Sites hacked
03-01-2012, 03:38 PM
Post: #141
RE: Sites hacked
(03-01-2012 03:17 PM)scubadollar Wrote:  this is understood, it is why popular themes and plugins need to be updated when these weaknesses are found but it is still in the realm of "your Wordpress or Joomla install is insecure" In my experience, hackers do not do this to custom sites unless they are very popular, there is an obvious exploitable hole or there is some info to gain. Of course sometimes they are just bored but there is no evidence that this was a bored person's attack.

Scubadollar,

I just posted about this, download my php tool to look at your own websites and tell me that custom sites aren't under attack. I'm blogging about gluten free cookies and getting pounded by login trollers and people trying to customize some obscure plugins with cracker code.

repairitblog.org under 'dreamhost tools' go look at your own sites.

:-)

Bill
03-01-2012, 03:38 PM
Post: #142
RE: Sites hacked
(03-01-2012 03:20 PM)amphibious Wrote:  How difficult would it be to send out another mass email with explicit instructions on what's going on and how to fix it?

A ray of light... this is all we require, this is all we expect. Getting a bit late in the day though.

I would just like to know I am secure... I have done nothing but clean code and update out of date sites but, from what I hear, this is not enough and I would hate to have to spend the 8 hours again. Most of which consisted of seeking out the backdoors which were pretty well hidden. Luckily we knew the file structure of our bespoke sites so well and were able to discover them relatively quickly but would hate to have to scan through 3000 Joomla files as even modification dates were touched in many of the occurrences.
03-01-2012, 03:47 PM
Post: #143
RE: Sites hacked
(03-01-2012 03:20 PM)amphibious Wrote:  In mid-February, all of a sudden, potentially thousands of sites that they host start forwarding people to porn/malware sites.

In mid-November last year this current attack floored users on other big hosts and became news across the Internet. We have all had ample time to prepare if we had remained dedicated to staying informed about the scripts we use. I had an account here compromised and I take full responsibility for it. There was an easy install One-Click WP that I didn't even use and had totally forgotten about. I really should have removed it months ago. Truth is I would have been totally oblivious to the attack reaching Dreamhost had I not been using the account for some dev work and noticed files being changed before my eyes as I sat there in shell.


(03-01-2012 03:20 PM)amphibious Wrote:  How difficult would it be to send out another mass email with explicit instructions on what's going on and how to fix it?

That isn't the host's job, it's the webmaster's job. When we take the responsibility of buying a domain the onus is on us - and us alone - to keep whatever we use it for in a workable condition. If we do not possess the skills required to keep it workable, then we need to either learn how, employ someone who actually does know what they're doing, or quit.

Maximum Cash Discount on any plan with MAXCASH

How To Install PHP.INI / ionCube on DreamHost
03-01-2012, 03:56 PM (This post was last modified: 03-01-2012 05:56 PM by amphibious.)
Post: #144
RE: Sites hacked
(03-01-2012 03:47 PM)sXi Wrote:  That isn't the host's job, it's the webmaster's job. When we take the responsibility of buying a domain the onus is on us - and us alone - to keep whatever we use it for in a workable condition. If we do not possess the skills required to keep it workable, then we need to either learn how, employ someone who actually does know what they're doing, or quit.

From a customer service/retention and brand management perspective it absolutely is the host's job to do this.

It's not the host's job to manually update everyone's site, but it is in the host's best interest to notify their users, particularly when the problem seems to be so widespread.

DreamHost certainly has staff that are intelligent enough to figure this thing out and then package a fix with an easy to follow guide.

What would it take? An hour?

How much would that hour cost DreamHost?

Certainly less than the $600/yr I've been giving them for my hosting and domain registrations. And I'm just one customer...
03-01-2012, 04:00 PM
Post: #145
RE: Sites hacked
Create in your user root folder this:

/.php/5.3/phprc

In the phprc file add this line:

allow_url_fopen=0

Be aware this might adversely affect some scripts that require it to be open. And of course you also have to upgrade to php 5.3 if you're not already on it. But DH makes that a couple clicks away.

Unsure if that will completely stop this attack but judging by the code in my files I believe it will help.

Quote:This is actually not the case on our system — default permissions (755 for directories, 644 for files) will still allow uploads to work, as PHP scripts on our system run as the owner, not as the web server.

Might be true but many scripts request 777 or even do checks on install and won't properly install unless chmods are to its desires. I know that's not necessarily the fault of DH but to claim that a site has been made insecure because of a 777 chmod isn't completely accurate imho. That's like saying having a website makes you vulnerable to attack.

Quote:We've got a blog post in the works about this.

I'm really glad to hear that. For the most part I find DH to be communicative in its blogs and status updates. However I do find the support ticket system to be mainly a waste of time as I always get canned responses which normally don't address my well-worded and detailed tickets.

Quote:We are taking steps to try to detect some of these situations proactively and notify customers when we notice something wrong — we aren't omniscient, though, and so we can't always catch problems before they are exploited.

Sure but 2 weeks later and your first reply in this thread was 2/21, 8 days ago. DHTR on page 5 posted the payload. A quick scan of servers and some automatic emails to affected customers would have been great.

I've already started to rework just about my entire DH account. Gonna move all my WP installs into one user account.

One thing I love about DH is their custom control panel. Just putting that out there.

Quote:That being said, DH should probably do more than just set the most secure option as default.

My account is old. DH stated that it's now default new users have it enabled. I still add new user accounts. However it would have been nice when the feature was added if I wasn't sent a notification email informing me that a new secure option was available. I don't say they are required but certainly it's in their best interest to inform clients of new security features. Heck even a header in control panel on next login. I login probably once a week. I'd have seen it and utilized it.

Quote:In mid-February, all of a sudden, potentially thousands of sites that they host start forwarding people to porn/malware sites. They do nothing, give callous answers to their users looking for help, and do not provide their paying customers a clear path to remove the crap and secure their sites. Additionally, they don't seem to be providing their paying customers any notification to alert them that there may be an issue.

Agreed. That's how I feel about this too. I've already tweeted and posted this thread in a number of places and I'll continue to do so at other webmaster sites in order for pressure to be mounted on DH to do more about this situation. Possibly make some policy changes too.

On my WP one-click installs I have them set to update automatically. So far that's been a blessing. All my WP installs were up to date.

Support Forums | MyBB Central
03-01-2012, 04:08 PM
Post: #146
RE: Sites hacked
It is absolutely the Webmaster's job. If it were not, then the title would not exist.

An hour? I've spent about 3 hours so far looking at variables and testing code for an automated dehackerer and I expect to be spending more hours on it until I'm satisfied that it is workable against the many and varied scripts that it will need to process in order to be worthy of release. Unfortunately progress is at a standstill because I don't have some of the hacks available to me that people have indicated they have encountered.

If you, or anyone else reading this thread, has found a file with a size of 21675 Bytes (possibly named style.php) I'd be grateful if they'd forward it to me.

http://discussion.dreamhost.com/thread-1...#pid150618

03-01-2012, 04:08 PM (This post was last modified: 03-01-2012 04:10 PM by PacIslandAqua.)
Post: #147
RE: Sites hacked
I was also hacked, though I do not run Wordpress.

Prestashop
Magento
phpBB
VBulletin

All my sites have the eval script in the .php files. It's going to be a long night... Though the script is in my forum files I have no reports of any redirects.


EDIT: My dreamhost ticket was sent to the hacked website department and responded to. They provided me with a .txt file with a list of 8002 infected files.
03-01-2012, 04:27 PM
Post: #148
RE: Sites hacked
(03-01-2012 04:08 PM)PacIslandAqua Wrote:  They provided me with a .txt file with a list of 8002 infected files.

Does that list have file sizes as well?

03-01-2012, 04:32 PM
Post: #149
RE: Sites hacked
Quote:It is absolutely the Webmaster's job. If it were not, then the title would not exist.

It's WEBMASTER not SYSADMIN. Your statement is wrong. I could have a site with only an index.html and if server is not correctly configured I could be compromised.

A webmaster is certainly responsible for a level of security but it has to begin with a secured server.

fyi tip...on the sites I had affected I downloaded entire site then did a search/replace with notepad++. You can also search for the payloads that way to remove those files. Once you believe your files are secured then upload them after deleting everyone on the DH account.

Be sure to take my advice and alter your php to 5.3 and add the phprc file to prevent sockets. Enable Enhanced Security as well if not already.

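
Several posts above describe hunting for injected files by hand: the 21675-byte file in post #146, the "eval script" in post #147 and the payload search in post #149. The shell functions below are an added example, not code from any poster or from DreamHost; the `eval(` regex, the function names and the sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list candidate files for manual review.
# Modification times are deliberately ignored; post #142 reports they were altered.

# PHP files of an exact byte size, e.g. the 21675-byte file described in post #146.
find_by_size() {
    find "$1" -type f -name '*.php' -size "${2}c" -print | sort
}

# PHP files containing an eval( call. The regex is an assumption: the thread only
# says "the eval script", and legitimate code may also match, so review each hit.
find_eval() {
    find "$1" -type f -name '*.php' -exec grep -lE 'eval[[:space:]]*\(' {} + | sort
}

# Report both indicators for one web root.
scan_tree() {
    find_by_size "$1" 21675 | sed 's/^/SIZE-21675  /'
    find_eval "$1" | sed 's/^/EVAL        /'
}

# Constructed sample tree for trying the functions offline; prints its path.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/wp" "$d/theme"
    printf '%s\n' '<?php echo "hello"; ?>' > "$d/index.php"
    printf '%s\n' '<?php eval ($constructed_marker); ?>' > "$d/wp/header.php"
    printf '%s\n' 'eval( in a non-PHP file is skipped' > "$d/notes.txt"
    dd if=/dev/zero of="$d/theme/style.php" bs=21675 count=1 2>/dev/null
    printf '%s\n' "$d"
}

# Usage: sh scan.sh /path/to/webroot
if [ "$#" -gt 0 ]; then
    scan_tree "$1"
fi
```

Hits are candidates only: compare each one against a known-good copy of the application before deleting or restoring anything.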
03-01-2012, 04:45 PM
Post: #150
RE: Sites hacked
(03-01-2012 04:27 PM)sXi Wrote:  Does that list have filesizes as well ?


It does not. :(