This is a discussion on MASSIVE Server Hack OMG!!!! in the Shared & Semi-Dedicated forum

  1. #1
    Loyal Client
    Join Date
    Jan 2002
    Posts
    224

    Exclamation MASSIVE Server Hack OMG!!!!

    So I was just doing some routine stuff on my website, when I got a 500 internal server error.

    I now checked some files, they had been updated today, which I thought was very strange, because I know I didn't update them.

    I downloaded these files and saw this inside:

    <u style=display:none><a href='http://new-hidden-object-games.blogspot.com/2008/02/download-mystery-case-files-madame-fate.html' title='mystery case files madame fate'>mystery case files madame fate</a></u>

    WTF!?!?!? What the hell is this??

    Not only that, it looks like many of my files have been replaced with this.

    P.S. Do not open that URL!! I believe it turns off your internet security settings.

    Please check your accounts!!!!!!!!!!! Let me know if you have been hit or if I am the only one.
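    As an added example (not part of the original post or the forum's own material): a small Python scanner for the kind of injected markup quoted above, a `display:none` wrapper around an anchor, which also uses file modification times to narrow the search to files changed within a given window, as the poster did by hand. The sample files, the `http://example.invalid/spam` link and the directory layout are constructed for the demo.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Matches an element hidden with display:none that wraps an anchor, e.g.
#   <u style=display:none><a href='http://...' title='...'>...</a></u>
# Quotes and whitespace are optional so unquoted attribute values also match.
HIDDEN_LINK_RE = re.compile(
    r"<(?P<tag>u|div|span|p)\b[^>]*style\s*=\s*['\"]?[^>]*display\s*:\s*none[^>]*>"
    r"\s*<a\b[^>]*href\s*=\s*['\"]?(?P<href>[^'\" >]+)",
    re.IGNORECASE | re.DOTALL,
)

# Constructed samples (hypothetical spam domain, not the one from the thread).
SAMPLE_INJECTED = (
    "<u style=display:none><a href='http://example.invalid/spam' "
    "title='hidden spam'>hidden spam</a></u>\n"
)
CLEAN_PAGE = "<html><body><p>Hello <a href=\"/about\">about</a></p></body></html>\n"


def find_hidden_links(text):
    """Return [(wrapper_tag, href)] for every hidden anchor found in text."""
    return [(m.group("tag").lower(), m.group("href"))
            for m in HIDDEN_LINK_RE.finditer(text)]


def scan_tree(root, exts=(".php", ".html", ".htm"), since=None):
    """Walk root and return [(relative_path, links)] for infected files.

    since: optional epoch timestamp; files last modified before it are skipped,
    which is the "only look at what changed today" triage from the post.
    """
    root = Path(root)
    hits = []
    for p in sorted(root.rglob("*")):
        if not p.is_file() or p.suffix.lower() not in exts:
            continue
        if since is not None and p.stat().st_mtime < since:
            continue
        try:
            text = p.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the scan
        links = find_hidden_links(text)
        if links:
            hits.append((str(p.relative_to(root)), links))
    return hits


def demo():
    """Build a throwaway site tree and scan only files touched in the last day."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "blog").mkdir()
        # Freshly modified PHP page carrying the hidden link (should be reported).
        (root / "blog" / "index.php").write_text("<?php echo 'hi'; ?>\n" + SAMPLE_INJECTED)
        # Clean static page (should not be reported).
        (root / "about.html").write_text(CLEAN_PAGE)
        # Infected but untouched for two days, so outside the triage window.
        old = root / "archive.html"
        old.write_text(SAMPLE_INJECTED)
        two_days_ago = time.time() - 2 * 86400
        os.utime(old, (two_days_ago, two_days_ago))
        return scan_tree(root, since=time.time() - 86400)


if __name__ == "__main__":
    for path, links in demo():
        print(path, links)
```

    Dropping the `since` argument scans the whole tree, which is the right call once the first hit shows the change spans several directories.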

  2. #2
    Community Leader jason's Avatar
    Join Date
    Sep 2001
    Location
    Rochester, NY
    Posts
    6,003
    What kind of software (blogs, galleries, CMS, etc.) are you running on your site?

    --Jason
    Jason Pitoniak
    Interbrite Communications
    www.interbrite.com www.kodiakskorner.com

  3. #3
    Loyal Client
    Join Date
    Jan 2002
    Posts
    224
    osCommerce, WordPress, up-to-date versions.

    I have just found a shell.php file in a dir.

    I never use SSH/shell.

    I am now looking round for weird files; let's hope Jag or someone can tell me how it happened.

  4. #4
    Loyal Client
    Join Date
    Jan 2002
    Posts
    224
    I checked my access logs and found this, which was at the same time:

    128.121.123.31 - - [28/Feb/2008:02:48:57 -0500] "POST /spamit.php HTTP/1.1" 200 63 "-" "GoogleBot 2.1"
    I googled spamit.php and there was nothing!
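    As an added example (not from the original thread or from JaguarPC): a Python pass over Apache combined-format log lines that flags the two things worth noticing in the line above, a POST to a PHP script that is not a known form handler, and a User-Agent that claims to be Googlebot without matching the real Googlebot string (`Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)`). The allowlist of expected POST targets and all sample lines other than the one quoted from the post are constructed for the demo.

```python
import re

# Apache "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed allowlist: scripts on this (hypothetical) site that legitimately
# receive POST requests. Anything else taking a POST deserves a look.
KNOWN_POST_TARGETS = {
    "/wp-login.php", "/wp-comments-post.php", "/xmlrpc.php",
    "/checkout_process.php",
}

# Genuine Googlebot always carries this fragment in its User-Agent.
REAL_GOOGLEBOT_RE = re.compile(r"Googlebot/2\.1; \+http://www\.google\.com/bot\.html")

UNEXPECTED_PHP_POST = "unexpected-php-post"
SPOOFED_GOOGLEBOT = "spoofed-googlebot-ua"

# Sample input: first line is the one quoted in the post, the rest are constructed.
SAMPLE_LOG = [
    '128.121.123.31 - - [28/Feb/2008:02:48:57 -0500] "POST /spamit.php HTTP/1.1" 200 63 "-" "GoogleBot 2.1"',
    '198.51.100.7 - - [28/Feb/2008:02:49:10 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 5.1)"',
    '198.51.100.7 - - [28/Feb/2008:02:49:30 -0500] "POST /wp-login.php HTTP/1.1" 302 0 "http://example.invalid/wp-login.php" "Mozilla/5.0 (Windows NT 5.1)"',
    '66.249.66.1 - - [28/Feb/2008:02:50:02 -0500] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '203.0.113.5 - - [28/Feb/2008:02:51:44 -0500] "POST /wp-content/uploads/shell.php HTTP/1.1" 200 911 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Return a dict of fields, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(rec):
    """Return the list of reasons a parsed request looks suspicious."""
    reasons = []
    script = rec["path"].split("?", 1)[0]
    if rec["method"] == "POST" and script.endswith(".php") and script not in KNOWN_POST_TARGETS:
        reasons.append(UNEXPECTED_PHP_POST)
    if "googlebot" in rec["ua"].lower() and not REAL_GOOGLEBOT_RE.search(rec["ua"]):
        reasons.append(SPOOFED_GOOGLEBOT)
    return reasons


def suspicious_requests(lines):
    """Return [(ip, path, reasons)] for every line that trips a rule."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed or different log format; skip
        reasons = classify(rec)
        if reasons:
            out.append((rec["ip"], rec["path"], reasons))
    return out


if __name__ == "__main__":
    for ip, path, reasons in suspicious_requests(SAMPLE_LOG):
        print(ip, path, ", ".join(reasons))
```

    The allowlist is the part that has to be tuned per site; a good starting point is the set of `.php` paths that received POSTs in the weeks before the incident.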

  5. #5
    Loyal Client
    Join Date
    Jan 2002
    Posts
    224
    Anyone else shed any light on this?

    Why would a hack only modify some PHP files and not others, and some HTML files?

    It happened on my whole account, on some WordPress pages, but also on some static HTML pages in different dirs.

    It's really weird.

  6. #6
    Yeah, I know a LOT! Vin DSL's Avatar
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,775
    Hrm...

    Only thing I can see that isn't working is the home page itself.

    Looks like your average run-of-the-mill defacement, not a MASSIVE server hack...
    DISCLAIMER: Any resemblance between the views expressed above and those of the owners and operators of this system is purely coincidental. Any resemblance between these views and my own is non-deterministic. The existence of Vin DSL is questionable. The existence of views in the absence of anyone to hold them is problematic. The existence of the reader is left as an exercise in the second-order coefficient.

    No Guts, No Story! VinDSL © 2010

  7. #7
    Loyal Client
    Join Date
    Jan 2002
    Posts
    224
    lol...

    Sorry, my homepage (dunno how you know it) will be down cos I am basically deleting everything, all my old sites (static HTML) and all my files, and re-uploading all the essential stuff.

    It is massive to me! I haven't seen anything like it first hand; all the files were edited, and it all happened so quickly, but I am glad I spotted it the day it happened, it's the only plus point I guess. I have seen the odd index.html file defaced, but nothing like this. I have multi-hosts and their files are damaged, static HTML files and everything.

    Any ideas how this person could have done this? Apart from a rogue script I mean.

    I found a "main.php" file in my root; it's the file for the shell script I think.

  8. #8
    CTO JPC-Masood's Avatar
    Join Date
    Aug 2002
    Location
    Jaguar Servers
    Posts
    2,070
    Pretty routine stuff. Please go through this security guideline: http://www.jaguarpc.com/support/kbase/731.html to keep yourself protected.

    Masood N. | Chief Technical Officer
    JaguarPC.com


    Helpful Links
    Knowledge Base | Network Status

  9. #9
    Loyal Client
    Join Date
    Jan 2002
    Posts
    224
    Can nobody at JagPC tell me what the cause of this is? Isn't it logged? I posted above what I can find, but I'm no network admin.

    If someone had SSH access, how? I thought it was turned off by default? I certainly wouldn't want it on.

  10. #10
    all about nothing! Frank Broughton's Avatar
    Join Date
    Jan 2006
    Posts
    2,158
    I had my site broken into months ago. I never did find the exact culprit, but I was able to secure the server by making sure all scripts on the site were up to date INCLUDING plugins. I also tweaked the server some and installed some other security apps. If this is a shared server then that will be done already and you just need to check all your installed scripts.

    And be careful - just because a script is up to date does not mean it is safe!

  11. #11
    Old Hillbilly Connie's Avatar
    Join Date
    Sep 2001
    Location
    Hills of Missouri
    Posts
    2,648
    Quote Originally Posted by FreeFall:
        Can nobody at JagPC tell me what the cause of this is? Isn't it logged? I posted above what I can find, but I'm no network admin.

        If someone had SSH access, how? I thought it was turned off by default? I certainly wouldn't want it on.
    SSH should be on by default. If you don't have SSH access, open a ticket. Support will turn it on for you.

    Forum Moderators - Jag Staff

    Spam Whackers Blog - Dedicated to fighting Spam and providing General SEO Tips
    Organize your Kitchen or purchase Kitchen Accessories at Condells
    Ihelpyou Forum - Dedicated to "Best Practices" SEO

  12. #12
    Community Leader jason's Avatar
    Join Date
    Sep 2001
    Location
    Rochester, NY
    Posts
    6,003
    SSH, whether on or off, is only one of many ways to access the system's shell. Another (much more common) way to do it in the case of defacements like this is to exploit a weakness in one of the scripts you are running. For example, someone will scan your site and find out that you are running ABC app, knowing that certain versions of the xyz.php script of that app have a hole whereby sending certain parameters to the script allows unfiltered access to commands such as exec(). So they send those parameters to the script, along with a long list of shell commands that they want to run, and the server runs them exactly the same way as it would have if the culprit somehow managed to get direct SSH access.

    It is impossible to stop this kind of thing from happening at the server level because the shell is required to do anything with the server. No shell means no file access whatsoever--no PHP, no Apache, no email...nothing.

    The way to avoid these kinds of problems is to ensure that no user-provided data is ever sent, without strict filtering first, to any of the shell access functions.

    If you are able to figure out how the culprit managed to get in to your system, you should report it to the developers of whatever app was the cause so that they can check the code and patch it before it happens to too many people.

    --Jason
    Jason Pitoniak
    Interbrite Communications
    www.interbrite.com www.kodiakskorner.com
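As an added example (not from Jason's post, the thread, or any of the applications named in it), here is the pattern Jason describes and its hardened counterpart, written in Python rather than PHP so that it runs stand-alone: a request parameter pasted into a shell command string, next to a version that validates the parameter against a strict allowlist and passes it to the program as a separate argv element so the shell never interprets it. The `report.txt` file, the temporary directory and the `ls -l` command are constructed for the demo and assume a POSIX host.

```python
import re
import subprocess
import tempfile
from pathlib import Path

# Strict allowlist for a file name parameter: letters, digits, dot, dash,
# underscore; must start alphanumeric; at most 64 characters. Nothing a shell
# treats specially (space, ';', '|', '$', quotes, '/') can get through.
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def build_command_unsafe(filename):
    """The vulnerable pattern: user input concatenated into a shell string.

    Whatever the caller appends after a ';' or '|' runs as a second command
    when this string is handed to a shell (exec()/system() in PHP,
    os.system() or subprocess with shell=True in Python). Never execute this.
    """
    return "ls -l " + filename


def is_valid_filename(name):
    """Return True only if name matches the allowlist and cannot climb directories."""
    return bool(SAFE_NAME_RE.match(name)) and ".." not in name


def list_file_safe(directory, name):
    """Hardened version: validate first, then run with an argv list and no shell.

    Returns the command's exit status (0 when the file exists).
    """
    if not is_valid_filename(name):
        raise ValueError("rejected file name: %r" % name)
    target = Path(directory) / name
    # Argv list form: 'name' reaches ls as one argument; no shell parses it.
    result = subprocess.run(["ls", "-l", str(target)],
                            capture_output=True, text=True, check=False)
    return result.returncode


def demo():
    """Create a file in a scratch dir and list it through the hardened path."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "report.txt").write_text("constructed sample content\n")
        return list_file_safe(d, "report.txt")


if __name__ == "__main__":
    # Constructed hostile input, shown only to illustrate what the validator stops.
    hostile = "report.txt; echo injected"
    print("unsafe string a shell would have run:", build_command_unsafe(hostile))
    print("validator accepts it?", is_valid_filename(hostile))   # False
    print("hardened listing exit status:", demo())                # 0
```

The two defences are independent: the allowlist blocks anything unexpected before it reaches the command, and the argv-list call means that even an input the validator missed would be treated as one literal argument rather than as shell syntax.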
