-
Hood Rich
Web Security Resources
Well. Someone hacked one of my sites. This time, it wasn't an exploit of 3rd party software but a break-in on a custom web page. So, this person knew what they were doing. I found some pre-developed hacker tools installed onto the web location that pretty much gave them carte blanche to do anything possible.
The main problem I have now is in determining how they broke in / where the vulnerability is. I'm pretty sure I had the basics covered (SQL Injection, password includes as .php, etc.).
Does anyone have any links to a good resource for developers that covers standard exploits and how to prevent them?
"We don't estimate speeches." - CBO Director Doug Elmendorf
-
supervillain
It matters on the hack/intrusion device used. Some hacks now are XSS based and it's odd trying to avoid those hacks. I remember when I had my site(s) hacked, backdoored by one page that allowed them to write down to the filesystem by way of buffer overflow. Didn't see that one coming.
I'll see what I can dredge up. There were a few sites that I used to hit, but it's been a while. I can't remember, but one had "eye" in it. I just can't remember the damn site.
-
Senior Member
One of the sites I run was hacked by someone in Turkey last month using a WebDAV exploit.
These files were placed on the server:
a.htm
default.cfm
default.htm
default.html
default.swf
GeertWilders.htm
index.cfm
index.htm
index.html
index.swf
Luckily I don't use any of these default file names in my sites, so the site never changed; I just happened to notice that there were new files on the server that I did not create.
These entries were in the web logs:
2008-05-20 16:30:37 W3SVC29518 WIN104 66.36.182.11 PUT /index.cfm - 80 - 88.224.71.15 HTTP/1.0 Microsoft+Data+Access+Internet+Publishing+Provider +DAV+1.2 - - www.website.com 201 0 0 329 2998 734
2008-05-20 16:30:42 W3SVC29518 WIN104 66.36.182.11 PUT /index.htm - 80 - 88.224.71.15 HTTP/1.0 Microsoft+Data+Access+Internet+Publishing+Provider +DAV+1.2 - - www.website.com 201 0 0 329 2998 531
2008-05-20 16:30:45 W3SVC29518 WIN104 66.36.182.11 PUT /index.html - 80 - 88.224.71.15 HTTP/1.0 Microsoft+Data+Access+Internet+Publishing+Provider +DAV+1.2 - - www.website.com 201 0 0 330 2999 546
2008-05-20 16:31:05 W3SVC29518 WIN104 66.36.182.11 PUT /default.htm - 80 - 88.224.71.15 HTTP/1.0 Microsoft+Data+Access+Internet+Publishing+Provider +DAV+1.2 - - www.website.com 201 0 0 331 3000 593
2008-05-20 16:31:07 W3SVC29518 WIN104 66.36.182.11 PUT /default.html - 80 - 88.224.71.15 HTTP/1.0 Microsoft+Data+Access+Internet+Publishing+Provider +DAV+1.2 - - www.website.com 201 0 0 332 3001 562
2008-05-20 16:31:11 W3SVC29518 WIN104 66.36.182.11 PUT /default.cfm - 80 - 88.224.71.15 HTTP/1.0 Microsoft+Data+Access+Internet+Publishing+Provider +DAV+1.2 - - www.website.com 201 0 0 331 3000 593
2008-05-20 16:31:32 W3SVC29518 WIN104 66.36.182.11 PUT /default.swf - 80 - 88.224.71.15 HTTP/1.0 Microsoft+Data+Access+Internet+Publishing+Provider +DAV+1.2 - - www.website.com 201 0 0 331 3000 500
2008-05-20 16:31:37 W3SVC29518 WIN104 66.36.182.11 PUT /index.swf - 80 - 88.224.71.15 HTTP/1.0 Microsoft+Data+Access+Internet+Publishing+Provider +DAV+1.2 - - www.website.com 201 0 0 329 2998 515
2008-05-20 16:32:08 W3SVC29518 WIN104 66.36.182.11 PUT /GeertWilders.htm - 80 - 88.224.71.15 HTTP/1.0 Microsoft+Data+Access+Internet+Publishing+Provider +DAV+1.2 - - www.website.com 201 0 0 336 3005 500
If you want to make an apple pie from scratch, you must first create the universe. Carl Sagan
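The log lines above show what a successful WebDAV write looks like in an IIS W3C log: a `PUT` from an outside client answered with `201 Created`. The following script is an added example (not code from this thread or from any of the posters) that parses lines in that field layout and flags accepted write-method requests, which is the check a site owner would run over the logs to find this kind of defacement or upload. The sample log lines, host names and IP addresses are constructed for the example; the user-agent is parsed from both ends of the line so that an export where it was split by a space (as in the quoted lines) still parses.

```python
"""Flag successful WebDAV/HTTP write methods in IIS W3C extended log lines.

Added example; the log lines below are constructed to match the field order
seen in the thread (date time s-sitename s-computername s-ip cs-method
cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent)
cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status
sc-bytes cs-bytes time-taken). IPs use documentation ranges.
"""
from collections import Counter

# Methods that create, change or remove server content. A 2xx answer to any
# of these from an anonymous client means the server accepted a write.
WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH"}

LEADING = ["date", "time", "sitename", "computer", "s_ip", "method", "uri",
           "query", "port", "username", "c_ip", "version"]
TRAILING = ["cookie", "referer", "host", "status", "substatus", "win32",
            "sc_bytes", "cs_bytes", "time_taken"]

SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2008-05-20 16:30:37 W3SVC1 WEB01 198.51.100.10 PUT /index.cfm - 80 - 203.0.113.5 HTTP/1.0 Microsoft+Data+Access+Internet+Publishing+Provider+DAV+1.2 - - www.example.com 201 0 0 329 2998 734
2008-05-20 16:30:42 W3SVC1 WEB01 198.51.100.10 PUT /index.htm - 80 - 203.0.113.5 HTTP/1.0 Microsoft+Data+Access+Internet+Publishing+Provider+DAV+1.2 - - www.example.com 201 0 0 329 2998 531
2008-05-20 16:31:05 W3SVC1 WEB01 198.51.100.10 PUT /default.htm - 80 - 203.0.113.5 HTTP/1.0 Microsoft+Data+Access+Internet+Publishing+Provider +DAV+1.2 - - www.example.com 201 0 0 331 3000 593
2008-05-20 16:33:10 W3SVC1 WEB01 198.51.100.10 PUT /upload.txt - 80 - 203.0.113.9 HTTP/1.1 curl/7.18.0 - - www.example.com 403 0 0 1500 240 15
2008-05-20 16:35:01 W3SVC1 WEB01 198.51.100.10 GET /about.htm - 80 - 192.0.2.44 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0) - - www.example.com 200 0 0 4120 310 12
"""


def parse_line(line):
    """Return a dict of fields for one log line, or None for headers/junk.

    The user-agent is the only field that may contain spaces in a damaged
    export, so the fixed fields are taken from the left and right ends and
    whatever remains in the middle is the user-agent.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < len(LEADING) + 1 + len(TRAILING):
        return None
    rec = dict(zip(LEADING, parts[:len(LEADING)]))
    rec["user_agent"] = " ".join(parts[len(LEADING):-len(TRAILING)])
    rec.update(zip(TRAILING, parts[-len(TRAILING):]))
    rec["status"] = int(rec["status"])
    return rec


def find_accepted_writes(lines):
    """Return records for write-method requests the server answered with 2xx."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] in WRITE_METHODS and 200 <= rec["status"] < 300:
            hits.append(rec)
    return hits


def summarise(hits):
    """Group accepted writes by client address and list the paths touched."""
    return {
        "clients": dict(Counter(h["c_ip"] for h in hits)),
        "files": [h["uri"] for h in hits],
    }


if __name__ == "__main__":
    found = find_accepted_writes(SAMPLE_LOG.splitlines())
    for h in found:
        print(f'{h["date"]} {h["time"]} {h["c_ip"]} {h["method"]} {h["uri"]} '
              f'-> {h["status"]} ({h["user_agent"]})')
    print(summarise(found))
```

Run it against a real log with `find_accepted_writes(open(path).readlines())`; the `403` line shows the difference between an attempted and an accepted write, and the `summarise` output gives the client addresses and the list of files to compare against the ones that appeared on the server.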
-
Hood Rich
Thank you. Any leads to a good resource would be appreciated. I've tried googling but I seem to keep ending up on little articles, etc. It just seems like there must be a more comprehensive resource somewhere. Maybe not.
To clarify what happened to me, the hacker had installed a couple of files called "indx.php" and "ind5.php" that were basically FTP UIs with a bunch of additional commands for dumping databases and other bad things. Anyone familiar with those files/systems and how they could be planted? They are in English and Russian and there are references to some Russian sites in the code etc.
"We don't estimate speeches." - CBO Director Doug Elmendorf
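Both incidents in this thread were noticed the same way: files appeared in the web root that the owner never put there. The following is an added example (not code from this thread or from any of the posters) of the baseline check that turns that accident into a routine: hash every file under the web root into a manifest when the site is known to be clean, and later diff a fresh manifest against it to list what was added, changed or removed, with server-executable additions pulled out first. The in-memory sample manifests below are constructed for the example; the file names `indx.php`, `ind5.php` and `GeertWilders.htm` are taken from the posts above, and their contents here are placeholders.

```python
"""Compare a web root against a known-good manifest of file hashes.

Added example. build_manifest() walks a real directory; the BASELINE and
CURRENT manifests below are constructed in memory so the example runs
without touching disk.
"""
import hashlib
import os

# Server-side executable types: an unexpected addition with one of these
# extensions is the first thing to inspect after a break-in.
EXECUTABLE_EXTENSIONS = (".php", ".asp", ".aspx", ".cfm", ".jsp", ".pl", ".cgi")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(root: str) -> dict:
    """Map each file under root (relative, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                manifest[rel] = sha256_hex(fh.read())
    return manifest


def manifest_from_contents(files: dict) -> dict:
    """Build a manifest from an in-memory {path: bytes} mapping (for samples/tests)."""
    return {path: sha256_hex(data) for path, data in files.items()}


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Return sorted lists of added, removed and modified paths."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current
                      if p in baseline and current[p] != baseline[p])
    return {"added": added, "removed": removed, "modified": modified}


def suspicious_additions(diff: dict, extensions=EXECUTABLE_EXTENSIONS) -> list:
    """Additions that the web server would execute rather than just serve."""
    return [p for p in diff["added"] if p.lower().endswith(extensions)]


# Constructed sample: a clean site, then the same site after files were dropped
# and the front page replaced. Contents are placeholders, not real tool code.
BASELINE = manifest_from_contents({
    "index.php": b"<?php include 'lib/page.php'; render_home(); ?>",
    "lib/page.php": b"<?php function render_home() { echo 'home'; } ?>",
    "css/site.css": b"body { margin: 0; }",
    "images/logo.png": b"\x89PNG\r\n\x1a\nplaceholder",
})

CURRENT = manifest_from_contents({
    "index.php": b"<html><body>defaced</body></html>",
    "lib/page.php": b"<?php function render_home() { echo 'home'; } ?>",
    "css/site.css": b"body { margin: 0; }",
    "images/logo.png": b"\x89PNG\r\n\x1a\nplaceholder",
    "indx.php": b"<?php /* placeholder for dropped tool */ ?>",
    "ind5.php": b"<?php /* placeholder for dropped tool */ ?>",
    "GeertWilders.htm": b"<html>placeholder</html>",
})


if __name__ == "__main__":
    report = diff_manifests(BASELINE, CURRENT)
    for kind in ("added", "modified", "removed"):
        for path in report[kind]:
            print(f"{kind:9} {path}")
    print("inspect first:", suspicious_additions(report))
```

In practice the baseline manifest is generated with `build_manifest("/path/to/webroot")` right after a clean deploy and stored off the web server (a manifest kept in the web root can be edited by the same access that dropped the files); the comparison then runs on a schedule and the `added`/`modified` lists go to whoever maintains the site.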
-
supervillain
Did you use an older version of PHP Mailer or PHPizapi?
-
Hood Rich
No. I've never used those.
"We don't estimate speeches." - CBO Director Doug Elmendorf