
Thread: Website is Persistently Defaced

  1. #1

    Website is Persistently Defaced

    Hey guys, been a long time since I posted here, but I need some advice on a problem my friends are having with their site.

    Take a look at www.tfarchive.org and click forums (specifically www.tfarchive.org/forum).

    Now depending on how soon you click that link from my posting it, the site may or may not still be defaced, but basically our site keeps getting defaced by "Hacoor" of the "Palestenian Hacker Team" ("Dr.exe & Kaher ELhkr & Al.GhAmEd & The Big Hackerz") claiming mafia-hack.com as their home.

    The admin of the site is a pretty sharp guy, and has been working on patching and improving security on the site for the past week. Despite every measure he's tried after identifying each vulnerable back door and closing it, the darn scripties within a day or two have it defaced and down again with their little message page. Within the past week, the site has been attacked five times.

    So these guys are very persistent and intent on not letting the site recover and come back up, and thus far every security measure to keep them out has failed.

    Now personally, I'm not a web design guy, much less versed in any vb script, so all this is well over my head -- I'm a network guy. But can any of you guys here provide any advice on what more can be done?
    Last edited by AngelicKnight; September 8th, 2007 at 05:37 PM.

  2. #2
    Senior Member JPnyc's Avatar
    Join Date
    Jan 2005
    Posts
    2,734
    What forum software is being used? My first suggestion would be to change to another one. Is it only the forum that they successfully hack?

  3. #3
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Do you have access to the server logs? Are you sure they're getting in via web based attack? There are quite a few services running on that server... I personally wouldn't be using one server for all of that. Unless that specific server is not in the DMZ and is just a NAT'd router/firewall (watchguard?) which is port forwarding to internal services?

    There are quite a few open services that I would deny access to from the internet... You also have redundant services... why use ssh and ftp? Why not just use ssh and scp? Why allow access to port 111? Why allow access to mysql from the internet? It looks like a mail server too? Why allow both imap and imaps? Why allow pop3 and pop3s? Why smtp and smtps? Pick one and use it... either encrypted or not, why both? Why allow remote access to port 631? And what the heck are you using port 1 and port 199 for?

    Is your OS up to date? Is your mysql and forum software updated? What about third party scripts, etc.

    Maybe you should do some scanning of that box? I did a couple of nmap probes, but it looks like you could use a lot more. Start scanning with various vulnerability scanners. Nessus would be a good start. Then start using web scanners, etc. http://sectools.org/

    Though, if they've been defacing you over and over and the number of open services... there is a chance that you've been owned and they have a backdoor. Though, if I had a backdoor somewhere... I certainly wouldn't try to screw it up and alert you to the fact that I was there.

    Do you have an IDS on there? Are you capturing the traffic? Is your firewall filtering and logging BOTH inbound and outbound (success and failure)?

    Without access to firewall/IDS/host/service logs (that have not been tampered with, say from a secured/dedicated syslog), all we can do is guess.

    Personally, if it were me, I'd consider building a new box from scratch. Install the bare minimum and then start adding your services. Configure all the services from scratch too... don't restore from backup. You'll probably end up restoring the vulnerabilities with it.

    Since the server is no good to you right now (it keeps getting defaced)... I'd take it offline and start the rebuild.
    Last edited by phishphreek; September 8th, 2007 at 06:38 PM.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
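    The service review in this post, mechanised as an added example (not code from the thread): it parses a constructed nmap-style listing and flags internet-exposed internal services, plaintext/encrypted duplicates, and unexplained ports. The port roles, the "internal only" set and the expected allowlist are assumptions, not facts about the host discussed.

```python
# Added example (not from the thread): check an nmap-style port listing against the advice above.
import re
# Constructed sample in nmap normal-output format; not a real scan of any host.
SAMPLE_SCAN = """\
PORT     STATE SERVICE
1/tcp    open  tcpmux
21/tcp   open  ftp
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
110/tcp  open  pop3
111/tcp  open  rpcbind
143/tcp  open  imap
199/tcp  open  smux
443/tcp  open  https
465/tcp  open  smtps
631/tcp  open  ipp
993/tcp  open  imaps
995/tcp  open  pop3s
3306/tcp open  mysql
"""

# Assumed policy: services a public web/mail host should never expose.
INTERNAL_ONLY = {111: "rpcbind", 631: "ipp/cups", 3306: "mysql"}
# Plaintext/encrypted pairs where the post says to pick one; keep the encrypted side.
REDUNDANT_PAIRS = {(21, 22): "ftp vs ssh/scp", (25, 465): "smtp vs smtps",
                   (110, 995): "pop3 vs pop3s", (143, 993): "imap vs imaps"}
# Assumed allowlist of ports expected on this kind of host.
EXPECTED = {22, 25, 80, 443, 465, 993, 995}
LINE_RE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)", re.M)

def parse_open_ports(scan_text):
    """Return {port: service} for every open TCP port in nmap normal output."""
    return {int(p): s for p, s in LINE_RE.findall(scan_text)}

def audit(open_ports):
    """Return (severity, message) findings; each port is reported at most once."""
    findings, covered = [], set()
    for port, name in INTERNAL_ONLY.items():
        if port in open_ports:
            findings.append(("high", f"{port}/tcp {name} reachable from the internet"))
            covered.add(port)
    for (plain, enc), label in REDUNDANT_PAIRS.items():
        if plain in open_ports and enc in open_ports:
            findings.append(("medium", f"redundant {label}: close {plain}/tcp, keep {enc}/tcp"))
            covered.add(plain)
    for port, svc in sorted(open_ports.items()):
        if port not in EXPECTED and port not in covered:
            findings.append(("review", f"{port}/tcp ({svc}) unexplained; justify or close it"))
    return findings
```

Run `audit(parse_open_ports(SAMPLE_SCAN))` to get the findings list; feed real `nmap` normal output in place of the constructed sample.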

  4. #4
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Not sure if this is a help:

    http://www.alm3refh.com/vb/showthread.php?p=91254

    Looks like it could be a vBulletin exploit?

    I am afraid my Arabic isn't up to it

    EDIT: There seem to be quite a few sites affected?
    Last edited by nihil; September 8th, 2007 at 06:05 PM.

  5. #5
    Thanks guys, I really appreciate the input. Nice to know I can still get a stir out of folks after being gone so long.

    Phis, Nihil, I passed that stuff on to the admin and I'll see what he has to say about it. I do know he has logs and has been digging through them. As far as the box's security, it's actually hosted third party I believe, so they don't have physical access to the server.

    JPnyc (is that JP??), they're using vb... There's been talk about moving over to phpbb, but I'm not sure if they're actually going to do it.

    Thanks again...I'll let you know what our admin replies with. This is great input.

  6. #6
    Senior Member JPnyc's Avatar
    Join Date
    Jan 2005
    Posts
    2,734
    Tell em not to bother. phpBB has more holes than vb does.

  7. #7
    Senior Member JPnyc's Avatar
    Join Date
    Jan 2005
    Posts
    2,734
    By the way, I recommend you disable javascript before clicking that link to your forum, as I did.

  8. #8
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Hmm, they're using the latest version of vb... well, at least they were a couple of minutes ago and they got defaced again. I wish I could see some logs.

  9. #9
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    It looks like there is a fairly recent exploit?

    http://66.249.91.104/translate_c?hl=...icial%26sa%3DN

    vB 3.6.8

    Sorry, it is in Russian

  10. #10
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    It looks like they're also running cPanel and whm 10... not sure which subversion... according to securityfocus, 10 has its share of bugs.
