

Site Got Hacked. Want to know how. Ideas? - gaoshan

A site I work on got hacked this morning. A small snippet of code (HTML, CSS, JavaScript) was appended to a number of pages of an ad system (PHP) we use.

How does this happen? How do they get write access to these pages (which have permissions of 755, as does the containing dir)? They are not pages that are editable through the ad system, so as near as I can tell you need to have admin access via SSH to edit these. Is that correct?

Any info is appreciated as I want to get a handle on how this happened.
======
Scott_MacGregor
If you have not already done so, you might want to try installing rkhunter
(Rootkit Hunter). It scans for rootkits, backdoors and possible local
exploits. It does this by comparing SHA-1 hashes of important files with known
good ones in online databases, searching for default directories (of
rootkits), wrong permissions, hidden files and suspicious strings in kernel
modules.

Maybe installing Jailkit to chroot SSH users might plug a hole for you too.
This is a set of utilities to limit user accounts to specific files using
chroot() and or specific commands. It is used to secure cvs, sftp, shell or
daemon processes. You can give your users shell access without having to fear
that they can see your whole system. Your users will be jailed in a specific
directory which they will not be able to break out of.

As a future potential preventative, you might want to think about installing
fail2ban. It is an intrusion prevention framework. It blocks selected IP
addresses for hosts that are trying to breach the system's security by
monitoring log files and will ban any host IP that makes too many login
attempts or performs any other unwanted action within a time frame defined by
the administrator.

These are for Linux, and I’m not an expert with them, so I can’t really walk
you through installing or using them, but you might want to look into them and
see if they might help you.

If this "Security" stuff is not your cup of tea, these guys might be able to
help: <http://www.serverwizards.com/> I have never used them, but have come
across a few of their happy "Security" customers in tech forums in the past. I
keep them in my contact list just in case.

------
nzmsv
There are many ways a site can be hacked. This could range from a silly error
in one of your PHP scripts, to some other software on the server being
vulnerable.

Often sites are hacked by automated bots rather than an actual person, which
means you are using some popular piece of code with a vulnerability. Whatever
you run, you need to keep track of security announcements for that product,
especially if it is popular, like Drupal for example. I'm not saying Drupal is
bad, it's just that lots of people look for vulnerabilities in it.

Look at your server logs (assuming they are still there). This should give you
a clue as to how they got access. Also, you say permissions are 755. And the
owner is...?

~~~
gaoshan
My username is displayed as the owner. I've looked at the access, error and
secure logs and the only thing I see that looks odd is a GET request that
contains a short (40 or 50 characters total) string of hex like \xc3\x83\etc,
etc. But that request indicates it comes from msnbot. Could that be the culprit
and they faked the user agent?

~~~
noodle
What does the GET request contain? And what's the variable? Search the source for
the variable and see what it does.

~~~
gaoshan
    /somecategory/apage.php?id=34\xc3\x83\xc6\x92\xc3\x86\xe2\x80\x99\xc3\x83\xe2\x80\x9a\xc3\x82\xc2\x9d&listing=989

Thing is, removing that hex and just putting in

    /somecategory/apage.php?id=34&listing=989

does the same thing. I get the same output to the browser regardless of which
is used.
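
Two triage checks for the symptoms this thread describes (the hex-laden GET request quoted above and the snippet appended to the ad-system pages), written here as an added example and not code from anyone in the thread. It assumes Apache's `\xNN` escaping of non-printable request bytes in the access log; the log line, file names and `x.js` are constructed.

```python
import os
import re
import tempfile
import time
# Constructed access-log line modelled on the request quoted in the thread.
SAMPLE_LOG = (r'203.0.113.7 - - [12/Jan/2010:06:14:02 +0000] "GET /somecategory/apage.php'
              r'?id=34\xc3\x83\xc6\x92\xc3\x86\xe2\x80\x99\xc3\x83\xe2\x80\x9a\xc3\x82\xc2\x9d'
              r'&listing=989 HTTP/1.1" 200 5120 "-" "msnbot/2.0b"')
MARKERS = (b"<script", b"<iframe")  # what an appended HTML snippet usually starts with

def decode_escaped_query(log_line):
    """Undo Apache's \\xNN escapes, decode the query as UTF-8, flag non-ASCII."""
    m = re.search(r'"GET [^?"]*\?(\S*) HTTP', log_line)
    if not m:
        return "", False
    raw = m.group(1).encode("ascii").decode("unicode_escape").encode("latin-1")
    text = raw.decode("utf-8", errors="replace")
    return text, any(ord(c) > 127 for c in text)

def find_appended_snippets(webroot, since_epoch, tail_bytes=2048):
    """[(path, marker)] for .php/.html files changed after since_epoch whose bytes
    after the final </html> or ?> carry a marker: the 'appended snippet' symptom."""
    hits = []
    for dirpath, _, files in os.walk(webroot):
        for name in files:
            path = os.path.join(dirpath, name)
            if not name.endswith((".php", ".html")) or os.path.getmtime(path) < since_epoch:
                continue
            with open(path, "rb") as fh:
                fh.seek(max(0, os.path.getsize(path) - tail_bytes))
                tail = fh.read().lower()
            end = max(tail.rfind(b"</html>"), tail.rfind(b"?>"))
            trailer = tail[end:] if end >= 0 else tail  # no closing tag: scan whole tail
            marker = next((mk for mk in MARKERS if mk in trailer), None)
            if marker:
                hits.append((path, marker.decode()))
    return sorted(hits)

def demo():
    """Constructed webroot: clean page, page with appended <script>, stale page."""
    root = tempfile.mkdtemp()
    clean = b"<html><body>ok</body></html>\n"
    for name, body in (("clean.php", clean),
                       ("apage.php", clean + b"<script src='x.js'></script>\n"),
                       ("old.php", clean + b"<iframe></iframe>")):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
    os.utime(os.path.join(root, "old.php"), (0, 0))  # mtime 1970: outside the window
    since = time.time() - 86400  # files touched in the last day
    return [(os.path.basename(p), mk) for p, mk in find_appended_snippets(root, since)]
```

The decoded query shows the "hex" is plain UTF-8 text (mojibake, not shellcode), which is consistent with the page behaving identically without it; the second check, run against the real webroot with the incident time as `since_epoch`, lists the files whose owner and mtime are worth comparing against the logs.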

~~~
noodle
It is probably not the culprit, but did you take a look at the code in
apage.php that processes id, just in case? It could be something.

~~~
gaoshan
I have looked at the code and the GET request is sanitized before being passed
on.

~~~
noodle
I ask again, then: are you using something like FileZilla, and/or do you log
in as root without a sudo?

~~~
gaoshan
No, I am not using FileZilla, and root cannot be logged into without sudo.

------
noodle
Could be an FTP hack. You using FileZilla?

otherwise, if you're using a downloaded software package, upgrade it and
report the problem.

