Another side down by Boxhead

[Crucify]

me? i was not hacked

and i told that to let the ppl know how he gets access to all those sites... but what cyberhack said is also true...

these were the two videos i think...
http://clairvoyantcss.info/mywrzhost...nfo_owned.html
http://clairvoyantcss.info/wazowned/Waz-Host-Owned.html

[limewire]

What BoxHead is doing is good but bad its teaching fools who use the same pass over and over again a lesson lol

[frontlinegamerz]

boxhead fails if the server and passwords are secure, i have the proof and its not using other people's passwords from databases, as he hacked my server and i wasn't a member on any site but mine. You people need to look at logs, phpmyadmin, mysql etc..

[Chutad]

lol yeah..

crucify bro.. i dint meant to u.. eg..!!

[CyberHacK]

yea FLG. Also many people don't know what to do when he's got in. As people make the same mistakes.

So to kick him out of your server.

1.Change all FTP, cPanel passes (doesn't normally get those but still)
2.Backup your MySQL Database then make a new user use a diff pass and make a new database using a different name and import your database to that.
3.Change your file settings to it goes to your new database.
4.(For Forums) Check the last line of all vbulletin files. If it starts like this <? after a ?> (meaning his inserted another code) it's a webshell. Reup all vbulletin files.

For more info on step 4. See what he added to TiendaDDL: http://clairvoyantcss.info/wazowned/Waz-Host-Owned.html
It's a webshell.

5.Don't reuse your pass.
6.If your index says Hacked By Boxhead even after you reupped your files. Go to http://ur-website.com/admincp and login, navigate to any templates it says u recently edited when u didn't, revert them back as he removes all the original code and put's hacked by boxhead.
7.Tell all Admins to change their passes.
8.Change email passes aswell as he sometimes get's into them if they're the same pass as your forum admin account pass (see step 5)
9.use cPanel's "Password protect directories" to password protect your admincp, just for added security.(Do Not Put The Login The Same As your or any admins Forum Account username/pass, Do NOT Even Put The Username The Same)
10. Another Good Tip Is To Use .htaccess To Only Allow Certain Ip's To Access your admincp. e.g All The Admins. Same With ModCP so nobody can hack a mod's account and prune all posts.

Then he should be out of your server

[Chutad]

did that.. thanks to warezdemon for that..

also <? sometimes gets on the users profile too..

[frontlinegamerz]

also turn off php showing itself in php.ini if you can this will help out also, get your server secured by somebody also.

Taken from my apache access logs:

Code: 

67.212.80.148 - - [25/Dec/2009:23:47:48 +0100] "GET //myadmin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 560
67.212.80.148 - - [25/Dec/2009:23:47:48 +0100] "GET //PHPMYADMIN/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 563
67.212.80.148 - - [25/Dec/2009:23:47:48 +0100] "GET //PHPMYADMIN/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 563
67.212.80.148 - - [25/Dec/2009:23:47:48 +0100] "GET //phpMyAdmin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 563
67.212.80.148 - - [25/Dec/2009:23:47:48 +0100] "GET //phpMyAdmin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 563
67.212.80.148 - - [25/Dec/2009:23:47:49 +0100] "GET //p/m/a/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 558
67.212.80.148 - - [25/Dec/2009:23:47:49 +0100] "GET //p/m/a/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 558

[Elio]

he does the work from inside not outside , so pretty much he gets into an account on a shared hosting provider and then gets a hold of the whole box , could be easily avoided

[Chutad]

i got that elio bro..

nyways +ve point for flg .. tx

[Saime]

Who the fuck made that Camtasia video? He's a fucking retard, pathetic security? How is that pathetic security? You got a password to another site from a Personal Message wooooooooooooooowwwww leeeeeeet, fucking dipshit come hack my site if you're so fucking leet, I can take the pressure.