I went to the blog to share some awesome news: flirc is now patent pending.
However, when I got to the blog, I was greeted by a glorious message saying "fuck you", followed by a redirect to some stupid hacker website that was obviously designed in 1994.
How did this happen? I'm going to share.
Okay, let's try getting into the WordPress backend. Logged in, and everything looked fine; WordPress was still intact. I noticed a WordPress upgrade was available, so I applied it, thinking maybe there was a security flaw. WordPress updated, went back to the main page: still hacked.
Okay, let's go one step further. I SSH in and start looking at the log files. Crazy, nobody got in over SSH.
Okay, how about FTP? Looked through those log files, nothing.
Scratching my head at this point, I go into the WordPress directory and list it. One entry jumps out:
-rw-r--r-- 1 _www _www 6.1K Jun 30 20:23 index.html
Okay, here we go. There isn't supposed to be an index.html file in this directory; WordPress uses index.php. Apache's DirectoryIndex serves index.html ahead of index.php, which is why a dropped index.html hijacks the front page while WordPress itself sits untouched (and why the WordPress update couldn't help). Opening it up: yup, it's some crap HTML with redirects and pop-ups. Okay, let's save it:
mv index.html index.asshat
Let's keep looking.
Two more files owned by _www and not by me:
-rw-r--r-- 1 _www _www 124B Jun 22 20:55 jundab.txt
-rw-r--r-- 1 _www _www 28K Jun 29 22:44 file.htm
Let's peek inside jundab.txt:
MagelangCyber Was Here-Hacked by Jundab-thx Hmei7, kaMtiEz, k4l0ng666, boebefa, s13doeL, Dr. Cruzz , ibl13Z and you~
Okay, great. file.htm is still there, feel free to check it out. What a waste of time that must have been to do.
So how did this happen? Let's go into /var/log and check:
grep jundab -ir *
Aha, found it in apache2/access_log.
Here is the line (the left-hand part is the tail of the previous entry; the part that matters is the PUT, and the 201 Created status means Apache accepted the request and wrote the file):
"GET /favicon.ico HTTP/1.1" 404 1075 22.214.171.124 - - [22/Jun/2011:20:55:39 -0700] "PUT /jundab.txt HTTP/1.0" 201 308
Mother fucker... so for someone to do this, all they needed was the standard HTTP PUT method. How? Simple:
curl blog.flirc.tv/ --upload-file jundab.txt
Did that from another machine, and bam, transferred (with a URL ending in a slash, curl appends the local file name, so this is exactly the "PUT /jundab.txt" in the log). So can you just upload files to web servers? Yes and no. Stock Apache answers a PUT on a plain directory with 405 Method Not Allowed, so something on the server, usually mod_dav, has to be handling PUT in the first place. But I made a huge error that let that write succeed: the root directory of the blog was writable by _www. I believe the permissions were:
drwxrwxr-x 40 'user' _www 1.3K Jun 30 22:34 blog
Yeah, that's bad: group _www has write access to the whole blog directory. How do you fix this? Change it so it's not writable by Apache:
chmod 755 blog
drwxr-xr-x 40 'user' _www 1.3K Jun 30 22:34 blog
So this small error could have been a lot of trouble. I found it pretty soon after it happened, but that doesn't matter. Drop a PHP script with a web shell in there, request it from a browser, and the attacker has code execution as the web server user. There were no PHP scripts dropped, so thankfully it was probably a bot that runs around trying to PUT files onto servers. But in any case the server was hacked, and the only safe way to recover is to assume the system has been compromised and restore from a known-good backup.
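Two checks I'd script for this failure mode, covering both the log hunt above (the grep for jundab and the 201 on the PUT) and the permissions slip behind it. This is an added example, not code from the original post or from flirc: it assumes a POSIX sh with find and awk, the Apache combined/common log layout, the _www user name from this server, and uses constructed sample data (documentation-range IPs and a throwaway directory tree) so it runs offline.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes POSIX sh, find, awk,
# and Apache common/combined log format. Sample data below is constructed.

# 1. Directories under the web root that the server could write to
#    (group- or world-writable). The post's blog/ was drwxrwxr-x with
#    group _www, which is what let the PUT handler create files there.
find_writable_dirs() {
    find "$1" -type d \( -perm -020 -o -perm -002 \) -print
}

# 2. Files under the web root owned by the web-server user. WordPress files
#    belong to the deploying user, so anything _www owns in the tree was
#    written by the server itself. wp-content/uploads is the legitimate
#    exception, so it is pruned. Pass the root without a trailing slash.
find_server_owned_files() {
    find "$1" -path "$1/wp-content/uploads" -prune -o \
        -type f -user "${2:-_www}" -print
}

# 3. Write-style requests the server actually accepted (2xx status).
#    In common/combined format, field 6 is the quoted method and field 9
#    the status; the post's smoking gun was "PUT /jundab.txt HTTP/1.0" 201.
find_successful_writes() {
    awk '$6 ~ /^"(PUT|DELETE|MKCOL|MOVE|COPY|PATCH)$/ && $9 ~ /^2[0-9][0-9]$/' "$1"
}

# Constructed sample log: one refused PUT (405), one accepted PUT (201),
# plus ordinary traffic. IPs are from the 203.0.113.0/24 documentation range.
write_sample_log() {
    printf '%s\n' \
        '203.0.113.7 - - [22/Jun/2011:20:55:39 -0700] "GET /favicon.ico HTTP/1.1" 404 1075' \
        '203.0.113.7 - - [22/Jun/2011:20:55:39 -0700] "PUT /jundab.txt HTTP/1.0" 201 308' \
        '203.0.113.7 - - [22/Jun/2011:20:56:02 -0700] "PUT /shell.php HTTP/1.0" 405 342' \
        '198.51.100.4 - - [23/Jun/2011:01:12:11 -0700] "POST /wp-login.php HTTP/1.1" 200 1540' \
        > "$1"
}

# Constructed sample blog tree: the root is group-writable like the post's,
# wp-content is not, uploads holds a legitimate file, jundab.txt is the drop.
make_sample_blog() {
    mkdir -p "$1/wp-content/uploads"
    chmod 775 "$1"
    chmod 755 "$1/wp-content" "$1/wp-content/uploads"
    echo "legit" > "$1/wp-content/uploads/photo.jpg"
    echo "defaced" > "$1/jundab.txt"
}

# Stand-alone demo: run all three checks against the sample. The owner check
# uses the current user here, since the sample files were created by us;
# on the real box you would pass _www.
demo() {
    demo_dir=$(mktemp -d)
    write_sample_log "$demo_dir/access_log"
    make_sample_blog "$demo_dir/blog"
    echo "== directories the web server can write =="
    find_writable_dirs "$demo_dir/blog"
    echo "== files owned by the web-server user =="
    find_server_owned_files "$demo_dir/blog" "$(id -un)"
    echo "== accepted write requests =="
    find_successful_writes "$demo_dir/access_log"
    rm -rf "$demo_dir"
}
demo
```

Against the real server the calls are find_writable_dirs /path/to/blog, find_server_owned_files /path/to/blog _www and find_successful_writes /var/log/apache2/access_log. A 2xx on a PUT is the thing to alert on; the 405 in the sample shows what Apache returns when nothing handles the method. As a second layer beyond the chmod, denying PUT and friends at the web server with a <LimitExcept GET POST HEAD> block (Require all denied on Apache 2.4, Deny from all on 2.2) means a later permissions slip can't be reached this way.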