Doh! – Blog Was Hacked

I went to visit the blog to share some awesome news, flirc is now patent pending.

However, when I went to visit the blog, I get a glorious message saying, “fuck you” with a site redirection to some stupid hackors website that was obviously designed in 1994.

How did this happen…going to share…

Okay, let’s try getting into the WordPress backend. Logged in, everything looked fine; WordPress is still intact. I notice there is a WordPress upgrade available, so I hit that, maybe there was some security flaw. WordPress updated, went back to the main page, still hacked.

Okay, let’s go one step further. I ssh in and start looking at the log files. Crazy, no one got into SSH.

Okay, how about FTP? Looked through those log files, nothing…

Scratching my head at this point, I go into the directory with WordPress and do an

ls -lah

-rw-r--r--    1 _www     _www   6.1K Jun 30 20:23 index.html

Okay, here we go: there isn’t supposed to be an index.html file in this directory; WordPress uses index.php. Opening it up, yup, it’s some crap HTML with redirects and pop-ups. Okay, let’s save it:

mv index.html index.asshat

Let’s keep looking

ls -lah

Two more files owned by _www and not me:

-rw-r--r--    1 _www     _www   124B Jun 22 20:55 jundab.txt

-rw-r--r--    1 _www     _www    28K Jun 29 22:44 file.htm

Let’s peek inside the file

cat jundab.txt

MagelangCyber Was Here-Hacked by Jundab-thx Hmei7, kaMtiEz, k4l0ng666, boebefa, s13doeL, Dr. Cruzz ,  ibl13Z and you~

Okay, great, file.htm is still there, feel free to check it out. What a waste of time that must have been to do.

So how did this happen? Let’s go into /var/log and check.

cd /var/log

grep jundab -ir *

Ahah, found it in apache2/access_log

Here is the line: "GET /favicon.ico HTTP/1.1" 404 1075 118.96.148.7 - - [22/Jun/2011:20:55:39 -0700] "PUT /jundab.txt HTTP/1.0" 201 308

Mother Fucker…. so for someone to be able to do this, they used the standard HTTP PUT method. How? Simple:

curl blog.flirc.tv/ --upload-file jundab.txt

Did that from another machine, bam, transferred. So you can just transfer files to web servers? Yes and no. I made a huge error. For this to be possible, the root directory of the blog had to be writable by _www. I believe the permissions were:

drwxrwxr-x  40 'user'  _www    1.3K Jun 30 22:34 blog

Yeah, that’s bad. How do you fix this? Change it so it’s not writable by Apache.

chmod 755 blog

ls -lah

drwxr-xr-x  40 'user'  _www    1.3K Jun 30 22:34 blog

So this small error could have been a lot of trouble. I found it pretty soon after it happened, but that doesn’t matter. Drop a PHP script on there that has an exploit, call the PHP script from a browser, and I’m done. There were no PHP scripts, so thankfully it was probably a bot that runs around and tries putting files on servers. But in any case, the server was hacked and the only way to recover is to assume the system has been compromised, and restore.
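As an added example (not code from the original post), here are the two checks above as a POSIX shell script a defender can keep around: one greps an Apache access log for write-method requests that succeeded, the clue this post found, and the other lists everything under a docroot that the web server user could write to, which is the misconfiguration that let the PUT land. The _www user is taken from the post; the log lines are constructed and the docroot path is whatever you pass in.

```shell
#!/bin/sh
# Added example, not code from the original post. Two post-incident checks:
# (1) find successful write-method requests in an Apache access log, which is
#     the clue the post found ("PUT /jundab.txt HTTP/1.0" 201), and
# (2) list paths under a docroot that the web server user could write to,
#     the misconfiguration that let the PUT succeed.
# Assumptions: web user/group default to _www; log lines below are constructed.

WEB_USER="${WEB_USER:-_www}"
WEB_GROUP="${WEB_GROUP:-$WEB_USER}"

# Print log lines where PUT/DELETE/MOVE/COPY/MKCOL got a 2xx status.
# Returns 0 if at least one such line exists (grep's exit status).
find_write_methods() {
    grep -E '"(PUT|DELETE|MOVE|COPY|MKCOL) [^"]*" 2[0-9][0-9]( |$)' "$1"
}

# Print every path under docroot $1 that the web user can write:
# owned by WEB_USER with owner-write, group WEB_GROUP with group-write,
# or world-writable. Empty output is the healthy state (compare chmod 755).
find_writable_by_web_user() {
    find "$1" \( \( -user "$WEB_USER" -perm -u=w \) \
              -o \( -group "$WEB_GROUP" -perm -g=w \) \
              -o -perm -o=w \) -print
}

# Write a constructed sample log (RFC 5737 test addresses) to a temp file
# and print its path, so the example runs without a real server.
make_sample_log() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
203.0.113.5 - - [22/Jun/2011:20:55:12 -0700] "GET /favicon.ico HTTP/1.1" 404 1075
203.0.113.5 - - [22/Jun/2011:20:55:39 -0700] "PUT /jundab.txt HTTP/1.0" 201 308
203.0.113.5 - - [22/Jun/2011:20:56:01 -0700] "PUT /x.php HTTP/1.0" 403 212
198.51.100.9 - - [22/Jun/2011:21:00:00 -0700] "GET /index.php HTTP/1.1" 200 6100
EOF
    echo "$tmp"
}

# Usage when run directly: audit a log and a docroot given as arguments,
# e.g. ./audit.sh /var/log/apache2/access_log /path/to/blog
if [ "$#" -eq 2 ]; then
    echo "== successful write-method requests in $1"
    find_write_methods "$1" || echo "(none)"
    echo "== paths under $2 writable by $WEB_USER"
    find_writable_by_web_user "$2"
fi
```

A 403 on a PUT (the third constructed line) is the server refusing the method, so only the 201 line is reported; on the docroot side, a clean result after `chmod 755` is an empty list.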

7 Responses to “Doh! – Blog Was Hacked”

  1. uncola Says:

    pwned.

  2. Jason Kotzin Says:

  3. nrg Says:

    A better solution would be, assuming you are using Apache, to put something like this in your Apache configuration:

    Order allow,deny
    Allow from all
    Deny from all

    Order deny,allow
    Deny from all
    Allow from all

    As far as I know, that is Apache’s default behavior so maybe you should check for some explicit Allows for PUT instead.

    See also: http://httpd.apache.org/docs/2.2/mod/core.html#limit

  4. nrg Says:

    Hm, your blog removes the tags. There’s a better solution anyway:
    (LimitExcept POST GET)
    Order allow,deny
    Allow from all
    Deny from all
    (/LimitExcept)

    Replace the parentheses with angle brackets.

  5. Jason Kotzin Says:

    What was this for?

  6. Jundab Says:

    hello bro, I’m here, I do not damage your site: AND .. I just put the txt files only .. sorry bro

  7. Jason Kotzin Says:

    I appreciate you not doing anything malicious, thank you Jundab.
