Mass Defacement / Hacking?


#1

My website was hacked by TechTeaM which planted a php file somehow in my root directory. After talking with a few CISSP collegues of mine, we found out they used the Open SSH exploit to dump the php file to the root directory. The php file could then be called from a web browser and gives the user the ability to execute commands, go to any folder, and deface/delete/edit files. They defaced my site, and was wondering if anyone else had been hacked too. Took me a good 4 hours to get back up. :frowning:


#2

Nothing here yet but I would contact DreamHost ASAP this could be a real problem :-/

You might want to turn off SSH until it is fixed.

willscorner.net


#3

well Dreamhost did fix the OpenSSH vulnerability. The problem is that these hackers moved faster and dumped a php file in my root which they executed LATER. Thing was called rox.php and looks something like this when invoked from a web browser:

http://www.muevelonyc.com/rox.jpg

My site was hacked to look like this:
http://www.muevelonyc.com/hacked.jpg


#4

Are you sure that they actually exploited the OpenSSH hole? Obviously this is something we’d be concerned about, but my guess is that they just broke into your site itself (using an XSS hole or something).

One assumes that if they rooted our machine, they’d have at least some more interesting things to do than “hack” your site.


#5

Well looking at their past history of hacks on Zone-h.com

http://www.zone-h.com/en/defacements/filter/filter_defacer=TechTeam/

you can see that all they do is deface the pages of the first one, then protest against the USA and Bush on the war. You can also see that if they root one ip of the entire machine, they just alter all the index.php files for every domain on that machine. A Simple Search on Google for TechTeaM Defacement will easily get you a few dozen sites that checked out how they did it. All were done with the OpenSSH flaw.

What they did was drop a nasty little php script called rox.php that could be called from a webrowser that could pretty much do anything. A screenshot I posted here, before I removed the evil php script.

http://www.muevelonyc.com/rox.jpg

Scary how much power that damn thing has.

It seems that they dropped the script prior to Dreamhost updating the security files. I remember a few months back we were under DoS attack. I’m guessing that’s their zombied bots executing their attacks on all the ip’s that are hosted which dropped these php files. From there maybe it’s just manually going through each site to the rox.php script (or whatever they named it to) to deface the page.

Fortunately I have a webservice that checks to see if my website appears on defacement websites, and it notified me immediately when it appeared. From there, I just did some investingating, got rid of the malevolent file, and uploaded my backup.

Pretty damn annoying, although I’m glad they didn’t really destroy data.


#6

and here’s me listed on Zone-H.com :frowning:

http://www.zone-h.org/en/defacements/filter/filter_domain=muevelonyc.com/


#7

Well that’s just it - I think we’d have heard about it if they had defaced all of the sites on your machine - and it seems kind of odd that they would root the machine and pick your site randomly to deface. As far as I know, it’s not a particularly high profile site. You’d think they also would have uploaded more rox.php files… and all of this is the best case scenario… I’m looking right now, but so far I’m not seeing other files with this name on that machine.

I didn’t notice before that you were running PHPNuke, but this seems like a much more likely point of entry. I believe there have been a number of XSS holes in it. Old versions of Gallery and other common PHP programs are the most common way that people manage to gain access to users’ accounts on our machines.

I can’t find the original file in any of our snapshots (not sure when you removed it) but the creation / modification time on this file would probably be helpful in that respect. The window where we would have been vulnerable to any of the OpenSSH holes should have been a very small period of time.

I notice that “attack method” was left blank on the site you listed.

Well about as much power as someone gaining access to your ftp or shell account…

To the best of my knowledge, this is not related to either of the DOS attacks of a few months ago (one inbound, one outbound).


#8

good point… hmm…

Well I remember the dates on rox.php were on 11/25 (server time) However my index.php wasn’t altered until 11/28 (11/29 EST when I noticed it). Did a synch check to my local copy of my files and it was only my domain’s root index.php that was altered aside from them dropping the rox.php file. If there’s an email that you have I can email you the rox.php file, although it seems like a generic script kiddie thing.

As for PHPNuke, I was running Postnuke, and have been in very close contact with their development team in trying to figure out if it was possible that they exploited Postnuke or if this was an exploit of the Linux kind. Will keep you posted. I’m just trying to get to the bottom of this since I don’t want to have to fix my site again later. sigh


#9

Debian released a fix for the ssh hole shortly after it was announced (9/16 or so). We upgraded as soon as a fix was available.


#10

Hey Will,
I investigated the idea of the Gallery Nuke module being insecure, and paid off. Turns out the vulnerability was announced 11/26, I was hacked on 11/28. I posted more info as well as the fix here:
http://forums.postnuke.com/index.php?name=PNphpBB2&file=viewtopic&p=71017#71017

As for my site, it’s patched. I guess TechTeaM is going after small CMS/Nuke sites now. Shameful script kiddies!

Thanks for the heads up though. Much appreciated! Dreamhost rules!


#11

I know you guys use Debian, so I was wondeirng if Dreamhost has addresses this?


#12

We’ve already built new kernels; they should be installed shortly (and, as mentioned in the article, the hole is not Debian specific).


#13

Hey I just got an email saying that it was confirmed that my server was hacked and that someone put an irc server on it. Do you think that this had anything to do with them hacking my site a few months earlier?


#14

The email was from DH support?


#15

yeah - it was an official Level 5 email.


#16

What in the world is going on? What exactly happened? I got this level 5 email from dreamhost just now:

Hello Slash users,

Due to your server being compromised recently we ask that you please
change the passwords for each user on that machine. You can do so via
the
webpanel here:

https://panel.dreamhost.com/index.cgi?tree=users.passwords&

This goes for FTP users and Telnet/SSH users alike (exempting mail-only
users).

We appreciate your cooperation,
Happy DreamHost Slash Fixin Team!


#17

There was a root compromise on the morning of the 24th (which you should have received an announcement about if you’re on that machine). The machine was switched over quickly to new hardware. We are still investigating how the machine was compromised, but we do not think the attacker had time to do much before we detected the breach. We don’t believe the attacker obtained a copy of the shadow password file, but just in case, we’re requesting that users change their passwords, as they could possibly have gained access to this file.

There was a (likely unrelated) DOS attack coming from (the new) slash this morning. This was a user level compromise (they accessed the system via an insecure PHP script), and to the best of our knowledge, there was no root compromise in this case.

Hope this clears things up. That’s about all we know at this point; as we get more information, we’ll try to post a followup announcement.


#18

thanks. That explains why the website loads a heckofa lot faster now. :slight_smile: Dreamhost rocks!


#19

I think someone has hacked into my site… this has never happened before and i’m not sure how to regain control. I’ve contacted support about this and am anxiously waiting a response… wish I could call somebody!

Any ideas??