rooshv.com hacked!

kerouac · 01-28-2011, 01:17 PM

I just went on rooshv.com to see that it's hacked. Anyone have details?

"Owend

By blackhunter.dz"
followed by a pic of zidane

I just googled blackhunter.dz and it looks like he/they are hacking into a ton of sites:
http://www.zone-h.org/archive/notifier=BlaCKhuNTER.Dz

Hopefully Roosh's got things backed up!

Lief · 01-28-2011, 01:37 PM

The conspiracy theorists will claim that it is a feminist hater from a site like Jezebel

Lumiere · 01-28-2011, 01:39 PM

Well the guy does have a lot of haters

kerouac · 01-28-2011, 01:52 PM

Considering the sites this hacker's going after, I'd imagine he just found some exploit in some server/software and is going after sites indiscriminately... although his nick "Black Hunter" showing a picture of Zidane hanging out with some Arab kids could mean something...

Looks like the "blackhunter" is Algerian, part of a group called dz

more info on this group:
http://www.algerianamericans.com/news/17...arget.html

blackhunter.dz seems to be a part of this group:
http://dz4all.com/cc/

~~truedat~~ · 01-28-2011, 02:06 PM

It looks like an indiscriminate hack using some exploit in a script he is running. Roosh make sure everything is running at its latest version. Id switch to WordPress If I were you because it auto updates and is heavily supported.

Tuthmosis · 01-28-2011, 02:26 PM

My Conspiracy Theory: That Jezebel biotch gave up a little tail to a desperate foreign hacker in exchange for some sweet revenge on the hairy Persian.

Hope there's no permanent damage.

Samseau · 01-28-2011, 02:46 PM

Quote: (01-28-2011 02:26 PM)Tuthmosis Wrote:

My Conspiracy Theory: That Jezebel biotch gave up a little tail to a desperate foreign hacker in exchange for some sweet revenge on the hairy Persian.

I think this about nails it. [Image: ky.gif]

Badstuber · 01-28-2011, 02:56 PM

The hacker just found a vulnerability to your blog and I am sure the hacker didn't target this site just because guys here exploit women. Most hackers just run around and deface random sites for fame.

What software did Roosh run on his blog?

Roosh · 01-28-2011, 03:34 PM

I got control of Wordpress back but now there's a form prompt at the top of the blog and I'm not sure how to get rid of it. I'm looking for recently changed files while asking my host to do a security scan.

Roosh · 01-28-2011, 03:50 PM

Alright I think I got everything back to normal. If you guys notice anything weird let me know.

FretDancer · 01-28-2011, 10:12 PM

Damn I couldn't witness this shit, not wishing Roosh anything bad but I wish I had seen the event.

Badstuber · 01-29-2011, 06:24 AM

Quote: (01-28-2011 10:12 PM)FretDancer Wrote:

Damn I couldn't witness this shit, not wishing Roosh anything bad but I wish I had seen the event.

I forgot to take a screenshot, damn.

Roosh · 01-29-2011, 11:05 AM

This is the php file I found in my root directory:

http://hotfile.com/dl/100412428/6f0a29e/id.php.html

It looks like some type of script to do whatever they want. I guess I'm wondering how they got it on there in the first place.

Badstuber · 01-29-2011, 12:59 PM

Quote: (01-29-2011 11:05 AM)Roosh Wrote:

This is the php file I found in my root directory:

http://hotfile.com/dl/100412428/6f0a29e/id.php.html

It looks like some type of script to do whatever they want. I guess I'm wondering how they got it on there in the first place.

Gonna analyze it for you.
It looks like a php shell

~~IshGibbor~~ · 01-29-2011, 01:54 PM

Yeah, I kinda flipped out. It was funny though.

~~truedat~~ · 01-29-2011, 02:03 PM

http://it.slashdot.org/story/09/07/13/142210/RIP-FTP

http://www.unmaskparasites.com/

Badstuber · 01-29-2011, 02:16 PM

some part of the code is to get into safe mode and file manager
it definitely looks malicious.

its a PHP shell.

Roosh · 01-31-2011, 05:29 PM

Turns out I had a keylogger on my computer. I'm pretty sure that's the cause, since my host found nothing unusual. I changed all my passwords just in case.

Badstuber · 02-01-2011, 01:06 PM

Quote: (01-31-2011 05:29 PM)Roosh Wrote:

Turns out I had a keylogger on my computer. I'm pretty sure that's the cause, since my host found nothing unusual. I changed all my passwords just in case.

get this
http://download.cnet.com/Malwarebytes-An...04572.html

DanDeLaCruz · 02-01-2011, 01:50 PM

Quote: (01-31-2011 05:29 PM)Roosh Wrote:

Turns out I had a keylogger on my computer. I'm pretty sure that's the cause, since my host found nothing unusual. I changed all my passwords just in case.

I took a quick glance at that code and theres a lot of nasty stuff in there. All types of exploits trying to establish backdoors to your server.

Just to be safe you can ask your support staff to run clamscan, and and also root kit hunter. Clamscan is trusted linux antivirus, and rootkit hunter looks for rootkits. If they're good techs they probably already did that, but it would be good just to make sure. I'd also ask them to monitor for suspicious outbound connections and suspicous connections to 127.0.0.1, even if they just take a quick look for a few minutes. Also backup your stuff just in case.

speakeasy · 02-01-2011, 02:34 PM

Quote: (02-01-2011 01:50 PM)DanDeLaCruz Wrote:

I took a quick glance at that code and theres a lot of nasty stuff in there. All types of exploits trying to establish backdoors to your server.

Are you talking about the source code of the rooshv blog? I just took a quick look and didn't see anything out of the ordinary. I'm curious, what specifically are you referring to?

Roosh · 02-01-2011, 04:42 PM

I'm pretty sure he means the hacker file.

I used malwarebytes to identify the keylogger.

Login
Username:
Password:	Lost Password?
	Remember me