Site defaced - what next?

Greg Rundlett greg at freephile.com
Sun Aug 8 12:09:07 EDT 2004


*The Attack*
 From what I've uncovered, there is a file called phpexplorer.php (file 
management script with upload capability) which appeared in my 
OSCommerce catalog directory on May 18th. I verified that this file is 
not contained in my local development server, and not in the distributed 
source for the OSCommerce package. So, I'm trying to figure out who put 
it there and how.

phpexplorer is a project on sourceforge (there are two -- the one in 
question is http://sourceforge.net/projects/phpexplorer/)

Somehow this script (pretty effective file manager) was put in place, 
and then used to probe for writable directories in the document root.  
Once found, further scripts were put in place.  Since I created a 
symlink to one of my directories, and I think the symlink was 
world-writable, that became the crackers new directory or he/she 
replaced it.

*The cast of attackers*
Saudi Arabia - the cracker who defaced my site was from Saudi Arabia 
(e.g. cache3-2.jed.isu.net.sa).  As soon as he put up a new homepage for 
me, he obviously told a friend (cache7-4.ruh.isu.net.sa), who visited 
the site moments later.  Then I'm sure they all had great laughs.
United Emirates - another cracker searching for phpexplorer
Italy - another cracker searching for phpexplorer
More?  still trying to find the time to analyze this stuff, and I don't 
have logs from my ISP except for the past 2 days.

*The tools they used*
Google -helps script kiddies find my exploitable file phpexplorer.  I 
didn't put this script on my server, and I don't know how Google found 
it.  All I can tell you from my server logs is that people are searching 
for this script and my site comes at the top of the list.

PHP Shell is aninteractive PHP-page that will execute any command 
entered. see http://www.gimpster.com

phpexplorer.php That file later appears in my access logs as the subject 
of Google queries from multiple IPs (and my site shows up in the top 
results!). Lesson here is that I should use robot rules so that Google 
can't help script kiddies crack your site.

webadmin.php - another Web-based file manager

knowledge of or perhaps an exploitable flaw in cpanel.  Because there 
was a file called cplogin.php which I don't have access to at the moment 
because the cracker deleted it after I first discovered the break-in.  
This may have allowed the attacker to log into my ISP hosting account.  
The ISP says there was no system-wide compromise.

Anyway, I've got a lawn to mow, and a 5-yr old and a 2-yr old to pay 
attention to, so this is all I can share right now.  When I finally get 
my site back online, I hope to have this whole saga described in more 
detail.  Of course some people think I should just be quiet about it 
because the fact that my site was compromised could make me look bad.  
But then again, maybe it's a badge of honor since there have been 
breakins at the most noteworthy sites.  In any case, I'm not one to shy 
away from the truth.



More information about the Discuss mailing list