I'm hacked...for real
FERDY CHRISTANT - NOV 19, 2008 (07:17:34 PM)
It had to happen sooner or later...I'm hacked
About an hour ago my friend Barry told me he got a trojan horse warning whilst visiting one of my sites. The site in question is a YouTube parody on one of my other friends, displaying some of his most embarrassing moments. Therefore, I will not link to it :)
Anyway, the parody site is extremely simple. It is one static page with an embedded video, and a single dynamic php page which shows comments and allows one to post new ones. For storage there is a MySQL database with a single comments table. The site's been put together in about 3 hours, so the code is a bit sloppy, but it works.
When I started the investigation I suspected the comments section to be a bit leaky, but could not find the issue there. There was also no visual clue of the site being hacked, until I viewed the source of the page. The HTML source was injected with hundreds of hidden spam links, probably with the intention of gaming search engines. At the bottom of the source was an additional iframe linking once more to an obscure site.
The links and iframes showed up in the source of both the static and the dynamic page, so I checked the actual files on disk but found nothing related to this markup. This meant it was being injected at runtime. Then I noticed a new .htaccess file in the directory, with the following content:
RewriteEngine On
RewriteRule ^$ /img/chat/forum/linkator.php [NC,L]
RewriteRule ^(.*)/$ /img/chat/forum/linkator.php [NC,L]
RewriteRule ^(.*)\.p*html*$ /img/chat/forum/linkator.php [NC,L]
RewriteCond %{REQUEST_URI} !img/chat/forum/linkator.php$
RewriteCond %{REQUEST_URI} !img/chat/index.php$
RewriteRule ^(.*)\.php[345]*$ /img/chat/forum/linkator.php [NC,L]
This file rewrites practically every incoming request (the site root, any directory URL, any .htm/.html/.php page, with only the attacker's own scripts excluded by the RewriteCond lines) to a PHP script placed by the hacker (linkator.php), which then serves the original page with the spam injected. The hacker also placed some additional files to support that script, one being a long list of spam links. After removing the .htaccess and the spam scripts, the hack was gone.
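An audit script for .htaccess files like the one above, added here as an example and not part of the original post. It parses every RewriteRule, counts how many rules send traffic to the same target, and flags a target that several rules funnel into when it is not a known front controller, or when it is a PHP file sitting under a static-asset directory (where no PHP should normally live). Both sample .htaccess texts are constructed: the malicious one reproduces the rules quoted above, the benign one is the usual front-controller rule of a CMS. The asset-directory list and the `expected_targets` allowlist are assumptions you would tune to your own site.

```python
"""Audit an Apache .htaccess for rewrite rules that funnel page requests
into one unexpected script, the pattern seen in the post above.
(Added example; not code from the original post.)"""
import re
from collections import Counter

# Constructed sample: the attacker's .htaccess quoted in the post.
MALICIOUS_HTACCESS = r"""
RewriteEngine On
RewriteRule ^$ /img/chat/forum/linkator.php [NC,L]
RewriteRule ^(.*)/$ /img/chat/forum/linkator.php [NC,L]
RewriteRule ^(.*)\.p*html*$ /img/chat/forum/linkator.php [NC,L]
RewriteCond %{REQUEST_URI} !img/chat/forum/linkator.php$
RewriteCond %{REQUEST_URI} !img/chat/index.php$
RewriteRule ^(.*)\.php[345]*$ /img/chat/forum/linkator.php [NC,L]
"""

# Constructed benign sample: a CMS front controller, which only rewrites
# requests for paths that do not exist on disk.
BENIGN_HTACCESS = r"""
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^ index.php [L]
"""

RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?",
                     re.IGNORECASE)

# Directories that normally hold static assets. A PHP target under one of
# them is an assumed heuristic for this example, not something Apache knows.
ASSET_DIRS = {"img", "images", "uploads", "files", "media"}


def parse_rewrite_rules(text):
    """Return (pattern, target, flags) for every RewriteRule line."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((m.group(1), m.group(2), m.group(3) or ""))
    return rules


def target_in_asset_dir(target):
    """True if the rewrite target lives under a directory meant for static files."""
    segments = [s for s in target.split("/") if s]
    return any(s.lower() in ASSET_DIRS for s in segments[:-1])


def audit_htaccess(text, expected_targets=("index.php",), min_rules=2):
    """Return {target: [reasons]} for rewrite targets that look like an injected
    catch-all script. `expected_targets` lists legitimate front controllers."""
    rules = parse_rewrite_rules(text)
    per_target = Counter(target for _, target, _ in rules)
    findings = {}
    for target, n in per_target.items():
        reasons = []
        basename = target.rsplit("/", 1)[-1]
        if n >= min_rules and basename not in expected_targets:
            reasons.append(f"{n} separate rules funnel requests into {basename}")
        if basename.lower().endswith(".php") and target_in_asset_dir(target):
            reasons.append("PHP target is located under a static-asset directory")
        if reasons:
            findings[target] = reasons
    return findings


if __name__ == "__main__":
    for name, text in (("malicious", MALICIOUS_HTACCESS), ("benign", BENIGN_HTACCESS)):
        print(name, audit_htaccess(text))
```

Run it against every .htaccess under your web root (including ones in directories you never created, as the post's `img/chat/forum/` shows); a non-empty result is worth a look, while an empty one only means the file does not match this particular pattern.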
With the damage under control (or so I thought), I started to reason how this hack was done. The only thing I could think of was that somebody got hold of my FTP account for the host. In my effort to change the password at the hosting company, I noticed 5 additional FTP accounts with very cryptic names were created under my account. Clearly, somebody has my FTP account credentials. After deleting the new accounts and changing my password I thought I was done.
Then I realized that my portfolio site (s3maphor3.org) runs on the same host. You guessed it, exactly the same hack was deployed there. Luckily, it was equally easy to remove it.
Although the damage was limited I learned a valuable lesson today. Be extremely careful with your passwords and don't think this cannot happen to you.
Comments: 13
COMMENT: GERALD MENGISEN
NOV 20, 2008 - 12:22:50 PM
COMMENT: YANN
NOV 27, 2008 - 09:31:46
I had exactly the same thing. But how do they get hold of the login details then?
I'm flabbergasted
Yann «
COMMENT: FERDY
NOV 28, 2008 - 09:52:49 AM
No idea at all, perhaps a brute force? «
COMMENT: ROMAN KOPAC
NOV 29, 2008 - 17:28:03
COMMENT: ROMAN KOPAC
DEC 1, 2008 - 12:59:11
COMMENT: FERDY
DEC 2, 2008 - 06:17:31 PM
Thanks for reporting this, it seems the hack is back. I've raised a support call at Servage, let's give them a chance to clean up. «
COMMENT: LIGHTINTHEDARK
DEC 5, 2008 - 20:12:43
I have raised a support request with the Servage admins, and the nearest they have given to any information on how this could have happened is
"may I request you please delete all the contents or the effected contents of your domain and then change the password of your control panel"
and
"please restrict the FTP account for your user, if more than your main FTP account. And also check the permission of your script, some poor permission may causes the problem."
I'm at a loss as to how poor permissions on a script would allow someone to create ftp accounts. My main password is very strong (with an obscure username too), and I can still log in, so I don't think my account has been compromised.
I'm awaiting an answer from the tech guy right now, so will either post an explanation once he gives me one, or be following the advice here and fleeing Servage.
Hello
:- Dave «
COMMENT: ALEX
DEC 5, 2008 - 11:01:16 PM
If I were you I would also check the file/folder permissions. They had set a lot of my perms to 777 to enable a back door to get back in. Change them to 755 for folders and 644 for files. «
COMMENT: FERDY
DEC 6, 2008 - 04:13:53 PM
Same here. Here's response #1 from Servage:
"Due to the vast nature of the internet, we employ the same standard methods of safeguarding against malicious entry as all Web hosting companies. This is done through the standard username and passwords we assign to each of our clients. The complexity of the password chosen by the user determines the probability of hacking into a site. Our system will assign your username alphanumerically to assist you in securing your site, but we do encourage use of cryptic, alphanumeric passwords to lower the potential of unauthorized entry into your site."
Response #2:
"Hello Ferdy,
We are sorry for the inconvenience faced by you :-(
We request you to delete any affected content and upload unaffected content from your local backup.
We also request you to use strong passwords for your control panel and FTP account logins. Also please ensure to logout properly after each time you complete work after logging in.
This will make your account free from security risks.
For maximum security please ensure your account password is secure (at least 6 mixed numbers and letters) and that it is changed regularly. Ensure that permissions for your Folders are set to 755 and for files it is set as 644. Also check that no folders have insecure permissions such as 777 (unlimited access)." «
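The 755/644 advice in the responses above (and Alex's note about 777 permissions left behind as a way back in) can be checked mechanically. The following script is an added example, not Servage's or the post author's code: it walks a web root, flags every entry whose mode carries bits outside the 755-for-directories / 644-for-files baseline (a 777 directory, a 666 file, setuid bits and so on), and can tighten them. The sample tree it builds is constructed in a temporary directory purely for demonstration.

```python
"""Find files and directories whose permissions are looser than the 755/644
baseline recommended above, and optionally tighten them.
(Added example; not the host's or the post author's code.)"""
import os
import stat
import tempfile

DIR_BASELINE = 0o755
FILE_BASELINE = 0o644


def loose_permissions(root, dir_baseline=DIR_BASELINE, file_baseline=FILE_BASELINE):
    """Walk `root` and return [(path, current_mode, recommended_mode)] for every
    entry that has permission bits set which the baseline does not allow
    (group/world write, setuid/setgid/sticky, exec bits on plain files).
    Symlinks are skipped so that nothing outside the tree is touched."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        entries = [(dirpath, True)] + [(os.path.join(dirpath, f), False) for f in filenames]
        for path, is_dir in entries:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            baseline = dir_baseline if is_dir else file_baseline
            if mode & ~baseline:  # any bit set outside the baseline
                findings.append((path, mode, baseline))
    return findings


def audit_relative(root):
    """Sorted (relative_path, current_mode) pairs, convenient for reporting."""
    return sorted((os.path.relpath(p, root), m) for p, m, _ in loose_permissions(root))


def tighten(findings, dry_run=True):
    """Apply the recommended mode from `loose_permissions`. With dry_run=True
    nothing is changed; the list of paths that would change is returned."""
    changed = []
    for path, _mode, recommended in findings:
        if not dry_run:
            os.chmod(path, recommended)
        changed.append(path)
    return changed


def build_sample_tree():
    """Create a constructed web root with one 777 directory and one 666 file,
    mimicking the backdoor-friendly permissions the comments describe."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "img", "chat"))
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html></html>")
    with open(os.path.join(root, "img", "chat", "upload.php"), "w") as fh:
        fh.write("<?php ?>")
    os.chmod(root, 0o755)
    os.chmod(os.path.join(root, "img"), 0o755)
    os.chmod(os.path.join(root, "img", "chat"), 0o777)
    os.chmod(os.path.join(root, "index.html"), 0o644)
    os.chmod(os.path.join(root, "img", "chat", "upload.php"), 0o666)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for rel, mode in audit_relative(root):
        print(f"{rel}: {mode:o}")
    tighten(loose_permissions(root), dry_run=False)
    print("after tightening:", audit_relative(root))
```

Run it in dry-run mode first: a CMS may legitimately need a writable cache or upload directory, and those should be handled deliberately rather than blanket-chmodded. Anything writable that you did not create yourself deserves the same scrutiny as the unknown .htaccess in the post.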
COMMENT: ROEL
DEC 18, 2008 - 12:51:22
COMMENT: FERDY
DEC 18, 2008 - 07:53:09 PM
I have only one answer for you...LEAVE SERVAGE. Moving is a pain but oh so worth it. «
COMMENT: DAVE
FEB 7, 2009 - 02:51:41
Big problems with Servage, hacked, hacked and hacked again. Support tickets skimmed for keywords, then copy n paste responses, downtime galore and a bit more hacking for fun. Hate them 100%
Read my long story http://blog.lottomad.info/ab-personal-updates/servagenet-hosting-stay-away «
COMMENT: FERDY
FEB 7, 2009 - 10:11:00 AM