{
  "id": 8305,
  "date": "2006-07-08T16:17:00",
  "date_gmt": "2006-07-08T20:17:00",
  "guid": {"rendered": "https:\/\/nuxx.net\/blog\/2006\/07\/08\/rez-nuxx-net-hull-breech\/"},
  "modified": "2026-07-01T11:34:34",
  "modified_gmt": "2026-07-01T15:34:34",
  "slug": "rez-nuxx-net-hull-breech",
  "status": "publish",
  "type": "post",
  "link": "https:\/\/nuxx.net\/blog\/2006\/07\/08\/rez-nuxx-net-hull-breech\/",
  "title": {"rendered": "rez.nuxx.net hull breech"},
  "content": {"rendered": "<p>Well, I'm pretty certain I know how the attack was done.<\/p>\n<p>It appears to have been a phpBB exploit targeted at <tt>crisishour.com<\/tt> launched from <tt>213.219.122.11<\/tt>.<\/p>\n<p>Within the course of ~30 minutes that IP hit every single vhost I've got, and on crisishour.com it actively went and 'did things' in phpBB. Looks like via whatever hole in phpBB it deleted the contents of every vhost it could find and tossed an index.html or index.php in the root, as appropriate. I believe it also may have parsed the config files for Apache, because it seems like a pretty intelligent script. It also deleted all files and directories that <tt>www:www<\/tt> had access to in those subdirectories.<\/p>\n<p>Fortunately things in the database and Gallery data directory are intact. I just need to move all of that over to <a href=\"http:\/\/www.dreamhost.com\">Dreamhost<\/a> one site at a time. This will take a while.<\/p>\n<p>For what it's worth, that IP is <a href=\"http:\/\/www.zone-h.org\">zone-h.org<\/a>, which appears to be a shady 'security' site and the IP is owned by people in Estonia.<\/p>\n<p>So, lessons learned?<\/p>\n<p>1) Separate privileges based on site.<br \/>\n2) Don't host domains for people who won't keep their shit reasonably up to date and won't stay in touch with me.<br \/>\n3) Don't run phpBB until it's been secure for a while.<\/p>\n<p><!--more Click for log info...--><br \/>\nroot@rez:\/var\/data\/wwwlogs# grep -Rne \"213.219.122.11\" *<br \/>\n5thelement.com\/2006\/07\/2006-07-08-access.log:106:213.219.122.11 - - [08\/Jul\/2006:07:53:01 -0400] \"GET \/ HTTP\/1.0\" 200 1842 \"-\" \"Wget\/1.9.1\"<br \/>\nabrazos.net\/2006\/07\/2006-07-08-access.log:92:213.219.122.11 - - [08\/Jul\/2006:07:57:43 -0400] \"GET \/ HTTP\/1.0\" 200 1842 \"-\" \"Wget\/1.9.1\"<br \/>\natomicsatchel.com\/2006\/07\/2006-07-08-access.log:22:213.219.122.11 - - [08\/Jul\/2006:07:53:01 -0400] \"GET \/ HTTP\/1.0\" 200 1842 \"-\" \"Wget\/1.9.1\"<br \/>\nbaycitybootymafia.com\/2006\/07\/2006-07-08-access.log:590:213.219.122.11 - - [08\/Jul\/2006:07:53:01 -0400] \"GET \/ HTTP\/1.0\" 200 1842 \"-\" \"Wget\/1.9.1\"<br \/>\nbriansphotos.nuxx.net\/2006\/07\/2006-07-08-access.log:56:213.219.122.11 - - [08\/Jul\/2006:07:53:01 -0400] \"GET \/ HTTP\/1.0\" 200 1842 \"-\" \"Wget\/1.9.1\"<br \/>\nbunjamin.net\/2006\/07\/2006-07-08-access.log:123:213.219.122.11 - - [08\/Jul\/2006:07:53:01 -0400] \"GET \/ HTTP\/1.0\" 200 1842 \"-\" \"Wget\/1.9.1\"<br \/>\ncrisishour.com\/2006\/05\/2006-05-16-access.log:384:213.219.122.11 - - [16\/May\/2006:07:09:31 -0400] \"GET \/forum HTTP\/1.0\" 301 240 \"-\" \"Wget\/1.9.1\"<br \/>\ncrisishour.com\/2006\/05\/2006-05-16-access.log:386:213.219.122.11 - - [16\/May\/2006:07:09:31 -0400] \"GET \/forum\/ HTTP\/1.0\" 200 37323 \"-\" \"Wget\/1.9.1\"<br \/>\ncrisishour.com\/2006\/05\/2006-05-16-access.log:387:213.219.122.11 - - [16\/May\/2006:07:09:34 -0400] \"GET \/robots.txt HTTP\/1.0\" 404 208 \"-\" \"Wget\/1.9.1\"<br \/>\ncrisishour.com\/2006\/05\/2006-05-16-access.log:388:213.219.122.11 - - [16\/May\/2006:07:09:34 -0400] \"GET \/forum\/templates\/AdInfinitum\/images\/folder_big.gif HTTP\/1.0\" 200 73 \"http:\/\/www.crisishour.com\/forum\/\" \"Wget\/1.9.1\"<br \/>\ncrisishour.com\/2006\/05\/2006-05-16-access.log:389:213.219.122.11 - - [16\/May\/2006:07:09:34 -0400] \"GET \/forum\/templates\/AdInfinitum\/images\/icon_latest_reply.gif HTTP\/1.0\" 200 169 \"http:\/\/www.crisishour.com\/forum\/\" \"Wget\/1.9.1\"<br \/>\ncrisishour.com\/2006\/05\/2006-05-16-access.log:390:213.219.122.11 - - [16\/May\/2006:07:09:35 -0400] \"GET \/forum\/templates\/AdInfinitum\/images\/whosonline.gif HTTP\/1.0\" 200 205 \"http:\/\/www.crisishour.com\/forum\/\" \"Wget\/1.9.1\"<br \/>\ncrisishour.com\/2006\/05\/2006-05-16-access.log:391:213.219.122.11 - - [16\/May\/2006:07:09:35 -0400] \"GET \/forum\/templates\/AdInfinitum\/images\/folder_new_big.gif HTTP\/1.0\" 200 414 \"http:\/\/www.crisishour.com\/forum\/\" \"Wget\/1.9.1\"<br \/>\ncrisishour.com\/2006\/05\/2006-05-16-access.log:392:213.219.122.11 - - [16\/May\/2006:07:09:36 -0400] \"GET \/forum\/templates\/AdInfinitum\/images\/folder_locked_big.gif HTTP\/1.0\" 200 133 \"http:\/\/www.crisishour.com\/forum\/\" \"Wget\/1.9.1\"<br \/>\ncrisishour.com\/2006\/05\/2006-05-16-errors.log:145:[Tue May 16 07:09:34 2006] [error] [client 213.219.122.11] File does not exist: \/var\/data\/www\/crisishour.com\/robots.txt<br \/>\ndansphotos.nuxx.net\/2006\/07\/2006-07-08-access.log:3:213.219.122.11 - - [08\/Jul\/2006:07:53:12 -0400] \"GET \/ HTTP\/1.0\" 200 1842 \"-\" \"Wget\/1.9.1\"<br \/>\ndefault\/2006\/05\/2006-05-16-access.log:50:213.219.122.11 - - [16\/May\/2006:07:09:38 -0400] \"HEAD \/ HTTP\/1.0\" 200 - \"-\" \"Sprint (safemode.org)\"<br \/>\ndefault\/2006\/07\/2006-07-08-access.log:9:213.219.122.11 - - [08\/Jul\/2006:07:53:01 -0400] \"HEAD \/ HTTP\/1.0\" 