Teams Webpages and Security
(25 posts, started )
Hi guys,

Just a quick note for all of you who have team websites. Please make sure your security is up to date, i.e. no flaws or holes or anything like this. The T7R website has been tampered with, as you can see, so this is just to inform you all: check your software.

Regards

Fordie
#2 - P1lot
These meddlers are scum of the earth!
Thanks to Lippy, we are back up and running now. The index.php file had been changed, and another file had a strange modification date. Again, just a heads up to check your software for updates.
Quote from P1lot :These meddlers are scum of the earth!

Hmm, what's up with your teampage then? The link doesn't work in your sig there...
Quote from Vykos69 :Hmm, what's up with your teampage then? The link doesn't work in your sig there...

It does
Quote from Fordman :It does

I think he was referring to P1lot's sig
Quote from noemfie :I think he was referring to P1lot's sig

:doh:
#9 - P1lot
Ah, but ours is planned maintenance... Honest
Well, at least things are fixed and all fine now
Wanna see a hacked teampage, have a look at ours now.
At least the freak spent us a nice picture.

Some people have too much time.
the T7R site says 'hacked by shadow' to me, unlucky lads
Quote from Vendetta :Well, at least things are fixed and all fine now

I still see a hacked page. Bummer.
it's hacked again.....
Heh, mister shadow has lame html skills; in fact, isn't 'MSHTML' MSWord or Frontpage? Haha, 1337 h4xx0r!!!1!oneone

It was fixed earlier, cos I visited it, but it appears you are still vulnerable Fordy.

<HTML><HEAD><TITLE>( PAGE NOT FOUND) ERROR 404</TITLE>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2800.1106" name=GENERATOR></HEAD>
<BODY bgColor=#000000>
<CENTER>
<P align="center"><IMG height=542 src="http://img225.imageshack.us/img225/9677/shadow2hg.jpg" width=800>
</P>
<P align="center"> </P>
<P align="center"><font face="fantasy"><STRONG><FONT color=#666666 size=+4>Hacked By Shadow</FONT></STRONG></font></P>
<P align="center"><font color="#666666" face="fantasy"><STRONG><FONT size=+3>Thanx - Thehacker</FONT></STRONG></font></P>
<div align="center"><br />

</div>

Presuming mister 1337 h4xx0r reads this; I mean, really dude, for a start you could at least use xhtml, and at the absolute minimum close your bloody tags... Where the hell is your closing HTML tag?
Not to mention STRONG and FONT are so 1997. Get with the times mate, go look up some CSS, and do some research on semantically correct markup.
Sheesh.

I recommend changing all FTP / file management & admin script passwords. Whoever did this is a script kiddie with as much technical ability as my rather tasty spicy chicken wing. If it is a hole in phpnuke, upgrade it after changing password and see if the little prat does it again.
Hahaha, and the proper term is "cracked" anyway, not "hacked". Foo.
Quote from Anarchi-H :Heh, mister shadow has lame html skills; in fact, isn't 'MSHTML' MSWord or Frontpage? Haha, 1337 h4xx0r!!!1!oneone

It was fixed earlier, cos I visited it, but it appears you are still vulnerable Fordy.

<HTML><HEAD><TITLE>( PAGE NOT FOUND) ERROR 404</TITLE>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2800.1106" name=GENERATOR></HEAD>
<BODY bgColor=#000000>
<CENTER>
<P align="center"><IMG height=542 src="http://img225.imageshack.us/img225/9677/shadow2hg.jpg" width=800>
</P>
<P align="center"> </P>
<P align="center"><font face="fantasy"><STRONG><FONT color=#666666 size=+4>Hacked By Shadow</FONT></STRONG></font></P>
<P align="center"><font color="#666666" face="fantasy"><STRONG><FONT size=+3>Thanx - Thehacker</FONT></STRONG></font></P>
<div align="center"><br />

</div>

Presuming mister 1337 h4xx0r reads this; I mean, really dude, for a start you could at least use xhtml, and at the absolute minimum close your bloody tags... Where the hell is your closing HTML tag?
Not to mention STRONG and FONT are so 1997. Get with the times mate, go look up some CSS, and do some research on semantically correct markup.
Sheesh.

I recommend changing all FTP / file management & admin script passwords. Whoever did this is a script kiddie with as much technical ability as my rather tasty spicy chicken wing. If it is a hole in phpnuke, upgrade it after changing password and see if the little prat does it again.

Cheers Anarchi-H
Anarchi-H,

What do you make of this?
Attached files
attack.txt - 2.3 KB - 603 views
Thanks for the pointers guys. This is just what you need on a Wednesday!

Would have found the first exploit earlier, but the provider had just rolled the raw access log into the site stats system.

As we have all the data, I'm reading lots to make sure I don't break anything more important to us while upgrading the phpbb stuff.

Lippy
http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=348139
Quote :There appears to be a new worm on the loose. If your phpBB has been defaced, please do the following:

1. Immediately get full backups of your entire website including phpBB
2. Immediately get full backups of your database
3. Get log files
4. Do not delete anything!
5. Do not use these backups to restore your site.
6. These backups are to be used to send to the Incident Investigation Team, and only the Incident Investigation Team. If the poster asking for logs or backups does not have a Support Team rank, do not do anything they tell you to do.
7. PM NeoThermic or myself to tell us you need assistance. Do not post in support asking for help.
8. Close your website (including phpBB!) until the IIT tells you it is okay to reopen.

I guess that affects users of PHP-Nuke too, isn't it based on phpBB?
Quote from Fordman :What do you make of this?

Looks like the Ronin-style attack. This file which is part of phpBB allows a user to remotely execute code. Usually they apply a wget command to download a file, and then run it. I can't see this in the provided log extract, but you never know.

Check your server for additional files, rootkits, etc. You can use chkrootkit, and rkhunter for this (presuming it's Debian, run apt-get install chkrootkit rkhunter, as root, or a user with similar privs). Check the rest of your logs, including syslog. It's also a good idea to run the rootkit checkers on a cron. Also check the currently running processes for anything funny (ps aux).

I believe there's a patch for this.

Edit: A suggestion would be to run a non-standard package to manage your websites. The more popular site management tools do attract crackers, and it's easier to look through the code for vulnerabilities. I'm no fan of security through obscurity, but custom written websites are harder to crack if you don't provide the source.
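
Added example, not part of the thread or any poster's own code: the changed index.php reported earlier and the advice above to check the server for additional files can both be covered by a hash baseline of the web root that is re-checked on a schedule. Function names and the demo files are hypothetical; hashes are compared rather than modification dates because dates can be reset.

```bash
#!/usr/bin/env bash
# Added example: hash baseline for a web root. Function names and the
# demo files are hypothetical, not taken from the thread.

# Record a SHA-256 for every file under the web root, sorted by path.
make_baseline() {   # usage: make_baseline <webroot> <manifest>
    ( cd "$1" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum ) > "$2"
}

# Compare the live tree with the manifest and print one finding per line.
# Manifest lines are "<64 hex chars>  <path>", so the path starts at column 67.
check_site() {      # usage: check_site <webroot> <manifest>
    local now
    now=$(mktemp)
    make_baseline "$1" "$now"
    awk '
        NR == FNR { old[substr($0, 67)] = $1; next }
        {
            path = substr($0, 67)
            if (!(path in old))       print "ADDED    " path
            else if (old[path] != $1) print "MODIFIED " path
            seen[path] = 1
        }
        END { for (p in old) if (!(p in seen)) print "REMOVED  " p }
    ' "$2" "$now" | sort
    rm -f "$now"
}

# Constructed demo: baseline a two-file site, then tamper with it.
demo() {
    local site manifest
    site=$(mktemp -d)
    manifest=$(mktemp)
    echo '<?php echo "team page"; ?>' > "$site/index.php"
    echo '<?php /* forum */ ?>'       > "$site/viewtopic.php"
    make_baseline "$site" "$manifest"
    echo '<HTML>defaced</HTML>' > "$site/index.php"    # content replaced
    echo 'unexpected' > "$site/dropped.txt"            # file that was never deployed
    check_site "$site" "$manifest"
    rm -rf "$site" "$manifest"
}
demo
```

Keep the manifest somewhere the web server account cannot write, since whoever can replace index.php can also replace a manifest stored beside it.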
Quote from the_angry_angel :I believe there's a patch for this.

It's already been said, ver. above 2.0.15 do not have this vulnerability. Most of phpbb hacks are a result of people using code, which is sometimes even several years old.
Quote from Rumiko :It's already been said, ver. above 2.0.15 do not have this vulnerability. Most of phpbb hacks are a result of people using code, which is sometimes even several years old.

See, now that's the problem with forums/mailing lists. You read past what everyone says and say the same thing. You don't get that issue with IRC.

