
When my Web Site defaced? - Sharing a real experience


morpheus063

Sr. Member

Posts: 393

Joined: Sun Jun 25, 2006 10:08 am

Location: Cochin - India

Post Wed Nov 15, 2006 12:38 pm

When my Web Site defaced? - Sharing a real experience

Hi All,

After my previous article named – When I was phished – which was based on a real life experience, I am writing a similar article named – When my website was defaced – which is again based on a true life experience.

I am running a web site named The Admins – http://www.theadmins.info – . One fine morning, when I opened the site, I noticed that the title bar of the web site had changed to some pseudo code like sentences. I realized that my site was defaced. Now what? The pseudo code was indicating that my site is vulnerable to some SQL injection. I did some research and I got the answer immediately. I thought I would like to share it with the EH-Net community so that we all are aware of the latest happenings. The message of the story is:
  • The importance of patch management,
  • The importance of a contingency plan,
  • The importance of backup,
  • The importance of secure coding practices, and
  • The truth that there is nothing known as 100 percent security.

Let's get into the real life example. Some info – Vulnerable Application – PHP 7.8

Go to the Search Module as shown in the below screen shot:

Image

Enter the below mentioned string and press enter

  Code:
p0hh0nsee%') UNION ALL SELECT 1,2,aid,pwd,5,6,7,8,9,10 FROM nuke_authors/*


You will get the result which will show you the encrypted password and the admin user name as shown in the screenshot.

Image

Go to http://gdataonline.com/seekhash.php and enter the encrypted password. You should get the password in plain text (decrypted format). That’s all, go to http://www.targetsite.com/admin.php and enter the obtained login credentials – you are inside the website control panel.

Preventive measures

1. If you cannot upgrade to the latest version, disable the search module.
2. Upgrade to PHP Nuke 7.9 or 8.0

Conclusion

The above example shows how a person can get into the admin panel without any programming or technical knowledge in just less than 1 minute. This brings us to the very important concept of Information Security and its related domains. Had the programmer and the project manager followed the secure coding standards, such critical errors could have been avoided.

Please comment on your similar experiences.

Regards,

Morpheus
Manu Zacharia
MVP (Enterprise Security), ISLA-2010 (ISC)², C|EH, C|HFI, CCNA, MCP,
Certified ISO 27001:2005 Lead Auditor

There are 3 roads to spoil; women, gambling & hacking. The most pleasant with women, the quickest with gambling, but the surest is hacking - c0c0n
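
Added example, not part of the original post and not PHP-Nuke's code: a small Python/sqlite3 stand-in showing why the search string quoted above returns rows from `nuke_authors` when the term is concatenated into the SQL text, and why a parameterized query returns nothing for the same input. The `stories` table, its column names and the sample rows are constructed assumptions; only the `nuke_authors` table name and its `aid`/`pwd` columns come from the post.

```python
import sqlite3

# Search string quoted verbatim in the post above.
POSTED_INPUT = ("p0hh0nsee%') UNION ALL SELECT 1,2,aid,pwd,5,6,7,8,9,10 "
                "FROM nuke_authors/*")

COLS = "c1,c2,title,body,c5,c6,c7,c8,c9,c10"


def make_db():
    """Constructed stand-in schema (assumption): only the nuke_authors
    table name and its aid/pwd columns come from the post."""
    db = sqlite3.connect(":memory:")
    db.executescript(f"""
        CREATE TABLE nuke_authors (aid TEXT, pwd TEXT);
        CREATE TABLE stories ({COLS});
        INSERT INTO nuke_authors VALUES ('admin', 'CONSTRUCTED-HASH');
        INSERT INTO stories VALUES
            (1, 2, 'Patch day', 'Apply updates', 5, 6, 7, 8, 9, 10);
    """)
    return db


def search_concat(db, term):
    """Vulnerable pattern: the search term becomes part of the SQL text."""
    sql = (f"SELECT {COLS} FROM stories "
           f"WHERE (title LIKE '%{term}%' OR body LIKE '%{term}%')")
    return db.execute(sql).fetchall()


def search_param(db, term):
    """Hardened pattern: the term is bound as data and never parsed as SQL."""
    like = f"%{term}%"
    sql = f"SELECT {COLS} FROM stories WHERE (title LIKE ? OR body LIKE ?)"
    return db.execute(sql, (like, like)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("concatenated :", search_concat(db, POSTED_INPUT))
    print("parameterized:", search_param(db, POSTED_INPUT))
    print("normal search:", search_param(db, "Patch"))
```

In the concatenated version the quote and parenthesis in the input close the `LIKE` clause, and the trailing `/*` comments out the rest of the statement; with bound parameters the whole string is just a search term that matches no story.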

LSOChris

Post Wed Nov 15, 2006 4:19 pm

Re: When my Web Site defaced? - Sharing a real experience

damn man...bummer

oleDB

Recruiters

Posts: 236

Joined: Thu Jul 20, 2006 8:58 am

Location: HOA

Post Thu Nov 16, 2006 1:57 pm

Re: When my Web Site defaced? - Sharing a real experience

What I've realized is the huge tradeoff you make by going with a popular product like wordpress, phpnuke, mamba, etc. You pick it because of the good support and large userbase, however then you are constantly forced to upgrade month after month or else be subject to attack from the skriddies. It becomes a major headache once you make customizations to your site, which may or may not be wiped out by an upgrade. Just something to think about. I made my choice, however if I had to do it over again, I may have gone with something less popular so I wouldn't have to upgrade constantly. I may have had to spend more time getting it configured, but only had to update it once a year or even 2 years. I had to upgrade 6 times in 1.5 years with my product and I hated it, because many of the upgrades break stuff and you have to roll back and wait for the next upgrade. And the one time you slack or go on vacation, you come back and your site is p0wn3d.

Kev

Post Fri Nov 17, 2006 11:04 am

Re: When my Web Site defaced? - Sharing a real experience

I agree with oleDB as far as the problems you run into with scripts like PHP. It really is better to use the least popular script that will work for you, but unfortunately that doesn’t always solve the problem. However, if you run a web forum it’s hard to resist not using PHP because of its ease of use and style. The only solution if you use it is to keep a watchful eye and patch whenever there is an upgrade. If the upgrade breaks some things, just be willing to adjust as needed. It’s better to be willing to revamp the site than have some big message painted on your home page displaying that you just got owned!

The hack that The Morpheus displayed is one of the most common methods to deface that I encounter.  There are many skiddies that do nothing but surf the net hours and hours hoping to find a site that is vulnerable to the SQL attack that their group or ICQ channel just announced.  A lot of times the site was just a random encounter and was not a specific target. Kind of like a “drive by” defacement. Although I would say hacking or security sites are often the target. Some hacking sites get so frustrated by the constant assaults, so they just finally pull the site down.

  Once they plant their “flag” they go back to their little group and post the URL they attacked in order to win some minor admiration.  Obviously, this is total kid stuff because you would never see a high end hacker wasting his time doing something like that.  It really is the same mentality of the kid that “tags” walls with his spray can. 
