
Ahhh... another milestone in my webdevelopment adventures.. HACKED!!!

    • GollumX
    • Elite Rocketeer
    • Posts: 2817
    • Thanks: 0

    Ahhh... another milestone in my webdevelopment adventures.. HACKED!!!

    Posted 18 years 5 days ago
    • I knew it had to come some time. There was no "It won't happen to me" attitude. I did take precautions.

      1.) No extensions that have a place on the official J! vulnerable extensions list were used.
      2.) Configuration.php was sitting outside of public_html
      3.) Sessions folder sitting outside public_html
      4.) The other stuff.. php register globals and j! emulate switched off.
      5.) strong passwords.

      Thank goodness he didn't deface the site.

      As far as I can tell all he did was place an index.php in the domain.com/images/ folder with the following in plain text:

      HACKED BY [his name and website here]

      It happened on the 8th so a whole week has gone by since the intrusion.

      It was pure luck that I found it as I just happened to check my Google Webmaster Tools and was told by my old friend that there was a URL that robots.txt was stopping it from crawling... images/index.php . WTF?! I said, that shouldn't be there!... sure enough I had been hacked.

      Let's all hear a round of applause.
    • Say no to Internet Explorer 6.
      twitter.com/mark_up
    • GollumX
    • Elite Rocketeer
    • Posts: 2817
    • Thanks: 0

    Re: Ahhh... another milestone in my webdevelopment adventures.. HACKED!!!

    Posted 18 years 5 days ago
    • Unfortunately, only today's log is available to me. I have sent off a request to my host. Hopefully they have the log for the past month.
      What I have tells an interesting tale:

      I found several instances of this:
      140.105.63.158 - - [17/Apr/2007:12:04:55 +1000] "GET /images/index.php HTTP/1.1" 200 46 "-" "Mozilla/5.0 (experiment in act by University of Trieste - Italy. This is not an attack; if you need more info please visit http://www.units.it/~bartolia/def.htm)"


      I followed the link and came upon this:
      AUTOMATED CHECK FOR DEFACED WEB SITES
      (this is NOT an attack)


      Starting from March 23rd, 2007, we are executing an experiment aimed to estimate healing times of defaced web sites.

      To this end, we check every hour a collection of resources obtained from zone-h's archives, which hosts a list of defaced web sites ( www.zone-h.com ). In order to verify whether a site in the list has resurrected we download its content using a normal and innocuous http GET request. We stop checking a site when the site is marked as recovered.

      If your site has been included in zone-h's archives, thus, we have been sending one GET request to your site every hour, starting from when your site has been included in the list at zone-h.

      In order to help system administrators in their log analysis, we put extra information in the HTTP GET header, altering the "User-Agent" value to read:

      "Mozilla/5.0 (experiment in act by University of Trieste - Italy. This is not an attack; if you need more info please visit www.units.it/~bartolia/def.htm "

      IF
      * you need more information regarding this experiment
      * you think this page is fake and part of the defacement
      * you think our action is damaging your company
      * you want to send us suggestions, comments, etc.

      please feel free to contact us: [email address hidden] ( www.univ.trieste.it/bartolia )

      So basically these folk knew about my hacked site within an hour of it being posted on the infamous zone-h site and wanted to see how long it would take me to fix it. I really don't know what their [IMO pretty cool] experiment will achieve but wouldn't it be great if they, or someone, would use the same mechanism to find out which sites have been defaced and send an alert to the site owners (maybe via an email to admin@domain, info@domain etc).
      Not everyone checks their sites every single day... and in my case, how would I have known to check my images folder?

      More details to follow.

      EDIT:
      >>zone-h actually provides the notification service .. and it's free ... read about it here: www.zone-h.org/content/view/13883/31/
      >>Zone-h runs on J! LOL.... using a 'free' template.. and their google analytics code is in the wrong place :P
    • Last Edit: 18 years 5 days ago by GollumX.
    • Say no to Internet Explorer 6.
      twitter.com/mark_up
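The access-log check described in the post above can be automated. The following is an added example, not part of the original thread: it scans combined-format log lines for successful requests to script files under directories that should hold only static content, and marks paths that the defacement-monitoring User-Agent is polling. The directory list, the extension list and every sample line except the first (which is the line quoted in the post) are assumptions constructed for illustration.

```python
import re

# Apache combined log format, the format of the line quoted in the post.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
STATIC_DIRS = ("/images/", "/media/", "/cache/")  # assumption: static-only directories
SCRIPT_EXT = (".php", ".phtml", ".php5")          # assumption: extensions the server executes
MONITOR_UA = "experiment in act by University of Trieste"  # taken from the quoted line

SAMPLE_LOG = [
    # First entry is the line quoted in the post; the others are constructed samples.
    '140.105.63.158 - - [17/Apr/2007:12:04:55 +1000] "GET /images/index.php HTTP/1.1" 200 46 "-" '
    '"Mozilla/5.0 (experiment in act by University of Trieste - Italy. This is not an attack; '
    'if you need more info please visit http://www.units.it/~bartolia/def.htm)"',
    '192.0.2.10 - - [17/Apr/2007:12:10:01 +1000] "GET /images/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [17/Apr/2007:12:11:40 +1000] "GET /index.php?option=com_content HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [17/Apr/2007:12:30:12 +1000] "GET /images/index.php HTTP/1.1" 200 46 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [17/Apr/2007:12:30:15 +1000] "GET /images/test.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
]

def suspicious_hits(lines):
    """Map each script path served (2xx) from a static directory to hit details."""
    findings = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m["status"].startswith("2"):
            continue  # unparsable line, or the file was not actually served
        path = m["path"].split("?", 1)[0].lower()
        if not (path.startswith(STATIC_DIRS) and path.endswith(SCRIPT_EXT)):
            continue
        f = findings.setdefault(path, {"hits": 0, "first_seen": m["ts"],
                                       "ips": set(), "defacement_monitor": False})
        f["hits"] += 1
        f["ips"].add(m["ip"])
        # The monitor polls sites listed in a defacement archive, so its presence
        # suggests the URL has already been publicly reported.
        f["defacement_monitor"] |= MONITOR_UA in m["ua"]
    return findings

if __name__ == "__main__":
    for path, f in suspicious_hits(SAMPLE_LOG).items():
        print(path, f["hits"], "hits; first seen", f["first_seen"],
              "; monitor polling:", f["defacement_monitor"])
```

Only requests answered with a 2xx status are counted, so probes for files that do not exist are ignored and every finding is a file that is really present on disk.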
    • Dave Goodwin
    • Elite Rocketeer
    • Posts: 1472
    • Thanks: 4
    • Howdy!!

    Re: Ahhh... another milestone in my webdevelopment adventures.. HACKED!!!

    Posted 18 years 5 days ago
    • GollumX wrote:
      I knew it had to come some time. There was no "It won't happen to me" attitude. I did take precautions.

      1.) No extensions that have a place on the official J! vulnerable extensions list were used.
      2.) Configuration.php was sitting outside of public_html
      3.) Sessions folder sitting outside public_html
      4.) The other stuff.. php register globals and j! emulate switched off.
      5.) strong passwords.

      Thank goodness he didn't deface the site.

      As far as I can tell all he did was place an index.php in the domain.com/images/ folder with the following in plain text:

      HACKED BY [his name and website here]

      It happened on the 8th so a whole week has gone by since the intrusion.

      It was pure luck that I found it as I just happened to check my Google Webmaster Tools and was told by my old friend that there was a URL that robots.txt was stopping it from crawling... images/index.php . WTF?! I said, that shouldn't be there!... sure enough I had been hacked.

      Let's all hear a round of applause.

      Welcome to the club. I've been hacked 4 times (three sites). Haven't for a while though.

      Thanks for the good info. We all need to be reminded about that.

      dave
    • "I'm an individual, just like everyone else."
  • Re: Ahhh... another milestone in my webdevelopment adventures.. HACKED!!!

    Posted 18 years 5 days ago
    • Yes, I had about 13 sites hacked.. but wasn't really a big deal since they just had a fresh Joomla install on them and I hadn't even gone through the setup yet. The homepage was just the install for Joomla at the moment when they were hacked! LOL. At first I thought it was the hackers targeting my hosting.. however later I learned that it is hackers targeting Joomla sites since they know exactly what directories are 777 from when you have to chmod them for the install. Seems there are 4-5 groups each claiming fame for doing this, but seems like they are all just using a script with the name changed on it. I got hit by 2 different group names, but in the exact same way. Then later had a third alter my config file because I had left it writeable! LOL.. they don't really hurt anything, just let you know where your holes are because of either your ignorance to them or that you just plain forgot to chmod it back :) The first one just placed an index.html into my root.. which was very helpful to me. My hosting will automatically use an index.html as the main page if there is one, if not it will move on to the index.php... but after the hack I learned that I could tell it to use the index.php in the control panel, thereby speeding up the loading of my main page since it no longer looked for an html file and then defaulted to a php file :) Anyways, like I said, these guys really don't do any harm.. they just try to get their day or 2 of fame by having their tag on your site.

      Hats off to the script kiddies thinking they are hackers, but in the end turn out to be nothing more than security testers for us site owners :)

      David Henderson
    • Dave Goodwin
    • Elite Rocketeer
    • Posts: 1472
    • Thanks: 4
    • Howdy!!

    Re: Ahhh... another milestone in my webdevelopment adventures.. HACKED!!!

    Posted 18 years 4 days ago
    • William E Dooley wrote:
      Yes, I had about 13 sites hacked.. but wasn't really a big deal since they just had a fresh Joomla install on them and I hadn't even gone through the setup yet. The homepage was just the install for Joomla at the moment when they were hacked! LOL. At first I thought it was the hackers targeting my hosting.. however later I learned that it is hackers targeting Joomla sites since they know exactly what directories are 777 from when you have to chmod them for the install. Seems there are 4-5 groups each claiming fame for doing this, but seems like they are all just using a script with the name changed on it. I got hit by 2 different group names, but in the exact same way. Then later had a third alter my config file because I had left it writeable! LOL.. they don't really hurt anything, just let you know where your holes are because of either your ignorance to them or that you just plain forgot to chmod it back :) The first one just placed an index.html into my root.. which was very helpful to me. My hosting will automatically use an index.html as the main page if there is one, if not it will move on to the index.php... but after the hack I learned that I could tell it to use the index.php in the control panel, thereby speeding up the loading of my main page since it no longer looked for an html file and then defaulted to a php file :) Anyways, like I said, these guys really don't do any harm.. they just try to get their day or 2 of fame by having their tag on your site.

      Hats off to the script kiddies thinking they are hackers, but in the end turn out to be nothing more than security testers for us site owners :)

      David Henderson

      That's a cool way to look at it. David, did you ever get any 'death to America' text with a Crescent Moon?

      dave
    • "I'm an individual, just like everyone else."
  • Re: Ahhh... another milestone in my webdevelopment adventures.. HACKED!!!

    Posted 18 years 4 days ago
    • Yes I did, on my anonymousstripper[dot]com site about 8 months ago :)
    • Bob Ateah
    • Elite Rocketeer
    • Posts: 4521
    • Thanks: 0

    Re: Ahhh... another milestone in my webdevelopment adventures.. HACKED!!!

    Posted 17 years 11 months ago
    • Sorry to dredge up an old thread, but GollumX, did you determine how the hacker infiltrated your server?
      Was it a permissions setting that enabled him access?

      Cheers!
    • The member formerly known as Roland Deschain
      After your question is solved, please Edit your original post and choose the Solved message icon, thank you!
    • GollumX
    • Elite Rocketeer
    • Posts: 2817
    • Thanks: 0

    Re: Ahhh... another milestone in my webdevelopment adventures.. HACKED!!!

    Posted 17 years 11 months ago
    • I can only surmise that he used some script to get in, but he only had access to the folder that was 777.

      Further, I found that almost 50 Joomla sites had been hacked on the same shared server/IP. Most of the sites that were hacked had a txt file placed in the images folder, although a few had them in the components folder. As all the hacks happened within a period of 3 days, it is almost impossible for him to have managed to get password access to all those sites, whose owners live all over the world. Therefore I assume he used some script. I checked the sites and there was no common extension installed in them (that could indicate it was the security hole). In my own case, all extensions were fully updated.

      Due to the reasons mentioned above, I DID NOT wipe my sites clean and install backups as one normally should. I simply changed all passwords and set all folders to 755, images to 644.

      In any case I am currently in the process of moving my sites to my own server. I will be installing suEXEC or PHPsuEXEC so I won't need 777/666 to make any changes ever again.
    • Say no to Internet Explorer 6.
      twitter.com/mark_up
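The clean-up in the post above (folders back to 755, files to 644) can be verified with a small audit of the web root. The following is an added example, not part of the original thread: it walks a directory tree and reports anything still world-writable, plus any script file sitting in a directory that should hold only static content, which is how the dropped images/index.php would have shown up. The directory and extension lists are assumptions; adjust them to the site.

```python
import os
import stat
import sys

STATIC_DIRS = {"images", "media", "cache"}  # assumption: top-level static-only dirs
SCRIPT_EXT = (".php", ".phtml", ".php5")    # assumption: extensions the server executes

def audit_webroot(root):
    """Return sorted (issue, relative_path, octal_mode) tuples for a web root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        top = rel_dir.split(os.sep)[0]  # first path component below the root
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not meaningful
            rel = os.path.normpath(os.path.join(rel_dir, name))
            mode = oct(stat.S_IMODE(st.st_mode))
            # 777 directories and 666 files both have the "other write" bit set.
            if st.st_mode & stat.S_IWOTH:
                findings.append(("world-writable", rel, mode))
            # An executable script inside an upload/static directory is unexpected.
            if (stat.S_ISREG(st.st_mode) and top in STATIC_DIRS
                    and name.lower().endswith(SCRIPT_EXT)):
                findings.append(("script-in-static-dir", rel, mode))
    return sorted(findings)

if __name__ == "__main__":
    # Usage: python audit_webroot.py /path/to/public_html
    for issue, rel, mode in audit_webroot(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{issue:22} {mode:>6}  {rel}")
```

Run from cron with the output compared against the previous run, the same check would have reported the new file within a day rather than a week.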
    • Bob Ateah
    • Elite Rocketeer
    • Posts: 4521
    • Thanks: 0

    Re: Ahhh... another milestone in my webdevelopment adventures.. HACKED!!!

    Posted 17 years 11 months ago
    • Thanks for the info and update pal!

      Cheers!
    • The member formerly known as Roland Deschain
      After your question is solved, please Edit your original post and choose the Solved message icon, thank you!
