
It was definitely hacked... the log shows that the size of userprefs.js has definitely changed multiple times in the past 25 hrs: http://lerdorf.com/static.log.gz


The site that is linked to in the obfuscated code is http://lnkhere.reviewhdtv.co.uk/stat.htm and it is that site which Google has marked as unsafe. Php.net has received the malware warning as a result.

http://safebrowsing.clients.google.com/safebrowsing/diagnost...

Notably the whois on that domain includes the registrant's full name and address. Nominet allows personal registrants an opt-out on the full details in whois, so you would be unlikely to try and hack PHP.net and forget to use a privacy service on a domain name that isn't quite so traceable.

The domain record for that site shows:

  Domain name:
      reviewhdtv.co.uk
 
  Registrant:
      Oli Bachini
 
  Registrant type:
      UK Individual
 
  Registrant's address:
      Rainbow Cottage
      West Perry
      Huntingdon
      Cambs
      PE28 0BX
      United Kingdom
 
  Registrar:
      Webfusion Ltd t/a 123-reg [Tag = 123-REG]
      URL: http://www.123-reg.co.uk
 
  Relevant dates:
      Registered on: 13-Oct-2010
      Expiry date:  13-Oct-2014
      Last updated:  06-Oct-2012
 
  Registration status:
      Registered until expiry date.
 
  Name servers:
      ns.123-reg.co.uk
      ns2.123-reg.co.uk
 
  WHOIS lookup made at 11:44:39 24-Oct-2013


While this is publicly available information, I'm not sure what purpose it serves to post it here as they are quite possibly an innocent bystander.

You are just making them a target for malicious people who would otherwise be too lazy to find that information.

It is pretty bad form to post people's personal addresses on a forum such as this.


Whois data is public in any case, so there's no harm to re-posting it.


>> While this is publicly available information

>> You are just making them a target for malicious people who would otherwise be too lazy to find that information.

I already addressed that.


That site probably was hacked, too.


And this comment probably is too; who can we trust - am I the only one seeing this comment? Will it disappear after reload? WOhaa.


Whow

  $ zcat ~/Downloads/static.log.gz |
  perl -lne'if (m/ 200 (\d+)/) { print $1 }'|sort |uniq -c
      390 0
      523 10881
      639 12479
    16276 1279
   178111 2602
        1 4071
       14 4072
       63 4801
      112 4812
     9431 5097
    27654 5821
      110 5911
     1348 6008
      162 7884
      256 8278
      568 9035
     1103 9634

That's a lot of changes


You seem to be counting all the files, not just this one file.

Update: no, you're correct, this log apparently only has one file.
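
Added example, not part of any comment in this thread: the `uniq -c` count above shows how many distinct sizes were served, but not when the size changed. This sketch prints a timeline of size transitions for one path. It assumes combined log format and the path `/userprefs.js` (both assumptions, since the layout of static.log is not shown here), and the sample log lines are constructed.

```shell
#!/bin/sh
# Assumed line layout (combined log format):
#   host - - [time zone] "METHOD path PROTO" status bytes "referer" "agent"

# size_changes PATH < access.log
# Prints "timestamp old_size -> new_size" each time the body size of a
# 200 GET response for PATH differs from the previous such response.
size_changes() {
  awk -v want="$1" '
    {
      # $4 = "[time", $6 = "\"METHOD", $7 = path, $9 = status, $10 = bytes
      if ($6 != "\"GET" || $9 != "200") next   # skip HEAD, 304, 206, errors
      path = $7
      sub(/\?.*/, "", path)                    # compare without query string
      if (path != want) next
      ts = substr($4, 2)                       # drop the leading "["
      if (seen && $10 != last)
        printf "%s %s -> %s\n", ts, last, $10
      last = $10
      seen = 1
    }'
}

# Constructed sample log, not taken from static.log.gz.
sample_log() {
  cat <<'EOF'
192.0.2.10 - - [23/Oct/2013:10:00:01 +0000] "GET /userprefs.js HTTP/1.1" 200 2602 "-" "ua"
192.0.2.11 - - [23/Oct/2013:10:00:05 +0000] "HEAD /userprefs.js HTTP/1.1" 200 0 "-" "ua"
192.0.2.12 - - [23/Oct/2013:10:00:09 +0000] "GET /userprefs.js HTTP/1.1" 200 2602 "-" "ua"
192.0.2.13 - - [23/Oct/2013:10:05:12 +0000] "GET /userprefs.js?x=1 HTTP/1.1" 200 5097 "-" "ua"
192.0.2.14 - - [23/Oct/2013:10:05:30 +0000] "GET /other.js HTTP/1.1" 200 1279 "-" "ua"
192.0.2.15 - - [23/Oct/2013:10:09:44 +0000] "GET /userprefs.js HTTP/1.1" 304 0 "-" "ua"
192.0.2.16 - - [23/Oct/2013:10:20:00 +0000] "GET /userprefs.js HTTP/1.1" 200 2602 "-" "ua"
EOF
}

# Demo run on the constructed sample.
sample_log | size_changes /userprefs.js
```

A size change alone does not prove tampering: the same file served with and without compression also logs different byte counts. Confirm by hashing the file on disk against a known-good copy.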



