My site got hacked

  • Willy (Graduate, Posts: 199)

Post 3+ Months Ago

//removed .. That was on my site for the holidays. Anyone heard of these guys before? They didn't trash too much. I realized my index.html was 777 perms; I'm still curious what exactly happened though.


LMK

  • ATNO/TW (Super Moderator, Posts: 23456, Loc: Woodbridge VA)

Post 3+ Months Ago

I removed the link to your site due to the content nature.

You are still welcome to pose your question. The guys he's referring to in the post above were boxocide and esx.
  • Willy (Graduate, Posts: 199)

Post 3+ Months Ago

Was having a 777 directory and .html file all they needed to exploit? Or was there something more?


Should i be concerned?


...p.s. steelers suck
  • ATNO/TW (Super Moderator, Posts: 23456, Loc: Woodbridge VA)

Post 3+ Months Ago

They would have had to have gained access to your files. The 777 and index.html file wouldn't have mattered. Somehow, they gained access to your files either by discovering a username and password, or by taking advantage of a hole on your server. The first thing you should do, if you haven't already done so, is change the password you use to access files on the server. If you don't run your own server, then whoever does needs to look into their security to make sure it doesn't happen again.

I'm assuming the link you had provided was a copy of what they did, but they actually defaced your index.html file?
  • Willy (Graduate, Posts: 199)

Post 3+ Months Ago

Yeah, what happened is they put up a hahaha page, but left everything intact. The new index file was owned by nobody. I feel like it was a scripting exploit on something via the web. The server is locked down pretty well, or at least I hope it is after the new firewall we put in.
  • KAZAA (Banned, Posts: 9)

Post 3+ Months Ago

You need security, I mean "good security".
  • KCamel (Beginner, Posts: 39, Loc: Kuwait)

Post 3+ Months Ago

Hey,

Hacking can happen even with tough security, but you always do your best to stop someone from hacking your site. If you were using a dedicated server, then check the security guide for your OS; if you don't have time for this, try
fastservermanagement.com
I tried them before. They're amazing; they can check all the security holes, update your kernel, back up everything, and for a cheap price!

If you're using web hosting, then I believe it's not your responsibility; you need to contact your provider. They'll restore the site back to you.

Regards,
  • SpooF ٩๏̯͡๏۶ (Bronze Member, Posts: 3422, Loc: Richland, WA)

Post 3+ Months Ago

If your file is set to 777, can someone make a script that creates files and saves them in the folder with 777 access, without having the username and password to the FTP?
  • ATNO/TW (Super Moderator, Posts: 23456, Loc: Woodbridge VA)

Post 3+ Months Ago

They have to have an in to the server, or they need authentication access of some kind.
  • Daemonguy (Moderator, Web Master, Posts: 2700, Loc: Somewhere outside the box in Sarasota, FL.)

Post 3+ Months Ago

Or if ftp is set up anonymously -- or, gads, tftp? eeek!

There are a lot of poorly configured servers out there "maintained" by dubious 'sysads' who merely install some version of *nix and believe themselves safe from the woes.

Bad mistake.

777 is "bad" (tm). It means that the owner, the group the file belongs to AND EVERYONE ELSE has the ability to RWX (read, write and execute) that particular file.

Note the word, 'write' in the sentence above. Pair that with the term 'EVERYONE ELSE' and you might begin to see why that is considered, "bad"(tm).

There are any number of ways to break a machine and deface a website -- the trick is to make it so difficult, the low-hanging fruit don't even bother. (The apples on the top of the tree probably don't want to hack your webserver.)

Any files that are served to the internet should be read-only, and for the web user only as well. (Whichever process-owner instantiates the webserver).

Cheers.
  • Willy (Graduate, Posts: 199)

Post 3+ Months Ago

The box is very secure. Or so I thought. No ftp / telnet access at all; firewall requests to the server are limited to port 80. I think these guys must have gotten in through a CGI exploit. I have geeklog and phpbb running on there, along with custom scripts... So the first question is: has anyone heard of versions of phpbb or geeklog that are vulnerable to attacks?
  • UNFLUX (Genius, Posts: 6376, Loc: twitter.com/unflux)

Post 3+ Months Ago

Just a thought, but what exactly does your host say about it? They are the ones that should be helping you here. I have a feeling no one really knows all the facts.
  • UNFLUX (Genius, Posts: 6376, Loc: twitter.com/unflux)

Post 3+ Months Ago

// moved to hosting
  • Carnix (Guru, Posts: 1098)

Post 3+ Months Ago

I don't know of any specific exploits (and wouldn't post them here if I did), but it wouldn't surprise me. PostNuke is riddled with exploits that, if you have 777 on files, can give people unlimited access.

That the file was owned by "nobody" tends to point to a CGI exploit, as you've already said, because the file would have been created by an anonymous web user (probably) and not an authenticated user. In other words, they didn't log into the server.

Make sure to remove, or lock out to anon web users, any CGI files you don't use, and make sure users can't post (and execute) server-side code anywhere on your site, and make sure they can't upload server-side script files (and then execute them). An oldie-but-goodie bug, for example, is photo uploads that allow extensions other than predefined graphic extensions. Most systems, like geeklog, for example, don't have this problem out of the box, but since you've been hacked, a thorough assessment is in order.

As was already mentioned, you'll never be totally secure. The idea isn't to be invulnerable (which would mean, simply, unplugging the network cable completely... heh), it's just to not be as vulnerable as the next guy (that is, don't be the low-hanging fruit). Most crackers are nothing but opportunistic script-kiddies who have no idea how to actually do the cracking; all they know how to do is read a description and run a script. If you're not a high-value target (one that stores bank account or credit card information, for example), the guys who know what they're doing will pretty much leave you alone. This means, as long as you're not vulnerable to the simple attacks, you'll probably be ok. The REAL crackers out there don't bother wasting their time defacing random websites. Actual hackers would (and rightly should) be angry the term has even been used in conjunction with this...
.c
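As an added example (not code from the thread or from any of the posters), here is a small POSIX shell audit that covers Daemonguy's point about world-writable files and Carnix's two clues: files created by the account the web server runs as, and non-image files sitting in an upload directory. The web user name (nobody), the images/ upload directory and the sample web root are all assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits a web root for the three
# symptoms discussed above: world-writable files and directories (the 777
# problem), files owned by the account the web server runs as (the "owned
# by nobody" clue: a web-facing process wrote them), and files in an upload
# directory whose extension is not one of the allowed image types.
# The web user name and the upload directory name are assumptions.

# Constructed sample web root so the script runs stand-alone.
make_sample_root() {
  root=$(mktemp -d)
  mkdir -p "$root/images" "$root/cgi-bin"
  chmod 755 "$root/cgi-bin"
  chmod 777 "$root/images"                         # world-writable upload dir
  printf '<html>ok</html>' >"$root/index.html";    chmod 644 "$root/index.html"
  printf 'hahaha' >"$root/defaced.html";           chmod 777 "$root/defaced.html"
  printf 'GIF89a' >"$root/images/logo.gif";        chmod 644 "$root/images/logo.gif"
  printf 'not-an-image' >"$root/images/avatar.php"; chmod 644 "$root/images/avatar.php"
  printf '#!/bin/sh\n' >"$root/cgi-bin/old.cgi";   chmod 755 "$root/cgi-bin/old.cgi"
  echo "$root"
}

# Anything "everyone else" may write to (other-write bit set).
find_world_writable() {
  find "$1" ! -type l -perm -002
}

# Files owned by the given user, e.g. whatever `ps` shows httpd running as.
find_owned_by() {
  find "$1" -type f -user "$2"
}

# Files in an upload directory that are not plain image types.
find_unexpected_uploads() {
  find "$1" -type f ! -name '*.gif' ! -name '*.jpg' ! -name '*.jpeg' ! -name '*.png'
}

# Strip group/other write bits everywhere; execute bits are left alone so
# CGI scripts keep running. Ownership itself must be fixed by root with chown.
harden_web_root() {
  find "$1" -exec chmod go-w {} +
}

count() { wc -l | tr -d ' '; }

# Usage: sh audit.sh /var/www nobody
if [ $# -eq 2 ]; then
  echo "world-writable:";        find_world_writable "$1"
  echo "owned by $2:";           find_owned_by "$1" "$2"
  echo "unexpected in images/:"; find_unexpected_uploads "$1/images"
fi
```

Run it against the real document root and the real httpd account; anything listed under "owned by" or "unexpected" is worth comparing against the access logs for the same timestamps.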
  • Rabid Dog (Web Master, Posts: 3245, Loc: South Africa)

Post 3+ Months Ago

If the box has been exploited you need to take a careful look at the machine and its current sys status. A lot of the time guys will leave back doors, so even if you do change passwords etc. they can still gain access to the server.

There are some known exploits on phpbb, but there are also patches available for them. Malformed packets can cause buffer overrun type exploits even through port 80, which can allow people to run arbitrary code on the machine, opening it up.

No machine is 100% secure, if someone wants to get in and has enough time on their hands then they will get in.

Have you checked your access logs? And as Unflux said, server security is more the issue of the hosting company. All you can really prevent is a few script hacks and SQL injection attacks.
  • Willy (Graduate, Posts: 199)

Post 3+ Months Ago

As a follow up, there is a vulnerability in phpbb versions below 2.0.8; that's how I got hacked.
  • ATNO/TW (Super Moderator, Posts: 23456, Loc: Woodbridge VA)

Post 3+ Months Ago

Yeah... we know. Thanks.
  • Willy (Graduate, Posts: 199)

Post 3+ Months Ago

Since no one ever mentioned it in this HIGHLY relevant thread, I figured I'd bring it up.
  • darkermoon (Expert, Posts: 542, Loc: Riverdale, MD)

Post 3+ Months Ago

Not exactly highly relevant when the other postings were two months ago and everyone already found out about the phpbb vulnerability.

Post Information

  • Total Posts in this topic: 19 posts

© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.