What happened, according to the leaker, was he/she went to the site, and index.php started downloading... So it would have to be a web-server (Apache, Nginx) mis-configuration that removed the php-handler from the file-type.<p><a href="http://iobm.net/forum/dos/index.php/topic,17.0.html" rel="nofollow">http://iobm.net/forum/dos/index.php/topic,17.0.html</a><p>> It was not our aim to bring BMR down, we just published the leak because if we had it, enforcement and private hackers could have it as well, trouble could arise if the leakage would have been exploited without people to know.<p>> Besides, we want to make clear that we have no contact to anyone of the involved parties, neither backopy nor VPS admin.<p>> When we tried to access the site, it offered us the index.php for DOWNLOAD. So we downloaded it as we assumed we were not the only one to be able to download it.<p>> For any reason the file was not executable anymore by the VPS and thus offered for download! Whether ot not this happened intentionally or was a simple but severe mistake, is outside our knowledge.<p>> We just think that such mistakes must not happen as they can endanger the users and we think they must be published and not exploited.
Seems a few comments here are pointing to the VPS provider being the ones who might have leaked the source code. I don't think that was the concern, but hopefully somebody more in the know can elaborate.<p>From what I understand, once a portion of the source code was in the open, a match could be made (not easily like a google search) to that server's index.php page, pointing to exactly which server is running the code, and can then be back traced to who the account was registered under.<p>What I don't understand (and I've never used any of these sites) is how do they have a DNS registration and ip look-up without that being connected to an individual. I know you can make your DNS details private, but I would have assumed that was only 'private' from public view and that most of the DNS companies would have cooperated with law enforcement.<p>Unlike general snooping, I think I'd be fine with Law Enforcement getting a warrant to find who registered a particular domain, and back trace from there. They would still need to make a case of illegal activity, so should this be protected information?
<a href="http://iobm.net/forum/dos/index.php/topic,17.msg113.html#msg113" rel="nofollow">http://iobm.net/forum/dos/index.php/topic,17.msg113.html#msg...</a><p>This is evidently some of the code that was leaked. It's some pretty ugly PHP.
Uhm, concatenating user controlled content into SQL queries? Do black marketeers today learn nothing at code school?<p>It is a good thing he took the site down promptly, else it would have been exploited in no time.