-
September 8th, 2007, 05:33 PM
#1
Website is Persistently Defaced
Hey guys, been a long time since I posted here, but I need some advice on a problem my friends are having with their site.
Take a look at www.tfarchive.org and click forums (specifically www.tfarchive.org/forum).
Now depending on how soon you click that link from my posting it, the site may or may not still be defaced, but basically our site keeps getting defaced by "Hacoor" of the "Palestenian Hacker Team" ("Dr.exe & Kaher ELhkr & Al.GhAmEd & The Big Hackerz") claiming mafia-hack.com as their home.
The admin of the site is a pretty sharp guy, and has been working on patching and improving security on the site for the past week. Despite every measure he's tried after identifying each vulnerable back door and closing it, the darn scripties within a day or two have it defaced and down again with their little message page. Within the past week, the site has been attacked five times.
So these guys are very persistent and intent on not letting the site recover and come back up, and thus far every security measure to keep them out has failed.
Now personally, I'm not a web design guy, much less versed in any vb script, so all this is well over my head -- I'm a network guy. But can any of you guys here provide any advice on what more can be done?
Last edited by AngelicKnight; September 8th, 2007 at 05:37 PM.
-
September 8th, 2007, 05:53 PM
#2
What forum software is being used? My first suggestion would be to change to another one. Is it only the forum that they successfully hack?
-
September 8th, 2007, 05:56 PM
#3
Do you have access to the server logs? Are you sure they're getting in via web based attack? There are quite a few services running on that server... I personally wouldn't be using one server for all of that. Unless that specific server is not in the DMZ and is just a NAT'd router/firewall (watchguard?) which is port forwarding to internal services?
There are quite a few open services that I would deny access to from the internet... You also have redundant services... why use ssh and ftp? Why not just use ssh and scp? Why allow access to port 111? Why allow access to mysql from the internet? It looks like a mail server too? Why allow both imap and imaps? Why allow pop3 and pop3s? Why smtp and smtps? Pick one and use it... either encrypted or not, why both? Why allow remote access to port 631? And what the heck are you using port 1 and port 199 for?
Is your OS up to date? Is your mysql and forum software updated? What about third party scripts, etc.
Maybe you should do some scanning of that box? I did a couple of nmap probes, but it looks like you could use a lot more. Start scanning with various vulnerability scanners. Nessus would be a good start. Then start using web scanners, etc. http://sectools.org/
Though, if they've been defacing you over and over and the number of open services... there is a chance that you've been owned and they have a backdoor. Though, if I had a backdoor somewhere... I certainly wouldn't try to screw it up and alert you to the fact that I was there.
Do you have an IDS on there? Are you capturing the traffic? Is your firewall filtering and logging BOTH inbound and outbound (success and failure)?
Without access to firewall/IDS/host/service logs (that have not been tampered with, say from a secured/dedicated syslog), all we can do is guess.
Personally, if it were me, I'd consider building a new box from scratch. Install the bare minimum and then start adding your services. Configure all the services from scratch too... don't restore from backup. You'll probably end up restoring the vulnerabilities with it.
Since the server is no good to you right now (it keeps getting defaced)... I'd take it offline and start the rebuild.
Last edited by phishphreek; September 8th, 2007 at 06:38 PM.
Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
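An added example (not code from the thread or from any poster): a small Python audit that applies the exposure questions in the post above to netstat-style listener lines. The policy tables and the sample output are assumptions constructed for the example; only sockets bound to a wildcard address are treated as internet-facing, so a mysql bound to 127.0.0.1 passes.

```python
"""Audit listening sockets against an exposure policy (constructed netstat-style input).
Policy tables encode the post's rule of thumb: one protocol per job, encrypted
variant preferred, no mysql/portmap/cups reachable from the internet."""

ALLOWED = {22: "ssh", 80: "http", 443: "https", 993: "imaps", 995: "pop3s", 465: "smtps"}
PLAINTEXT_TWIN = {21: "ftp (use scp/sftp over ssh)", 143: "imap (use imaps)",
                  110: "pop3 (use pop3s)", 25: "smtp (use smtps)"}
INTERNAL_ONLY = {3306: "mysql", 111: "portmap/rpcbind", 631: "cups"}
WILDCARD = {"0.0.0.0", "::", "*", "[::]"}  # bound here == reachable from the internet

def parse_listener(line):
    """Return (proto, bind_addr, port, program) for a socket line, else None."""
    fields = line.split()
    if len(fields) < 4 or not fields[0].startswith(("tcp", "udp")):
        return None  # header, blank or unrelated line
    addr, _, port = fields[3].rpartition(":")
    if not port.isdigit():
        return None
    program = fields[-1] if "/" in fields[-1] else "unknown"
    return fields[0], addr, int(port), program

def classify(port, addr):  # verdict for one socket
    if addr not in WILDCARD:
        return "local-only"  # e.g. mysql on 127.0.0.1 serving only the web app
    if port in ALLOWED:
        return "allowed"
    if port in PLAINTEXT_TWIN:
        return "redundant: " + PLAINTEXT_TWIN[port]
    if port in INTERNAL_ONLY:
        return "internal-only service exposed: " + INTERNAL_ONLY[port]
    return "unknown service: investigate"

def audit(netstat_output):  # (proto, port) -> (verdict, program)
    findings = {}
    for line in netstat_output.splitlines():
        parsed = parse_listener(line)
        if parsed:
            proto, addr, port, program = parsed
            findings[(proto, port)] = (classify(port, addr), program)
    return findings

# Constructed sample in `netstat -tlnp` layout; not real output from the site in the thread.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address   Foreign Address State  PID/Program name
tcp        0      0 0.0.0.0:21      0.0.0.0:*       LISTEN 802/pure-ftpd
tcp        0      0 0.0.0.0:22      0.0.0.0:*       LISTEN 811/sshd
tcp        0      0 0.0.0.0:111     0.0.0.0:*       LISTEN 640/portmap
tcp        0      0 0.0.0.0:993     0.0.0.0:*       LISTEN 900/dovecot
tcp        0      0 127.0.0.1:3306  0.0.0.0:*       LISTEN 720/mysqld
tcp        0      0 0.0.0.0:199     0.0.0.0:*       LISTEN -
"""
```

Run `audit(SAMPLE)` against real `netstat -tlnp` output on the box and everything not marked "allowed" or "local-only" is a candidate for the firewall deny list.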
-
September 8th, 2007, 06:02 PM
#4
Not sure if this is a help:
http://www.alm3refh.com/vb/showthread.php?p=91254
Looks like it could be a vBulletin exploit?
I am afraid my Arabic isn't up to it.
EDIT: There seem to be quite a few sites affected?
Last edited by nihil; September 8th, 2007 at 06:05 PM.
-
September 8th, 2007, 06:40 PM
#5
Thanks guys, I really appreciate the input. Nice to know I can still get a stir out of folks after being gone so long.
Phis, Nihil, I passed that stuff on to the admin and I'll see what he has to say about it. I do know he has logs and has been digging through them. As far as the box's security, it's actually hosted third party I believe, so they don't have physical access to the server.
JPnyc (is that JP??), they're using vb...There's been talk about moving over to phpbb, but I'm not sure if they're actually going to do it.
Thanks again...I'll let you know what our admin replies with. This is great input.
-
September 8th, 2007, 07:14 PM
#6
Tell 'em not to bother. phpBB has more holes than vb does.
-
September 8th, 2007, 07:32 PM
#7
By the way, I recommend you disable javascript before clicking that link to your forum, as I did.
-
September 8th, 2007, 10:36 PM
#8
Hmm, they're using the latest version of vb... well, at least they were a couple of minutes ago, and they got defaced again. I wish I could see some logs.
-
September 9th, 2007, 01:03 AM
#9
It looks like there is a fairly recent exploit?
http://66.249.91.104/translate_c?hl=...icial%26sa%3DN
vB 3.6.8
Sorry, it is in Russian.
-
September 9th, 2007, 01:24 AM
#10
It looks like they're also running cPanel and WHM 10... not sure which subversion... according to SecurityFocus, 10 has its share of bugs.