzn.com Technical Contact: Ztik Media Ztik Media 112 SanteFe Tr. Lincoln, NE 68506 US Phone: 4024751327 Email: emps@afr0.zzn.com</pre><hr /></blockquote>I am also awaiting replies from several other webmasters who's domains appear to have been hacked, and hopefully will be able to supply several other logfiles exposing this IP too. I'll let you all decide how you want to use and process this info. Suffice to say, his account has been deactivated, and I would suggest whoever else is supplying ztickdialers with his reseller accounts, does the same. Jason.

Brian911

03-26-2002, 06:03 AM

dont we all want back the dialer forum where the hacker kids could play, spam, flame etc. it was such a good time when we had the dialer kindergarten wasnt it? ah the good old times , but Im just dreaming again <img border="0" alt="[Sleeping]" title="" src="graemlins/sleeping.gif" /> ok now nail that guy and go to bed <img border="0" title="" alt="[Smile]" src="smile.gif" /> PS. this proves my point: not every hacker and cheater is a russian.. Im making very good money with russian resellers, just btw

Tam

03-26-2002, 07:22 AM

Well hot damn........... How long have I been saying this? LOL

Rage

03-26-2002, 11:06 AM

Yeah, I tracked this guy down and caught him <img border="0" title="" alt="[Big Grin]" src="biggrin.gif" /> Its nice to expose another cheater/hacker.. <img border="0" alt="[Finger]" title="" src="graemlins/finger.gif" />

DialerEntertainment

03-26-2002, 11:27 AM

Thx Rage for saving my site. <img border="0" title="" alt="[Smile]" src="smile.gif" />

RaiDeN

03-26-2002, 11:52 AM

contact me on wich script it is. i have an idea wich script it is, but i want to make sure so i dont give any script false blame. One of my webmasters got his admin cracked the last couple of days also, and traffic was redirected. if the scripts match that would be be BAD icq: 56186922

DialerNET

03-26-2002, 11:56 AM

Raiden, I'll let you know privately, but we want to keep the script name off this forum for now. We don't want all the wannabe hackers snooping around. All those that were hacked by this guy, please do NOT mention the script. Jason.

Thor

03-26-2002, 04:13 PM

that stupid motherfucker also hacked one of my sites 2 days ago, somebody should shoot that lowlife son of a bitch in the head.

ShadowHawk

03-26-2002, 04:53 PM

Not on your life... Don't shoot a damn thing. Smack him in the nuts a few times and then bash 'em with a baseball bat. I think this loser ought to feel the pain. <img border="0" alt="[Ouch]" title="" src="graemlins/ouch.gif" />

Foots

03-26-2002, 06:56 PM

Well you have his address...I don't see you making any moves on him...or are you? Sound like DK with the threats but no action <img border="0" title="" alt="[Wink]" src="wink.gif" />

SexySites

03-26-2002, 10:45 PM

doesnt really say much for the security of the scripts your using does it <img border="0" title="" alt="[Wink]" src="wink.gif" /> laters, Chris

toker

03-27-2002, 01:33 AM

Well you can always add a pass protected htaccess in front of you admin for added security. Its in most cases the passwords people use that makes them easy to break into not the script itself. Any idiot even a retarded moron can take a dictonary file and crack a form or htaccess protected files with simple logins. Never use a password like "apples" instead use "apples047" or "AppLEs047" mixed case it more secure with linux. <img border="0" title="" alt="[Smile]" src="smile.gif" />

ShadowHawk

03-27-2002, 01:38 AM

Could be that it wasn't the fault of the script... Could have been webmaster error. Either way, it still occurs to me that it would never have happened if 65.31.229.170 hadn't been looking for it to happen. Doesn't take a genius to know that doing that kind of thing just isn't acceptable.

Klaus...

03-28-2002, 03:45 AM

<img border="0" alt="[No No]" title="" src="graemlins/nono.gif" /> <img border="0" alt="[No No]" title="" src="graemlins/nono.gif" /> <img border="0" alt="[No No]" title="" src="graemlins/nono.gif" /> ____________________ <a href="http://www.dialerconnection.com/" target="_blank"> <img src="http://www.dialerconnection.com/img/a_banner_230x29_1.gif" alt="" /> Simply Better.</a>

SexySites

03-28-2002, 09:33 AM

<blockquote>quote:<hr />Originally posted by ShadowHawk: Could be that it wasn't the fault of the script... Could have been webmaster error. Either way, it still occurs to me that it would never have happened if 65.31.229.170 hadn't been looking for it to happen. Doesn't take a genius to know that doing that kind of thing just isn't acceptable.<hr /></blockquote>i know its not acceptable but if you dont have the according securities protecting your software/website then you can moan that much <img border="0" title="" alt="[Wink]" src="wink.gif" /> Unfortuneately in this world protecting yourself against these idiots is always a prime concern <img border="0" title="" alt="[Frown]" src="frown.gif" /> laters, Chris