From: zhortrox (zhortrox@gmail.com)
To: jericho@forced.attrition.org
Date: Tue, 13 Jan 2009 18:58:30 +0100
Subject: Defaced?


Hi Jericho,

I'm not too sure what happened, but I found the text 7744 at the start of my
index.php on my toyserver. I googled deface 7744 and apart from it being an
awesome result of maths I also ran into attrition defacements, but I
doubt such a tiny box could be any target for respectable hax0rs like you
guys unless you're just bored and stumbled across it. It's a slackware
machine, near to basic install, not redhat(e)... I'm a real newbie kid
though so if it actually were any of you I hope you could give me some
pointers or hints so I can solve this.

If you have no idea what I'm talking about then I apologize for this dumb
email and it could all be a coincident, I just doubt I typo'd 7744 into the
start of my index.php. The url is

http://saikosoft.ath.cx

-Cesco




From: security curmudgeon (jericho@attrition.org)
To: zhortrox (zhortrox@gmail.com)
Date: Wed, 14 Jan 2009 00:04:17 +0000 (UTC)
Subject: Re: Defaced?


Hello,

: I'm not too sure what happened, but I found the text 7744 at the start
: of my index.php on my toyserver. I googled deface 7744 and apart from it
: being an awesome result of maths I also ran into attrition defacements,
: but I doubt such a tiny box could be any target for respectable hax0rs
: like you guys unless you're just bored and stumbled across it. It's a

Are you saying that you read our mirror, and made some wild assumption
that *we* defaced those pages? Do you realize how absurd that is in every
way imagineable?

: slackware machine, near to basic install, not redhat(e)... I'm a real
: newbie kid though so if it actually were any of you I hope you could
: give me some pointers or hints so I can solve this.

Not with the sparse details you gave. The fact you run PHP is a good
first step, as you are likely running a vulnerable PHP application.

: If you have no idea what I'm talking about then I apologize for this
: dumb email and it could all be a coincident, I just doubt I typo'd 7744
: into the start of my index.php. The url is

I have an idea and it's still a dumb email actually. Suggesting that we
defaced thousands of web servers and then likely did it to yours is
fucking ridiculous.

Given your install is on Slackware, adding "7744" into the page on
accident isn't really that far out of the picture, considering it is also
valid argument to 'chmod'.

Jericho




From: zhortrox (zhortrox@gmail.com)
To: security curmudgeon (jericho@attrition.org)
Date: Wed, 14 Jan 2009 02:21:26 +0100
Subject: Re: Defaced?


Alright, sorry for the ignorant assumption. I realized it was a dumb mail
when I sent it and read the site better. I'm not sure what got into my
head, a lot of shit anyway, sorry. Thanks for the pointers and its most
likely chmod indeed. I'll open a book next time before I start spamming the
internet. Sorry again, thanks and all the best

Cesco



main page ATTRITION feedback