
hacked?!


  • Banned (with Prison Access) Posts: 16,659 ✭✭✭✭dahamsta


    How do you mean you traced it to there? That site looks like a regular defacement mirror to me. And the only reason you'd search for IE domains there is to find other ones that have been defaced! Your time might be better spent tracking down how they defaced your site so it doesn't happen again.

    adam


  • Registered Users Posts: 4,478 ✭✭✭wheres me jumpa


    Ken Shabby wrote:
    How do you mean you traced it to there? That site looks like a regular defacement mirror to me. And the only reason you'd search for IE domains there is to find other ones that have been defaced! Your time might be better spent tracking down how they defaced your site so it doesn't happen again.

    adam

    The site appeared in my stats. Searched the site for my domain and found my hacker. A 777 setting seems to be the problem, I know the pages they exploited, both had forms.

    I was just posting as I thought others might be interested as I was in seeing what other sites had been defaced. Apologies.


  • Closed Accounts Posts: 7,563 ✭✭✭leeroybrown


    Occasionally these sites can be useful for establishing a start point for a trail. One day while bored I managed to trace down a defacement that caused a lot of hassle for me to a script kiddie in Cork. I had a copy of his CV and all his personal details. It was about 18 months after the event and he appeared to have copped on an awful lot so I didn't bother having any more fun.

    Obviously that was an exceptional case but...


  • Registered Users Posts: 4,478 ✭✭✭wheres me jumpa


    How did you get his CV?


  • Banned (with Prison Access) Posts: 16,659 ✭✭✭✭dahamsta


    No offense intended, but you didn't find the "hacker", you found his or her handle on a generic mirroring site via a referer in your logs. Which was probably already somewhere on the defacement.

    I'm pretty sure most hackers in the world would be slightly miffed by your use of the word too. The word you're looking for is "cracker", although in this case "script kiddy" would probably be more accurate.

    adam


  • Registered Users Posts: 4,478 ✭✭✭wheres me jumpa


    Ken Shabby wrote:
    No offense intended, but you didn't find the "hacker", you found his or her handle on a generic mirroring site via a referer in your logs. Which was probably already somewhere on the defacement.

    I'm pretty sure most hackers in the world would be slightly miffed by your use of the word too. The word you're looking for is "cracker", although in this case "script kiddy" would probably be more accurate.

    adam


    Again apologies.

    What I should have said was, I found a portfolio of sites the cracker had defaced which I found interesting.


  • Banned (with Prison Access) Posts: 16,659 ✭✭✭✭dahamsta


    No need to apologise to me, I was just making a point. I thought it important to note that the site is just a defacement mirror, and not the home of a single hax0r muppet that probably can't code for toffee.

    adam


  • Registered Users Posts: 4,478 ✭✭✭wheres me jumpa


    Ken Shabby wrote:
    No need to apologise to me, I was just making a point. I thought it important to note that the site is just a defacement mirror, and not the home of a single hax0r muppet that probably can't code for toffee.

    adam

    I was aware there was more than one "haxor muppet" on the site.


  • Closed Accounts Posts: 7,563 ✭✭✭leeroybrown


    How did you get his CV?

    My memory is a bit sketchy but I used some extra details I found (which most people are clueful enough to conceal) on one of the mirror sites to trace back via some other forums, etc. to his personal web page with CV, and a load of other stuff. There were enough breadcrumbs along the way to be sure it was him.

    The mirror site probably appears in your logs due to a link directly after your site was added. The real culprit is generally buried in your Apache logs somewhere. The last time I traced one back fully it was from a DHCP IP address in a South American ISP's netblock.

    As a matter of interest was the site running off any of the usual PHP CMS or Bulletin Boards packages?


  • Registered Users Posts: 1,086 ✭✭✭Peter B


    Just out of interest how can a site be defaced through a form?

    Just wanna fix my sites against these defacings as best as possible


  • Registered Users Posts: 706 ✭✭✭DJB


    Peter B wrote:
    Just out of interest how can a site be defaced through a form?

    Just wanna fix my sites against these defacings as best as possible

    I'm not 100% sure how your site was hacked but I'm guessing it has something to do with XSS (Cross Site Scripting). Here's a definition on the net I found:

    XSS: An abbreviation of cross-site scripting. XSS is a security breach that takes advantage of dynamically generated Web pages. In an XSS attack, a Web application is sent with a script that activates when it is read by an unsuspecting user’s browser or by an application that has not protected itself against cross-site scripting. Because dynamic Web sites rely on user input, a malicious user can input malicious script into the page by hiding it within legitimate requests. Common exploitations include search engine boxes, online forums and public-accessed blogs. Once XSS has been launched, the attacker can change user settings, hijack accounts, poison cookies with malicious code, expose SSL connections, access restricted sites and even launch false advertisements. The simplest way to avoid XSS is to add code to a Web application that causes the dynamic input to ignore certain command tags. Scripting tags that take advantage of XSS include <SCRIPT>, <OBJECT>, <APPLET>, <EMBED> and <FORM>. Common languages used for XSS include JavaScript, VBScript, HTML, Perl, C++, ActiveX and Flash.

    Here's a good site to refer to for testing your site for XSS vulnerabilities:

    http://ha.ckers.org/xss.html

    It can be quite scary the first time you execute one of these on your site and see the potential JS that can be initialised by a hacker. So, if a hacker inputs one of these into your form (or a more dangerous one) and you save it to the database and your website is pulling that record out of your database and displays it on your home page, the script will be executed by all your visitors.

    wheres_my_jumpa... do you know how your site was hacked?

    Dave
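
The save-then-display flow described in the post above, with the fix applied at output time. This is an added example, not code from the thread: the schema, function names and entries are constructed, and it is written in Python for illustration (in a PHP script the counterpart of `html.escape` is `htmlspecialchars()`).

```python
import html
import sqlite3

def make_guestbook():
    """In-memory stand-in for the site's database (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE entries (name TEXT, message TEXT)")
    return db

def save_entry(db, name, message):
    # Store exactly what was submitted; parameter binding keeps it out of the SQL text.
    db.execute("INSERT INTO entries (name, message) VALUES (?, ?)", (name, message))

def render_unsafe(db):
    """The pattern from the post: stored form input is echoed into the page as-is."""
    rows = db.execute("SELECT name, message FROM entries ORDER BY rowid")
    return "".join(f'<li title="{n}">{m}</li>' for n, m in rows)

def render_safe(db):
    """Encode at output time so stored text is shown as text, never parsed as markup."""
    rows = db.execute("SELECT name, message FROM entries ORDER BY rowid")
    return "".join(
        # quote=True also encodes " and ', needed because name lands inside an attribute.
        f'<li title="{html.escape(n, quote=True)}">{html.escape(m, quote=True)}</li>'
        for n, m in rows
    )

def demo():
    db = make_guestbook()
    save_entry(db, "Dave", "Nice site!")
    # Constructed test entry: a harmless marker standing in for hostile form input.
    save_entry(db, 'Bob "the builder"', "<script>alert(1)</script>")
    return render_unsafe(db), render_safe(db)

if __name__ == "__main__":
    unsafe, safe = demo()
    print("unsafe:", unsafe)
    print("safe:  ", safe)
```

Encoding on output rather than filtering on input keeps the stored record intact and protects every page that later displays it.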


  • Registered Users Posts: 4,478 ✭✭✭wheres me jumpa


    DJB wrote:

    wheres_my_jumpa... do you know how your site was hacked?

    Dave

    Not entirely sure but I have an idea. My host was very helpful and pointed this out...

    "IPs from the Sudan POSTing (submitting) information to your guestbook and news.php scripts. Not sure if you made them yourself but this will be the point of exploit. Notice how the hostmasks are different even though it's the same IP."

    So an attack on my php scripts.


    Host also has some "additional security systems to hopefully negate some of the possible exploits".
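
A log triage sketch for the two observations made in this thread: the mirror site shows up only as a referer, while the requests that matter are POSTs to the form-handling scripts in the Apache access log. This is an added example, not code from the thread; the log lines, IPs, hostnames and the `/guestbook.php` path are constructed, and the Apache "combined" log format is assumed.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)")?'
)

# Constructed sample lines: documentation-range IPs, hypothetical hostnames.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2006:02:14:09 +0000] "GET /guestbook.php HTTP/1.1" 200 5120 "http://www.example.ie/" "Mozilla/4.0"
203.0.113.7 - - [12/Mar/2006:02:14:31 +0000] "POST /guestbook.php HTTP/1.1" 200 312 "-" "Mozilla/4.0"
203.0.113.7 - - [12/Mar/2006:02:15:02 +0000] "POST /news.php?id=3 HTTP/1.1" 200 298 "-" "libwww-perl/5.8"
198.51.100.20 - - [12/Mar/2006:09:40:11 +0000] "GET /index.php HTTP/1.1" 200 8044 "http://mirror.example/archive" "Mozilla/5.0"
192.0.2.55 - - [12/Mar/2006:10:01:45 +0000] "POST /contact.php HTTP/1.1" 200 150 "-" "Mozilla/5.0"
"""

def parse(log_text):
    """Yield one dict per line that matches the combined log format."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def posts_by_client(log_text, scripts):
    """Map client -> [(time, path)] for POSTs to the given form-handling scripts."""
    hits = defaultdict(list)
    for e in parse(log_text):
        path = e["path"].split("?", 1)[0]  # ignore the query string when matching
        if e["method"] == "POST" and path in scripts:
            hits[e["host"]].append((e["time"], path))
    return dict(hits)

def external_referers(log_text, own_host):
    """Visits that arrived via another site's link: who linked to you, not who wrote to you."""
    refs = set()
    for e in parse(log_text):
        ref_host = urlparse(e["referer"] or "").hostname
        if ref_host and ref_host != own_host:
            refs.add((e["host"], e["referer"]))
    return refs

if __name__ == "__main__":
    print(posts_by_client(SAMPLE_LOG, {"/guestbook.php", "/news.php"}))
    print(external_referers(SAMPLE_LOG, "www.example.ie"))
```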

