What do I do after a PHP site break-in?
September 14, 2004 10:02 PM   Subscribe

A couple months ago my site was lightly hacked. It happened again on a site for a friend of my father, possibly not as lightly. -->

The weakness in both cases for piss poor php coding. I had written the code a few years ago w/o thinking about vulnerability. Basically I had an index page and then index2.php (I know real original) for everything else. Content of other pages were loaded when the filename was passed in the querystring.
One site passed the entire filename. The other site appended the extension on the file.
Well some Brazilian haxors passed their url to a "jpg" with command line commands. Viola they can dink around some. Everything they did is in the logs.
On my site they only wrote an index.html file after trying to get up in the server (unsuccessfully) to get to some config info. I deleted the file, rewrote my php code, and went on with my life.
Well on the other site some files were loaded.
Files include: f3, kmod, mremap, r0nin, telnetd, ptrace, tfmaster, some perl, C, eggdrop (tar), and psyBNC (tar). It mostly seems like they were setting up IRC stuff.
I took all of their files/dirs and moved them. Changed all login info. I reworked my php to close the obvious hole.
So after all of that backstory here is my question: What specifics should I look for in their trail (cmds in logs and actual files) to see if they were able to compromise anything serious?
posted by sailormouth to Computers & Internet (4 answers total)
Were I in your shoes, given the loading of things like eggdrop, I would do a clean reinstall. I've been owned on two occasions over the years (once via BIND, once via Sendmail; I no longer run either), and each time found that the web of modifications was sufficiently extensive that it was easier to just reinstall.

The danger, of course, is that they were able to execute any one of those binaries and use them to retrieve further exploits that are running as replacement for legitimate binaries -- a version of "ls" that won't list their nasties, a version of "ps" that won't list their IRC server, etc. There'd be nothing in your shell logs to indicate that any of that had happened.

Celebrate -- it's an excuse to start anew with a clean server. :)
posted by waldo at 10:12 PM on September 14, 2004

Someone did that to me a few years ago, but the dumbass put a traceable email in one of his attempts to do something that ended up in my logs. He was using some webmail account or something, but once didn't and it was a uni in the UK. Long story short, I outed this person's identity based on some googling and reminded him that the university he was going to probably had something in its code of conduct and he could get kicked out. I also said I was certain BT would pull his account for using it for hacking into my system and he'd have a hard time explaining that to his parents. He ended up sending me a sincerely apologetic email saying he was just playing with a known but overlooked hole in PHP. I told him I'd drop it if he promised to never do it again.
posted by birdherder at 10:20 PM on September 14, 2004

Response by poster: Thanks waldo.
Both sites are hosted on 1and1 which is pretty limited on accessing/installing outside your assigned area. If it makes much difference the sites are on their linux plan.
My site is constantly bombarded with requests for any cgi files in my non-existant cgi-bin dir. Both sites are very pared down (2 levels of heirarchy) so it is very easy to see any files that do not belong.
posted by sailormouth at 10:36 PM on September 14, 2004

Ah. You'd likely want to tell 1and1, then. They can check to see if their server has been compromised, presumably by comparing the binaries to known-good ones. But if you only have responsibility for the files in the webroot, then after you tell 'em, if everything looks OK to you, then Bob's your uncle.
posted by waldo at 8:20 AM on September 15, 2004

« Older Li Batteries   |   Speaking Skills Newer »
This thread is closed to new comments.