hacked
- 25 Responses
- ukit
Discovered one of the Mediatemple sites I host was hacked/ exploited earlier this week, and not even a Wordpress site.
Warning to everyone - these people are getting surprisingly elaborate in their approach.
- ae0
script injection?
- monospaced0
"these people"
?
- d_rek
racist / webbist
- ukit
The hackers, duh
- monospaced
fair enough
- ukit
Thanks for looking out for them lol
- monospaced
I wasn't, actually. I thought maybe you knew more.
- ukit
Whois points to a Russian domain
- zaq0
probably sql injection http://en.wikipedia.org/wiki/SQL…
- meffid0
a CMS?
- ukit0
In this case yeah, but apparently what hit me can attack any site that has an index.html or index.php page.
I'm not sure of the cause, but I'm starting to suspect that it was malware on my machine that gained access to my FTP passwords.
- ae0
I have seen that happen. I have even been told that PDF reader and Flash Player in the browser have caused damage by grabbing FTP passwords. Worth updating Flash Player and Adobe Acrobat Reader if installed...
- ukit
Yup, and they've acknowledged as much: http://www.dynaplex.…
- ukit0
There was also some talk of the Filezilla FTP program being a common factor in people whose passwords got stolen...which was true in my case.
- monospaced0
what's your site, ukit?
- ukit0
So, assuming that was true, these bastards injected a PC I was using months ago with a trojan...snatched the Filezilla password info. Then used that to FTP up to the site.
Once there, they didn't actually mess with the index.php file like I expected. Instead, they created an entirely new index.html file and had that redirect to the index.php while injecting the code.
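The pattern ukit describes (a fresh index.html dropped beside the real index.php, bouncing visitors through an external host) is exactly what a deploy-time hash manifest plus a redirect-indicator check catches. The following is an added example, not code from the thread; the web root, manifest, hostnames and indicator patterns are all constructed for the demo.

```python
"""Added example (not from the thread): baseline-and-indicator scan of a web root.

Two defender checks catch a planted redirect page:
  1. compare the web root against a hash manifest taken at deploy time
     (new or changed files stand out), and
  2. flag HTML/PHP files that carry redirect or injection indicators.
All paths, hostnames and sample files here are constructed for the demo.
"""
import hashlib
import os
import re
import tempfile

# Indicators typical of an injected redirect page: a meta refresh, an external
# <script src>, a zero-sized iframe, or a JavaScript location redirect.
# The patterns are illustrative, not an exhaustive signature set.
INDICATORS = {
    "meta_refresh": re.compile(r'<meta[^>]+http-equiv=["\']?refresh', re.I),
    "external_script": re.compile(r'<script[^>]+src=["\']?https?://', re.I),
    "hidden_iframe": re.compile(r'<iframe[^>]+(width|height)=["\']?0', re.I),
    "js_redirect": re.compile(r'(window\.)?location(\.href)?\s*=\s*["\']https?://', re.I),
}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Hash every file under root, keyed by relative path (run this at deploy time)."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return manifest


def scan_webroot(root, manifest):
    """Return a sorted list of (relative_path, reason) findings."""
    findings = []
    current = build_manifest(root)
    for rel, digest in current.items():
        if rel not in manifest:
            findings.append((rel, "new file not in deploy manifest"))
        elif manifest[rel] != digest:
            findings.append((rel, "content changed since deploy"))
        if rel.lower().endswith((".html", ".htm", ".php")):
            with open(os.path.join(root, *rel.split("/")), "r", errors="replace") as f:
                body = f.read()
            for label, pattern in INDICATORS.items():
                if pattern.search(body):
                    findings.append((rel, "indicator: " + label))
    for rel in manifest:
        if rel not in current:
            findings.append((rel, "file missing since deploy"))
    return sorted(findings)


def demo():
    """Build a constructed web root, baseline it, then plant a redirect page."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "index.php"), "w") as f:
        f.write("<?php echo 'hello'; ?>\n")
    manifest = build_manifest(root)          # clean deploy snapshot
    # Constructed artefact in the style ukit describes: a brand-new index.html
    # that refreshes to index.php while pulling a script from an external host.
    planted = ('<html><head><meta http-equiv="refresh" content="0;url=index.php">'
               '<script src="http://malware.example.invalid/x.js"></script>'
               '</head></html>\n')
    with open(os.path.join(root, "index.html"), "w") as f:
        f.write(planted)
    return scan_webroot(root, manifest)


if __name__ == "__main__":
    for path, reason in demo():
        print(path, "->", reason)
```

The manifest is the important half: an indicator regex will miss a cleverly written page, but a file that did not exist at deploy time, or whose hash changed without a deploy, is unambiguous. Keep the manifest off the web server (a stolen FTP password gives write access to anything sitting in the web root).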
- monospaced0
Interesting that this site got such personal hacking attention. They not only got the passwords to access the file servers, they acted on it. Almost seems personal.
- mydo0
It's amazing the lengths hackers go to.
I got blackmailed by a hacker into giving him free hosting a few years ago. 17 year old Serbian kid. I really had no choice.
A. Give me free hosting, and I'll protect your server from hackers and be your useful friend.
B. I'll destroy your business.
The kid had a 5 character email address (including the @ and the dots). How cool is that?
He's since disappeared! And I learnt my lesson (without getting hurt).
- ukit0
@monospaced
No, it's not personal at all. Read this, explanation of a similar kind of exploit (not the same one I got, but works similarly).
http://blog.scansafe.com/journal…
It's scary stuff because once they can access your FTP a lot of that security stuff you thought would work goes out the window.
- utopian0
ukit, it is time for you to get off MT all together.
MT is nothing but trouble, whether it is their shitty and slow web servers, getting hacked, or their servers simply off line.
- BattleAxe0
might be worth a read
http://ha.ckers.org/xss.html
- cubanhaze0
what about mac?
- PIZZA0
"In this case yeah, but apparently what hit me can attack any site that has an index.html or index.php page"
Doubt it's possible to attack a site via a .html page because the server is just sending a file; there is no processing going on. Definitely possible to hack via a .php file though, especially if you use something like wordpress/indexhibit.
LOL @mydo, sounds like you got played. How exactly would some kid ruin your business? And giving some hacker access to your server is idiotic; they could have used it for all sorts of things.
- PIZZA0
"they may just be able to sniff the FTP info when you connect"
FTP sends passwords in plaintext, but I don't think they can sniff it unless you pass through something they control (corporate network with some infected machines on it then yes highly likely). But it's not like you can just take information out of the ether and a script injection attack is easier.
- ukit
What do you make of this then? (second comment)
- ukit
I guess a link would be useful
http://forum.filezil…
- PIZZA
Well yeah, as I said, if it's going through a compromised machine then all bets are off
- comicsans0
Here it is in caps for the uninitiated:
DO NOT USE FTP, IT IS NOT SECURE, USE SFTP OR SCP.
SCP only supports file copying, SFTP like FTP supports operations like file renaming.
If you're forced to use FTP (say for client access) then have a restricted account with privileges locked down to allow uploading to a sheep-dip directory only, and use a separate secure account to move files to a deployment area. If you use FTP as part of website management you are simply asking for trouble and this sort of thing will happen to you sooner or later.
- comicsans
Of course, if your machine is already infected then it is academic.
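The workflow comicsans outlines (an upload-only account writes into a sheep-dip directory; a separate, privileged step vets the files and moves them into the live area) is shown below as an added Python example. It is not the poster's code; the allow-listed extensions, the directory layout, the forbidden-marker list and the sample files are assumptions made for the demo.

```python
"""Added example (not comicsans's code): the 'sheep-dip' promotion step.

The restricted FTP account can only write into SHEEPDIP. This job runs as a
different, privileged user and is the only thing that writes to the live
web root; it refuses anything that is not a plain static asset.
Directory names, extension list and sample files are constructed for the demo.
"""
import os
import shutil
import stat
import tempfile

# Assumption: the site is static content only, so nothing executable is ever promoted.
ALLOWED_EXTS = {".html", ".htm", ".css", ".js", ".png", ".jpg", ".gif", ".svg", ".pdf"}
# Byte sequences that have no business inside a static asset, whatever its extension.
FORBIDDEN_MARKERS = (b"<?php", b"<?=", b"<%", b"#!/")


def check_candidate(path):
    """Return None if the file may be promoted, otherwise a rejection reason."""
    name = os.path.basename(path)
    if name.startswith("."):
        return "dotfile (server config such as .htaccess is never uploaded this way)"
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED_EXTS:
        return "extension %s not in allow-list" % (ext or "(none)")
    if os.path.islink(path):
        return "symlink"
    with open(path, "rb") as f:
        head = f.read(1 << 20)   # first 1 MiB is plenty for the marker check
    for marker in FORBIDDEN_MARKERS:
        if marker in head:
            return "contains server-side code marker %r" % marker
    return None


def promote(sheepdip, deploy):
    """Move vetted files from sheepdip into deploy; return (promoted, rejected)."""
    promoted, rejected = [], []
    for dirpath, _, files in os.walk(sheepdip):
        for name in files:
            src = os.path.join(dirpath, name)
            rel = os.path.relpath(src, sheepdip).replace(os.sep, "/")
            reason = check_candidate(src)
            if reason:
                rejected.append((rel, reason))
                continue
            dst = os.path.join(deploy, *rel.split("/"))
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.move(src, dst)
            # The live copy is read-only for everyone; the web server only reads it.
            os.chmod(dst, stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)
            promoted.append(rel)
    return sorted(promoted), sorted(rejected)


def demo():
    """Populate a constructed sheep-dip directory and run one promotion pass."""
    sheepdip, deploy = tempfile.mkdtemp(), tempfile.mkdtemp()
    samples = {                                   # constructed sample uploads
        "style.css": b"body { color: #333; }\n",
        "img/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "shell.php": b"<?php echo 'x'; ?>",       # rejected: extension not allowed
        "photo.jpg": b"\xff\xd8\xff\xe0<?php echo 1; ?>",  # rejected: PHP marker inside an image
        ".htaccess": b"Options +Indexes\n",       # rejected: dotfile
    }
    for rel, data in samples.items():
        path = os.path.join(sheepdip, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return promote(sheepdip, deploy)


if __name__ == "__main__":
    ok, bad = demo()
    print("promoted:", ok)
    for rel, why in bad:
        print("rejected:", rel, "-", why)
```

The point of the split is least privilege: a stolen FTP password now only lets someone fill the sheep-dip directory, and nothing there is served until a separate account, reachable only over SSH/SFTP, has vetted and moved it. Rejected files should be logged and left in place for a human to look at rather than silently deleted.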