Whole Web Server Hacked!

jayshields
DevNet Resident
Posts: 1912
Joined: Mon Aug 22, 2005 12:11 pm
Location: Leeds/Manchester, England

Post by jayshields »

Just woke up (1:30pm) to a text from a client saying his website has been hacked and replaced with some anti-war stuff. So I'm thinking, sh*t, I've got some extra work to do today...

I log on to check it out, it won't load... neither will my website, or anyone else's on my web server, but I'm logged into FTP, and the files are the same...

I download index.php from the website in question:

Code:

<html>

<head>
<meta http-equiv="Content-Language" content="tr">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1254">
<title>Mavideniz</title>
</head>

<body bgcolor="#000000" text="#808080">
<meta http-equiv="refresh"content="160;URL=http://www.scubaconsult.at/user">
<p align="center"> 
<embed src="http://www.mmavideniz.org/01.mp3" loop="1" autostart="true" hidden "true" width="128" height="128" align="left"></p>
<p align="center">
<font color="#FFFFFF">
<img src="http://www.mavideniz.org/atam.gif" width="152" height="108"></font></p>
<p align="center" style="margin: 0 1"><b>
<font size="7" face="Courier" color="#FFFFFF">HACKED BY METLAK</font></b></p>
<p align="center" style="margin: 0 1"><b>
<font face="Courier" size="7" color="#FFFFFF">NO WAR </font></b></p>
<p align="center" style="margin: 0 1"><b>
<font size="65" face="Courier" color="#ffffff">!!!!!!!!STOP WAR!!!!!!!!</font></b></p>
<p align="center"><font color="#FFFFFF">&nbsp;

<OBJECT ID="MediaPlayer" WIDTH=468 HEIGHT=374 classid="CLSID:22D6F312-B0F6-11D0-94AB-0080C74C7E95"
codebase="http://activex.microsoft.com/activex/controls/mplayer/en/nsmp2inf.cab#Version=6,4,7,1112"
standby="Loading Microsoft Windows Media Player components..."
type="application/x-oleobject">
    <PARAM NAME="FileName" VALUE="http://video.haber7.com/81.wmv">
    <PARAM NAME="ShowControls" VALUE="0">
    <PARAM NAME="ShowDisplay" VALUE="0">
    <PARAM NAME="ShowStatusBar" VALUE="0">
    <PARAM NAME="AutoSize" VALUE="1">
    <Embed type="application/x-mplayer2"
        pluginspage="http://www.microsoft.com/windows/windowsmedia/download/"
        filename="http://video.haber7.com/81.wmv"
        src="http://video.haber7.com/81.wmv"
        Name=MediaPlayer
        ShowControls=0
        ShowDisplay=0
        ShowStatusBar=0
        width=468
        height=351>
    </embed></OBJECT></font></p>
<p align="center"><font face="Courier New, Courier, mono" color="#ffffff">
<img src="http://www.thememoryhole.org/war/gulfwar2/22march-ap.jpg" width="348" height="512"></font></p>
<body onUnLoad="xopentr('http://www.mavideniz.org/forum')">
<Script Language=JavaScript Type="Text/JavaScript">
function xopentr(url_pop)
{
var PopWidth=400;
var PopHeight=300;
var PopLeft = (window.screen.width-PopWidth)/2;
var PopTop = (window.screen.height-PopHeight)/2;
xopenvar=window.open(url_pop,'xopenvar','toolbar=yes,status=yes,menubar=yes,location=yes,
directories=yes,resizable=yes,scrollbars=yes,width='+PopWidth+',
height='+PopHeight+',top='+PopTop+',left='+PopLeft);
}
</Script>
<p align="center"><font color="#00FF00">mavideniz.org/forum açılmıştır.</font></p>

LOL. They've swapped every index.php in my web space for this.

I contact the admin, I told him I can't even view anything on my webspace, he says we got hacked last night, I *think* oops, that's probably my fault, he says, they replaced every index.php file on the whole webserver with a bogus one!

I didn't actually get to see the page, and I can't be bothered wasting my time in loading it myself, but I'm told it had dead kids on it and stuff, sick b*stards.

Is this a common page that hackers are using now? Seems a lot of them refer to war and stuff...

Edit: Put some line breaks in so it doesn't break the forum...
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Antiwar just masks the "I hacked you" showoff.

Defacers are smurf.
onion2k
Jedi Mod
Posts: 5263
Joined: Tue Dec 21, 2004 5:03 pm
Location: usrlab.com

Post by onion2k »

Just look at that HTML. It's dreadful. Frontpage 5? Two <body> tags? A <meta> in the main content? Font tags? JavaScript without protective comments? No CSS?

Whoever did that is a scriptkiddie loser. No hacker would upload anything that embarrassing.
Oren
DevNet Resident
Posts: 1640
Joined: Fri Apr 07, 2006 5:13 am
Location: Israel

Post by Oren »

Actually, most hackers that do these things are just bored kiddies who read on some tutorial: do this, go there, then do this...
and such, they don't have the slightest idea as to how it works and what they are actually doing - they just follow tutorials, read posts on forums etc...
shiznatix
DevNet Master
Posts: 2745
Joined: Tue Dec 28, 2004 5:57 pm
Location: Tallinn, Estonia

Post by shiznatix »

Oren wrote:Actually, most hackers that do these things are just bored kiddies who read on some tutorial: do this, go there, then do this...
and such, they don't have the slightest idea as to how it works and what they are actually doing - they just follow tutorials, read posts on forums etc...
If your webserver is so easily hacked that someone who has no idea what they are doing can click a few buttons and follow a quick tutorial that they don't understand then I think you should get a new webserver.
onion2k
Jedi Mod
Posts: 5263
Joined: Tue Dec 21, 2004 5:03 pm
Location: usrlab.com

Post by onion2k »

Oren wrote:Actually, most hackers that do these things are just bored kiddies who read on some tutorial: do this, go there, then do this...
and such, they don't have the slightest idea as to how it works and what they are actually doing - they just follow tutorials, read posts on forums etc...
People who do that aren't hackers.
Oren
DevNet Resident
Posts: 1640
Joined: Fri Apr 07, 2006 5:13 am
Location: Israel

Post by Oren »

shiznatix wrote:If your webserver is so easily hacked that someone who has no idea what they are doing can click a few buttons and follow a quick tutorial that they don't understand then I think you should get a new webserver.
shiznatix: I was talking generally. I don't have my own server, and the servers I've been on have never been hacked :wink:

onion2k: What's your definition for "hacker"?
AngusL
Forum Contributor
Posts: 155
Joined: Fri Aug 20, 2004 4:28 am
Location: Falkirk, Scotland

Post by AngusL »

Oren wrote:onion2k: What's your definition for "hacker"?
I, of course, am not onion2k - but check out the Jargon File's hacker entry. Lots of folk who take their programming and computing in general seriously use that definition - using hacker as a good term, meaning someone who knows their way around the computer and can program themselves out of the corner and reserving the derogatory terms cracker and scriptkiddie for the kind of idiots that do this sort of thing (the implication being the hacker could do it better, faster, slicker - but has no interest in doing so). I think it makes for quite a nice distinction, and in fact returns the original meaning of the word.

</rhetoric>
shiznatix
DevNet Master
Posts: 2745
Joined: Tue Dec 28, 2004 5:57 pm
Location: Tallinn, Estonia

Post by shiznatix »

Hacker is a term used to describe different types of computer experts. The media and the general populace typically use the term to mean "computer criminal"; however, in many computer subcultures it simply means "clever programmer", with no connotation of computer security skill. It is also sometimes extended to mean any kind of expert, especially one who has particularly detailed knowledge or cleverly circumvents limits.
I think we qualify as a 'computer subculture' :D
Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

Script kiddies irritate me to no end
daedalus__
DevNet Resident
Posts: 1925
Joined: Thu Feb 09, 2006 4:52 pm

Post by daedalus__ »

AngusL wrote:
Oren wrote:onion2k: What's your definition for "hacker"?
I, of course, am not onion2k - but check out the Jargon File's hacker entry. Lots of folk who take their programming and computing in general seriously use that definition - using hacker as a good term, meaning someone who knows their way around the computer and can program themselves out of the corner and reserving the derogatory terms cracker and scriptkiddie for the kind of idiots that do this sort of thing (the implication being the hacker could do it better, faster, slicker - but has no interest in doing so). I think it makes for quite a nice distinction, and in fact returns the original meaning of the word.

</rhetoric>
Thanks for mentioning that. ^^
Oren
DevNet Resident
Posts: 1640
Joined: Fri Apr 07, 2006 5:13 am
Location: Israel

Post by Oren »

AngusL wrote:I, of course, am not onion2k - but check out the Jargon File's hacker entry. Lots of folk who take their programming and computing in general seriously use that definition - using hacker as a good term, meaning someone who knows their way around the computer and can program themselves out of the corner and reserving the derogatory terms cracker and scriptkiddie for the kind of idiots that do this sort of thing (the implication being the hacker could do it better, faster, slicker - but has no interest in doing so). I think it makes for quite a nice distinction, and in fact returns the original meaning of the word.

</rhetoric>
Agree, but hey... Don't get mad at me only because I don't care much about the hackers' terminology :P
AngusL
Forum Contributor
Posts: 155
Joined: Fri Aug 20, 2004 4:28 am
Location: Falkirk, Scotland

Post by AngusL »

Oren wrote:Agree, but hey... Don't get mad at me only because I don't care much about the hackers' terminology :P
I'm not mad (well, maybe slightly crazy, but that's a different story... :lol:), sorry to come across that way! :oops: Was just trying to help :)
Grim...
DevNet Resident
Posts: 1445
Joined: Tue May 18, 2004 5:32 am
Location: London, UK

Post by Grim... »

Maybe he knows this guy...
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

So, did you find out how he did it? It might be a good idea to make your PHP scripts non-writable by other PHP scripts.
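
An added example, not part of any post in this thread: a small audit that covers both the symptom described in the first post (every index.php on the server swapped for one identical file) and the permission check suggested in the last post. It assumes PHP runs as a different user from the file owner, so only group/other write bits are checked; the function names, site directories and file contents are constructed for illustration.

```python
import hashlib
import os
import stat
import tempfile
from collections import defaultdict

def audit_webroot(root, name="index.php"):
    """Return (mass_replaced, loosely_writable) for every `name` under root.

    mass_replaced: {sha256: [paths]} for identical files found in 2+ directories.
    loosely_writable: paths whose mode lets group or other write to them.
    """
    by_hash = defaultdict(list)
    writable = []
    for dirpath, _dirs, files in os.walk(root):
        if name not in files:
            continue
        path = os.path.join(dirpath, name)
        st = os.lstat(path)
        if not stat.S_ISREG(st.st_mode):
            continue  # skip symlinks and other non-regular files
        with open(path, "rb") as fh:
            by_hash[hashlib.sha256(fh.read()).hexdigest()].append(path)
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            writable.append(path)
    mass = {h: sorted(p) for h, p in by_hash.items() if len(p) > 1}
    return mass, sorted(writable)

def build_sample(root):
    """Constructed sample: three sites, two sharing one replaced index.php."""
    pages = {"site_a": b"<html>HACKED</html>", "site_b": b"<html>HACKED</html>",
             "site_c": b"<?php echo 'shop home'; ?>"}
    modes = {"site_a": 0o666, "site_b": 0o644, "site_c": 0o644}
    for site, body in pages.items():
        os.makedirs(os.path.join(root, site))
        path = os.path.join(root, site, "index.php")
        with open(path, "wb") as fh:
            fh.write(body)
        os.chmod(path, modes[site])  # chmod sets the exact mode, ignoring umask

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        mass, writable = audit_webroot(root)
        rel = lambda p: os.path.relpath(p, root)
        return [sorted(map(rel, v)) for v in mass.values()], [rel(p) for p in writable]

if __name__ == "__main__":
    print(demo())
```

Identical index.php files can also be legitimate, for example several sites running the same stock CMS file, so a hit is a prompt to compare against a known-good copy rather than proof of defacement.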