Tencent Games uses employees to hack database systems

  • Thread starter Deleted_413010

Deleted_413010

Guest
OP

So a friend of mine told me that an IP belonging to Tencent Games tried to hijack his phpMyAdmin on multiple occasions using the same password list.
139.199.198.220 - - [31/Dec/2018:22:50:43 -0600] "POST /db_session.init.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:50:47 -0600] "POST /wp-admins.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:50:51 -0600] "POST /db_dataml.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:50:52 -0600] "POST /db_desql.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:50:52 -0600] "POST /mx.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:50:53 -0600] "POST /wshell.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:50:55 -0600] "POST /xshell.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:50:56 -0600] "POST /qq.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:50:56 -0600] "POST /conflg.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:51:00 -0600] "POST /lindex.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:51:01 -0600] "POST /phpstudy.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:51:03 -0600] "POST /weixiao.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:51:04 -0600] "POST /feixiang.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:51:07 -0600] "POST /ak48.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:51:10 -0600] "POST /xiao.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:51:11 -0600] "POST /yao.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:51:13 -0600] "POST /defect.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:51:16 -0600] "POST /q.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:51:17 -0600] "POST /pe.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:51:19 -0600] "POST /hm.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:51:20 -0600] "POST /cainiao.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:51:20 -0600] "POST /zuoshou.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:51:21 -0600] "POST /zuo.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:51:21 -0600] "POST /aotu.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:51:22 -0600] "POST /cmd.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:51:23 -0600] "POST /bak.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:51:24 -0600] "POST /system.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:51:24 -0600] "POST /l6.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:51:26 -0600] "POST /l7.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:51:28 -0600] "POST /q.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:51:28 -0600] "POST /56.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:51:32 -0600] "POST /xx.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:51:33 -0600] "POST /yumo.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:51:33 -0600] "POST /min.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:51:34 -0600] "POST /wan.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:51:34 -0600] "POST /wanan.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:51:35 -0600] "POST /ssaa.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:51:38 -0600] "GET /index.php HTTP/1.1" 200 1591
139.199.198.220 - - [31/Dec/2018:22:51:38 -0600] "GET /phpmyadmin/index.php HTTP/1.1" 401 1332
139.199.198.220 - - [31/Dec/2018:22:51:39 -0600] "GET /pmd/index.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:51:40 -0600] "GET /pma/index.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:51:43 -0600] "GET /PMA2/index.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:51:44 -0600] "GET /pmamy/index.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:51:44 -0600] "GET /pmamy2/index.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:51:45 -0600] "GET /mysql/index.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:51:45 -0600] "GET /admin/index.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:51:46 -0600] "GET /db/index.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:51:46 -0600] "GET /dbadmin/index.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:51:47 -0600] "GET /web/phpMyAdmin/index.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:51:51 -0600] "GET /admin/PMA/index.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:51:55 -0600] "GET /admin/mysql2/index.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:51:56 -0600] "GET /admin/phpmyadmin/index.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:51:59 -0600] "GET /admin/phpMyAdmin/index.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:52:00 -0600] "GET /admin/phpmyadmin2/index.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:52:03 -0600] "GET /mysqladmin/index.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:52:04 -0600] "GET /mysql-admin/index.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:52:07 -0600] "GET /mysql_admin/index.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:52:10 -0600] "GET /phpadmin/index.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:52:11 -0600] "GET /phpAdmin/index.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:52:12 -0600] "GET /phpmyadmin0/index.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:52:13 -0600] "GET /phpmyadmin1/index.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:52:15 -0600] "GET /phpmyadmin2/index.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:52:16 -0600] "GET /phpMyAdmin-4.4.0/index.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:52:16 -0600] "GET /myadmin/index.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:52:18 -0600] "GET /myadmin2/index.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:52:19 -0600] "GET /phpMyadmin_bak/index.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:52:21 -0600] "GET /www/phpMyAdmin/index.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:52:21 -0600] "GET /tools/phpMyAdmin/index.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:52:22 -0600] "GET /phpmyadmin-old/index.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:52:23 -0600] "GET /phpMyAdminold/index.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:52:24 -0600] "GET /phpMyAdmin.old/index.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:52:24 -0600] "GET /pma-old/index.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:52:25 -0600] "GET /claroline/phpMyAdmin/index.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:52:25 -0600] "GET /typo3/phpmyadmin/index.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:52:28 -0600] "GET /phpma/index.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:52:28 -0600] "GET /phpmyadmin/phpmyadmin/index.php HTTP/1.1" 401 1343
139.199.198.220 - - [31/Dec/2018:22:52:29 -0600] "GET /phpMyAdmin/phpMyAdmin/index.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:52:30 -0600] "GET /phpMyAbmin/index.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:52:31 -0600] "GET /phpMyAdmin__/index.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:52:32 -0600] "GET /phpMyAdmin+++---/index.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:52:35 -0600] "GET /phpmyadm1n/index.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:52:36 -0600] "GET /phpMyAdm1n/index.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:52:39 -0600] "GET /shaAdmin/index.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:52:40 -0600] "GET /phpMyadmi/index.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:52:43 -0600] "GET /phpMyAdmion/index.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:52:44 -0600] "GET /MyAdmin/index.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:52:44 -0600] "GET /phpMyAdmin1/index.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:52:45 -0600] "GET /phpMyAdmin123/index.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:52:47 -0600] "GET /pwd/index.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:52:48 -0600] "GET /phpMyAdmina/index.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:52:48 -0600] "GET /program/index.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:52:49 -0600] "GET /shopdb/index.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:52:51 -0600] "GET /phppma/index.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:52:52 -0600] "GET /phpmy/index.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:52:55 -0600] "GET /mysql/dbadmin/index.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:52:56 -0600] "GET /mysql/sqlmanager/index.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:52:56 -0600] "GET /mysql/mysqlmanager/index.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:52:57 -0600] "GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php HTTP/1.1" 404 1082
139.199.198.220 - - [31/Dec/2018:22:52:57 -0600] "GET /manager/html HTTP/1.1" 404 1082

Tencent Games owns Epic Games, and having links to the Chinese Government does not make this look very good. It makes it look like they use their employees to gain confidential information or something of that sort. Why they are doing this is unknown, but as stated before, this news post will be updated later with the log, but the IP will NOT be shown for security purposes.

What does this mean for Tencent? What's happening over there?
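
Added example, not part of the original post: a minimal detector for the pattern visible in the log above, where one client requests many different paths within a few minutes and almost every answer is 404. The function names, thresholds and sample lines (documentation IP ranges) are assumptions made for this illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Common Log Format, as in the log excerpt above.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$')
# Path fragments that suggest a database admin panel is being looked for.
DB_PANEL_RE = re.compile(r"pma|myadmin|mysql|dbadmin", re.IGNORECASE)

def parse(line):
    """Return (ip, time, path, status) for one log line, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"], int(m["status"])

def find_path_scanners(lines, min_paths=5, min_404_ratio=0.8, window_s=300):
    """Flag clients requesting many distinct paths, mostly 404, within window_s."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        by_ip[rec[0]].append(rec[1:])
    findings = {}
    for ip, recs in by_ip.items():
        times = [t for t, _, _ in recs]
        paths = {p for _, p, _ in recs}
        ratio = sum(s == 404 for _, _, s in recs) / len(recs)
        if (len(paths) >= min_paths and ratio >= min_404_ratio
                and (max(times) - min(times)).total_seconds() <= window_s):
            findings[ip] = {
                "requests": len(recs),
                "ratio_404": round(ratio, 2),
                "db_panel_probes": sum(bool(DB_PANEL_RE.search(p)) for p in paths),
                # Non-404 answers reveal which probed paths exist on the server.
                "existing": sorted({(p, s) for _, p, s in recs if s != 404}),
            }
    return findings

# Constructed sample (documentation IP ranges), modelled on the format above.
SAMPLE = """\
203.0.113.7 - - [31/Dec/2018:22:50:43 -0600] "POST /cmd.php HTTP/1.1" 404 1082
203.0.113.7 - - [31/Dec/2018:22:51:38 -0600] "GET /phpmyadmin/index.php HTTP/1.1" 401 1332
203.0.113.7 - - [31/Dec/2018:22:51:40 -0600] "GET /pma/index.php HTTP/1.1" 404 1082
203.0.113.7 - - [31/Dec/2018:22:51:45 -0600] "GET /mysql/index.php HTTP/1.1" 404 1082
203.0.113.7 - - [31/Dec/2018:22:51:46 -0600] "GET /dbadmin/index.php HTTP/1.1" 404 1082
203.0.113.7 - - [31/Dec/2018:22:51:47 -0600] "GET /admin/index.php HTTP/1.1" 404 1082
198.51.100.4 - - [31/Dec/2018:22:51:50 -0600] "GET /index.php HTTP/1.1" 200 1591
""".splitlines()
```

The `existing` field is the part worth acting on: any probed path that did not return 404 is reachable from the internet and is a candidate for an IP allow-list or removal.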
 

pstrick

Pretty standard Chinese hacking stuff. When I ran my own servers, Chinese IP addresses hammered away day and night trying to break in.
If anything, the Chinese government encourages IP theft.

I wouldn't worry too much about it. It's just how the world works these days.
 

Heran Bago

If it's happening to more people, this would be a big and well documented story. You're making a pretty big claim in a restricted venue with no proof. If your friend has some good evidence they should write to a tech journal site.

Or maybe your friend has some malware from a poorly pirated app or nasty website. Run Malwarebytes on the thing once and see what comes up.
 

Deleted_413010

Guest
OP
> If it's happening to more people, this would be a big and well documented story. You're making a pretty big claim in a restricted venue with no proof. If your friend has some good evidence they should write to a tech journal site.
>
> Or maybe your friend has some malware from a poorly pirated app or nasty website. Run Malwarebytes on the thing once and see what comes up.

I said I would be getting the logs later. That is more than enough proof. And my friend is pretty damn smart not to get a virus. But he's also not on Windows. It's a server, not a home PC.

--------------------- MERGED ---------------------------

I have added the logs!
 

Deleted_413010

Guest
OP
Tencent owns China Energy?

That IP is actually owned by China Energy which is owned by the Chinese government.

Well, after further research, it says TencentCloud and links to tencent.com, but the IP goes to a different site.
 
