Ravens PHP Scripts: Forums
Ravens PHP Scripts And Web Hosting Forum Index -> Security - Other

onnig
Hangin' Around
Joined: Jun 15, 2006
Posts: 36

PostPosted: Tue Jun 03, 2008 12:29 pm

I'm not sure if some of you folks remember me. I installed Raven Nuke on our site with two add-ons that you guys have not incorporated, podcast and Kalendar. I have since removed these two add-ons, which I believe have caused the latest havoc on our sites.

These stinkin' Turkish "hackers" were able to delete all files in our main directory. Not just that, but they were also able to get into my root directory, where I also host all my other sites, and they uploaded these dumb index.html files with their hack posts. They changed ownership on some directories. I'm looking at the log file but just can't see how they did it.

So frustrating. I have changed ownership of the directories and have fixed the sites. How do they get access?

jakec
Site Admin
Joined: Feb 06, 2006
Posts: 3048
Location: United Kingdom

PostPosted: Tue Jun 03, 2008 12:36 pm

Your logs should hold the clue.

Are you up to date with the versions of RN and NS?

onnig

PostPosted: Tue Jun 03, 2008 12:41 pm

jakec wrote:
Your logs should hold the clue.

Are you up to date with the versions of RN and NS?

NS yes, not RN, but am planning to do it very soon. They did it the second time after the removal of the two nuke modules I mentioned, this time only uploading the index files. Have they uploaded a file that they are executing on my server of some kind?

jakec

PostPosted: Tue Jun 03, 2008 12:56 pm

Do the files have a timestamp? This might give you a clue as to when the hack took place, and then you can check the log files.

It might not be RN; perhaps your host has been compromised.

Are you on a shared host?

onnig

PostPosted: Tue Jun 03, 2008 1:21 pm

jakec wrote:
Do the files have a timestamp? This might give you a clue as to when the hack took place, and then you can check the log files.

It might not be RN; perhaps your host has been compromised.

Are you on a shared host?

Yes, I'm on a shared host. I'll speak to them also and I'll check for timestamps. Thanks for the tip.

montego
Site Admin

Joined: Aug 29, 2004
Posts: 9457
Location: Arizona

PostPosted: Wed Jun 04, 2008 6:19 am

Just keep in mind that if they are really good, they could also be really good at covering their tracks. They can even "touch" a file to have any date/time they want. I would definitely look for files that should not be there or directory permissions that are more wide open.

Unfortunately, if they have compromised another account on that box to the point where they can upload files at will AND they know your /home/<<accountname>> path, even with RN you are not safe. You can only do what you can do. Definitely ensure you have regular backups of your site files and db at all times.

Definitely getting your host involved is a good thing, but I just hope you have a good host. We hear so many crazy support responses and actions from crappy hosts...

onnig

PostPosted: Tue Jun 10, 2008 5:32 pm

Turns out I had a lot of directories that had chmod 777, which is very vulnerable. They were using DFind to scan for the vulnerabilities and uploaded software to grant root access. Anyway, everything that was 777 has been chmod'd to 755 using the FileZilla FTP client, which can do recursive chmod'ing. Everything is well for now.
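The checks discussed in this thread (list world-writable directories and files, list recently changed files, tighten 777 directories to 755) as an added shell example that is not from any poster; the sample tree, its file names and the `--demo` switch are constructed for the demo and should be pointed at your real document root instead:

```shell
#!/bin/sh
# Added example (not from the thread): audit a web root the way the posts
# describe, then tighten it. The sample tree below is constructed for the demo.

# Print every world-writable entry (mode o+w, e.g. 777 dirs / 666 files) under $1.
# Symlinks are skipped because the link itself always reports mode 777 on Linux.
audit_world_writable() {
  find "$1" ! -type l -perm -002 -print | sort
}

# Print regular files modified within the last $2 days under $1 (the timestamp
# check from the thread; remember an attacker can "touch" a file to any date).
recently_modified() {
  find "$1" -type f -mtime "-$2" -print | sort
}

# Tighten: world-writable dirs -> 755, world-writable regular files -> 644.
# This is the recursive 777 -> 755 change onnig made with an FTP client.
fix_world_writable() {
  find "$1" -type d -perm -002 -exec chmod 755 {} +
  find "$1" -type f -perm -002 -exec chmod 644 {} +
}

# Helper: count the lines a listing function prints (0 for empty output).
count_lines() {
  "$@" | wc -l | tr -d ' '
}

# Build a constructed sample tree resembling the situation in the thread.
make_sample_root() {
  root=$(mktemp -d)
  mkdir -p "$root/modules/podcast" "$root/images"
  printf '<?php echo "site";\n' > "$root/index.php"
  printf 'GIF89a' > "$root/images/smile.gif"
  printf '<html>defaced</html>\n' > "$root/modules/podcast/index.html"  # unexpected file
  chmod 755 "$root" "$root/modules"
  chmod 644 "$root/index.php" "$root/modules/podcast/index.html"
  chmod 777 "$root/modules/podcast" "$root/images"   # the over-open directories
  chmod 666 "$root/images/smile.gif"                 # an over-open file
  echo "$root"
}

# Stand-alone run: show what is open, fix it, show that nothing is left open.
if [ "${1:-}" = "--demo" ]; then
  r=$(make_sample_root)
  echo "world-writable before:"; audit_world_writable "$r"
  fix_world_writable "$r"
  echo "world-writable after: $(count_lines audit_world_writable "$r")"
  rm -rf "$r"
fi
```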
PostPosted: Tue Jun 10, 2008 6:44 pm

One would still have to have a hole somewhere, most likely on another account, that would allow a file upload. Even with 777 one cannot just upload a file without a user/password. The trick is them finding a hole in a PHP script somewhere that would allow the upload to occur using the user's account or the web server account.

Long story short, I sure hope your web host has found the hole and closed it up!

slackervaara
Worker

Joined: Aug 26, 2007
Posts: 236

PostPosted: Tue Jun 10, 2008 8:43 pm

Earlier I had a chat module installed that the hackers frequently used for uploading index.php, config.php or index.html files. It was the smileyupload.php that was always used by them.
 