My site has been hacked


#1

WTF is going on??

index.html for both my sites was just replaced with:

core-project

breaking your security

we`are: J0shua - L0rd_Byr0n - id3nt - h4v3r3st - hellsink

contact on: #cproject in irc.phawked.org

cproject@linuxmail.org

Made in Brasil

##########

This had to be from the server end… I’m certain no one knows my password. WTF is going on? Is Dreamhost not secure?


#2

I also can’t connect to my mail server. I can get into webmail, but it’s slow.

How do I even alert dreamhost? I filed a support ticket, but who knows when they’ll see it?


#3

I need to know what to do now. I’ve saved copies of the files they replaced and I’ve restored my site.

Has my password been compromised? Do I need to change my passwords? How can I get the IMAP server back up and running??


#4

Contact DH Support and make sure to mark your priority as urgent.


MacManX.com


#5

I did that earlier, but didn’t mark it as urgent.

I killed my old ticket and refiled. Thanks.

Waiting on a response…


#6

DH is pretty daggum security conscious, no one can say they’re 100% secure. I’m sure you were hacked through an unsecure script that you or some other account on your server has running. Been a lot of vulnerabilities with common apps discovered lately.

No big deal most likely, you can however change your passwords via the web panel, and probably should every now and then anyhoo.

They left their address if you wanna go talk to them, I bet they’d tell you what they exploited :wink:

jason


#7

Arghhhhh… I’m pretty ticked off.

I changed all my passwords.

I will try and contact them… bastards.


#8

please don’t contact them and call them bastards, I might be your neighbor on that machine :slight_smile:

jason


#9

As one of the people here who deals with this type of issue on a frequent basis, I’d be willing to bet $10 that your site was compromised via an insecure PHP (or Perl) script.

I’d leave the support ticket open so that we can check things out and make sure they don’t have processes running as your user, but in the meantime, I’d check out the kbase article on snapshots and restore your site contents (if you haven’t already).

I’d then check any / all third party software on your site and make sure you’re running an up to date version of it. We’ve announced about a lot of holes in common software, and there’s plenty of other stuff that we haven’t announced about.

Gallery (and the Gallery modules for phpNuke and other CMS systems), twiki, awstats, phpBB, and others have all had high profile and widely exploited vulnerabilities recently.

It’s unlikely to me that the server itself was compromised.


#10

Lately I’ve been doing a lot of writing my own programs (custom CMSes, to be most simplistic about it) from scratch… presumably they’re not very secure against hacking, because I don’t have training in that sort of thing… is being hacked something I should be seriously concerned about? What I mean is, presumably I’m running scripts that probably have holes, but since my scripts are not open-source or available anywhere, and since they’re not being used outside of the company I work for, is the chance of being hacked probably actually less than it would be if I were using better-security-but-widely-known mainstream programs?

I hope this makes sense!


#11

The biggest thing to worry about is making sure that (especially with $register_globals enabled, which unfortunately it still is on our setup) variables get sanitized properly. I believe that disabling register_globals via php_flag (in .htaccess) will work with mod_php – however it will not work with php-cgi (which is necessary in some cases to get around some other restrictions with our mod_php setup).

I’ve seen custom code get compromised - a lot of times, people can figure stuff out from the errors PHP spits out and from the way that variables are passed to the program in a URL. They’re obviously less susceptible to worms and such, but there are some pretty uncommon and / or proprietary scripts which seem to get owned by script kiddie types.

These are the links I usually send customers who have gotten compromised via a web script:

http://www.sklar.com/page/article/owasp-top-ten
http://www.modsecurity.org/db/resources/category.php?id=7

For general information on $register_globals:
http://www.php.net/register_globals
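As an added example (not code from this thread or from DreamHost), here is the register_globals problem the reply above describes, with the weak pattern next to the hardened one. register_globals was removed in later PHP versions, so `extract($_GET)` stands in for it here; the page names and session layout are made up for the illustration.

```php
<?php
// Constructed request: a visitor adds a parameter the script never expected.
$_GET     = ['page' => 'news', 'is_admin' => '1'];
$_SESSION = [];          // nobody is logged in
extract($_GET);          // stand-in for register_globals = On: every query
                         // parameter is now a PHP global ($page, $is_admin)

// --- Weak pattern: the flag is only assigned on the success path ---------
// $is_admin is never initialised, so the value injected from the URL survives
// and the "admin only" branch runs without any login.
if (isset($_SESSION['role']) && $_SESSION['role'] === 'admin') {
    $is_admin = true;
}
if (!empty($is_admin)) {
    echo "weak check: admin panel shown to an anonymous visitor\n";
}

// --- Hardened pattern -----------------------------------------------------
// 1. Initialise every variable before use, so nothing a visitor sends can
//    pre-populate it, whether register_globals is on or off.
$is_admin = false;
if (isset($_SESSION['role']) && $_SESSION['role'] === 'admin') {
    $is_admin = true;
}
// 2. Read input only from $_GET / $_POST, and validate it against a whitelist
//    instead of trusting it to pick a file or a code path.
$allowed_pages = ['news' => 'news.php', 'about' => 'about.php'];
$requested     = $_GET['page'] ?? 'news';
$page_file     = $allowed_pages[$requested] ?? $allowed_pages['news'];

echo $is_admin ? "hardened check: admin\n" : "hardened check: not admin\n";
echo "would include: $page_file\n";

// 3. Where the server still has register_globals on and PHP runs as mod_php,
//    the reply above notes it can be switched off per directory in .htaccess:
//        php_flag register_globals off
//    (this directive has no effect under php-cgi, as the reply also warns).
```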


#12

Thanks for the reply, I’ll check out the links. :slight_smile: The server where my scripts eventually wind up has register_globals turned off, which was a pain at first (I had to change all the code!) but now I’m quite happy about it.

FYI – while my older sites would break, break, break if $register_globals was turned off, I do think it’d be a good idea… if customer response is why it’s still on, here’s one customer who’d rather rewrite all her stuff than have it left on indefinitely. :slight_smile: