I don't want to screw a russian chick today
Moderators: Aergis, Invisusira
I don't want to screw a russian chick today
Care to explain why failsafedesign.com was redirecting to http://russiangirs2.tkforum/index.php ?
-

Snake-Aes - Maintankadonor
- Posts: 15437
- Joined: Thu Nov 01, 2007 3:15 am
- Location: Thorns
Re: I don't want to screw a russian chick today
Snake-Aes wrote: Care to explain why failsafedesign.com was redirecting to http://russiangirs2.tkforum/index.php ?
Not sure, I started getting that same page. It started about the same time Facebook went down.
- Minnerva
- Posts: 1738
- Joined: Sun Jun 22, 2008 5:22 pm
Re: I don't want to screw a russian chick today
Yeah, seemed weird that the AF was blocking me all of a sudden.
Then I saw the URL, and was like "wut? MT got hacked?"
-

Mcduffie - Posts: 453
- Joined: Thu Jan 07, 2010 12:42 am
Re: I don't want to screw a russian chick today
Mcduffie wrote: Yeah, seemed weird that the AF was blocking me all of a sudden.
Then I saw the URL, and was like "wut? MT got hacked?"
Yeah. I have no idea HOW, I've been scouring logs for a while now to no avail and I really need to get back to work. :/
-

Sabindeus - Moderator
- Posts: 10321
- Joined: Mon May 14, 2007 9:24 am
Re: I don't want to screw a russian chick today
Well, I guess we know what the administrators were watching when the server got messed up. lol
- Minnerva
- Posts: 1738
- Joined: Sun Jun 22, 2008 5:22 pm
Re: I don't want to screw a russian chick today
We do? What was I watching?
-

Sabindeus - Moderator
- Posts: 10321
- Joined: Mon May 14, 2007 9:24 am
Re: I don't want to screw a russian chick today
It was weird the way it was handled too, looked like they just replaced the text "maintankadin.failsafedesign.com" with whatever the website's homepage's URL was, leaving the post ID and whatnot from maintankadin on the tail end of it.
-

Arnock - Posts: 3479
- Joined: Tue Apr 08, 2008 6:36 pm
- Location: Everywhere and nowhere
Re: I don't want to screw a russian chick today
Kinda reminded me of a similar issue another website I regularly visit had a few years ago. Their website had it for a while that about half the time you visited it you'd end up at the homepage of a tattoo parlor instead. It was an issue with the DNS in their case though, and they had to contact their hosting to get it sorted out.
That was kind of different from this though, as the URL in the address bar didn't change, just the website it ended up going to.

-

Chicken - Posts: 1597
- Joined: Fri Jun 26, 2009 2:19 pm
Re: I don't want to screw a russian chick today
Chicken wrote: That was kind of different from this though, as the URL in the address bar didn't change, just the website it ended up going to.
On the contrary, the url did change. It kept replacing www.failsafedesign.com/maintankadin and maintankadin.failsafedesign.com to russgirs2~
-

Snake-Aes - Maintankadonor
- Posts: 15437
- Joined: Thu Nov 01, 2007 3:15 am
- Location: Thorns
Re: I don't want to screw a russian chick today
Snake-Aes wrote: Chicken wrote: That was kind of different from this though, as the URL in the address bar didn't change, just the website it ended up going to.
On the contrary, the url did change. It kept replacing http://www.failsafedesign.com/maintankadin and maintankadin.failsafedesign.com to russgirs2~
I think he meant that the URL didn't change for the other website.
-

Arnock - Posts: 3479
- Joined: Tue Apr 08, 2008 6:36 pm
- Location: Everywhere and nowhere
Re: I don't want to screw a russian chick today
They managed to edit our .htaccess file and add a Rewrite rule replacing start to / with the russia thing, which is why it failed on longer paths.
Checked wtmp and the auth log and couldn't find any trespass... tried to do some grepping through the webserver access log to see if there was some sort of exploit at work, but I couldn't find anything... this server gets so much traffic that it's a big pain in the ass to try and find stuff like that if you don't know what you're looking for.
If anyone has any idea how this happened let me know... possible vectors would include joomla and phpbb
-

Sabindeus - Moderator
- Posts: 10321
- Joined: Mon May 14, 2007 9:24 am
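Added example, not part of the thread and not the site's own tooling: a Python audit for the kind of change described in the post above, a rewrite or redirect directive in `.htaccess` that points at another site. The function names, the allowlist parameter and the sample rules are assumptions made for illustration; the sample is constructed and is not the rule that was found on the server.

```python
import os
import re
from urllib.parse import urlsplit

# Directives that can send a visitor to another site.
DIRECTIVE = re.compile(
    r'^\s*(RewriteRule|RedirectMatch|RedirectPermanent|RedirectTemp|Redirect)\s+(.*)$',
    re.I)
ABSOLUTE = re.compile(r'^(?:https?:)?//', re.I)

def offsite_redirects(text, allowed_hosts):
    """Return (line_no, directive, host) for targets outside allowed_hosts."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = DIRECTIVE.match(line)      # '#' comment lines never match
        if not m:
            continue
        for token in m.group(2).split():
            token = token.strip('"\'')
            if not ABSOLUTE.match(token):
                continue               # pattern, local path or [flags]
            host = (urlsplit(token).hostname or '').lower()
            if host.startswith('%{'):  # server variable such as %{HTTP_HOST}
                continue
            if not any(host == a or host.endswith('.' + a) for a in allowed):
                findings.append((no, m.group(1), host))
    return findings

def scan_tree(docroot, allowed_hosts):
    """Audit every .htaccess below docroot; returns {path: findings}."""
    report = {}
    for dirpath, _dirs, files in os.walk(docroot):
        if '.htaccess' in files:
            path = os.path.join(dirpath, '.htaccess')
            with open(path, encoding='utf-8', errors='replace') as fh:
                hits = offsite_redirects(fh.read(), allowed_hosts)
            if hits:
                report[path] = hits
    return report

# Constructed sample, not the rule found on the server in this thread.
SAMPLE = """\
RewriteEngine On
RewriteRule ^/?$ http://offsite.example/forum/index.php [R=302,L]
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
Redirect 301 /old http://www.failsafedesign.com/maintankadin
# RewriteRule ^ http://commented-out.example/ [R]
"""
```

Running `scan_tree` over the web root with the site's own hostnames lists which `.htaccess` files carry such a rule. The modification time of a flagged file then narrows the window to search in the access log.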
Re: I don't want to screw a russian chick today
Sabindeus wrote: We do? What was I watching?
You take comments too seriously, that is why I try to stick to joking with the other administrators.
- Minnerva
- Posts: 1738
- Joined: Sun Jun 22, 2008 5:22 pm
Re: I don't want to screw a russian chick today
Sabindeus wrote: If anyone has any idea how this happened let me know... possible vectors would include joomla and phpbb
I'll create a GUI interface using visual basic
see if I can track an IP address
-

Invisusira - Moderator
- Posts: 9005
- Joined: Sat Oct 06, 2007 6:23 pm
- Location: alt-tabbed
- Fridmarr
- Global Mod
- Posts: 9411
- Joined: Sun Apr 08, 2007 1:03 am


