A recent wave of website defacements has been initiated because of a hole in DokuWiki's security. A script kiddy named “EffDee” has been defacing websites and leaving messages like the following:
Hello there, your system got hacked. Fix your system instantly, before you're putting your website back. Some useful urls for you: www.net-security.org secunia.com www.zone-h.org www.securityfocus.com Cheers, effdee
He's using an exploit in DokuWiki that allows anyone to upload files with .gif.php extensions. Here's a bug report on the issue, along with fix instructions: http://bugs.splitbrain.org/index.php?do=details&id=247
Here's the domain name and IP address of the guy who hit me:
195-50-201-121-dsl.krw.estpak.ee [195.50.201.121]
Here is the whois record for that IP (from the European network registrar RIPE):
% This is the RIPE Whois query server #2.
% The objects are in RPSL format.
%
% Note: the default output of the RIPE Whois server
% is changed. Your tools may need to be adjusted. See
% http://www.ripe.net/db/news/abuse-proposal-20050331.html
% for more details.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html
% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag

% Information related to '195.50.201.0 - 195.50.201.255'

inetnum:       195.50.201.0 - 195.50.201.255
netname:       EE-ESTPAK
descr:         DSL links
descr:         Sole 14
descr:         Tallinn
descr:         Elion Enterprises Limited
country:       EE
admin-c:       ET332-RIPE
tech-c:        ET332-RIPE
status:        ASSIGNED PA
remarks:       INFRA-AW
mnt-by:        ESTPAK-MNT
source:        RIPE

role:          ESTPAK NOC
address:       Elion Enterprises Ltd.
address:       Hostmasters and NOC helpdesk
address:       Sole str 14, Tallinn
address:       Estonia
fax-no:        +372 639 1180
remarks:       trouble: 24/7 phone +372 639 1082
remarks:       trouble: abuse@estpak.ee
remarks:       ----------------------------------------
remarks:       Abuse notifications to: abuse@estpak.ee
remarks:       Network problems to: noc@elion.ee
remarks:       Peering requests to: peering@elion.ee
remarks:       IPv6 peering requests to: ipv6@elion.ee
remarks:       ----------------------------------------
admin-c:       KK3254-RIPE
tech-c:        RIX2-RIPE
tech-c:        JT82-RIPE
tech-c:        AK546-RIPE
tech-c:        AI451-RIPE
tech-c:        EL848-RIPE
nic-hdl:       ET332-RIPE
mnt-by:        ESTPAK-MNT
source:        RIPE
abuse-mailbox: abuse@estpak.ee

% Information related to '195.50.192.0/19AS3249'

route:         195.50.192.0/19
descr:         ESTNET
origin:        AS3249
mnt-by:        ESTPAK-MNT
source:        RIPE
Given the domain estpak.ee, pulling up http://www.estpak.ee redirects to http://www.elion.ee/wwwmain (apparently an Estonian ISP). According to their English home page, Elion is the largest telecommunications and Internet provider in Estonia (surprise, surprise!). Their web site also says that they have seen over 50% growth in broadband connections in the last year - that is, explosive growth in their user base, including unpatched systems, unknowledgeable users, and other malcontents - potentially without the staff to handle it.
Here are the TCP ports that he had open:
This indicates to me that he's most likely performing the hack from a Windows box. I'm not sure if it's a zombie box or his own computer, but since the system is on a DSL line, I suspect it is a compromised box. All of the instances of him hitting me were from the same machine, but that doesn't mean he doesn't have other ones working. He's essentially running a script that spiders through sites looking for the vulnerability… it then posts the results on this site:
http://www.zone-h.com/en/defacements/filter/filter_defacer=effdee/
The file he uploaded on my server was called google1.gif.php. Try searching your logs for this if you want to find out what domain name or IP he used to hit you. I personally wouldn't mind tracking this guy; he hit quite a few of my sites in one hour.
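The log search suggested above, as an added example that is not code from the original post or from DokuWiki: it scans Apache-style access-log lines for requests to doubled-extension files like google1.gif.php and counts the client addresses that made them, and it includes an upload-side filename rule of the kind the fix needs (rejecting any extension chain that contains a script extension, not just .gif.php). The log lines, addresses and paths are constructed for the example.

```python
import re
from collections import Counter
# Added example, not code from the original post or from DokuWiki.
# Apache/NCSA combined access-log line; the group names are our own.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)
# Extensions a web server may execute, and the image extensions used to disguise them.
EXEC_EXTS = {"php", "php3", "php4", "php5", "phtml"}
IMAGE_EXTS = {"gif", "jpg", "jpeg", "png"}

def _ext_chain(name: str) -> list:
    """Lower-cased dot-separated parts of the last path component: ['google1', 'gif', 'php']."""
    return name.lower().rsplit("/", 1)[-1].split(".")

def is_disguised_script(path: str) -> bool:
    """True for google1.gif.php-style names (a script extension riding on an image one);
    plain doku.php or logo.gif is not flagged, so the scan stays quiet on normal traffic."""
    parts = _ext_chain(path)
    return len(parts) >= 3 and parts[-1] in EXEC_EXTS and any(p in IMAGE_EXTS for p in parts[1:-1])

def safe_media_name(name: str) -> bool:
    """Upload-side rule of the kind the fix needs: accept only if no part of the
    extension chain is executable (rejects x.gif.php and x.php.gif alike)."""
    parts = _ext_chain(name)
    return len(parts) >= 2 and not any(p in EXEC_EXTS for p in parts[1:])

def find_disguised_uploads(log_lines):
    """Return (client_ip, path, status) for each request touching a doubled-extension script."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        path = m.group("path").split("?", 1)[0]  # drop the query string
        if is_disguised_script(path):
            hits.append((m.group("ip"), path, int(m.group("status"))))
    return hits

def offending_ips(log_lines) -> Counter:
    """How often each client address touched such a file: the addresses to look up in whois."""
    return Counter(ip for ip, _, _ in find_disguised_uploads(log_lines))

# Constructed sample log: documentation-range addresses, made-up paths.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/May/2005:16:02:11 +0000] "GET /doku.php?id=start HTTP/1.1" 200 5123',
    '203.0.113.7 - - [05/May/2005:16:02:15 +0000] "GET /data/media/google1.gif.php HTTP/1.1" 200 61',
    '198.51.100.5 - - [05/May/2005:16:03:01 +0000] "GET /data/media/logo.gif HTTP/1.1" 200 2048',
]
```

Feed it your real access log (one line per list element) and the returned addresses are the ones to run through whois as done above.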
As of May 11, 2005, he was still at it. Google found that the following sites are currently (as of May 11, 2005) in a hacked state:
Anyone tracking these or helping to get the word out?
NMAP Output (taken at a later date, as of 5 May 2005):
Initiating FIN Scan against 195-50-201-121-dsl.krw.estpak.ee (195.50.201.121) [1663 ports] at 16:11
FIN Scan Timing: About 31.21% done; ETC: 16:12 (0:01:06 remaining)
The FIN Scan took 53.03s to scan 1663 total ports.
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Host 195-50-201-121-dsl.krw.estpak.ee (195.50.201.121) appears to be up ... good.
Interesting ports on 195-50-201-121-dsl.krw.estpak.ee (195.50.201.121):
(The 1662 ports scanned but not shown below are in state: open|filtered)
PORT    STATE  SERVICE
113/tcp closed auth
Device type: broadband router|webcam|switch|general purpose
Running: 3Com embedded, AXIS embedded, Cisco embedded, IBM MVS, Microsoft Windows 95/98/ME|NT/2K/XP
OS details: 3Com Sharkfin/Tailfin Cable Modem, Axis 200+ Web Camera running OS v1.42, Cisco Catalyst 2820 switch Management Console, IBM MVS TCP/IP stack V. 3.2 or AIX 4.3.2, Microsoft Windows 98SE + IE5.5sp1, Microsoft Windows Millennium Edition (Me), Windows 2000 Pro or Advanced Server, or Windows XP, Microsoft Windows 2000 Server SP1, Microsoft Windows 2000 Server SP4
OS Fingerprint:
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RIPCK=F%UCK=F%ULEN=134%DAT=E)
This had happened to me on my site, http://wikipes.com/, and it turned out the upload permissions on an older build of DokuWiki weren't correct. It's since been fixed; if you don't want to upgrade to the latest build, check the bug tracker and you'll find the fix in there.
Wow… what a fucking tard… I hope this guy gets busted for the shit he's been pulling… defacing a wiki is just wrong
Defacing a wiki is some kind of stupid, just write your content in it ;) Probably he was using Google to find sites running DokuWiki, therefore google1.gif.php, just a stupid guy with too much spare time
I think that if that guy didn't f*ck your data up and didn't steal something then there's nothing to worry about. The guy's “message” told you enough at the index, or what? It was just a warning to the clients of the hosting provider.