We've Been Hacked !

[metaliana]

Hi everyone

Today our site has been hacked !!! All pages were deleted from our server and instead we got another index page of which i'll post the source file below.

I thought the site was pretty "secure"...non of the folders are chmod 777 for instance, we have htaccess files and password protected files....so, other than reporting and showing the source of this EVIL attempt, i'd like to ask what we can do to prevent this ?

<html>
<head>
<title>xfree team . defaces . c2r</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>

<body bgcolor="#C8C2C2" scroll="no" text="#CCCCCC" leftmargin="0" topmargin="0" marginwidth="0" marginheight="0">
<table width="100%" height="100%" border="0" cellpadding="0" cellspacing="0">
<tr>
<td><p align="center"><img src="http://www.albieri.net/xfree/xfree2.jpg" width="500" height="379" align="absmiddle"></p>
<p align="center"><font face="Verdana, Arial, Helvetica, sans-serif" size="1" color="#663300">Need Help ? </font><font face="Verdana, Arial, Helvetica, sans-serif" size="1" color="#FFFFFF">
<font color="#0000FF">-</font> <font color="#F40606">c2r@xfree-defaces.net</font><br>
<font color="#663300">Xfree Team .. Defaced By <font color="#010101"><strong>c2r</strong></font>!<br>
We Are: <font color="#CC3300"><font color="#663300"><font color="#CC3300"><b><font color="#1B1213">c2r</font></b></font></font><font color="#0000FF">,</font> Mr_W4r<font color="#0000FF">,</font> ph0enix<font color="#0000FF">,</font>
Silvertape <font color="#0000FF">and</font> Squid; <br>
<font color="#663300">Contact:</font></font></font></font> <font face="Verdana, Arial, Helvetica, sans-serif" size="1" color="#FFFFFF"><font color="#FF0000">irc.chatnet.com.br<font color="#0000FF">/</font>irc.brasnet.org - #XFREE
</td>
</tr>
</table>
</body>
</html>

thanks in advance

[CXGJarrod]

metaliana,

Can you give us some more information about the OS of the server?

It might also be worth it to contact http://www.albieri.net/ because the graphic http://www.albieri.net/xfree/xfree2.jpg appeared on your website.

[khabi]

in order to stop them, you would first have to know how they did it. just making sure that no folders are chmod 777 isn't security. Do you own this box, or is it hosted by a company? Did you have any web apps running that might be vulnerable? Did you program any of those apps yourself? Maybe your code needs a little work. I could be any number of things.
If this site is hosted by a company, I suggest you get a new company first (assuming it wasn't a bug in some web app)

[metaliana]

Yes , CXGJarrod

i've already contacted the owner of the site the picture is stored on, maybe they dont know their site is being used for illegal practices...

our servers' info :

Server Software: Apache/1.3.27 (Unix)
Operating System: Linux 2.4.20-grsec

[metaliana]

to khabi :

running apps?.... well, i suppose we have plenty of those....

a mailinglist, a BB, a gallery with send postcard function, a voting system ....

[Tiger Shark]

Zone-h's web site indicates a dozen or so similar defacements by this group in the last 24 hours. (Zone-h's website seems to have ground to a halt right now), but I did notice the same graphic on one defacement and the fact that all the systems I looked at were Linux hosting with Apache which I see you say you are running. Looking at their "logo" it seems they are a Brazilian group which isn;t uncommon nowadays. Unfortunately there is no indication of their route inbound to these sites.... at least not during the short time I could get to zone-h.

[Edit]

Think you will have a job prosecuting..... This mob have been around for a while. Zone-h shows this for their activity.... and there's lots of it......

[/Edit]

[Maestr0]

Get a copy of all your logs and start checking them. See if the attackers left their footprints or cleaned up after themselves. Before you change/touch anything get a dd copy of the entire machine. If you plan to prosecute you may want to contact someone who can properly handle the chain of evidence. Contact you ISP about providing you logs with recent connections to your IP.


-Maestr0

[DjM]

Originally posted here by Tiger Shark
Zone-h's web site indicates a dozen or so similar defacements by this group in the last 24 hours. (Zone-h's website seems to have ground to a halt right now), but I did notice the same graphic on one defacement and the fact that all the systems I looked at were Linux hosting with Apache which I see you say you are running. Looking at their "logo" it seems they are a Brazilian group which isn;t uncommon nowadays. Unfortunately there is no indication of their route inbound to these sites.... at least not during the short time I could get to zone-h.

I am not sure if this link is going to work, but here is a link @ Zone-H of all the attacks from this group.

http://www.zone-h.org/en/defacements...e+Team/page=1/

It looks (like tiger said) their hack of choice is Apache & Linux and they seem to do alot of mass defacements, which leads me to believe the are targeting web hosts.

Cheers:

[prodikal]

Well if they are Brazilian i dont think there is much you can do. Correct me if i am wrong but i dont think Brazil has laws on breaking in to sytems please some one correct me if i am wrong

[CXGJarrod]

You might want to upgrade your version of apache to the latest version. (2.0.48 and 1.3.29)