Info on script kiddies and hackers

Ye' old general discussion board. Basically, for everything that isn't covered elsewhere. Come here to shoot the breeze, shoot your mouth off, or whatever suits your fancy.
This forum is not for asking programming related questions.

Moderator: General Moderators

matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Info on script kiddies and hackers

Post by matthijs »

One of the sites I maintain had a file somewhere which was put there by some script kiddie. "Hacked by .." etc. The whole site worked normally and if visitors would not type in the url to that single html file they would not have seen it. So there's not too much damage. However, of course I'd like to find out more about how someone would have been able to get that file there.

I can google for the text I found in that file and there's tons of results so my guess it's a script kiddie who exploited a vulnerability in a script. The site had wordpress on it, and with wordpress' security record in mind, my bet it has been wp's fault.

But are there any good websites were there's more info on these hackers/script kids? Like what you have for virus info?
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Re: Info on script kiddies and hackers

Post by alex.barylski »

I had someone once upload a file disguised as a gif onto my server. The script did nothing but highlight weaknesses on my server (shared at that).

Probably best to share whatever you can with the community and hopefully we all learn something and build awareness. What did the script do? Was it a simple script that said "I'm the best"?

Have you searched for upload vulnerabilities on WP forums? Search Secunia for WordPress and other software vulnerabilities. It's amazing what those guys find/list as vulnerabilities.
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Re: Info on script kiddies and hackers

Post by matthijs »

It was a plain html file with the line "Oops! h4ck3d by W4n73d H4ck3r", a link to an image somewhere and a Spanish text. The image didn't exist so there was not much to be seen.

So there was no code in the file. And a quick google search found many sites with the same. I can't find any info on the wordpress site about this specific case. So I'm not sure it is a wordpress problem, because I'm sure if it were there would have been thousands of results. However, I didn't have anything else running on that domain, so I wouldn't know what else would be the problem.
The folder it was put in did have a 777 setting, so that might have played a role in the exploit. Normally I would not set a folder to 777, but often these open source scripts, like wp in this case, just need the 777 to function. Very annoying.
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Re: Info on script kiddies and hackers

Post by josh »

"someone who isn't me" has done stuff like this before. Usually the webmaster does something stupid like including a file based on user input that allows arbitrary PHP code execution. Assuming you had a good password on your FTP and the box wasn't rooted, the first step would be to compare the file creation times to Apache log file entries, look for URLs with long query strings or repeated requests by the same range of IPs; once you found out the request that was used to gain access, you can replicate it yourself and hopefully debug.

This happens all the time to sites I help maintain. Unfortunately if a client is going to run on free software and then refuse to even pay me to regularly install the security updates.. there's not much hope for 'em, just keep 'em on a separate box from your important clients hah. One of them installed on a Joomla site and added itself to a repository of "exploits", so yeah there's sites that keep track of it and where the script kiddies can "brag", but there's never really much useful info. Most of them are harmless too, and if you find their IP you can file an abuse complaint to their ISP if they were messy in going about it.
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Re: Info on script kiddies and hackers

Post by matthijs »

That's good advice in general. But in this case: as I said there was no single other script on the server. So no other exploit than something in wordpress. Or something else not related to a script on the domain. Maybe something from another domain on the same shared server. Another thing that's also possible is that the client's access to the wordpress admin was compromised. A sniffed password or something. But then I would have expected a bit more damage.

The logs didn't go back far enough to see anything.
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Re: Info on script kiddies and hackers

Post by alex.barylski »

> The folder it was put in did have a 777 setting, so that might have played a role in the exploit. Normally I would not set a folder to 777, but often these open source scripts, like wp in this case, just need the 777 to function. Very annoying.
If it was 777...could have been another user on the same shared server? Ask your host to look into log files.
JAB Creations
DevNet Resident
Posts: 2341
Joined: Thu Jan 13, 2005 6:44 pm
Location: Sarasota Florida

Re: Info on script kiddies and hackers

Post by JAB Creations »

ACCESS LOGS help tremendously. Additionally the only time my site has ever been hacked was when I still had my AWStats public while I was unaware of a nasty bug. Essentially the hackers (some script kiddie punks in Brazil I think) took advantage of the security hole in AWStats (which was patched relatively soon after) to use uncommon HTTP commands that stuck out like a sore thumb in my access logs.

I also recommend checking your FTP logs. If you're not well versed with reading log files you're welcomed to send me a chunk of a day's worth within the general hours of when this occurred and I can help you learn how to read the logs. Spotting abuse is just drop dead simple.

Permissions are also another issue and I always CHMOD until I find the lowest possible permissions that will work.
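An added worked example (my code, not anything posted in this thread) that does what josh and JAB describe: line up Apache access-log entries with the dropped file's mtime, then flag long query strings, request methods other than GET/POST/HEAD (the "uncommon HTTP commands" JAB mentions) and address ranges that hit the site repeatedly in that window. The log lines, addresses, timestamps and mtime are constructed; the combined-log regex, the IPv4-only /24 grouping and the thresholds are my assumptions.

```python
"""Triage an Apache access log around the timestamp of a dropped file.

Added example, not code from this thread. Implements the steps josh and JAB
describe: take the file's mtime, look at requests logged in a window around
it, and flag long query strings, unusual request methods and address ranges
that hit the site repeatedly. Assumes Apache's "combined"/"common" log
format and IPv4 clients; all sample data below is constructed.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# One Apache common/combined log line; trailing referer/agent fields are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
NORMAL_METHODS = {"GET", "POST", "HEAD"}


def parse_line(line):
    """Parse one log line into a dict; return None for lines that don't match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"], _, rec["query"] = rec["target"].partition("?")
    # Group clients by /24 so a kiddie hopping between neighbouring IPs still shows up.
    rec["net24"] = ".".join(rec["ip"].split(".")[:3]) + ".0/24"
    return rec


def triage(lines, file_mtime, window=timedelta(hours=6), max_query=200, burst=5):
    """Return the suspicious entries logged within +/- window of file_mtime."""
    lo, hi = file_mtime - window, file_mtime + window
    hits = {"long_query": [], "odd_method": [], "busy_ranges": {}}
    per_range = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not (lo <= rec["time"] <= hi):
            continue
        per_range[rec["net24"]] += 1
        if len(rec["query"]) > max_query:
            hits["long_query"].append(line)
        if rec["method"] not in NORMAL_METHODS:
            hits["odd_method"].append(line)
    hits["busy_ranges"] = {net: n for net, n in per_range.items() if n >= burst}
    return hits


# Constructed sample: the defaced .html has an mtime of 02:15 on 12 March.
FILE_MTIME = datetime(2008, 3, 12, 2, 15, tzinfo=timezone(timedelta(hours=1)))
SAMPLE_LOG = [
    '198.51.100.4 - - [11/Mar/2008:09:00:00 +0100] "GET / HTTP/1.1" 200 4120',
    '203.0.113.7 - - [12/Mar/2008:02:13:40 +0100] "GET /wp-login.php HTTP/1.1" 200 1802',
    '203.0.113.7 - - [12/Mar/2008:02:13:52 +0100] "GET /index.php?p=' + "A" * 300
    + ' HTTP/1.1" 200 900',
    '203.0.113.9 - - [12/Mar/2008:02:14:05 +0100] "POST /wp-login.php HTTP/1.1" 302 0',
    '203.0.113.9 - - [12/Mar/2008:02:14:30 +0100] "PUT /wp-content/uploads/h4ck3d.html HTTP/1.1" 201 0',
    '203.0.113.9 - - [12/Mar/2008:02:14:33 +0100] "GET /wp-content/uploads/h4ck3d.html HTTP/1.1" 200 310',
    '192.0.2.55 - - [12/Mar/2008:08:30:00 +0100] "GET /about/ HTTP/1.1" 200 2200',
    "not a log line at all",
]

if __name__ == "__main__":
    for kind, entries in triage(SAMPLE_LOG, FILE_MTIME).items():
        print(kind, entries)
```

Run it as-is to see the three buckets on the sample, or feed it `open("access_log")` and the output of `stat` on the dropped file. The window is symmetric because Apache writes the log line when the request finishes, so the file's mtime can sit slightly before the entry that created it.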
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Re: Info on script kiddies and hackers

Post by matthijs »

The thing with the 777. I still find it confusing. I understand perfectly what the numbers stand for and how it works basically (owner, group and world and the permissions read/write/execute). But what makes it so confusing is that at host A you can run wordpress on 755. On host B you need 777. On host A if you ftp some files to the server the owner is X. On host B the owner is Y. If you have some gallery scripts that create their own directories you can even end up with the situation that I can't edit or delete the directories myself anymore!

Some hosts even change in time, probably with upgrades of their server software. I discovered yesterday that the 777 is not needed anymore on that folder. I am 100% sure it used to be. I know for sure, because at the time I had to change it to 777 I was aware of the fact that it would be nicer to have it on a lower permission. So that could either be a change in the way wordpress works or a change in the server config.

And second, who exactly is "world"? Some people like to scare you by saying no don't use 777 because anyone can do anything to your files. But that's not true. It's not like someone can just "$ telnet http://www.yoursite.com write hackersfile.htm 80" or something like that. "world" means all users on the server, doesn't it? And with shared hosts, aren't the separate accounts somehow isolated from each other? I mean, I know shared hosts aren't the safest, but it's not that easy, is it? (maybe I shouldn't ask this :) )

@JAB: thanks for the offer. I'll see if I can find some logs. But the thing is, that file could have been there for a year already.
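Since the question of who "world" is and which directories really need 777 comes up here, an added example (my code, not from anyone in this thread): it walks a web root, reports every world-writable entry with its octal mode, and lists entries owned by a different uid, which is exactly the "gallery script made a directory I can't delete" situation. The demo tree, its paths and the 777/666 modes are constructed for the example.

```python
"""Audit a web root for world-writable entries and files you no longer own.

Added example, not code from this thread. "world" (the last octal digit) means
every other local account on the box: on a shared host that is the web server
user plus all the other customers' PHP/shell processes, not anonymous HTTP
clients. The demo tree built below is constructed; the paths are assumptions.
"""
import os
import stat
import tempfile


def describe_mode(mode):
    """Symbolic form of the permission bits, e.g. 0o755 -> 'rwxr-xr-x'."""
    return stat.filemode(mode)[1:]   # drop the file-type character


def strip_world_write(mode):
    """Drop the 'other' write bit: 777 -> 775, 666 -> 664."""
    return mode & ~stat.S_IWOTH


def audit_tree(root):
    """Walk root and report world-writable entries and entries owned by another uid."""
    me = os.getuid()
    report = {"world_writable": [], "foreign_owner": []}
    entries = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        entries.extend(os.path.join(dirpath, n) for n in dirnames + filenames)
    for full in entries:
        st = os.lstat(full)                      # don't follow symlinks
        rel = os.path.relpath(full, root)
        octal = format(stat.S_IMODE(st.st_mode), "o")
        if st.st_mode & stat.S_IWOTH:
            report["world_writable"].append((rel, octal))
        if st.st_uid != me:
            # e.g. directories created by the web server user, which you then can't delete
            report["foreign_owner"].append((rel, st.st_uid))
    return report


def build_demo():
    """Create a throwaway tree mimicking a blog install with an over-permissive uploads dir."""
    root = tempfile.mkdtemp(prefix="wwwroot-")
    os.mkdir(os.path.join(root, "themes"))
    os.chmod(os.path.join(root, "themes"), 0o755)
    os.mkdir(os.path.join(root, "uploads"))
    os.chmod(os.path.join(root, "uploads"), 0o777)      # the "needs 777 to work" setting
    dropped = os.path.join(root, "uploads", "h4ck3d.html")
    with open(dropped, "w") as fh:
        fh.write("<p>defacement placeholder</p>\n")     # constructed stand-in for the dropped file
    os.chmod(dropped, 0o666)
    return root


if __name__ == "__main__":
    root = build_demo()
    for kind, items in audit_tree(root).items():
        print(kind)
        for rel, info in items:
            print("   ", rel, info)
    # Instead of 777: keep the owner's rwx and let a group the web server
    # belongs to write, or have the host run PHP under your own account.
    print("uploads tightened to", format(strip_world_write(0o777), "o"))
```

Point `audit_tree()` at a real document root and anything in `world_writable` is a place every other account on that server can drop a file; anything in `foreign_owner` explains the directories you can't remove yourself. Whether 755 or 777 "works" depends purely on whether the web server process runs as your uid (host A) or as a shared uid (host B), which is also why a host's PHP handler change can silently make the 777 unnecessary.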
JAB Creations
DevNet Resident
Posts: 2341
Joined: Thu Jan 13, 2005 6:44 pm
Location: Sarasota Florida

Re: Info on script kiddies and hackers

Post by JAB Creations »

But the thing is what? I have all my access logs going back to mid-2005 and if it wasn't for a bad Maxtor hard drive (which forced me to learn about Raid 1 setups and buy four hard drives and a controller) and questionable host practices further back than that. You simply have no clue how much power access logs can give you in these sorts of situations, otherwise you wouldn't have to go looking. IMHO keeping track of your access logs comes second only to ensuring your domain name doesn't expire.

Permissions can be funny...I have encountered a lot of scripts that want CHMOD 757 though typically they tend to work fine with CHMOD 707...though never really 607 or 706. Again that aspect of security isn't my forte.
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Re: Info on script kiddies and hackers

Post by matthijs »

I manage more than 30 sites; if I were to keep track of the log files of all those I'd have a full-time job doing just that. An unpaid job to be precise. I have been paid to build the sites, not to stare at a log file all day :wink:

In this particular case the log files only go back a couple of days. Don't know why.
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Re: Info on script kiddies and hackers

Post by alex.barylski »

> In this particular case the log files only go back a couple of days. Don't know why.
Most shared servers use log rotation to prevent logs from growing to astronomical sizes...
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Re: Info on script kiddies and hackers

Post by josh »

Half of the shared services I've had the pleasure of working with had no open_basedir restrictions or any kind of measure in place to prevent me from directly accessing other users' files. Even if they are using open_basedir you want to make sure your shared host has curl disabled as that can be used to bypass the security restrictions as well. Most of the hosting providers unfortunately just don't care.