-
November 24th, 2003, 08:21 PM
#1
Member
We've Been Hacked !
Hi everyone
Today our site has been hacked !!! All pages were deleted from our server and instead we got another index page of which i'll post the source file below.
I thought the site was pretty "secure"...none of the folders are chmod 777 for instance, we have htaccess files and password protected files....so, other than reporting and showing the source of this EVIL attempt, i'd like to ask what we can do to prevent this ?
<html>
<head>
<title>xfree team . defaces . c2r</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body bgcolor="#C8C2C2" scroll="no" text="#CCCCCC" leftmargin="0" topmargin="0" marginwidth="0" marginheight="0">
<table width="100%" height="100%" border="0" cellpadding="0" cellspacing="0">
<tr>
<td><p align="center"><img src="http://www.albieri.net/xfree/xfree2.jpg" width="500" height="379" align="absmiddle"></p>
<p align="center"><font face="Verdana, Arial, Helvetica, sans-serif" size="1" color="#663300">Need Help ? </font><font face="Verdana, Arial, Helvetica, sans-serif" size="1" color="#FFFFFF">
<font color="#0000FF">-</font> <font color="#F40606">c2r@xfree-defaces.net</font><br>
<font color="#663300">Xfree Team .. Defaced By <font color="#010101"><strong>c2r</strong></font>!<br>
We Are: <font color="#CC3300"><font color="#663300"><font color="#CC3300"><b><font color="#1B1213">c2r</font></b></font></font><font color="#0000FF">,</font> Mr_W4r<font color="#0000FF">,</font> ph0enix<font color="#0000FF">,</font>
Silvertape <font color="#0000FF">and</font> Squid; <br>
<font color="#663300">Contact:</font></font></font></font> <font face="Verdana, Arial, Helvetica, sans-serif" size="1" color="#FFFFFF"><font color="#FF0000">irc.chatnet.com.br<font color="#0000FF">/</font>irc.brasnet.org - #XFREE
</td>
</tr>
</table>
</body>
</html>
thanks in advance
-
November 24th, 2003, 08:25 PM
#2
More Information
metaliana,
Can you give us some more information about the OS of the server?
It might also be worth it to contact http://www.albieri.net/ because the graphic http://www.albieri.net/xfree/xfree2.jpg appeared on your website.
N00b> STFU i r teh 1337 (english: You must be mistaken, good sir or madam. I believe myself to be quite a good player. On an unrelated matter, I also apparently enjoy math.)
-
November 24th, 2003, 08:27 PM
#3
Junior Member
in order to stop them, you would first have to know how they did it. just making sure that no folders are chmod 777 isn't security. Do you own this box, or is it hosted by a company? Did you have any web apps running that might be vulnerable? Did you program any of those apps yourself? Maybe your code needs a little work. It could be any number of things.
If this site is hosted by a company, I suggest you get a new company first (assuming it wasn't a bug in some web app)
-
November 24th, 2003, 08:34 PM
#4
Member
Yes , CXGJarrod
i've already contacted the owner of the site the picture is stored on, maybe they don't know their site is being used for illegal practices...
our servers' info :
Server Software: Apache/1.3.27 (Unix)
Operating System: Linux 2.4.20-grsec
-
November 24th, 2003, 08:43 PM
#5
Member
to khabi :
running apps?.... well, i suppose we have plenty of those....
a mailinglist, a BB, a gallery with send postcard function, a voting system ....
-
November 24th, 2003, 08:46 PM
#6
Zone-h's web site indicates a dozen or so similar defacements by this group in the last 24 hours. (Zone-h's website seems to have ground to a halt right now), but I did notice the same graphic on one defacement and the fact that all the systems I looked at were Linux hosting with Apache which I see you say you are running. Looking at their "logo" it seems they are a Brazilian group which isn't uncommon nowadays. Unfortunately there is no indication of their route inbound to these sites.... at least not during the short time I could get to zone-h.
[Edit]
Think you will have a job prosecuting..... This mob have been around for a while. Zone-h shows this for their activity.... and there's lots of it......
[/Edit]
-
November 24th, 2003, 08:49 PM
#7
Get a copy of all your logs and start checking them. See if the attackers left their footprints or cleaned up after themselves. Before you change/touch anything get a dd copy of the entire machine. If you plan to prosecute you may want to contact someone who can properly handle the chain of evidence. Contact your ISP about providing you logs with recent connections to your IP.
-Maestr0
"If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier
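Added example, not part of the post above: one way to take the dd copy so that it can later be shown to be unaltered. The function names, the `.dd` / `.custody.log` file naming and the log line format are assumptions made for this sketch; the source should be an unmounted or read-only device so it does not change while it is being read.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Names and log format are assumptions.

# acquire_image SRC DEST_DIR CASE_ID
# Copies SRC with dd, checks the copy against the source hash, write-protects
# the image, appends a custody record, and prints the image's SHA-256.
acquire_image() {
    local src=$1 dest_dir=$2 case_id=$3
    local img="$dest_dir/$case_id.dd" log="$dest_dir/$case_id.custody.log"
    local src_hash img_hash

    # Hash the source first; a later mismatch means it changed under us.
    src_hash=$(sha256sum < "$src" | cut -d' ' -f1)
    dd if="$src" of="$img" bs=1M status=none || return 1
    img_hash=$(sha256sum < "$img" | cut -d' ' -f1)

    if [ -z "$src_hash" ] || [ "$src_hash" != "$img_hash" ]; then
        echo "hash mismatch: source unreadable or modified during imaging" >&2
        return 1
    fi

    chmod 0444 "$img"   # analysis is done on copies of this file, never on it
    printf '%s case=%s source=%s sha256=%s operator=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$case_id" "$src" "$img_hash" \
        "${USER:-unknown}" >> "$log"
    echo "$img_hash"
}

# verify_image DEST_DIR CASE_ID
# Succeeds only if the image still matches the hash recorded at acquisition.
verify_image() {
    local dest_dir=$1 case_id=$2 recorded current
    recorded=$(sed -n 's/.* sha256=\([0-9a-f]\{64\}\) .*/\1/p' \
        "$dest_dir/$case_id.custody.log" | head -n 1)
    current=$(sha256sum < "$dest_dir/$case_id.dd" | cut -d' ' -f1)
    [ -n "$recorded" ] && [ "$recorded" = "$current" ]
}

# Usage (device path is a placeholder):
#   acquire_image /dev/sdX /mnt/evidence case001
#   verify_image /mnt/evidence case001 && echo "image intact"
```

Write the image to separate media, not to the compromised disk, and run `verify_image` before each analysis session so the custody log shows the copy was unchanged.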
-
November 24th, 2003, 08:54 PM
#8
Originally posted here by Tiger Shark
Zone-h's web site indicates a dozen or so similar defacements by this group in the last 24 hours. (Zone-h's website seems to have ground to a halt right now), but I did notice the same graphic on one defacement and the fact that all the systems I looked at were Linux hosting with Apache which I see you say you are running. Looking at their "logo" it seems they are a Brazilian group which isn't uncommon nowadays. Unfortunately there is no indication of their route inbound to these sites.... at least not during the short time I could get to zone-h.
I am not sure if this link is going to work, but here is a link @ Zone-H of all the attacks from this group.
http://www.zone-h.org/en/defacements...e+Team/page=1/
It looks (like tiger said) their hack of choice is Apache & Linux and they seem to do a lot of mass defacements, which leads me to believe they are targeting web hosts.
Cheers:
-
November 24th, 2003, 08:56 PM
#9
Well if they are Brazilian i don't think there is much you can do. Correct me if i am wrong but i don't think Brazil has laws on breaking in to systems please someone correct me if i am wrong
By the sacred **** of the sacred psychedelic tibetan yeti ....We'll smoke the chinese out
The 20th century pharoes have the slaves demanding work
http://muaythaiscotland.com/
-
November 24th, 2003, 08:56 PM
#10
You might want to upgrade your version of apache to the latest version. (2.0.48 and 1.3.29)