2007-08-12

Code Red Alert

A little story that happened to me as a hobbyist webmaster of www.ipttc.org

In previous months, I have seen our network bandwidth consumption increasing, 2 months ago I found that there was a lot of traffic coming from servers in Vietnam where our sport is not very developed but at this was at the end of the month I did not pay too much attention.

On June, 13th, I noted a major traffic increase, I looked at the most downloaded pages and was surprised to find audio files (.wma) while we don't distribute music of course.

Then, I found that there were about 1500 such files in one directory which was the upload directory of forum for attachments. So, everything indicated that a hacker did exploit a vulnerability in the file upload module of the forum.
I decided to remove the files but it was not possible, so I renamed the directory and I logged a support ticket to get administrators to do the job.
I un-installed the file upload module and updated the forum software to most recent version.

I sent a mail to my committee qnnouncing that our web site would probably get unavailable because our network bandwidth for the month could be exceeded within next hours or days and that the downtime could last until end of the month.

Next morning, I got a mail from support saying that they deleted the files.

Unfortunately, our bandwidth got exceeded during the night and so our site was down.

I decided to look carefully at the web server log files and I found that all requests for music files came from one site www.muzic9.com. In fact, this site proposes "free" music, you choose an album and then click on a song, it then redirects transparently to an external site. So it means that when clicking on some songs you actually downloaded them from www.ipttc.org! I sent an email to the webmaster asking him to delete all links pointing to our site get and that he no longer accepts such links.

I did a "whois" query to find the site owner:


TUAN
TUAN TUAN (tuan.maxviet@gmail.com)
1.8633630
Fax: 1.8633630
Some where in VN
address
HCM, HCM 70000
VN


So the owner was from Vietnam, same country that consumed our bandwidth last month.
I did send same email to this address. No need to say, I never got any reply.

I put some additional protections in place and now monitor more seriously my bandwidth consumption report and web log files.

Publié par à
Libellés :

Aucun commentaire:

Enregistrer un commentaire

Inscription à : Publier les commentaires (Atom)