Website hacked! What to do?

OK, so a website I run got hacked. It’s an in-office box with its own T1.

Logs reveal that somehow someone uploaded a little php script to two folders (that turned out to have 777 permissions). The scripts were rough-and-ready file management scripts. They put them there in April and came back yesterday and used them to delete index.html and replace it with the coup page.

I fixed it right away, examined the logs, removed the naughty php scripts. The folders are all given more appropriate permissions. No point alerting the FBI, I imagine, as the perp’s IP addresses are in Egypt and I’ve already compromised the scene getting the website back up, etc.

My assumption is that the combination of Webdav and folders set to 777 is what did it – how do I find out for sure? (Aside from auditing all the code in other php and perl scripts to check the security of any upload functions, which I know I must do but it is last on the list because Hell is Other People’s Perl.)

Do an inventory of what is running on the server, including versions and hotfixes, then go out on the intarweb and search for security alerts for the different products.

I would suggest you also run through backups from the past and find out exactly when the malicious code was uploaded then restore the entire installation to a point before that, taking copies of any necessary files changed since, after screening them for tampering.

A rundown of all the permissions on the site would be useful as well.

Also, please tell what kind of site setup you have, e.g. PHP/Apache/Mambo etc. I am interested in this since I help admin a friend's Mambo site but Linux is not really my strong side (yet). Never had my IIS' hacked though.

Course, if you are sure the logs show an accurate picture of events, and, due to the fact that the perps are in such a country and are probably “untouchable” in terms of finding them as they did not bother hiding their tracks… perhaps you can be secure just by replacing the damaged files and removing the extra ones (instead of taking down the whole site and re-configuring it)…

This reminds me that I should probably take a backup of my sites database, just in case )=

I don’t have any advice, but I’m curious about the nature of the hacking. Was this just a “haha u r haxx0red” thing, or was there data theft or something going on?

It’s OSX 10.3 server on a PowerPC G5, with all the automatic patches applied. The nature of the firm (small, non-technical, this box does everything for them) means that staff must be able to perform minor maintenance on the box through the server admin GUI, which has led me to shy away from manual upgrading in case the GUI breaks.

No CMS systems at all. Scripts are actually few and far between, and mostly coded by me. I’ll be going through them all and reading up on the latest PHP security stuff to see if there is anything new. (globals are off, etc., all the basics are definitely covered.)

The in-out cheap-shotedness of the hack makes me suspect that rebuilding the whole box from scratch would be overkill, though I will do a thorough audit of all the files on the webserver itself.

I’m a fairly good backer up: monthly to DVD, daily to USB hard disk which holds four days back and lives in a fireproof safe, and twice daily mysqldumps of every database. Can’t really afford tape, though.

Log in, upload new index.html, leave. As far as I can tell…

Of course, there is always the chance that they made a script-kiddie hack complete with log evidence to hide the real hack that occurred…

I suppose having a mirror of the production site in a non-networked location would make it fairly easy to just run a “diff” on the files and see which have been changed. In fact I think that’s what I’ll do with the site I administer. The hosting company runs backups, but I doubt they will jump if something happens to the site that would require a restore.
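One way to do the comparison this post describes, as an added example that is not from the thread: hash a baseline copy of the site, compare it against the live tree to list added, removed and modified files, and also report world-writable directories like the 777 folders the first post mentions. The directory layout, file names and contents used in `demo()` are constructed for illustration.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def manifest(root):
    """Map each regular file (path relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*")
        if p.is_file()
    }


def compare(baseline, current):
    """Return (added, removed, modified) relative paths, each sorted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in baseline if p in current and baseline[p] != current[p]
    )
    return added, removed, modified


def world_writable_dirs(root):
    """Directories anyone can write into (the 'other' write bit, as with chmod 777)."""
    root = Path(root)
    return sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.is_dir() and p.stat().st_mode & stat.S_IWOTH
    )


def demo():
    """Constructed mini web root: a 777 upload folder and a replaced index.html."""
    tmp = Path(tempfile.mkdtemp())
    (tmp / "index.html").write_text("<h1>Hello</h1>")
    (tmp / "uploads").mkdir()
    os.chmod(tmp / "uploads", 0o777)  # the weak permission under discussion
    baseline = manifest(tmp)  # what the offline mirror would hold
    # Simulate the incident: a dropped script in the 777 folder and a defaced index.
    (tmp / "index.html").write_text("<h1>defaced</h1>")
    (tmp / "uploads" / "fm.php").write_text("placeholder, constructed content")
    added, removed, modified = compare(baseline, manifest(tmp))
    return added, removed, modified, world_writable_dirs(tmp)
```

Keep the baseline manifest on the offline mirror, not on the web server, so an intruder with write access cannot quietly update it.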

Hehe, nice screenshot. :-)

Anyone have a translation of the arabic text?

Also, have you tried emailing [email protected]?

It’s nice to see that the Egyptians are as fond of goofy hacker names as Americans. Maybe the cultural gap between the West and the MidEast isn’t that wide.

Troy

Ugh. What a pain in the butt. To paraphrase Clerks, buncha savages on this Internet.

I’d be willing to bet the Arabic says something along the lines of “Black Scorpion is the best, shout outs to other hackers X, Y and Z.”

See, we’re a newspaper – we’re thinking of emailing and seeing if we can interview them. It would be fascinating if we’d been the victim of jihadist teens from Egypt targeting rural U.S. newspapers as part of a hi-tech modern campaign, and the Arabic was all political and religious and stuff.

Truth is, though, that it’s probably just a buncha savages, and emailing them will just remind them we exist. As Hawkeye says, it’s probably just “Shouts out to other hackers Slayer and Sub” etc.

If you can get me a bigger screenshot of the Arabic text I might be able to manage a basic translation but also maybe not. My Arabic was always basically awful despite taking the equivalent of six semesters of it. I also don’t know where my Arabic dictionary is.

There might be some help in running suphp in the future. You can then safely chmod directories to 700 and keep the webserver and ownership of files the same.

http://www.suphp.org/Home.html

My fave webhost runs it, and apart from installer scripts for PHP-based software still being dumb and chmod’ing without asking, it’s great.

يهدي الاختراق لشبكه

العقرب الاسود

شبكه العقرب

الاسود

الموقع مع سبق الاصرار والترصد من قبل

العقرب الاسـود

Note that the unicode text copied from the original file seems to be messed up. Mac TextEdit is doing something weird with copy and paste.

The translator I tried (http://www.1-800-translate.com/machine_trans/free_result.asp) offers the hilarious:

“The black scorpion offers the penetration.”

“The position with the insistence precedence and the surveillance by.”

An online translator spit this out:

"The black scorpion

The lions

The site with antecedence the insisting [waaltrSd] before

The scorpion [aalaasw]"

That sounds very useful, I’ll take a look.

Oh man this brings back memories of exactly why I never excelled at Arabic.

You know there are four different ways to write most of the 28 letters.

Ugh.

Anyway, I’m gonna go with Hawkeye’s translation. :P

burka burka burka burka

Are you running any additional tools like AWStats? There was an exploit in it that bit me a while back, after I’d forgotten I even had it installed and didn’t keep it up-to-date.

No. It’s actually a quite bare-bones server. The only stuff running on it that I don’t really understand at a kind of primordial “this thing reeks of evil” level is WebDAV. But, I know only the very basics of security and I appreciate every suggestion.

I would not be running a non-current OSX installation unless I chose to carry out all the upgrades and bugfixes myself, and did so regularly and thoroughly. There was a widely-known PHP exploit, if I remember right, patched over a year ago, that would have allowed easy access in the manner that seems to have happened. OSX was one of the platforms affected.

Thank you. So it’s time to plunk down $500 for OSX 10.4 server? We’d been eyeing it for pre-configured spamassassin and clamx anyway…