David Kaplowitz on 18 Jan 2005 06:55:30 -0000



Re: [PLUG] Websites Defaced, any advice?


On 07:37 Mon 17 Jan, George Theall wrote:
> > ....configuration (or lack thereof) of PHP/MySQL (and a few popular CMSes,
> > TikiWiki and Wordpress).
> 
> This may be due to the recently announced vulnerability in TikiWiki
> enabling anyone to upload files and then execute them:
> 
>   http://tikiwiki.org/tiki-read_article.php?articleId=97
> 
> The link provides some info on telltale log entries and ways to resolve
> the problem. 
>

Good call, George! They actually did compromise tikiwiki. It must have
been this exploit, but the instructions on the page you directed me to
didn't produce any results.

I did eventually find entries in my logs for someone in Brazil (possibly
a hacked box itself) who must have scanned the box at some unknown time,
used the "unauthorized file upload vulnerability" to create a
tikiwiki/temp directory, upload a PHPSHELL.PHP script that allowed him
to run directory commands (discovering all the virtual
hosts/subdirectories) and delete any file the web server user had access
to (anything in my chroot) and also upload any file he wanted, all
from his browser. At some point the attacking machine was an IP in
Mexico, probably hacked.

Luckily for me it appears they only defaced the site and didn't do any
more serious damage (other than deleting my index pages) to the rest of
the data on the sites. Lucky too that I don't host for other people. 

This is a particularly humbling attack because the files were all edited in
Windows... so the little script rat was a Windows user. Oh well, that's
life I guess.

> You may also wish to search BugTraq -- http://www.securityfocus.com/bid/
> -- for some of the other software you run; it's very likely you'll find
> problems with those as well, unless you're up-to-date. 
>

I'm choosing to forego the PHP/MySQL combo entirely for the time being
until I can settle into a better monitoring, patching, alerting
scenario. Once that stuff's more in place I'll be prepared to try again,
but the default config on these services is just too insecure to play
around with.  

Thanks for the reply. Getting hacked is no fun (esp. if it's by a
Windows user), but it's actually quite engaging to try and figure out
what happened and where it originated, etc. I'd definitely have fun
being a penetration tester for a living. Oh well... maybe in a couple of
years.

Cheers, Dave

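A small detector for the telltale log entries George mentions, added here as an example and not part of the original thread or of TikiWiki itself: it scans Apache combined-format access logs for any PHP script requested out of a directory that should only ever hold uploaded data (tikiwiki/temp, the directory the attacker created). The sample log lines, client IPs, timestamps and the list of data-only directories are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache "combined" log format: client ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Directories that should hold only uploaded data, never executable code.
# "/tikiwiki/temp/" is the directory named in the post; extend as needed (assumed layout).
DATA_ONLY_DIRS = ("/tikiwiki/temp/",)
SCRIPT_EXT_RE = re.compile(r"\.(php\d?|phtml)$", re.IGNORECASE)

# Constructed sample log (made-up IPs and times), mirroring the incident described above.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Jan/2005:02:14:03 -0500] "GET /tikiwiki/tiki-index.php HTTP/1.1" 200 5123 "-" "Mozilla/4.0"
203.0.113.7 - - [16/Jan/2005:02:14:21 -0500] "GET /tikiwiki/temp/PHPSHELL.PHP?cmd=ls HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
198.51.100.9 - - [16/Jan/2005:03:01:44 -0500] "GET /tikiwiki/temp/PHPSHELL.PHP?cmd=rm HTTP/1.1" 200 77 "-" "Mozilla/4.0"
192.0.2.5 - - [16/Jan/2005:08:30:00 -0500] "GET /tikiwiki/temp/notes.txt HTTP/1.1" 200 410 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_script_from_data_dir(path):
    """True if the request path is a PHP script under a data-only directory.
    The query string is dropped first; extension matching is case-insensitive (PHPSHELL.PHP)."""
    bare = path.split("?", 1)[0]
    in_data_dir = bare.lower().startswith(tuple(d.lower() for d in DATA_ONLY_DIRS))
    return in_data_dir and bool(SCRIPT_EXT_RE.search(bare))

def find_suspicious(log_text):
    """Return {client_ip: [(time, method, path, status), ...]} for every request that ran
    a script out of a data-only directory. A 200 status means the server executed it."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_script_from_data_dir(rec["path"]):
            hits[rec["ip"]].append((rec["time"], rec["method"], rec["path"], rec["status"]))
    return dict(hits)

if __name__ == "__main__":
    for ip, reqs in find_suspicious(SAMPLE_LOG).items():
        print(ip)
        for t, method, path, status in reqs:
            print(f"  {t} {method} {path} -> {status}")
```

Run it against a real access_log with `find_suspicious(open("/var/log/apache2/access_log").read())`; any hit means the web server executed an uploaded script, which is the condition to fix in the server config (no script handler for upload directories) rather than just in the log.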
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug