Security Basics mailing list archives

RE: How webpage defacement possible just using web hacking?


From: "Hamish Stanaway" <koremeltdown () hotmail com>
Date: Wed, 09 Mar 2005 16:27:44 +0000

Hi there Monty,

Are you able to tell us if there were any other web applications running on the website / web space, e.g. a forum / bulletin board system, chat room, etc.? This is a common way in which malicious system crackers crack (or hack as you say) into web servers.



Kindest of regards,

Hamish Stanaway, CEO

Absolute Web Hosting / -= KoRe WoRkS =- Internet Security
Auckland, New Zealand

http://www.webhosting.net.nz
http://www.buywebhosting.co.nz
http://www.koreworks.com




From: "Monty Ree" <chulmin2 () hotmail com>
To: security-basics () securityfocus com
Subject: How webpage defacement possible just using web hacking?
Date: Wed, 09 Mar 2005 00:55:50 +0000

Hello, all.

Some days ago, a site was defaced by web hacking.
I guess that some attacker gained web server permission using a web application vuln. and changed the index file. Surely, the attacker gained just nobody privilege (web server user), not root privilege, and the index file permission is 644, owned by another user (and there is no write permission on the directory).

I guess that it is impossible to change the index file with just nobody privilege. But most webpage defacement occurs using a web application vuln. in PHP or CGI or something like that.

Of course, it would be possible if a vulnerable CGI is set suid, but most are not.


Any idea?


Thanks in advance.
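
The permission reasoning in the question above (index file mode 644, owned by another user, no write permission on the directory) can be checked across a whole document root. This is an added example, not part of either post; the function names `allowed` and `audit` are hypothetical, and it assumes plain Unix mode bits only (no ACLs, no root).

```python
import os
import stat
import sys

def allowed(st, uid, gids, bits):
    """Classic owner/group/other check. bits: 4=read, 2=write, 1=search/execute.
    Assumption: plain mode bits decide; root, ACLs and MAC policy are ignored."""
    if st.st_uid == uid:
        shift = 6
    elif st.st_gid in gids:
        shift = 3
    else:
        shift = 0
    return (st.st_mode >> shift) & bits == bits

def audit(docroot, uid, gids=()):
    """Return (path, reason) for every file the given uid could modify or replace.
    Search permission on parent directories above docroot is not checked."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        dir_st = os.stat(dirpath)
        # Unlinking or creating entries needs write + search on the directory itself.
        dir_writable = allowed(dir_st, uid, gids, 3)
        sticky = bool(dir_st.st_mode & stat.S_ISVTX)
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink mode bits carry no meaning; targets are not followed
            if allowed(st, uid, gids, 2):
                findings.append((path, "file is writable"))
            elif dir_writable and not (sticky and uid not in (st.st_uid, dir_st.st_uid)):
                # Mode 644 on the file does not help here: it can be deleted and recreated.
                findings.append((path, "replaceable via writable directory"))
    return findings

if __name__ == "__main__" and len(sys.argv) >= 3:
    # Usage: audit.py <docroot> <web-server-uid> [gid ...]
    root, web_uid = sys.argv[1], int(sys.argv[2])
    web_gids = {int(g) for g in sys.argv[3:]}
    for path, reason in audit(root, web_uid, web_gids):
        print(f"{reason}: {path}")
```

An empty result for the web server's uid and groups matches the situation described in the question; any finding is a file that account could change without needing root.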
