Solved Community Alert - Backdoored Script

Hydra

Member
Sep 13, 2015
Hello Guys,
I would like to warn all users who downloaded and ran one of these scripts:
https://r4p3.net/threads/script-packetlossguard-ddosguard-v1.1430
https://r4p3.net/threads/script-timerankmod.1503/
The user backdoored the script and uploaded your "config.php" to his FTP server.
Proof:
92INPkq.png

Check the file "\libraries\TeamSpeak3\Node\Abstract.php" for these lines. It opens an FTP connection to his server and uploads your server query login information, which is placed in the "config.php". He "only" got access to your server query, nothing else. If you see a connection from a Portuguese IP address (46.50.34.*), he already logged into your server query.

Steps you should do now:
1.) Change your Server Query Password.
2.) Limit the access to Server Query (if not done already!).


I already wrote an abuse report to his home connection and server hoster (myvirtualserver.de).

Greetings Hydra
 
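The two checks described in the post above, as an added Python example that is not part of the original post or of either script: it looks for FTP use in the PHP library tree and for log lines mentioning the 46.50.34.* range. The FTP pattern, the log line format, the sample files and all function names are assumptions of this example.

```python
import ipaddress
import re
import tempfile
from pathlib import Path

# PHP FTP client calls and ftp:// URLs: assumed indicators, since the backdoor's
# exact lines appear only in the screenshot. A query library needs neither.
FTP_USE = re.compile(
    r"\bftp_(?:ssl_connect|connect|login|put|fput|nb_put|nb_fput)\s*\(|\bftps?://", re.I)
SUSPECT_NET = ipaddress.ip_network("46.50.34.0/24")  # the 46.50.34.* range from the post
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

def scan_php_tree(root):
    """Return (relative path, line number, stripped line) for each FTP use in *.php files."""
    hits = []
    for path in sorted(Path(root).rglob("*.php")):
        text = path.read_text(encoding="utf-8", errors="replace")
        for number, line in enumerate(text.splitlines(), 1):
            if FTP_USE.search(line):
                hits.append((path.relative_to(root).as_posix(), number, line.strip()))
    return hits

def in_net(token, net):
    """True if token parses as an IP address inside net (999.1.1.1 does not parse)."""
    try:
        return ipaddress.ip_address(token) in net
    except ValueError:
        return False

def suspect_log_lines(lines, net=SUSPECT_NET):
    """Return the log lines that mention any IPv4 address inside net."""
    return [line for line in lines if any(in_net(t, net) for t in IPV4.findall(line))]

def demo():
    """Run both checks on constructed sample data (not taken from the thread)."""
    with tempfile.TemporaryDirectory() as root:
        node = Path(root, "libraries", "TeamSpeak3", "Node")
        node.mkdir(parents=True)
        (node / "Server.php").write_text("<?php\nclass Server {}\n")
        (node / "Abstract.php").write_text(
            "<?php\n$c = ftp_connect('ftp.example.invalid');\n"
            "ftp_login($c, 'user', 'pass');\nftp_put($c, 'c.php', 'config.php', FTP_ASCII);\n")
        hits = scan_php_tree(root)
    log = ["05:10:02 query login from 192.0.2.10:51000",   # constructed log format
           "05:12:44 query login from 46.50.34.17:40211",  # constructed address in range
           "05:13:00 query login from 146.50.34.17:40212"]
    return hits, suspect_log_lines(log)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Point `scan_php_tree` at the directory where the script was installed and pass `suspect_log_lines` the lines of your own server log.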

0x0539

Retired Staff
Contributor
Jan 30, 2016
Might this explain why my whole server was fucked and had to restart all over today?

Short note on what happened: server bots (music bots etc.) crashed at 5:37 AM, and the server crashed a couple of hours after.
When restarted, I lost completely everything: no channels, permissions, nothing. My logs were also over 3.00 GB when I tried backing the server up before.
 

Hydra

Member
Sep 13, 2015
Might this explain why my whole server was fucked and had to restart all over today?
Check the logins and search for a Portuguese IP. This guy doesn't know how to use a VPN, so he used his home connection.
 

0vert1m3

Active Member
Oct 4, 2015
LOL what a lil fucker. I thought we were normal / good people here and not such a backdoor snitch ;C
 
Dec 5, 2015
100% true ;) So... I mean if we delete abstract.php it's a 100% working script ;) maybe send some rockets to 185.101.93.211 ;>

Edit:
Anyway... he changed the password of the FTP acc, so it's safe now :D
 