*The Attack*

From what I've uncovered, there is a file called phpexplorer.php (a file management script with upload capability) which appeared in my OSCommerce catalog directory on May 18th. I verified that this file is not contained in my local development server, and not in the distributed source for the OSCommerce package. So, I'm trying to figure out who put it there and how. phpexplorer is a project on SourceForge (there are two; the one in question is http://sourceforge.net/projects/phpexplorer/). Somehow this script (a pretty effective file manager) was put in place, and then used to probe for writable directories in the document root. Once found, further scripts were put in place. Since I created a symlink to one of my directories, and I think the symlink was world-writable, that became the cracker's new directory, or he/she replaced it.

*The cast of attackers*

- Saudi Arabia - the cracker who defaced my site was from Saudi Arabia (e.g. cache3-2.jed.isu.net.sa). As soon as he put up a new homepage for me, he obviously told a friend (cache7-4.ruh.isu.net.sa), who visited the site moments later. Then I'm sure they all had great laughs.
- United Emirates - another cracker searching for phpexplorer.
- Italy - another cracker searching for phpexplorer.
- More? I'm still trying to find the time to analyze this stuff, and I don't have logs from my ISP except for the past 2 days.

*The tools they used*

- Google - helps script kiddies find my exploitable file phpexplorer. I didn't put this script on my server, and I don't know how Google found it. All I can tell you from my server logs is that people are searching for this script and my site comes at the top of the list.
- PHP Shell - an interactive PHP page that will execute any command entered. See http://www.gimpster.com
- phpexplorer.php - that file later appears in my access logs as the subject of Google queries from multiple IPs (and my site shows up in the top results!). The lesson here is that I should use robot rules so that Google can't help script kiddies crack your site.
- webadmin.php - another Web-based file manager.
- Knowledge of, or perhaps an exploitable flaw in, cPanel, because there was a file called cplogin.php which I don't have access to at the moment because the cracker deleted it after I first discovered the break-in. This may have allowed the attacker to log into my ISP hosting account. The ISP says there was no system-wide compromise.

Anyway, I've got a lawn to mow, and a 5-yr-old and a 2-yr-old to pay attention to, so this is all I can share right now. When I finally get my site back online, I hope to have this whole saga described in more detail. Of course some people think I should just be quiet about it because the fact that my site was compromised could make me look bad. But then again, maybe it's a badge of honor, since there have been break-ins at the most noteworthy sites. In any case, I'm not one to shy away from the truth.
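One defensive check the post points toward, added here as an example that is not from the original post or the OSCommerce project: compare the deployed web root against the pristine distribution to list files that were never part of the package (the way the poster spotted phpexplorer.php), and report world-writable directories of the kind a dropped file manager probes for. The directory layout and file names in the demo are constructed.

```python
"""Added example (not from the original post): audit a deployed web root against
the pristine package, flagging files absent from the distribution and
world-writable directories. All paths below are constructed for the demo."""
import os
import stat
import tempfile


def relative_files(root):
    """Set of file paths (including symlinks to files) relative to root."""
    found = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            found.add(os.path.relpath(os.path.join(dirpath, name), root))
    return found


def audit_webroot(deployed, pristine):
    """Return (extra_files, world_writable_dirs) for the deployed tree."""
    extra = sorted(relative_files(deployed) - relative_files(pristine))
    writable = []
    for dirpath, dirs, _files in os.walk(deployed):
        for d in dirs:
            path = os.path.join(dirpath, d)
            # os.stat follows symlinks, so a link to a world-writable dir is caught
            if os.stat(path).st_mode & stat.S_IWOTH:
                writable.append(os.path.relpath(path, deployed))
    return extra, sorted(writable)


def build_demo():
    """Construct a tiny pristine package and a compromised copy (demo data)."""
    old_umask = os.umask(0o022)  # make the default directory modes predictable
    base = tempfile.mkdtemp(prefix="webroot_audit_")
    pristine = os.path.join(base, "oscommerce-dist")
    deployed = os.path.join(base, "htdocs")
    for root in (pristine, deployed):
        for rel in ("catalog/index.php", "catalog/includes/configure.php"):
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            open(os.path.join(root, rel), "w").write("<?php // legitimate\n")
        os.makedirs(os.path.join(root, "catalog", "images"))
    # The intruder's file manager dropped into the catalog directory
    open(os.path.join(deployed, "catalog", "phpexplorer.php"), "w").write("<?php\n")
    # An upload directory left world-writable: the staging area the post describes
    os.chmod(os.path.join(deployed, "catalog", "images"), 0o777)
    os.umask(old_umask)
    return audit_webroot(deployed, pristine)


if __name__ == "__main__":
    extra, writable = build_demo()
    print("not in distribution:", extra)    # ['catalog/phpexplorer.php']
    print("world-writable dirs:", writable)  # ['catalog/images']
```

Run it against a real deployment by pointing `audit_webroot` at the live document root and an unpacked copy of the same package version; anything it lists deserves a look at its mtime and the access logs around that time.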