I went to visit the blog to share some awesome news, flirc is now patent pending.<\/p>\n
However, when I went to visit the blog, I get a glorious message saying, “fuck you” with a site redirection to some stupid hackors website that was obviously designed in 1994.<\/p>\n
How did this happen…going to share…<\/p>\n
Okay, let’s try getting into the wordpress backend, logged in, everything looked fine. WordPress is still intact. I notice there is wordpress upgrade available, so I hit that, maybe there was some security flaw. WordPress updated, went back to the main page, still hacked.<\/p>\n
Okay, let’s go one step further. I ssh into and start looking at the log files. Crazy, no one got into SSH.<\/p>\n
Okay, how about FTP? Looked through those log files, nothing….<\/p>\n
Scratching my head at this point, I go into the directory with wordpress and do an<\/p>\n
ls -lah<\/p>\n
-rw-r–r– \u00a0 \u00a01 _www \u00a0 \u00a0 _www \u00a0 6.1K Jun 30 20:23 index.html<\/p><\/blockquote>\n
Okay, here we go, there isn’t supposed to be an index.html file in this directory, wordpress uses index.php. Opening this up, yup, it’s some crap html with redirects and pop-ups. Okay, let’s save it:<\/p>\n
mv index.html index.asshat<\/p><\/blockquote>\n
Let’s keep looking<\/p>\n
ls -lah<\/p><\/blockquote>\n
Two more files owned by www and not me:<\/p>\n
-rw-r–r– \u00a0 \u00a01 _www \u00a0 \u00a0 _www \u00a0 124B Jun 22 20:55 jundab.txt<\/p>\n
-rw-r–r– \u00a0 \u00a01 _www \u00a0 \u00a0 _www \u00a0 \u00a028K Jun 29 22:44 file.htm<\/p><\/blockquote>\n
Let’s peek inside the file<\/p>\n
cat\u00a0jundab.txt<\/p>\n
MagelangCyber Was Here-Hacked by Jundab-thx Hmei7, kaMtiEz, k4l0ng666, boebefa, s13doeL, Dr. Cruzz , \u00a0ibl13Z and you~<\/p><\/blockquote>\n
Okay, great, file.htm is still there, feel free to check it out. What a waste of time that must have been to do.<\/p>\n
So how did this happen. Let’s go into \/var\/log and check.<\/p>\n
cd \/var\/log<\/p>\n
grep jundab -ir *<\/p><\/blockquote>\n
Ahah, found it in\u00a0apache2\/access_log<\/p>\n
Here is the line: \u00a0“GET \/favicon.ico HTTP\/1.1” 404 1075 118.96.148.7 – – [22\/Jun\/2011:20:55:39-0700] “PUT \/jundab.txt HTTP\/1.0” 201 308<\/p>\n
Mother Fucker…. so for someone to be able to do this, they used the standard HTTP PUT method. How? Simple:<\/p>\n
curl blog.flirc.tv\/ –upload-file jundab.txt<\/p><\/blockquote>\n
Did that from another machine, bam, transferred. So you can just transfer files to webservers? Yes and no. I made a huge error. For this to be possible, my root directory of the blog was writeable by www. I believe the set permissions were:<\/p>\n
drwxrwxr-x \u00a040 ‘user’ \u00a0_www \u00a0 \u00a01.3K Jun 30 22:34 blog<\/p><\/blockquote>\n
Yeah, that’s bad. How do you fix this? Change it so it’s not writeable by apache.<\/p>\n
chmod 755 blog<\/p>\n
ls -lah<\/p>\n
drwxr-xr-x \u00a040 ‘user’ \u00a0_www \u00a0 \u00a01.3K Jun 30 22:34 blog<\/p><\/blockquote>\n
So this small error could have been a lot of trouble. I found it pretty close after it happened, but that doesn’t matter. Drop a php script on there that has an exploit, call the php script from a browser, and I’m done. There were no php scripts, so thankfully, it was probably a BOT that runs around and try’s putting files on servers. But in any case, the server was hacked and the only way to recover is to assume the system has been compromised, and restore.<\/p>\n","protected":false},"excerpt":{"rendered":"
I went to visit the blog to share some awesome news, flirc is now patent pending. However, when I went to visit the blog, I get a glorious message saying, “fuck you” with a site redirection to some stupid hackors website that was obviously designed in 1994. How did this happen…going to share… Okay, let’s […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true},"categories":[6],"tags":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/ppp9g-2R","_links":{"self":[{"href":"https:\/\/blog.flirc.tv\/index.php\/wp-json\/wp\/v2\/posts\/177"}],"collection":[{"href":"https:\/\/blog.flirc.tv\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.flirc.tv\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.flirc.tv\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.flirc.tv\/index.php\/wp-json\/wp\/v2\/comments?post=177"}],"version-history":[{"count":1,"href":"https:\/\/blog.flirc.tv\/index.php\/wp-json\/wp\/v2\/posts\/177\/revisions"}],"predecessor-version":[{"id":1058,"href":"https:\/\/blog.flirc.tv\/index.php\/wp-json\/wp\/v2\/posts\/177\/revisions\/1058"}],"wp:attachment":[{"href":"https:\/\/blog.flirc.tv\/index.php\/wp-json\/wp\/v2\/media?parent=177"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.flirc.tv\/index.php\/wp-json\/wp\/v2\/categories?post=177"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.flirc.tv\/index.php\/wp-json\/wp\/v2\/tags?post=177"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}