-
website defacement
Recently I've had 2 websites defaced. Both run php/mySQL.
In one, the index.php was replaced or overwritten with the message:
"Tech Team ownz u FreeBSD"
My host for that site uses a Free BSD os.
On the other site, they replaced or overwrote my index.html with the message:
"Tech Team ownz your box."
How would these folks go about doing this? I really want to take measures so it doesn't happen again.
Thanks
-
The only real measures you can take are to turn off any unnecessary services and update all the patches for your systems. Well, actually, your host would have to do that unless you work at it. I would give 'em a call and try to get them to sort it all out.
PeacE
-BoB
-
Actually, without knowing the setup, the first thing that comes to mind is permissions. Directory permissions should only be 711 (rwx--x--x) and files should only be 744 (rwxr--r--). I'd also check for any trojans or other items running before doing any patches. Remove any potential "repeat" type items that could cause the site to be defaced again. Get rid of any unused service (no, you don't need games, email, etc running on the server). Check history files and logs. You need to find out first the how of what they did before you lock it down (which should be done before the machine is connected to the Net).
Download patches, disconnect machine, update machine, restart services, double check no extra "things" running and reconnect. Do regular checks of logs and activities of users on the system.
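As an added illustration of the permission check in the post above (this is not the poster's code): a Python script that walks a docroot and lists every directory or file whose mode grants more than the 711/744 policy quoted above. The sample tree it builds is constructed for the demo; point `audit_permissions` at a real docroot to check a live site, or pass other `dir_allowed`/`file_allowed` values to audit against a different policy.

```python
import os
import stat
import tempfile

# Policy values from MsMittens' post: directories rwx--x--x, files rwxr--r--.
# Defaults only; pass other values to audit against a different policy.
DIR_ALLOWED = 0o711
FILE_ALLOWED = 0o744


def excess_bits(mode, allowed):
    """Permission bits set in `mode` that the policy `allowed` does not grant."""
    return stat.S_IMODE(mode) & ~allowed & 0o777


def audit_permissions(root, dir_allowed=DIR_ALLOWED, file_allowed=FILE_ALLOWED):
    """Walk `root` and list every directory or regular file whose mode grants
    more than the policy allows. Each finding is
    (relative path, "dir" or "file", actual mode, excess bits), sorted by path.
    Symlinks are not reported: os.walk does not follow them and lstat is used,
    so a link pointing outside the docroot is never inspected."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        entries = [(dirpath, "dir")]
        entries += [(os.path.join(dirpath, name), "file") for name in filenames]
        for path, kind in entries:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            allowed = dir_allowed if kind == "dir" else file_allowed
            extra = excess_bits(st.st_mode, allowed)
            if extra:
                findings.append((os.path.relpath(path, root), kind,
                                 format(stat.S_IMODE(st.st_mode), "04o"),
                                 format(extra, "04o")))
    return sorted(findings)


def build_demo_tree(base):
    """Constructed sample docroot, not a real site: the docroot itself is 755
    (wider than 711), an uploads directory is world-writable, index.php is
    world-writable, and config.php is within policy."""
    docroot = os.path.join(base, "htdocs")
    os.makedirs(os.path.join(docroot, "uploads"))
    for rel, mode in (("index.php", 0o666), ("config.php", 0o640)):
        with open(os.path.join(docroot, rel), "w") as fh:
            fh.write("<?php // constructed placeholder\n")
        os.chmod(os.path.join(docroot, rel), mode)
    os.chmod(os.path.join(docroot, "uploads"), 0o777)
    os.chmod(docroot, 0o755)
    return docroot


def run_demo():
    """Build the sample tree in a temp dir and return the audit findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_permissions(build_demo_tree(tmp))


if __name__ == "__main__":
    for path, kind, mode, extra in run_demo():
        print(f"{kind:4} {mode} extra={extra} {path}")
```

The "extra" column is the useful part when reading the output: `0022` on a file means group and world write, which is exactly what lets the web server user overwrite a page; `0044` on a directory is only group/world read, which matters less but still exposes the listing.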
-
Re: website defacement
Quote:
Originally posted here by samboll
My host for that site uses a Free BSD os.
Is this site hosted through a hosting company? If so, then I would look at another company to host your website.
-
If you run a commercial site in the US your host is in a very actionable position.
If you are paying them it is not ok that they have failed to secure the site. Unless you went through and altered the permission of your site to allow your default documents to be written to by the webservice user/cgi user and uploaded weak scripts.
Not only that but since they run FreeBSD they will most likely have an exceptionally difficult time demonstrating that they took due care as no TFM exists for FreeBSD at this time and they would have needed to create their own _and_ get it approved by someone with clout, which seems unlikely at best since if they cared that much about security they 1. would not be running FreeBSD and 2. would not be having their client's websites defaced.
If it isn't a commercial website, your losses were likely so small (just replacing the page) that further action prolly wouldn't be worth your time.
catch
-
Tech Team ownz u
I heard of this group, and they are GOOD!
I mean that they know what they're doing.
They're a Chinese-based organisation.
Anyhow, best of luck, and I hope you solve your problem.
And MsMittens' idea sounds pretty good to me.
Cheers
-
Quote:
Originally posted here by MsMittens
Actually, without knowing the setup, the first thing that comes to mind is permissions. Directory permissions should only be 711 (rwx--x--x) and files should only be 744 (rwxr--r--). I'd also check for any trojans or other items running before doing any patches. Remove any potential "repeat" type items that could cause the site to be defaced again. Get rid of any unused service (no, you don't need games, email, etc running on the server). Check history files and logs. You need to find out first the how of what they did before you lock it down (which should be done before the machine is connected to the Net).
Download patches, disconnect machine, update machine, restart services, double check no extra "things" running and reconnect. Do regular checks of logs and activities of users on the system.
This sounds sensible. My current directory permissions are 755 and files are 644.
Also, I was wondering about the Free BSD. My host will move me to a Linux on Apache if I so desire. Would this be worth it?
-
Well it's not going to make a difference if the host isn't locking down FreeBSD. Often errors done on one OS are carried over to others. Have you asked them how the defacement occurred and if they have fixed the problem?
-
Unlike what the other posters suggest (locking down the system), I suggest that you reformat all the affected (or possibly affected boxes). This might of course include your entire hosting operation. If there is any possibility that the attackers compromised a machine, it MUST be reformatted.
Patching an already compromised system is closing the door after the horse has bolted :)
No ... seriously... any intruder may have left any number of back doors, not all of which you may be able to detect. So no amount of patching will necessarily help, as the attacker could come straight back in through one of their back doors.
Also they could have used one machine as a springboard to attack your other boxes (thus avoiding your firewall). So you can't take any chances.
Because they defaced sites however, I'd suggest kiddies rather than real skilled individuals. Bear in mind that they probably started the attack by compromising your PHP application - so ensure that you audit it carefully.
Restoring backups is also a tricky process. You should take great care not to restore any executable content (this of course includes PHP scripts and their include files etc) from a backup taken after the compromise.
If you can, take the code from a copy held on an uncompromised box (for example, a staging server or development machine).
Data should be audited very carefully to spot any surprises they may have left ... at the very least you should check any users databases to see if there are any extra users in, and probably should force a password change on everybody to be on the safe side.
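An added example (not from the post above) of the comparison slarty recommends: hash a known-clean copy of the site and the live docroot, then list files that were modified, added or removed, with added executable content called out separately because that is where a planted script would appear. The two sample trees are constructed in temp directories for the demo; the file names and contents are invented.

```python
import hashlib
import os
import tempfile

# Extensions the web server would execute; anything new with these is suspect.
EXECUTABLE_SUFFIXES = (".php", ".inc", ".cgi", ".pl", ".sh")


def hash_tree(root):
    """Return {relative path: sha256 hex} for every regular file below root.
    Symlinks are skipped so a link planted in the docroot cannot pull in
    a file from elsewhere on the box."""
    digests = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[os.path.relpath(path, root)] = h.hexdigest()
    return digests


def compare_trees(clean_root, live_root):
    """Compare a known-clean copy (staging or dev box) against the live docroot.
    Returns sorted lists of modified, added and missing paths, plus the subset
    of added paths the server would execute."""
    clean = hash_tree(clean_root)
    live = hash_tree(live_root)
    modified = sorted(p for p in clean if p in live and clean[p] != live[p])
    added = sorted(p for p in live if p not in clean)
    missing = sorted(p for p in clean if p not in live)
    added_executables = [p for p in added if p.lower().endswith(EXECUTABLE_SUFFIXES)]
    return {"modified": modified, "added": added, "missing": missing,
            "added_executables": added_executables}


def write_files(root, files):
    """Write constructed sample content; `files` maps relative path to text."""
    for rel, text in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)


def run_demo():
    """Build a clean copy and a post-compromise live copy, then diff them.
    All names and contents are constructed for the demo."""
    clean = {
        "index.php": "<?php include 'includes/db.inc'; echo 'welcome';\n",
        "includes/db.inc": "<?php $dsn = 'mysql:host=localhost'; // constructed\n",
        "about.html": "<h1>About</h1>\n",
        "readme.txt": "site notes\n",
    }
    live = dict(clean)
    live["index.php"] = "Tech Team ownz u FreeBSD\n"        # the defaced page
    live["uploads/extra.php"] = "<?php // not in the clean copy\n"  # planted script
    del live["readme.txt"]
    with tempfile.TemporaryDirectory() as c, tempfile.TemporaryDirectory() as l:
        write_files(c, clean)
        write_files(l, live)
        return compare_trees(c, l)


if __name__ == "__main__":
    for key, paths in run_demo().items():
        print(f"{key}: {paths}")
```

Run `compare_trees` with the clean root pointed at the staging copy and the live root at the served docroot. Only the clean copy's files go back onto the server; the "added" list is reviewed by hand, never restored.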
-
TechTeam are from Brazil. Most likely it was a CGI script and they just did |echo TechTeam ownz blah blah >index.html|. My suggestion would be to look for any vulnerable CGI scripts on your website and remove them if you're not using them. The access they would have had was probably the nobody account anyway; if that has been locked down and doesn't have wget or compiler rights, you should be fine. Does the admin of the boxes know they were defaced? Has he found the problem at all?
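Added example, not from the poster: a detection check for the CGI route described above. It parses Apache-style access log lines, URL-decodes each query string and flags requests whose parameters carry shell pipe, redirect or separator characters, which is what a "script runs echo into index.html" request looks like in the log. The log lines are constructed for the demo with RFC 5737 test addresses; the script name is invented.

```python
import re
from urllib.parse import unquote_plus

# Apache/NCSA log prefix: client, ident, user, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3})')

# Characters that turn a form value passed to a shell into a separate command,
# pipe or redirect. Legitimate form data almost never contains them.
SHELL_META = re.compile(r"\$\(|[|;`<>]")

# Constructed log lines for the demo; not from any real server.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2003:02:14:07 +0000] "GET /index.php HTTP/1.0" 200 4821 "-" "Mozilla/4.0"
203.0.113.5 - - [10/Mar/2003:02:14:09 +0000] "GET /cgi-bin/guestbook.cgi?name=bob&msg=hello+there HTTP/1.0" 200 1187 "-" "Mozilla/4.0"
198.51.100.9 - - [10/Mar/2003:02:15:41 +0000] "GET /cgi-bin/guestbook.cgi?name=%7Cecho+TechTeam+ownz+u%3Eindex.html%7C HTTP/1.0" 200 0 "-" "-"
198.51.100.9 - - [10/Mar/2003:02:15:43 +0000] "GET /index.html HTTP/1.0" 200 24 "-" "-"
"""


def parse_line(line):
    """Split one log line into its fields; return None for lines that do not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    return {"ip": m.group("ip"), "ts": m.group("ts"), "method": m.group("method"),
            "path": path, "query": unquote_plus(query), "status": int(m.group("status"))}


def suspicious_requests(log_text):
    """Return parsed requests whose decoded query string contains shell
    metacharacters, each with the sorted list of markers found. Decoding
    first matters: %7C would slip past a check on the raw line."""
    hits = []
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is None or not req["query"]:
            continue
        markers = sorted(set(SHELL_META.findall(req["query"])))
        if markers:
            req["markers"] = markers
            hits.append(req)
    return hits


if __name__ == "__main__":
    for req in suspicious_requests(SAMPLE_LOG):
        print(f'{req["ts"]} {req["ip"]} {req["path"]} markers={req["markers"]} '
              f'query={req["query"]!r}')
```

A hit here says which script and which client to look at, and the timestamp gives the window to check against the page's modification time; it is a starting point for the log review, not proof of compromise on its own.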
-
Thanks for the excellent advice, slarty. I simply uploaded all the php scripts I had saved on my home computer and overwrote the old ones (I saved them first to compare to the originals).
My webhost isn't being very cooperative, though. They claim it has to be a password issue (I change it daily) or a script vulnerability - which I admit is possible. However, one of the defacement messages was directed at the Free BSD OS. So, I have to wonder. I may have to switch to a more cooperative webhost.
I want to thank everyone for their excellent advice and help in this thread.
-
Sorry, they are from China.
There is a group calling themselves Tech Team, in Brazil.
But they're just script kiddies, well, lam0rs to be correct.
I know this because they have got a few defaced sites down in www.2600.com
in their archives.
And they state that they are a Chinese-based organisation, but how they call themselves an organisation is beyond me.
As people that do that sort of thing are just morons in my opinion.
Anyhow, cheers.
-
Actually, a small web design/hosting company out in California was recently hacked by these guys. I had some info on one of the servers and, alas, the data is no longer there. But it is a real pain in the ass for the hosting company because they had to try to rebuild everything from, as he said and I quote, "image like backups."