WindPower hacked

Just an FYI.

I hope to have it fixed tonight.

Thanks -

Matt

The Other Matt

We are back up and running.

The Other Matt

Nice job - too bad we have a$$holes who need to be destructive to try to inflate their ego with their peers.

Think of all the great stuff they could do if they just put their efforts in the right direction.

looks not ok to me

-Wis

_/ if it isn’t broken, don’t fix it! _

Ah… Houston? I’m afraid we still have a problem.

Muzza

With hope he left his IP somewhere… then trace him…

http://www.schwarzl.com/

Hmm… not much there… but I guess as an admin you could see who logged in and when.

"<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>This site is defaced!!!</TITLE>
</HEAD><BODY bgcolor="#000000" text="#FF0000">
<H1>This site is defaced!!!</H1>
<HR>
<ADDRESS><b>NeverEverNoSanity WebWorm generation 14.</b></ADDRESS>
</BODY></HTML>"

-Wis

_/ if it isn’t broken, don’t fix it! _

Yup - got Matt again. Thanks Wis - this one must know the exact web configuration - I doubt it is a virus infection.

Matt - if you need some help, let me know - we have a forensic specialist at work who gets to grapple with the demons - as well as the pervert’s hard drives, along with about a dozen or so I.T. PC support people. Will be happy to put you in contact with them if this gets out of hand.

Just let me know if I can help in any way.

No way it's a virus… a bit hard to believe! Just a 12 yo pimple hacker… as most of them are… not from me, some very clever ppl did some research.

anyway, bad, bad bad

-Wis

_/ if it isn’t broken, don’t fix it! _

It's kind of embarrassing when they have to attack radio controlled sailing sites… (feel free to post any new info/updates here)

I feel for ya
Chad

P.S.
here is some info I found searching on it:

quote: It means that you have been p0wned. Someone has gained root access
to your box and obviously defaced your website. Since they had root
access, there is no telling what other damage they may have done.
You will need to wipe the machine clean and start with a fresh install.
-Roberto Sanchez

quote:
Chris Moates Dec 20, 8:55 pm
Newsgroups: rec.games.pinball
From: Chris Moates <s...@mox.net>
Date: Mon, 20 Dec 2004 23:55:22 -0500
Local: Mon, Dec 20 2004 8:55 pm
Subject: Re: Balls of Steel Web Site Infected???

Since there seems to be a lot of speculation running around regarding
this hack:

It is indeed a webworm, targeting the most recent vulnerabilities
announced this past Friday in PHP. While I do automatic nightly updates
of certain key components of my systems, this update was not yet
released from my publisher. I misread their announcement, and so it is
entirely my fault. If I had noticed they didn’t intend to patch within
24 hours, I’d have hand-patched.

The primary purpose of this worm is to set up some sort of spam-gizmo. I
have not yet completed analysis of the code, but it is Brazilian in
origin and at initial glance seems to be trying to test email addresses
for validity, keeping a list of good and bad email addresses. It then
reported them back through IRC to someone who I assume is collecting the
data in their master database to spam away using other (or possibly the
same) drones. Though it would seem the folks who run Windows on their
desktops are the most prone to the spam-sleepers. I guess that will
teach them to trust Ol’ Bill. :wink:

Back on topic, I’ve cleaned up the system in question that hosted
ballsofsteel.net. The scans are indeed intact. Any file ending in .php
or .html that the webserver had access to write to was overwritten with
the now-famous message discussed above.

I have not yet had time to look for a backup of my code that ran the
ballsofsteel.net site, however, I was already in the process of
contemplating a complete rewrite anyhow. As such, I will probably begin
that shortly. As a workaround, sometime in the near future I will make
the scans available via anonymous FTP.

So, short story, blame the Brazilian spammers. :confused:

Chris Moates
http://www.ballsofsteel.net

(as I assume you probably have) I would make sure that you are updated to the newest version of php due to the flaws just recently discovered.
http://www.php.net
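The quoted post describes the worm's footprint: every .php or .html file the web server could write to was overwritten with the "This site is defaced!!!" page. The following triage script is an added example, not code from the thread or from phpBB; it walks a web root, lists the overwritten files using the markers from the defaced page quoted above, and reports whether each one is writable by the scanning user (run it as the web-server account to see what the worm could reach). The sample tree it builds is constructed here.

```python
"""Triage helper for a Santy-style defacement: find every .php/.html file under a
web root that was overwritten with the worm's page, and flag which of those files
the current user (assumed: the web-server account) can write to."""
import os
import tempfile

# Fingerprints taken from the defaced page quoted in the thread.
DEFACEMENT_MARKERS = (b"This site is defaced!!!", b"NeverEverNoSanity WebWorm")
TARGET_SUFFIXES = (".php", ".html")

def is_defaced(path):
    """True if the file carries the worm's stock HTML (checked on the first 4 KiB)."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(4096)
    except OSError:
        return False
    return any(marker in head for marker in DEFACEMENT_MARKERS)

def find_defaced(webroot):
    """Return sorted (relative_path, writable) pairs for each overwritten .php/.html."""
    hits = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if not name.lower().endswith(TARGET_SUFFIXES):
                continue  # the worm only rewrote these extensions
            full = os.path.join(dirpath, name)
            if is_defaced(full):
                hits.append((os.path.relpath(full, webroot), os.access(full, os.W_OK)))
    return sorted(hits)

def build_sample_webroot():
    """Constructed sample tree: two overwritten files, one intact, one non-target."""
    root = tempfile.mkdtemp(prefix="santy_triage_")
    os.makedirs(os.path.join(root, "forum"))
    defaced = (b'<HTML><HEAD><TITLE>This site is defaced!!!</TITLE></HEAD><BODY>'
               b'<ADDRESS><b>NeverEverNoSanity WebWorm generation 14.</b></ADDRESS>'
               b'</BODY></HTML>')
    samples = {
        "index.php": defaced,
        "forum/faq.php": defaced,
        "forum/config.php": b"<?php $dbhost = 'localhost'; ?>",  # untouched file
        "logo.gif": defaced,  # wrong extension: must be ignored by the scan
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for rel, writable in find_defaced(build_sample_webroot()):
        print(f"{rel}: overwritten (writable by this user: {writable})")
```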

So it is a virus…
Does that mean that the members of Windpower will get even more spam?
The other question then is… is there a backup?

Hacking an RC sailing forum… what a shame! I would understand someone hacking SA, especially the Politics one (no comment)…

Anyway, Matt, I (we?) are all with you…do not hesitate to ask for help…

Good luck

-Wis

_/ if it isn’t broken, don’t fix it! _

Argh.

Restore in progress. Thanks for the link to the info, guys. This had to happen during a period where I had little access to the net (which is rare).

The Other Matt

An update:

WindPower remains down while fixes to the site are being applied. This attack is happening worldwide and is an exploit of pre-2.0.11 versions of phpBB.

WindPower should return at some point today, but will have at least temporary loss of the “attachment” feature.

Thanks for listening, and thanks to Chad for allowing me to post these updates here!

(If anyone is in contact with the IOM guys - please relay this version info to them (Lester, and the US guys) - they are running phpBB as well).

The Other Matt

I did just send a note out to Lester Gilbert and Rob Davis. I know that the IOMICA forum is running version 2.0.6

The Other Matt

Good luck Matt
I hope your fixes come quick. Not too good with computers, but if you need anything just ask
cougar
Long live the Cup and Chris Dickson

http://news.com.com/Net+worm+using+Google+to+spread/2100-7349_3-5499725.html?tag=nefd.pop

-Wis

_/ if it isn’t broken, don’t fix it! _

The info Wis posted is what hit us. WindPower is running PHP 4.3.10, and is now running phpBB 2.0.11, so THIS issue should go away. We've been running for 2 days now, and the attacks hit every 20 minutes and fail (now).

Thanks for the help and kind words, guys!

The Other Matt