hacked!!

snooper

Perch
I have a site on win 5 that was hacked today, looks like access via FTP. All kinds of default and index pages were uploaded.

Did anyone else experience anything strange in the last few hours?

This is an example of what we had on our site:
http://www2.virtualjerusalem.com



And more to the point: what can be done to prevent this kind of thing?
 
That is an ASP hack; someone was able to upload an ASP tool to cause this. Those are the classic symptoms of these hacks. Most of the time Turkish.
 
To prevent this, secure any and all ASP upload scripts to limit them to ONLY jpg/gif/bmp/png uploads.
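
The allowlist advice in the reply above, as an added example that is not part of the original thread and not any poster's code. It is written in Python rather than ASP so it can be run offline; the function names and sample uploads are constructed for illustration, and the same checks port to an ASP upload handler.

```python
import os
import re
import secrets

# Allowed extensions, each with the byte signatures a real file of that type starts with.
SIGNATURES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".bmp": (b"BM",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
}
SAFE_STEM = re.compile(r"[a-z0-9_-]{1,64}")

def validate_upload(client_name, data):
    """Return a server-chosen file name for an accepted image, else raise ValueError."""
    # Drop any directory part the client sent, whichever separator it used.
    base = client_name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    stem, ext = os.path.splitext(base)
    if ext not in SIGNATURES:
        raise ValueError("extension not allowed")
    # A plain stem only: rejects names such as index.asp.jpg that carry a second extension.
    if not SAFE_STEM.fullmatch(stem):
        raise ValueError("file name not allowed")
    # The content must start with a signature that belongs to the claimed type.
    if not data.startswith(SIGNATURES[ext]):
        raise ValueError("content does not match extension")
    # Store under a random name so the client never controls the name on disk.
    return secrets.token_hex(16) + ext

def check_samples():
    """Run constructed sample uploads through the validator; return accept/reject per name."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    samples = [
        ("logo.png", png),
        ("default.asp", b"<% placeholder %>"),
        ("index.asp.jpg", b"\xff\xd8\xff\xe0"),
        ("photo.jpg", b"<% placeholder %>"),
        ("C:\\pics\\banner.gif", b"GIF89a" + b"\x00" * 8),
    ]
    results = {}
    for name, body in samples:
        try:
            validate_upload(name, body)
            results[name] = "accepted"
        except ValueError as exc:
            results[name] = "rejected: %s" % exc
    return results

if __name__ == "__main__":
    for name, outcome in check_samples().items():
        print(name, "->", outcome)
```

A signature match is only a prefix check, not proof that the file is a valid image, so the upload folder should also have script execution turned off.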
 
Stephen said:
To prevent this, secure any and all ASP upload scripts to limit them to ONLY jpg/gif/bmp/png uploads.
I hear you, but -

1) how did they find the location of the script?
2) how do they make it go to the root of the site?
 
Location: I have analyzed this about 40-50 times in the last 3 months; it seems Google is the tool of choice, don't ask me how Google finds it.

As for the root of the site, it can get there easily using ASP scripting. It can only go up to the root level of the user in the path; many times when this happens every domain in the user's account is affected. That is why it is so important to have the ASP upload capabilities secured.

Once I saw the hack because someone left an install file for an ASP-based portal; with that install file they were able to issue some commands that allowed them to find other files, something like:
site.com/install.asp?=../../index.asp etc, so there was some file search/browse function to the installer that they knew about and exploited.
 
Interesting.
I have now noticed that it isn't in fact just the root - they managed to get their stuff into ALL the folders (and subfolders) in the site, including the default ones installed with a new site.
 
Yes, some people seem to have nothing better to do with their time than to ruin other people :(
 
snooper, I hope you have requested a restore from the support team. If you do this too late, your hacked files could become a part of our backup images.
 
Yash said:
snooper, I hope you have requested a restore from the support team. If you do this too late, your hacked files could become a part of our backup images.
Thanks Yash, I haven't actually asked, most of the files I deleted myself.

But I did submit a ticket to find out what happened, and I haven't heard anything yet... [RS #BOU-80294-773]
 
Snooper,

I have replied with a full detailed analysis of the hack and how it happened and what the hackers did to attempt to cover their tracks.
 
I just never could understand the mentality of proving a point and destroying (or attempting to) someone's work. Maybe these people are just sick... I wonder why they don't use their "talent" to try and earn some honest money.

I am happy to hear the way Jodo is helping out with this though for you snooper!
 