Friday got one of my sites hacked. Fortunately they were nice enough to leave tracks on how they did it.
What a bunch of losers!
I got the site fixed, then did it again twice, so I think I've got it under control now for the time being.
Here's the exploit, for those interested:
# script name : Wallpaper site 1.0.09
# GoogLe Dork : Powered by EasySiteNetwork
# Vuln : http://www.victim.com/category.php?c...+admin_login/*
#
# Admin panel: www.victim.com/siteadmin/index.php
#
Courteous and Respectful DNForum Member!
Text Link Ads WhyPark.com - Stop Parking Your Domains - Society's Problems - PM me to Post your Opinions
"Go to a dos prompt after you started dial up networking type by the way if you don't know what victim.com stands for you are a dumb mother f*cker."
(Chameleon, marc5@earthlink.net)
The full exploit is available. "
It's very easy for some script kiddie to break into a site, particularly with "point and click" exploit code. The message here is stay up to date with the latest patches and fixes.
Same thing, one of my Joomla sites got hacked..., mother*******r
"Tough times never last, but tough people do."
I looked up all the other sites that got hacked. It seems like I was the only one to get my site back up. Couldn't afford to have the site down. Yes I know what victim.com is, thanks for the lovely comment.
heh, victim.com is just the placeholder for the site that's being attacked
http://www.milw0rm.com/exploits/4770
Yes, yes I know!
just to let you know, victim.com is... oh wait, you know, right?
EDIT: on another note, that exploit must affect a lot of sites. I just managed to get the mysql root password (hash) for one site by using a modification of that exploit (and yes, I'll be notifying them)
Linux/variant site?
1. Never install phpBB
2. ps aux|grep -i exe
In the above, usr/libexec/ files are normally fine, so ignore those.
3. Check /tmp for gremlins, if found chmod 0
4. Check /var/tmp for gremlins, if found chmod 0
Generally, gremlins can easily be identified by doing a 'cat' [filename]
Here are obvious examples of gremlins from my unfortunate experience:
/tmp/b0t.txt
/tmp/ddos.txt
Your mileage will undoubtedly vary, but this is just a 'steering' guide.
Last edited by fab; 01-05-2008 at 01:21 PM. Reason: Automerged Doublepost
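The temp-directory checks from the post above, written as a script. This is an added example, not the poster's code. Treating a file as suspect when it has an execute bit or starts with `#!` or `<?`, and using a Linux /proc lookup in place of the `ps` step, are assumptions of this example.

```sh
#!/bin/sh
# Added example, not the poster's script. The heuristics are assumptions:
# a temp-dir file is suspect if it has an execute bit or starts like a script.

# Print suspect regular files under the given directories (read-only).
find_gremlins() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        {
            # Pass 1: anything executable has no business in a temp directory.
            find "$dir" -xdev -type f \( -perm -100 -o -perm -010 -o -perm -001 \)
            # Pass 2: non-executable files whose first line looks like source.
            find "$dir" -xdev -type f ! -perm -100 ! -perm -010 ! -perm -001 |
            while IFS= read -r f; do
                first=$(head -c 64 "$f" | tr -d '\000' | head -n 1)
                case $first in
                    '#!'*|'<?'*) echo "$f" ;;
                esac
            done
        } 2>/dev/null
    done
}

# Print "PID path" for processes whose executable lives under the given
# directories (Linux /proc assumed; run as root to see every process).
procs_running_from() {
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        for dir in "$@"; do
            case $exe in "$dir"/*) echo "${p#/proc/} $exe" ;; esac
        done
    done
}

# The post's "chmod 0": drop every permission bit so the web server user can
# no longer read or run the file, while keeping it on disk as evidence.
neutralize() {
    for f in "$@"; do
        chmod 000 "$f" && echo "neutralized: $f"
    done
}

# Report only; review each hit before passing it to neutralize.
find_gremlins /tmp /var/tmp
procs_running_from /tmp /var/tmp
```

Note the owner and timestamps of each hit before neutralizing it, since they usually point to the account and the time of the break-in.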
If I was able to crack the hash to give me the actual password, and they haven't firewalled mysql access from outside, then I could own their entire database (all product info, admin passwords, customer credit card info in some cases, etc, etc). Potentially very nasty.
I'm not really a hacker, just a guy with a keen interest in web security. I come from a web programming background. I have hacked some tiny little things in the past, nothing serious, nothing destructive, always purely for fun or from boredom. I wouldn't consider myself a hacker in the true sense.
This is not an invitation for a million PMs asking me to hack stuff btw - I get enough offers of "very interesting little jobs" through my website which has the dubious honour of being no.1 on google for "hacking for beginners"... sorry if you were hopeful
If you need a PHP/mySQL coder though...
Quote: If I was able to crack the hash to give me the actual password, and they haven't firewalled mysql access from outside, then I could own their entire database (all product info, admin passwords, customer credit card info in some cases, etc, etc). Potentially very nasty.
Yes this is what frightened me!
Quote: This is not an invitation for a million PMs asking me to hack stuff btw - I get enough offers of "very interesting little jobs" through my website which has the dubious honour of being no.1 on google for "hacking for beginners"... sorry if you were hopeful
That was not my intention! Is this you http://www.puremango.co.uk/cm_how_to_hack_79.php
Quote: If you need a PHP/mySQL coder though.
Might try you in the future.
yep, that's me (damn, there goes my "mysterious stranger" plan).
Going to redesign the site soonish. Pretty old design atm. I'll look forward to hearing from you if you've anything I might be helpful with
EDIT: actually, when I say "that's me", the actual main article on that page wasn't written by me (as explained on the page). Just to be clear.
That sucks, glad you found a fix though. I've been hacked quite a few times.