Re: Hacked by aLpTurkTegin, help patching this hole

["Jay D. Dyson" <jdyson () treachery net>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 20 May 2008, Mifa wrote:

> Our website was defaced by aLpTurkTegin.  We are running apache, php 
> ect.  Does anyone know how this hacker is getting in and what I can do 
> to prevent this?
>
> Our main web directory had all but one file deleted and hackedIndex.php, 
> a.asp(a 0 byte file) and trustscn_put_test2 were placed into the main 
> directory.  The fact that the webserver served hackedindex.php makes me 
> think its a apache web server flaw.
>
> Any comments, suggestions?

Not enough information is provided to yield an accurate assessment.  For 
example, the PHP version, Apache version, other services running on the 
system, permissions of the affected directory, whether the site is 
vhosted, et cetera).  With that in mind, it's anyone's guess and the best 
response you're going to get is a shot in the dark.  Moreover, just 
because your web content was affected doesn't necessarily mean that the 
web server is at fault.

My $0.02: the intruder exploited a common flaw in one of your PHP scripts. 
PHP, for all its ease of use, has a habit of being the weakest link in a 
lot of web sites.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (TreacherOS)
Comment: See http://www.treachery.net/~jdyson/ for current keys.

iD8DBQFINF8W5uViX8vEG7URAjUdAJ9wG1GdDf9fmw5OYwTJby7Xe1qWlQCfYknh
+H4GMqSBuYIk5Yx+Wk0JSjU=
=zKjC
-----END PGP SIGNATURE-----

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes 
in Securing Web Applications  
Find out now! Get Webinar Recording and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------