
Website Technology Issues Forum

    
My Site Was Hacked
Did this happen to anybody else out there?
aramanujan




msg:670025
 2:18 pm on Dec 21, 2004 (gmt 0)

I've been running a decent-sized content site (about 500 unique visitors a day) for about 2 years now. This morning I found the site was hacked -- the hacker pretty much replaced all php and htm/html files with his own message saying "this site was defaced." He did not change or delete any other types of files. Nor did he touch the MySQL database.

I'm trying to determine how he was able to hack in. I implemented a phpBB message board a few weeks ago and based on other threads on this forum, that seems to have been the problem. But if he was able to get my username and password, I'm wondering why he did not delete the MySQL database. It's a given that I have to change my username/password and I will also remove phpBB from my site. But what else do I need to look out for to ensure that this doesn't repeat itself?

I would appreciate any and all advice.

Thanks,

 

IanTurner




msg:670026
 2:35 pm on Dec 21, 2004 (gmt 0)

Is this the defacement you have on your site?

This site is defaced!

--------------------------------------------------------------------------------

NeverEverNoSanity WebWorm generation 8.

A client of ours who doesn't host on our servers (thank goodness) reported this to me, earlier today.

If it is a worm it could be very, very malicious.

IanTurner




msg:670027
 2:36 pm on Dec 21, 2004 (gmt 0)

Their server was Windows 2K with MySQL and PHP also installed.

Were you running Windows servers?

Receptional




msg:670028
 2:40 pm on Dec 21, 2004 (gmt 0)

Look at [webmasterworld.com...]

Maybe a security patch needed?

Receptional




msg:670029
 2:55 pm on Dec 21, 2004 (gmt 0)

Also
[webmasterworld.com...]

With workaround at:
[phpbb.com...]

Dixon.

aramanujan




msg:670030
 3:30 pm on Dec 21, 2004 (gmt 0)

Ian -- That is exactly what the message on my site said. To the word.

My hosting service uses Apache/Linux/PHP/MySQL.

How malicious exactly is this worm? I don't want to restore my site if this can affect visitors to my site....

txbakers




msg:670031
 5:25 pm on Dec 21, 2004 (gmt 0)

I don't mean disrespect, but it's nice to see an Apache/Linux configuration hacked into.

I host on a Windows server and am well aware of all the grief and security issues, and my friends all tell me I'm crazy because Apache/Linux is so much more secure.

You are the second person to report about a hack and defacement on a Linux server.

All I can offer is to make sure patches are up to date and you have a solid password to slow them down.

aramanujan




msg:670032
 7:16 pm on Dec 21, 2004 (gmt 0)

No offense taken :-) Two-and-a-half years on Apache/Linux and this is the first problem I've faced. And I probably contributed to it by installing phpBB and not downloading a security patch. I will still take Unix over Windows any day...;-)

kpaul




msg:670033
 7:26 pm on Dec 21, 2004 (gmt 0)

could also be php related? i hear there's a problem with the serialize command...

[hardened-php.net...]

[news.zdnet.com...] -1009_22-5496086.html

Josefu




msg:670034
 11:50 am on Dec 23, 2004 (gmt 0)

This is a PHP problem and nothing but a PHP problem.

cziffra




msg:670035
 1:28 pm on Dec 23, 2004 (gmt 0)

More accurately, this is a problem with phpBB. The NeverEverNoSanity worm affects any version of phpBB prior to 2.0.11. It should be noted that this is completely unrelated to recently discovered exploits within PHP itself.

trees




msg:670036
 2:19 pm on Dec 23, 2004 (gmt 0)

cziffra & Josefu, you're confusing my brain cell just a lot 8-).

If the PHP application has security issues (i.e. root exposure), are you saying the PHP environment does not?

Regardless of there being one security issue or two, and regardless of either, are you saying there's justification for fixing one problem but not the other?

"This is a PHP problem and nothing but a PHP problem."

"More accurately, this is a problem with phpBB. The NeverEverNoSanity worm affects any version of phpBB prior to 2.0.11. It should be noted that this is completely unrelated to recently discovered exploits within PHP itself."

[edited by: engine at 11:06 am (utc) on Jan. 14, 2005]
[edit reason] formatting [/edit]

cziffra




msg:670037
 2:38 pm on Dec 23, 2004 (gmt 0)

"Regardless of there being one security issue or two, and regardless of either, are you saying there's justification for fixing one problem but not the other?"

No, both problems need to be fixed. I was just trying to clear up some confusion. There is a lot of bad information out there about the NeverEverNoSanity worm. I've seen it mentioned on most of the forums I read and many people are falsely attributing it to the vulnerabilities in PHP instead of phpBB.
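
A triage sketch for the situation in this thread, added here as an example and not code from any poster: it lists the .php/.htm/.html files under a web root that contain the defacement text quoted above, and checks a phpBB version string against the 2.0.11 cutoff given in the thread. The function names and the sample files are constructed for illustration.

```python
import os
import tempfile

# Marker text quoted in the thread; the worm replaced whole files with its own page.
MARKERS = (b"This site is defaced", b"NeverEverNoSanity")
WEB_EXTS = (".php", ".htm", ".html")   # file types the first post says were overwritten
FIXED = (2, 0, 11)                     # per the thread: phpBB before 2.0.11 is affected


def phpbb_affected(version):
    """Numeric comparison; comparing strings would rank '2.0.9' above '2.0.11'."""
    parts = tuple(int(p) for p in version.strip().split("."))
    return parts < FIXED


def find_defaced(root):
    """Return sorted relative paths of web files containing a defacement marker."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(WEB_EXTS):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(65536)   # defacement page is small; cap the read
            except OSError:
                continue                    # unreadable file: skip it
            if any(m in head for m in MARKERS):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def demo():
    """Constructed web root: two defaced files, one clean page, one non-web file."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "forum"))
        samples = {
            "index.html": b"<html>This site is defaced!<hr>NeverEverNoSanity</html>",
            os.path.join("forum", "viewtopic.php"): b"This site is defaced!",
            "about.htm": b"<html>About us</html>",
            "notes.txt": b"This site is defaced!",
        }
        for rel, data in samples.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        return find_defaced(root)


if __name__ == "__main__":
    print(demo())
    print(phpbb_affected("2.0.10"), phpbb_affected("2.0.11"))
```

The file list tells you what to restore from a clean backup; the version check tells you whether the restored board needs upgrading before it goes back online.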
