Hacked site! How to investigate?

wordpress

#1

One of my sites, druidry.org, was hacked by the South Africans. Defaced, actually; the index page was changed to read

“WHACKERZ OWNZ by Saudia_HaCker”

We use PostNuke and PHPBB. This site is maintained by an international team from N. America, Europe and Oceania, so there could have been a number of ways in.

I have changed passwords. That is obvious. How do I figure out how they got in? Do I report this to Dreamhost?

TIA,

Bill


#2

Absolutely. Send them a support note and give them as much information as you can. The hack may have been the result of a wider system issue that could affect other customers. It probably isn’t, but it is better to be safe than sorry, and DH may be able to help you figure out how it happened.

Look at your access logs over the last few days. You should get an indication of what happened, and you may be able to get IP addresses for the perpetrators (although they are probably faked).


Simon Jessey
Keystone Websites | si-blog


#3

If your site runs off PHP then you’d better always have a good backup of it somewhere. PHP is an extremely easy target, especially the older versions. There is probably very little Dreamhost can do to track them down, especially if the person is in another country.


#4

Also is your PHPBB up to date? An older version did have some security holes in it.

-Matttail


#5

It’s probably PostNuke. PHPbb is quite secure in most regards because so many people use it. The last few security concerns were to do with what version of PHP you were using, I think.
My friend used a similar sort of content system before, and his site was hacked because of it. Just make sure that your content system (especially) stays up to date.


#6

I just got hacked this morning on sethandjulie.net – just index.php defaced, as far as I can tell – and the odd thing is that I run no software (phpBB, etc), except for a Gallery 1.x install on there in a subdirectory.

Any ideas?


#7

Older versions of Gallery are easily hacked; go to the Gallery site for info and updates.

http://gallery.menalto.com/

PHPbb is easily hacked if it is not updated; make sure you update your phpbb and go to the forums regularly.

http://www.phpbb.com/

Postnuke has been the target of some security issues lately. Their site has more info and updates.

http://www.postnuke.com/

XSS hacks can be made to any of these programs/portals if they are not kept updated. Also, added modules can open up vulnerabilities.

Turn on mod_security at Dreamhost to further protect your sites.

Look in your logs to find out who hacked you and how.

Back up your databases regularly.

Program-specific forums will have step by step guides for cleaning up defacements and hacks.


#8

I was wrong; it actually wasn’t an older version of Gallery. So now I’m flummoxed. I’m not running any other 3rd party software (IIRC).

[quote]Look in your logs to find out who hacked you and how.[/quote]

How, what, exactly?

Thanks.


#9

If you are on a shared server, it may not be your scripts/software, but someone else on that same server. Did you contact Dreamhost Support and let them know yet?


#10

Yeah, saying basically what I said here. They said it was probably a 3rd party script and told me about the 1-click Gallery install.

Edited to add: I was wondering if it could be someone else, too; that’s really the only reason I contacted support.


#11

Now they say that any hack of a PHP-based program can only change files within the same directory as the exploit – meaning that it can’t be Gallery or other 3rd party software.

I’m a bit confused at this because I’ve had PHP write files outside the directory the script is in rather frequently. Anyone know what they mean? I’m very confused.


#12

I think what they mean is the same root directory. Within your own domain, or account.

Defacement hacks are pretty mild too. Best to just clean up house (drop and re-set admin accounts, change any passwords) and make sure you are using the latest patched/upgraded versions of 3rd party software.

For example, the Santy worm used a PHP vulnerability in phpbb to find (via Google) and write over non-phpbb pages at websites with unpatched versions of the BB installed, attacking the root index page and any directories within that user’s account/virtual domain.

Your logs are accessible via ftp or the shell. They can be found outside of your domain directory. Older logs are accessible there too.

Here is a typical defacement of phpnuke (older version, newer versions should not be susceptible to this XSS hack – attacked domain name removed)


the attack:

200.208.63.205 - - [27/Oct/2004:18:47:59 -0700] "GET /xxxx/admin.php?op=AddAuthor&add_aid=pcx&add_name=God&add_pwd=pcx&add_email=foo@xxxxxxx&add_radminsuper=1&admin=eCcgVU5JT04gU0VMRUNUIDEvKjox HTTP/1.1" 200 471 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90)"
200.208.63.205 - - [27/Oct/2004:18:48:01 -0700] "GET /xxxx/admin.php?op=mod_authors HTTP/1.1" 200 2855 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90)"

and the defacement:

200.208.63.205 - - [27/Oct/2004:18:49:19 -0700] "GET /xxxxx/admin.php?op=messages HTTP/1.1" 200 4030 "http://xxxx.com/xxxx/admin.php?op=editmsg&mid=1" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90)"
200.208.63.205 - - [27/Oct/2004:18:49:23 -0700] "GET /xxxxx/modules.php?name=Your_Account&op=gfx&random_num=36410 HTTP/1.1" 200 1720 "http://xxxx.com/xxxx/admin.php?op=messages" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90)"



#13

I’ve gone through the logs line-by-line twice now, and there’s no evidence whatsoever of being hacked. Is it possible – even if it was one of my own scripts, and not Gallery – that there could be a hack from inside my own account (vs. somewhere else on the shared host) and it not show up in the logs? There are very few scripts called in my logs that aren’t from my own IP (which makes sense), and the few that are show no signs of suspicious activity that I can find.

Thanks for all your help.

Edit: also, there is absolutely NO activity in the logs that matches the timestamp of the altered file by a long shot. Is it possible to alter timestamps? And if so, why would someone want to bother?
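
A small log-scanning script, added here as an illustration (it is not from the thread, from Dreamhost, or from any of the packages named above), that does by program what #12 and #13 describe doing by eye: parse Apache combined-format access log lines, single out requests to admin scripts from addresses that are not your own, decode parameter values that look like base64 (the `admin` value in the #12 entry decodes to the SQL fragment `x' UNION SELECT 1/*:1`), and compare the flagged hits against the modification time of the defaced file, which is the check #13 is asking about. The embedded log lines are constructed: they are adapted from the redacted entries in #12, with the source address replaced by the documentation address 203.0.113.5, one extra request from 192.0.2.10 standing in for the site owner's own IP, and the file mtime made up. All function names are this example's own.

```python
"""Scan an Apache combined-format access log for traces of a web-app defacement,
the way #12 and #13 describe doing by hand (added example, not from the thread)."""
import base64
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qsl, unquote, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
ADMIN_PATH = re.compile(r"/admin\.php$|/admin/|/wp-admin/", re.I)
SQL_HINT = re.compile(r"\b(union|select|insert|update|delete|drop)\b", re.I)
B64_SHAPE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")

# Constructed sample: adapted from the redacted #12 entries, attacker address
# swapped for 203.0.113.5 and a request from the owner's own IP (192.0.2.10) added.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Oct/2004:18:47:59 -0700] "GET /xxxx/admin.php?op=AddAuthor&add_aid=pcx&add_name=God&add_pwd=pcx&add_email=foo@xxxxxxx&add_radminsuper=1&admin=eCcgVU5JT04gU0VMRUNUIDEvKjox HTTP/1.1" 200 471 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90)"
203.0.113.5 - - [27/Oct/2004:18:48:01 -0700] "GET /xxxx/admin.php?op=mod_authors HTTP/1.1" 200 2855 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90)"
192.0.2.10 - - [27/Oct/2004:18:48:30 -0700] "GET /xxxx/index.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
203.0.113.5 - - [27/Oct/2004:18:49:19 -0700] "GET /xxxx/admin.php?op=messages HTTP/1.1" 200 4030 "http://xxxx.com/xxxx/admin.php?op=editmsg&mid=1" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90)"
"""


def parse_ts(text):
    """Turn a log timestamp such as '27/Oct/2004:18:47:59 -0700' into a datetime."""
    return datetime.strptime(text, TS_FMT)


def parse_line(line):
    """Return one combined-format line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["when"] = parse_ts(entry["ts"])
    parts = urlsplit(entry["path"])
    entry["script"] = parts.path
    entry["query"] = unquote(parts.query)
    entry["params"] = dict(parse_qsl(parts.query, keep_blank_values=True))
    return entry


def decode_b64_values(params):
    """Return {name: text} for parameter values that are base64 of printable text."""
    found = {}
    for name, value in params.items():
        if not B64_SHAPE.match(value):
            continue
        padded = value + "=" * (-len(value) % 4)  # tolerate stripped padding
        try:
            text = base64.b64decode(padded, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):  # not base64 after all, or binary
            continue
        if text.isprintable():
            found[name] = text
    return found


def flag_entry(entry, own_ips):
    """List the reasons an entry deserves a look; an empty list means nothing odd."""
    reasons = []
    if entry["ip"] in own_ips:
        return reasons
    if ADMIN_PATH.search(entry["script"]):
        reasons.append("admin script requested from an address that is not yours")
    if SQL_HINT.search(entry["query"]):
        reasons.append("SQL keyword in the query string")
    for name, text in decode_b64_values(entry["params"]).items():
        if SQL_HINT.search(text):
            reasons.append(f"parameter {name!r} is base64 for SQL text {text!r}")
    return reasons


def scan(log_text, own_ips=frozenset()):
    """Parse every line and return the flagged entries in log order."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = flag_entry(entry, own_ips)
        if reasons:
            hits.append({"ip": entry["ip"], "when": entry["when"],
                         "path": entry["path"], "reasons": reasons})
    return hits


def hits_near(hits, file_mtime, minutes=30):
    """Flagged requests within `minutes` of the defaced file's modification time.
    An empty result, as in #13, means the change did not arrive through a logged
    web request (FTP, shell, another account on the host) or the mtime was reset."""
    window = timedelta(minutes=minutes)
    return [h for h in hits if abs(h["when"] - file_mtime) <= window]


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG, own_ips={"192.0.2.10"})
    for hit in hits:
        print(hit["ip"], hit["when"].isoformat(), hit["path"])
        for reason in hit["reasons"]:
            print("    -", reason)
    # Constructed mtime of the defaced index page; read a real one with os.stat().
    mtime = parse_ts("27/Oct/2004:18:50:00 -0700")
    print("flagged requests within 30 min of the file change:", len(hits_near(hits, mtime)))
```

Run it against a real log with `scan(open(path).read(), own_ips={...})`, passing the addresses you and your co-maintainers connect from so that your own administration traffic is not reported. The base64 check is there because encoding the payload is a common way to keep SQL keywords out of a naive grep; `hits_near` gives a quick answer to the timestamp question in #13, with the caveat that an mtime can be set to anything by whoever writes the file, so an empty window is a lead, not proof.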


#14

Hmm, if you are using various php scripts, besides gallery, one of them may be the culprit. Are you sure someone didn’t get your ftp log-in and alter your files that way?

Any upload scripts can open one up to hacks. An exploit could be hidden in an image file, for example.

What has DH said to you about your site?

Are you using AWSTATS? There was a vulnerability in it too.


#15

Not running any upload scripts; not using AWStats.

According to support, if someone had gotten my FTP login, they would have done more damage than just editing the index file.

DH’s main line has been that it’s probably a 3rd party script and they see it all the time. (And I’m frustrated on that count, so I’ll stop there.)

Thanks for your help.


#16

If someone is going through telnet/shell, that wouldn’t be our basic logs would it? Would you not need to get access to the server logs for that type of activity?


#17

Possibly. But now support just decided to close my support request, without ever answering it… !


#18

By chance were you running wordpress (less than 1.5) on any of your sites?


#19

No, but I was running a variant. There’s no evidence of hacking in the logs, but someone pointed out the xml-rpc vulnerability to me, and it’s just been sitting there dormant, so much so that I utterly forgot about it until I literally searched for it just on the off chance that some program somewhere in my files had it! (Then I felt like an idiot, ’cause I totally forgot that it even existed.) No evidence that it was exploited at all, but it at least probably could have been, so I got rid of it just in case.

Thanks so much for all your help – I’d have posted the above earlier, except that I’m moving and haven’t had internet access. :-\ Still mystified about the logs seeming to have been wiped, but… eh, at least I know one thing it could have been.