200 - \"-\" \"Sprint (safemode.org)\"<br \/>\ndefault\/2006\/07\/2006-07-08-access.log:10:213.219.122.11 - - [08\/Jul\/2006:07:53:02 -0400] \"HEAD \/ HTTP\/1.0\" 200 - \"-\" \"Sprint (safemode.org)\"<br \/>\ndefault\/2006\/07\/2006-07-08-access.log:11:213.219.122.11 - - [08\/Jul\/2006:07:53:02 -0400] \"HEAD \/ HTTP\/1.0\" 200 - \"-\" \"Sprint (safemode.org)\"<br \/>\ndefault\/2006\/07\/2006-07-08-access.log:12:213.219.122.11 - - [08\/Jul\/2006:07:53:02 -0400] \"HEAD \/ HTTP\/1.0\" 200 - \"-\" \"Sprint (safemode.org)\"<br \/>\ndefault\/2006\/07\/2006-07-08-access.log:13:213.219.122.11 - - [08\/Jul\/2006:07:53:02 -0400] \"HEAD \/ HTTP\/1.0\" 200 - \"-\" \"Sprint (safemode.org)\"<br \/>\ndefault\/2006\/07\/2006-07-08-access.log:14:213.219.122.11 - - [08\/Jul\/2006:07:53:12 -0400] \"HEAD \/ HTTP\/1.0\" 200 - \"-\" \"Sprint (safemode.org)\"<br \/>\ndefault\/2006\/07\/2006-07-08-access.log:15:213.219.122.11 - - [08\/Jul\/2006:07:53:12 -0400] \"HEAD \/ HTTP\/1.0\" 200 - \"-\" \"Sprint (safemode.org)\"<br \/>\ndefault\/2006\/07\/2006-07-08-access.log:16:213.219.122.11 - - [08\/Jul\/2006:07:53:13 -0400] \"HEAD \/ HTTP\/1.0\" 200 - \"-\" \"Sprint (safemode.org)\"<br \/>\ndefault\/2006\/07\/2006-07-08-access.log:17:213.219.122.11 - - [08\/Jul\/2006:07:57:44 -0400] \"HEAD \/ HTTP\/1.0\" 200 - \"-\" \"Sprint (safemode.org)\"<br \/>\ndefault\/2006\/07\/2006-07-08-access.log:18:213.219.122.11 - - [08\/Jul\/2006:07:57:55 -0400] \"HEAD \/ HTTP\/1.0\" 200 - \"-\" \"Sprint (safemode.org)\"<br \/>\ndefault\/2006\/07\/2006-07-08-access.log:19:213.219.122.11 - - [08\/Jul\/2006:08:09:34 -0400] \"HEAD \/ HTTP\/1.0\" 200 - \"-\" \"Sprint (safemode.org)\"<br \/>\ndefault\/2006\/07\/2006-07-08-access.log:20:213.219.122.11 - - [08\/Jul\/2006:08:13:08 -0400] \"HEAD \/ HTTP\/1.0\" 200 - \"-\" \"Sprint (safemode.org)\"<br \/>\ndefault\/2006\/07\/2006-07-08-access.log:21:213.219.122.11 - - [08\/Jul\/2006:08:13:08 -0400] \"HEAD \/ HTTP\/1.0\" 200 - \"-\" \"Sprint (safemode.org)\"<br \/>\ndefault\/2006\/07\/2006-07-08-access.log:22:213.219.122.11 - - [08\/Jul\/2006:08:13:08 -0400] \"HEAD \/ HTTP\/1.0\" 200 - \"-\" \"Sprint (safemode.org)\"<br \/>\ndefault\/2006\/07\/2006-07-08-access.log:23:213.219.122.11 - - [08\/Jul\/2006:08:13:09 -0400] \"HEAD \/ HTTP\/1.0\" 200 - \"-\" \"Sprint (safemode.org)\"<br \/>\ndefault\/2006\/07\/2006-07-08-access.log:24:213.219.122.11 - - [08\/Jul\/2006:08:13:16 -0400] \"HEAD \/ HTTP\/1.0\" 200 - \"-\" \"Sprint (safemode.org)\"<br \/>\ndefault\/2006\/07\/2006-07-08-access.log:25:213.219.122.11 - - [08\/Jul\/2006:08:13:19 -0400] \"HEAD \/ HTTP\/1.0\" 200 - \"-\" \"Sprint (safemode.org)\"<br \/>\ndefault\/2006\/07\/2006-07-08-access.log:26:213.219.122.11 - - [08\/Jul\/2006:08:13:19 -0400] \"HEAD \/ HTTP\/1.0\" 200 - \"-\" \"Sprint (safemode.org)\"<br \/>\ndefault\/2006\/07\/2006-07-08-access.log:27:213.219.122.11 - - [08\/Jul\/2006:08:13:19 -0400] \"HEAD \/ HTTP\/1.0\" 200 - \"-\" \"Sprint (safemode.org)\"<br \/>\ndefault\/2006\/07\/2006-07-08-access.log:28:213.219.122.11 - - [08\/Jul\/2006:08:13:21 -0400] \"HEAD \/ HTTP\/1.0\" 200 - \"-\" \"Sprint (safemode.org)\"<br \/>\ndefault\/2006\/07\/2006-07-08-access.log:29:213.219.122.11 - - [08\/Jul\/2006:08:15:57 -0400] \"HEAD \/ HTTP\/1.0\" 200 - \"-\" \"Sprint (safemode.org)\"<br \/>\ndefault\/2006\/07\/2006-07-08-access.log:30:213.219.122.11 - - [08\/Jul\/2006:08:21:07 -0400] \"HEAD \/ HTTP\/1.0\" 200 - \"-\" \"Sprint (safemode.org)\"<br \/>\ndianeanddon.us\/2006\/07\/2006-07-08-access.log:10:213.219.122.11 - - [08\/Jul\/2006:07:57:54 -0400] \"GET \/ HTTP\/1.0\" 200 1842 \"-\" \"Wget\/1.9.1\"<br \/>\ndingleberrypie.com\/2006\/07\/2006-07-08-access.log:158:213.219.122.11 - - [08\/Jul\/2006:07:53:12 -0400] \"GET \/ HTTP\/1.0\" 200 1842 \"-\" \"Wget\/1.9.1\"<br \/>\nfuturearchive.net\/2006\/07\/2006-07-08-access.log:18:213.219.122.11 - - [08\/Jul\/2006:07:53:11 -0400] \"GET \/ HTTP\/1.0\" 200 1842 \"-\" \"Wget\/1.9.1\"<br \/>\nmidlandmassage.com\/2006\/07\/2006-07-08-access.log:6:213.219.122.11 - - [08\/Jul\/2006:08:13:08 -0400] \"GET \/ HTTP\/1.0\" 200 2267 \"-\" \"Wget\/1.9.1\"<br \/>\nnuxx.net\/2006\/07\/2006-07-08-access.log:5445:213.219.122.11 - - [08\/Jul\/2006:08:09:33 -0400] \"GET \/ HTTP\/1.0\" 200 1842 \"-\" \"Wget\/1.9.1\"<br \/>\nnythia.com\/2006\/07\/2006-07-08-access.log:10:213.219.122.11 - - [08\/Jul\/2006:08:13:08 -0400] \"GET \/ HTTP\/1.0\" 200 1842 \"-\" \"Wget\/1.9.1\"<br \/>\npics.joythemonster.com\/2006\/07\/2006-07-08-access.log:240:213.219.122.11 - - [08\/Jul\/2006:08:13:19 -0400] \"GET \/ HTTP\/1.0\" 200 1842 \"-\" \"Wget\/1.9.1\"<br \/>\npink-envy.com\/2006\/07\/2006-07-08-access.log:2548:213.219.122.11 - - [08\/Jul\/2006:08:13:19 -0400] \"GET \/ HTTP\/1.0\" 200 1842 \"-\" \"Wget\/1.9.1\"<br \/>\nrealdolltimeshare.com\/2006\/07\/2006-07-08-access.log:11:213.219.122.11 - - [08\/Jul\/2006:08:13:18 -0400] \"GET \/ HTTP\/1.0\" 200 1842 \"-\" \"Wget\/1.9.1\"<br \/>\nrewiredbg.com\/2006\/07\/2006-07-08-access.log:292:213.219.122.11 - - [08\/Jul\/2006:08:13:19 -0400] \"GET \/ HTTP\/1.0\" 200 1842 \"-\" \"Wget\/1.9.1\"<br \/>\nsayyestolibraries.org\/2006\/07\/2006-07-08-access.log:7:213.219.122.11 - - [08\/Jul\/2006:08:13:15 -0400] \"GET \/ HTTP\/1.0\" 200 1842 \"-\" \"Wget\/1.9.1\"<br \/>\nsithspawn.net\/2006\/07\/2006-07-08-access.log:74:213.219.122.11 - - [08\/Jul\/2006:08:21:06 -0400] \"GET \/ HTTP\/1.0\" 200 