Security and Privacy: Sadly, malware, spyware, hackers and privacy threats abound in today's world. Let's be paranoid and secure our penguins, and slam the doors on privacy exploits.

24th March 2008, 11:28 PM
Registered User
Join Date: Aug 2007
Posts: 26

Website hacked
I am running my website on a Fedora 7 machine.. might be 8.
I wrote my site from scratch, it's about 2 years of work. Someone has copied the entire site and put it up somewhere else.
1. How do I figure out how they got in?
2. How do I prevent this from happening?
I'm looking through ftp logs as that's the most likely entry point.

24th March 2008, 11:36 PM
Administrator
Join Date: Aug 2007
Location: London Postbox (the red one)
Age: 47
Posts: 3,847

Hi, don't know how you can stop someone copying your site, but one way to make a website completely nonhackable is to run the site off a DVD or CD (quite common now); the only problem is if you regularly make changes you can get through a lot of discs.

24th March 2008, 11:38 PM
Administrator
Join Date: Jun 2006
Location: Paris, TX
Posts: 22,309

1) They didn't have to get in. Firefox provides all the tools you need to copy an entire site. The only things they would have missed are pages which are not linked or otherwise visible. To find out if they got in otherwise, try loading something that wasn't visible, but still present, on your original site.
2) There really is no means to stop it, if the thief is determined enough. However, if you really want to put a stop to it, sue the b*stard who did it, then publicize the devil out of the whole ugly mess.
If it makes you feel any better, been there ... done that. Only in my case, they verbatim copied the site, then changed the copyright notices. But failed to read, notice or change the little tell-tales I inserted into the code.
Oooopsy! Expensive mistake!
Dan
Last edited by Dan; 24th March 2008 at 11:40 PM.

25th March 2008, 12:18 AM
Registered User
Join Date: May 2005
Posts: 741

Websites can easily be copied without hacking anything; http is a redundant technology!!
Thing is, you can make it look like you are just requesting a page and by doing so it will be downloaded to view it for you, but instead of viewing it you can also redirect it to a local download (thus downloading the page to the hard drive).
Like Dan said, try to access a page that isn't linked anywhere (for example if you have an index.html which you normally use, but also have an index.html.backup which isn't linked anywhere, then type in your browser: <address of supposed hacker>/index.html.backup and see what happens, or wget the same thing).
Good luck!!
__________________
LINUX NUMBER 389596
machine number 290131

25th March 2008, 12:42 AM
Registered User
Join Date: Apr 2006
Location: Ohio, USA
Posts: 8,298

The other point is this. You have (assuming you are US) a valid copyright on YOUR website pages, even if you didn't put a copyright notice in there. If he's using a web service they'll probably take him down if you make your case to them. Do a lookup (see the IANA website) on his IP.
If he's operating his own website then it will be harder and more expensive. You could have a lawyer write him a forceful letter for a couple hundred $$. Of course the guy IS a low-life and if he/she is living in a scummy country that has no respect for copyright then you have no real recourse. Suing is probably prohibitively expensive unless you really make money from the website.

25th March 2008, 02:07 AM
Registered User
Join Date: Aug 2007
Posts: 26

My site is completely dynamic. It's all generated via php - they stole the source and were generating new pages based off of a new database.

25th March 2008, 02:48 AM
Clueless in a Cuckooland
Join Date: Mar 2006
Location: Here now, elsewhere tomorrow.
Posts: 3,916

Are you sure they didn't just copy the generated pages' content/HTML? From there it's easy to strip stuff to DB/PHP files etc. Unless you can see their actual source code, you can't say how they did it.
What you can do, however, is send them a cease and desist email/letter and inform their ISP/hosting company about the use of copyrighted (stolen) material.
The same thing has happened to me a couple of times. One was done as described above and converted to use SSI, otherwise a 100% copy of the real thing and hosted in Korea. After I contacted the hosting company and the owner of the site that copied mine, giving them a week to comply, the site was gone (actually rebuilt with someone else's content, whom I informed immediately after I noticed that).
In another case, the lot was uploaded as static HTML and was closed down in a day by the hosting company.
If you suspect that your source code and your DB were 'physically' stolen, it's time for you to go through your logs to find out how and when.

25th March 2008, 03:07 AM
Registered User
Join Date: Aug 2007
Posts: 26

Yes. They are generating new content with my code.
I've gone through the secure logs and I don't see any logins into ssh or ftp from other IPs (numerous failed attempts though). I could really use some advice on how to track this down.
I used:
grep "Login s" /var/log/secure
grep "Accepted pass" /var/log/secure
to find all the ssh and ftp logins. I'm now running denyhosts and have shut down ftp -- using sftp for myself now.
I'm also going to set
hosts.allow:
http: ALL
sshd: <my ip>
hosts.deny:
ALL: ALL
I did send them an email and they have taken it down without a response... (for now)
So, that leaves me with an apache security flaw? I'm going through this guide:
http://www.petefreitag.com/item/505.cfm
I really don't know how to verify it's working, nor how to hack apache.
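The log check from the post above, as an added example that is not the poster's own script: it parses constructed /var/log/secure lines (sshd plus a proftpd-style FTP daemon; the log format and the documentation-range IPs are assumed) and, beyond the two greps, cross-references every accepted login against the failed attempts from the same source and against a trusted-IP list, which is the "success after a dictionary attack" pattern the thread is worried about.

```python
import re
from collections import Counter

# Constructed /var/log/secure sample (sshd plus a proftpd-style FTP daemon;
# the log format and the documentation-range IPs are assumed, not real hosts).
SAMPLE_SECURE_LOG = """\
Mar 24 18:02:11 web sshd[2311]: Accepted password for v2k from 203.0.113.5 port 51022 ssh2
Mar 24 18:40:07 web sshd[2390]: Failed password for root from 198.51.100.23 port 4012 ssh2
Mar 24 18:40:09 web sshd[2390]: Failed password for root from 198.51.100.23 port 4013 ssh2
Mar 24 18:40:11 web sshd[2392]: Failed password for admin from 198.51.100.23 port 4014 ssh2
Mar 24 18:40:13 web sshd[2394]: Failed password for invalid user oracle from 198.51.100.23 port 4015 ssh2
Mar 24 19:12:01 web proftpd[2450]: web (198.51.100.23[198.51.100.23]) - USER v2k: Login successful.
Mar 24 21:15:30 web sshd[2610]: Accepted password for v2k from 198.51.100.23 port 4101 ssh2
"""

SSH_ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port")
SSH_FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
FTP_LOGIN = re.compile(r"proftpd\[\d+\]: \S+ \(([^\[]+)\[[^\]]*\]\) - USER (\S+): Login successful")


def audit_logins(log_text, trusted_ips, fail_threshold=3):
    """Return accepted logins, failed attempts per IP and the suspicious subset."""
    accepted = []          # (service, user, ip, timestamp)
    failed = Counter()     # ip -> failed password attempts
    for line in log_text.splitlines():
        stamp = line[:15]  # syslog prefix, e.g. "Mar 24 18:02:11"
        if m := SSH_ACCEPTED.search(line):
            accepted.append(("ssh", m.group(2), m.group(3), stamp))
        elif m := SSH_FAILED.search(line):
            failed[m.group(2)] += 1
        elif m := FTP_LOGIN.search(line):
            accepted.append(("ftp", m.group(2), m.group(1), stamp))
    suspicious = []
    for service, user, ip, stamp in accepted:
        reasons = []
        if ip not in trusted_ips:
            reasons.append("untrusted ip")
        if failed[ip] >= fail_threshold:
            # a success following a burst of failures from the same source is
            # the dictionary-attack pattern suspected in the thread
            reasons.append("success after %d failures" % failed[ip])
        if reasons:
            suspicious.append((service, user, ip, stamp, reasons))
    return {"accepted": accepted, "failed": dict(failed), "suspicious": suspicious}
```

On a real box, feed it `open("/var/log/secure").read()` and your own address as the trusted set; a login flagged for both reasons is the one to investigate first, and an empty accepted list with many failures is consistent with logs having been trimmed, as the next post suggests.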

25th March 2008, 03:58 AM
Registered User
Join Date: Aug 2007
Posts: 26

Here is my Nikto report:
Code:
+ Target Port: 80
+ Start Time: Mon Mar 24 19:46:17 2008
---------------------------------------------------------------------------
- Scan is dependent on "Server" string which can be faked, use -g to override
+ Server: Apache
- Retrieved X-Powered-By header: PHP/5.2.3
- /robots.txt - retrieved but it does not contain any 'disallow' entries, which is odd. This should be checked manually.(GET)
+ /?mod=<script>alert(document.cookie)</script>&op=browse - Sage 1.0b3 is vulnerable to Cross Site Scripting (XSS). CA-2000-02. (GET)
+ / - TRACE option appears to allow XSS or credential theft. See http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details (TRACE)
+ /a?<script>alert('Vulnerable')</script> - Server is vulnerable to Cross Site Scripting (XSS) in the error message if code is passed in the query-string. This may be a Null HTTPd server. (GET)
+ /catinfo?<u><b>TESTING - The Interscan Viruswall catinfo script is vulnerable to Cross Site Scripting (XSS). CA-2000-02. (GET)
+ /index.php?action=storenew&username=<script>alert('Vulnerable')</script> - SunShop is vulnerable to Cross Site Scripting (XSS) in the signup page. CA-200-02. (GET)
+ /index.php?dir=<script>alert('Vulnerable')</script> - Auto Directory Index 1.2.3 and prior are vulnerable to CSS attacks. (GET)
+ /index.php?err=3&email=\"><script>alert(document.cookie)</script> - MySQL Eventum is vulnerable to XSS. OSVDB-12606. (GET)
+ /index.php?file=Liens&op=\"><script>alert('Vulnerable');</script> - Nuked-klan 1.3b is vulnerable to Cross Site Scripting (XSS). CA-2000-02. (GET)
+ /index.php?option=search&searchword=<script>alert(document.cookie);</script> - Mambo Site Server 4.0 build 10 is vulnerable to Cross Site Scripting (XSS). CA-2000-02. (GET)
+ /index.php?rep=<script>alert(document.cookie)</script> - GPhotos index.php rep Variable XSS. OSVDB-25497 (GET)
+ /index.php?vo=\"><script>alert(document.cookie);</script> - Ralusp Sympoll 1.5 is vulnerable to Cross Site Scripting (XSS). CA-2000-02. (GET)
+ /index.php/\"><script><script>alert(document.cookie)</script>< - eZ publish v3 and prior allow Cross Site Scripting (XSS). CA-2000-02. (GET)
+ /index.php/content/advancedsearch/?SearchText=<script>alert(document.cookie)</script>&PhraseSearchText=<script>alert(document.cookie)</script>&SearchContentClassID=-1&SearchSectionID=-1&SearchDate=-1&SearchButton=Search - eZ publish v3 and prior allow Cross Site Scripting (XSS). CA-2000-02. (GET)
+ /index.php/content/search/?SectionID=3&SearchText=<script>alert(document.cookie)</script> - eZ publish v3 and prior allow Cross Site Scripting (XSS). CA-2000-02. (GET)
+ /phpmyadmin/db_details_importdocsql.php?submit_show=true&do=import&docpath=../../../../../../../etc - Needs Auth: (realm "Restricted Files")
+ /search/?SectionIDOverride=1&SearchText=<script>alert(document.cookie);</script> - Redirects to, ezPublish 2.27 is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ /styles/ - May be able to view web styles directory. (GET)
+ /phpmyadmin/ - Needs Auth: (realm "Restricted Files")
+ 2673 items checked - 16 item(s) found on remote host(s)
+ End Time: Mon Mar 24 19:47:39 2008 (82 seconds)
Last edited by v2k; 23rd October 2008 at 07:21 PM.

25th March 2008, 04:45 AM
Registered User
Join Date: May 2004
Location: Central Wyoming
Posts: 637

Likely a brute force ssh dictionary attack - gained root access that way.
Then edited logs to erase evidence.
Denyhosts can help prevent such things.

25th March 2008, 04:47 AM
Registered User
Join Date: Aug 2007
Posts: 26

I wish I could prove that's what it was.
I've closed off ftp and I'm only allowing ssh connections from my IP.
I've disabled http TRACE and installed mod_security. Putting me down to:
Code:
+ Target Port: 80
+ Start Time: Mon Mar 24 20:30:22 2008
---------------------------------------------------------------------------
- Scan is dependent on "Server" string which can be faked, use -g to override
+ Server: Apache
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /phpmyadmin/db_details_importdocsql.php?submit_show=true&do=import&docpath=../../../../../../../etc - Needs Auth: (realm "Restricted Files")
+ /phpmyadmin/ - Needs Auth: (realm "Restricted Files")
+ 2052 items checked - 0 item(s) found on remote host(s)
+ End Time: Mon Mar 24 20:30:45 2008 (23 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

25th March 2008, 01:22 PM
Clueless in a Cuckooland
Join Date: Mar 2006
Location: Here now, elsewhere tomorrow.
Posts: 3,916

Just curious: How do you know they're using your source code?
You don't need to hack the box to hack your application and get the source code. If your application is insecure, e.g. allows unverified query strings (SQL injection attack), or your include scripts are not set executable/are not outside the web server's document root, your box is as secure as a sieve. Just to mention a couple of the most common security flaws.
You should pull down your site until you've done a proper security audit and fixed the problems in it.
To check for sql injection vulnerabilities: http://sqlmap.sourceforge.net/
To help you find out if there was a break in: http://www.porcupine.org/forensics/tct.html
Tips on Apache security: http://httpd.apache.org/docs/2.0/mis...rity_tips.html
There is plenty of info on how to write secure PHP (I assume that's the language you're using); here's one: http://www.securephpwiki.com/index.php/Main_Page
IMHO, if your server itself was broken into, they wouldn't have gone through all the trouble of covering their tracks just to copy your site and publish it on their own servers (well, highly unlikely - unless you know the person who did it); your box would now be part of a botnet serving a more serious purpose than being a source for someone's website.

25th March 2008, 05:41 PM
Registered User
Join Date: Aug 2007
Posts: 26

Thanks, I spent all of yesterday going through such things. I'll continue with your list.
I had various security flaws. I've cleaned up the bulk of them. I think I'm still vulnerable to SQL injection attacks on some levels -- I didn't think this could be used to get the source.
I found out because my code emails me when various things happen. They had a complete copy of my code running on another server -- I started getting updates from their server. They had already modified the login stuff; it looked like they were trying to bridge it with their forums.
I haven't taken my site offline, but I've blocked ftp and ssh via iptables. It only allows my IP to connect. Otherwise, only port 80 is open and 110 outgoing is open as well.
I will be looking to cover the SQL items today.

25th March 2008, 06:18 PM
Clueless in a Cuckooland
Join Date: Mar 2006
Location: Here now, elsewhere tomorrow.
Posts: 3,916

Quote:
Originally Posted by v2k
I think I'm still vulnerable to SQL injection attacks on some levels -- I didn't think this could be used to get the source.
No, it can't usually - unless you store your page code in a database - but it can be used to get all the data (and then some) you are storing and using.
All it takes is for you to use, for example, a header.inc PHP include file in your page templates and not to have set .inc files to be a type of PHP file in your httpd.conf, so that it gets parsed when accessed instead of showing up in plain text.
Either move all files that are not set to be parsed by Apache via AddHandler and AddType directives outside your document root, or rename them to, for example, header.inc.php.
Never forget that security should be built in right from the start, and never, ever trust the user: always validate the input you receive (be that via form fields, hidden or not, or variables passed on the URL). Client-side validation is always just cosmetic; real validation has to be done at the application level, always.
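A check for the include-file exposure described in the post above (and for the "include scripts outside the document root" point in the earlier post): an added example, not from the thread, that reads the AddHandler/AddType lines of a constructed httpd.conf fragment (Fedora php.conf style, assumed) to learn which extensions Apache hands to PHP, then lists files under a constructed document root that would be served verbatim; it also catches backup copies of PHP source (the index.html.backup style of leftover mentioned earlier), which goes beyond the .inc case in the post.

```python
import os
import re

# Constructed httpd.conf fragment in the style of Fedora's php.conf (assumed):
# only the extensions named here are handed to PHP, anything else is served
# as a plain file and its source shows up in the browser.
SAMPLE_HTTPD_CONF = """\
AddHandler php5-script .php
AddType text/html .php
AddType application/x-httpd-php .phtml
"""

# Constructed document-root listing (paths relative to DocumentRoot).
SAMPLE_DOCROOT = [
    "index.php", "header.inc", "lib/db.inc", "lib/db.inc.php",
    "index.php.backup", "config.php~", "styles/main.css",
]

DIRECTIVE = re.compile(r"^\s*(AddHandler|AddType)\s+(\S+)\s+(.+)$", re.I)
BACKUP_SUFFIXES = (".bak", ".backup", ".old", ".orig", ".save", "~")


def php_extensions(conf_text):
    """Extensions Apache will parse as PHP, per AddHandler/AddType lines."""
    exts = set()
    for line in conf_text.splitlines():
        m = DIRECTIVE.match(line)
        if m and "php" in m.group(2).lower():
            exts.update(e.lower() if e.startswith(".") else "." + e.lower()
                        for e in m.group(3).split())
    return exts


def exposed_sources(paths, php_exts):
    """Files under DocumentRoot whose PHP source would be served as text."""
    findings = []
    for path in paths:
        name = os.path.basename(path).lower()
        ext = os.path.splitext(name)[1]
        if ext in php_exts:
            continue                      # parsed by PHP, source not shown
        if ext == ".inc":
            findings.append((path, "include file served verbatim"))
        elif any(name.endswith(s) for s in BACKUP_SUFFIXES) and (
                ".php" in name or ".inc" in name):
            findings.append((path, "backup copy of PHP source served verbatim"))
    return findings
```

Every path it reports should be renamed to a parsed extension (header.inc.php) or moved outside DocumentRoot, as the post advises; on a real server build the path list with os.walk over the DocumentRoot and the extension set from the live httpd.conf and php.conf.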

25th March 2008, 06:26 PM
Registered User
Join Date: Aug 2007
Posts: 26

Quote:
Originally Posted by pete_1967
This doesn't seem to work for me.
All my urls are mangled by apache. So instead of example.com/index.php?q=5 I'm using example.com/5 say.
sqlmap is unable to test against this, i.e.
[10:24:32] [ERROR] sqlmap got 100 results for your Google dork expression, but none of them has parameters to test for SQL injection
I'm concerned about user data in POST scenarios. Are there any tools for testing those?
Current GMT-time: 07:14 (Saturday, 18-05-2013)