
Whole Web Server Hacked!

Posted: Wed Aug 23, 2006 8:15 am
by jayshields
Just woke up (1:30pm) to a text from a client saying his website has been hacked and replaced with some anti-war stuff. So I'm thinking, sh*t, I've got some extra work to do today...

I log on to check it out, it won't load... neither will my website, or anyone else's on my web server, but I'm logged into FTP, and the files are the same...

I download index.php from the website in question:

Code: Select all

<html>

<head>
<meta http-equiv="Content-Language" content="tr">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1254">
<title>Mavideniz</title>
</head>

<body bgcolor="#000000" text="#808080">
<meta http-equiv="refresh"content="160;URL=http://www.scubaconsult.at/user">
<p align="center"> 
<embed src="http://www.mmavideniz.org/01.mp3" loop="1" autostart="true" hidden "true" width="128" height="128" align="left"></p>
<p align="center">
<font color="#FFFFFF">
<img src="http://www.mavideniz.org/atam.gif" width="152" height="108"></font></p>
<p align="center" style="margin: 0 1"><b>
<font size="7" face="Courier" color="#FFFFFF">HACKED BY METLAK</font></b></p>
<p align="center" style="margin: 0 1"><b>
<font face="Courier" size="7" color="#FFFFFF">NO WAR </font></b></p>
<p align="center" style="margin: 0 1"><b>
<font size="65" face="Courier" color="#ffffff">!!!!!!!!STOP WAR!!!!!!!!</font></b></p>
<p align="center"><font color="#FFFFFF">&nbsp;

<OBJECT ID="MediaPlayer" WIDTH=468 HEIGHT=374 classid="CLSID:22D6F312-B0F6-11D0-94AB-0080C74C7E95"
codebase="http://activex.microsoft.com/activex/controls/mplayer/en/nsmp2inf.cab#Version=6,4,7,1112"
standby="Loading Microsoft Windows Media Player components..."
type="application/x-oleobject">
    <PARAM NAME="FileName" VALUE="http://video.haber7.com/81.wmv">
    <PARAM NAME="ShowControls" VALUE="0">
    <PARAM NAME="ShowDisplay" VALUE="0">
    <PARAM NAME="ShowStatusBar" VALUE="0">
    <PARAM NAME="AutoSize" VALUE="1">
    <Embed type="application/x-mplayer2"
        pluginspage="http://www.microsoft.com/windows/windowsmedia/download/"
        filename="http://video.haber7.com/81.wmv"
        src="http://video.haber7.com/81.wmv"
        Name=MediaPlayer
        ShowControls=0
        ShowDisplay=0
        ShowStatusBar=0
        width=468
        height=351>
    </embed></OBJECT></font></p>
<p align="center"><font face="Courier New, Courier, mono" color="#ffffff">
<img src="http://www.thememoryhole.org/war/gulfwar2/22march-ap.jpg" width="348" height="512"></font></p>
<body onUnLoad="xopentr('http://www.mavideniz.org/forum')">
<Script Language=JavaScript Type="Text/JavaScript">
function xopentr(url_pop)
{
var PopWidth=400;
var PopHeight=300;
var PopLeft = (window.screen.width-PopWidth)/2;
var PopTop = (window.screen.height-PopHeight)/2;
xopenvar=window.open(url_pop,'xopenvar','toolbar=yes,status=yes,menubar=yes,location=yes,
directories=yes,resizable=yes,scrollbars=yes,width='+PopWidth+',
height='+PopHeight+',top='+PopTop+',left='+PopLeft);
}
</Script>
<p align="center"><font color="#00FF00">mavideniz.org/forum açılmıştır.</font></p>

LOL. They've swapped every index.php in my web space for this.

I contact the admin, I told him I can't even view anything on my webspace, he says we got hacked last night, I *think* oops, that's probably my fault, he says, they replaced every index.php file on the whole webserver with a bogus one!

I didn't actually get to see the page, and I can't be bothered wasting my time in loading it myself, but I'm told it had dead kids on it and stuff, sick b*stards.

Is this a common page that hackers are using now? Seems a lot of them refer to war and stuff...

Edit: Put some line breaks in so it doesn't break the forum...

Posted: Wed Aug 23, 2006 8:46 am
by feyd
Antiwar just masks the "I hacked you" showoff.

Defacers are smurf.

Posted: Wed Aug 23, 2006 9:06 am
by onion2k
Just look at that HTML. It's dreadful. Frontpage 5? Two <body> tags? A <meta> in the main content? Font tags? JavaScript without protective comments? No CSS?

Whoever did that is a scriptkiddie loser. No hacker would upload anything that embarrassing.

Posted: Wed Aug 23, 2006 9:29 am
by Oren
Actually, most hackers that do these things are just bored kiddies who read on some tutorial: do this, go there, then do this...
and such, they don't have the slightest idea as to how it works and what they are actually doing - they just follow tutorials, read posts on forums etc...

Posted: Wed Aug 23, 2006 9:46 am
by shiznatix
Oren wrote:Actually, most hackers that do these things are just bored kiddies who read on some tutorial: do this, go there, then do this...
and such, they don't have the slightest idea as to how it works and what they are actually doing - they just follow tutorials, read posts on forums etc...
If your webserver is so easily hacked that someone who has no idea what they are doing can click a few buttons and follow a quick tutorial that they don't understand then I think you should get a new webserver.

Posted: Wed Aug 23, 2006 9:53 am
by onion2k
Oren wrote:Actually, most hackers that do these things are just bored kiddies who read on some tutorial: do this, go there, then do this...
and such, they don't have the slightest idea as to how it works and what they are actually doing - they just follow tutorials, read posts on forums etc...
People who do that aren't hackers.

Posted: Wed Aug 23, 2006 9:59 am
by Oren
shiznatix wrote:If your webserver is so easily hacked that someone who has no idea what they are doing can click a few buttons and follow a quick tutorial that they don't understand then I think you should get a new webserver.
shiznatix: I was talking generally. I don't have my own server, and the servers I've been on have never been hacked :wink:

onion2k: What's your definition for "hacker"?

Posted: Wed Aug 23, 2006 10:17 am
by AngusL
Oren wrote:onion2k: What's your definition for "hacker"?
I, of course, am not onion2k - but check out the Jargon File's hacker entry. Lots of folk who take their programming and computing in general seriously use that definition - using hacker as a good term, meaning someone who knows their way around the computer and can program themselves out of the corner and reserving the derogatory terms cracker and scriptkiddie for the kind of idiots that do this sort of thing (the implication being the hacker could do it better, faster, slicker - but has no interest in doing so). I think it makes for quite a nice distinction, and in fact returns the original meaning of the word.

</rhetoric>

Posted: Wed Aug 23, 2006 10:18 am
by shiznatix
Hacker is a term used to describe different types of computer experts. The media and the general populace typically use the term to mean "computer criminal"; however, in many computer subcultures it simply means "clever programmer", with no connotation of computer security skill. It is also sometimes extended to mean any kind of expert, especially one who has particularly detailed knowledge or cleverly circumvents limits.
I think we qualify as a 'computer subculture' :D

Posted: Wed Aug 23, 2006 10:21 am
by Luke
script kiddies irritate me to no end

Posted: Wed Aug 23, 2006 10:41 am
by daedalus__
AngusL wrote:
Oren wrote:onion2k: What's your definition for "hacker"?
I, of course, am not onion2k - but check out the Jargon File's hacker entry. Lots of folk who take their programming and computing in general seriously use that definition - using hacker as a good term, meaning someone who knows their way around the computer and can program themselves out of the corner and reserving the derogatory terms cracker and scriptkiddie for the kind of idiots that do this sort of thing (the implication being the hacker could do it better, faster, slicker - but has no interest in doing so). I think it makes for quite a nice distinction, and in fact returns the original meaning of the word.

</rhetoric>
Thanks for mentioning that. ^^

Posted: Wed Aug 23, 2006 10:45 am
by Oren
AngusL wrote:I, of course, am not onion2k - but check out the Jargon File's hacker entry. Lots of folk who take their programming and computing in general seriously use that definition - using hacker as a good term, meaning someone who knows their way around the computer and can program themselves out of the corner and reserving the derogatory terms cracker and scriptkiddie for the kind of idiots that do this sort of thing (the implication being the hacker could do it better, faster, slicker - but has no interest in doing so). I think it makes for quite a nice distinction, and in fact returns the original meaning of the word.

</rhetoric>
Agree, but hey... Don't get mad on me only because I don't care much about the hackers' terminology :P

Posted: Wed Aug 23, 2006 12:49 pm
by AngusL
Oren wrote:Agree, but hey... Don't get mad on me only because I don't care much about the hackers' terminology :P
I'm not mad (well, maybe slightly crazy, but that's a different story... :lol:), sorry to come across that way! :oops: Was just trying to help :)

Posted: Wed Aug 23, 2006 1:06 pm
by Grim...
Maybe he knows this guy...

Posted: Wed Aug 23, 2006 1:34 pm
by Ambush Commander
So, did you find out how he did it? It might be a good idea to make your PHP scripts non-writable by other PHP scripts.
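
One way to act on the suggestion above and to spot the kind of mass index.php replacement described at the top of the thread, as an added example that is not part of any post. It assumes PHP runs under a different account from the one that owns the files and that `sha256sum` (GNU coreutils) is available; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes PHP runs as a different account
# from the one that owns the files, and that sha256sum (GNU coreutils) exists.

# List PHP files that group or other users may write to.
writable_php() {
    find "$1" -type f -name '*.php' \( -perm -020 -o -perm -002 \) | sort
}

# Remove group/other write permission from every PHP file under a directory.
lock_php() {
    find "$1" -type f -name '*.php' -exec chmod go-w {} +
}

# Print "<count> <sha256>" for each index.php content shared by more than one
# file: the footprint of every index.php being swapped for the same page.
duplicate_index() {
    find "$1" -type f -name index.php -exec sha256sum {} + |
        awk '{ n[$1]++ } END { for (h in n) if (n[h] > 1) print n[h], h }'
}

# Constructed sample tree: three sites, two of which share one index.php.
make_sample() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/site1" "$root/site2" "$root/site3"
    printf '<?php echo "home";\n' > "$root/site1/index.php"
    printf 'REPLACED\n' > "$root/site2/index.php"
    printf 'REPLACED\n' > "$root/site3/index.php"
    chmod 644 "$root/site1/index.php"
    chmod 666 "$root/site2/index.php" "$root/site3/index.php"
    echo "$root"
}

root=$(make_sample)
echo "Writable by group/other:"; writable_php "$root"
echo "Identical index.php files:"; duplicate_index "$root"
lock_php "$root"
echo "Still writable after lock_php: $(writable_php "$root" | wc -l)"
rm -rf "$root"
```

If PHP runs as the same account that owns the files, removing group and other write bits is not enough; the files would need a separate owner.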