1842 \"-\" \"Wget\/1.9.1\"<br \/>\nthefest.org\/2006\/07\/2006-07-08-access.log:6:213.219.122.11 - - [08\/Jul\/2006:08:13:08 -0400] \"GET \/ HTTP\/1.0\" 200 1842 \"-\" \"Wget\/1.9.1\"<br \/>\ntrasenstine.com\/2006\/07\/2006-07-08-access.log:263:213.219.122.11 - - [08\/Jul\/2006:08:15:56 -0400] \"GET \/ HTTP\/1.0\" 200 1842 \"-\" \"Wget\/1.9.1\"<br \/>\ntydeus.nuxx.net\/2006\/07\/2006-07-08-access.log:26:213.219.122.11 - - [08\/Jul\/2006:08:13:08 -0400] \"GET \/ HTTP\/1.0\" 200 1842 \"-\" \"Wget\/1.9.1\"<\/p>\n", "protected": false},
  "excerpt": {"rendered": "<p>Well, I'm pretty certain I know how the attack was done. It appears to have been a phpBB exploit targeted at crisishour.com launched from 213.219.122.11. Within the course of ~30 minutes that IP hit every single vhost I've got, and on crisishour.com it actively went and 'did things' in phpBB. Looks like via whatever hole\u2026<\/p>\n", "protected": false},
  "author": 2,
  "featured_media": 0,
  "comment_status": "open",
  "ping_status": "open",
  "sticky": false,
  "template": "",
  "format": "standard",
  "meta": {"footnotes": ""},
  "categories": [13, 34, 4],
  "tags": [],
  "class_list": ["post-8305", "post", "type-post", "status-publish", "format-standard", "hentry", "category-computers", "category-moved-from-livejournal", "category-nuxxnet"],
  "_links": {
    "self": [{"href": "https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/posts\/8305", "targetHints": {"allow": ["GET"]}}],
    "collection": [{"href": "https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/posts"}],
    "about": [{"href": "https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/types\/post"}],
    "author": [{"embeddable": true, "href": "https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/users\/2"}],
    "replies": [{"embeddable": true, "href": "https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/comments?post=8305"}],
    "version-history": [{"count": 1, "href": "https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/posts\/8305\/revisions"}],
    "predecessor-version": [{"id": 13324, "href": "https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/posts\/8305\/revisions\/13324"}],
    "wp:attachment": [{"href": "https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/media?parent=8305"}],
    "wp:term": [{"taxonomy": "category", "embeddable": true, "href": "https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/categories?post=8305"}, {"taxonomy": "post_tag", "embeddable": true, "href": "https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/tags?post=8305"}],
    "curies": [{"name": "wp", "href": "https:\/\/api.w.org\/{rel}", "templated": true}]
  }
}