Re: Hacked by aLpTurkTegin, help patching this hole



On Tue, 20 May 2008, Mifa wrote:

> Our website was defaced by aLpTurkTegin. We are running Apache, PHP, etc. Does anyone know how this hacker is getting in and what I can do to prevent this?
>
> Our main web directory had all but one file deleted, and hackedIndex.php, a.asp (a 0 byte file) and trustscn_put_test2 were placed into the main directory. The fact that the webserver served hackedindex.php makes me think it's an Apache web server flaw.
>
> Any comments, suggestions?

Not enough information is provided to yield an accurate assessment (for example, the PHP version, Apache version, other services running on the system, permissions of the affected directory, whether the site is vhosted, et cetera). With that in mind, it's anyone's guess and the best response you're going to get is a shot in the dark. Moreover, just because your web content was affected doesn't necessarily mean that the web server is at fault.

My $0.02: the intruder exploited a common flaw in one of your PHP scripts. PHP, for all its ease of use, has a habit of being the weakest link in a lot of web sites.

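The reply names the facts a report like this needs: PHP and Apache versions, other services on the host, permissions of the affected directory, and whether the site is vhosted. One way to gather them on the affected server, as an added example that is not part of the original thread; the document root argument and the 7-day window are assumptions.

```shell
#!/bin/sh
# Added example: collect the details the reply says were missing.
# The docroot path and the 7-day default are assumptions; adjust per host.

# World-writable files and directories under the document root.
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print 2>/dev/null
}

# Regular files modified within the last N days (default 7).
recently_modified() {
    find "$1" -type f -mtime "-${2:-7}" -print 2>/dev/null
}

# First line of a tool's version banner, or a note that it is absent.
version_of() {
    if command -v "$1" >/dev/null 2>&1; then
        "$@" 2>&1 | head -n 1
    else
        echo "$1: not installed"
    fi
}

collect() {
    docroot=$1
    echo "== Versions =="
    version_of php -v
    version_of apachectl -v
    echo "== Listening services =="
    if command -v ss >/dev/null 2>&1; then
        ss -tln
    else
        netstat -an 2>/dev/null | grep -i listen
    fi
    echo "== Virtual hosts =="
    version_of apachectl -S
    echo "== Docroot permissions =="
    ls -ld "$docroot"
    echo "== World-writable entries under $docroot =="
    world_writable "$docroot"
    echo "== Files changed in the last 7 days under $docroot =="
    recently_modified "$docroot" 7
}

# Run only when a document root is given, e.g.: sh collect.sh /var/www/html
if [ "$#" -gt 0 ]; then
    collect "$1"
fi
```

Run it from a copy of the compromised file system where possible, so the listing itself does not alter timestamps on the evidence.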
