Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - Other
Author Message
onnig
Hangin' Around


Joined: Jun 15, 2006
Posts: 36

PostPosted: Tue Jun 03, 2008 12:29 pm Reply with quote

I'm not sure if some of you folks remember me, I installed Raven Nuke on our site, Only registered users can see links on this board! Get registered or login! with two add-ons that you guys have not incorporated, podcast and Kalendar. I have since removed these two add ons which I believe have caused the latest havoc on our sites.

These stinkin' turkish "hackers" where able to delete all files in our main directory, not just that, but they were able to get into my root directory where I also host all my other sites, for which they uploaded these dumb index.html files with their hack posts. They changed ownership on some directories. I'm looking at the log file but just can't see how they did it.

So frustrating. I have changed ownership of the directories and have fixed the sites. How do they get access?
 
View user's profile Send private message
jakec
Site Admin


Joined: Feb 06, 2006
Posts: 3048
Location: United Kingdom

PostPosted: Tue Jun 03, 2008 12:36 pm Reply with quote

Your logs should hold the clue.

Are you up to date with the versions of RN and NS?
 
View user's profile Send private message
onnig
PostPosted: Tue Jun 03, 2008 12:41 pm Reply with quote

jakec wrote:
Your logs should hold the clue.

Are you up to date with the versions of RN and NS?


NS yes, not RN but am planning to do it very soon. They did it the second time after the removal of the two nuke modules I mentioned, this time only uploading the index files. Have they uploaded a file that they are executing on my server of some kind?
 
jakec
PostPosted: Tue Jun 03, 2008 12:56 pm Reply with quote

Do the files have a timestamp? This might give you a clue of when the hack took place and then you can check the logs files.

It might not be RN, perhaps you host has been compromised.

Are you on a shared host?
 
onnig
PostPosted: Tue Jun 03, 2008 1:21 pm Reply with quote

jakec wrote:
Do the files have a timestamp? This might give you a clue of when the hack took place and then you can check the logs files.

It might not be RN, perhaps you host has been compromised.

Are you on a shared host?


Yes I'm on a shared host. I'll speak to them also and I'll check for timestamps. Thanks for the tip.
 
montego
Site Admin


Joined: Aug 29, 2004
Posts: 9456
Location: Arizona

PostPosted: Wed Jun 04, 2008 6:19 am Reply with quote

Just keep in mind that if they are really good, they could also be really good at covering their tracks. They can even "touch" a file to have any date/time they want. I would definitely look for files that should not be there or directory permissions that are more wide open.

Unfortunately, if they have compromised another account on that box to the point where they can upload files at will AND they know your /home/<<accountname>> path, even with RN you are not safe. You can only do what you can do. Definitely ensure you have regular backups of your site files and db at all times.

Definitely getting your host involved is a good thing, but I just hope you have a good host. We hear so many crazy support responses and actions from crappy hosts... Sad

_________________
Only registered users can see links on this board! Get registered or login!
Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
onnig
PostPosted: Tue Jun 10, 2008 5:32 pm Reply with quote

Turns out I had a lot of directories that had chmod 777 which is very vulnerable. They were using DFind to scan for the vulnerabilities and uploaded software to grant root access. Anyway, everything has been chmod'd to 755 that were 777 using file zilla ftp client which can do recursive chmod'ing. Everything is well for now.
 
montego
PostPosted: Tue Jun 10, 2008 6:44 pm Reply with quote

One would still have to have a hole somewhere, most likely on another account, that would allow a file upload. Even with 777 one cannot just upload a file without a user/password. The trick is them finding a hole in a PHP script somewhere that would allow the upload to occur using the user's account or the web server account.

Long story short, I sure hope your web host has found the hole and closed it up!
 
slackervaara
Worker
Worker


Joined: Aug 26, 2007
Posts: 236

PostPosted: Tue Jun 10, 2008 8:43 pm Reply with quote

Earlier I had a chat module installed that the hackers frequently used for uploading index.php, config.php or index.html files. It was the smileyupload.php that always were used by them.
 
View user's profile Send private message
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - Other

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©