My Site Was Hacked

Forum Moderators: phranque

Message Too Old, No Replies

My Site Was Hacked

Did this happen to anybody else out there?

aramanujan

2:18 pm on Dec 21, 2004 (gmt 0)

I've been running a decent-sized content site (about 500 unique visitors a day) for about 2 years now. This morning I found the site was hacked -- the hacker pretty much replaced all php and htm/html files with his own message saying "this site was defaced." He did not change or delete any other types of files. Nor did he touch the MySql database.

I'm trying to determine how we was able to hack in. I implemented a phpBB message board a few weeks ago and based on other threads on these forum, that seems to have been the problem. But is he was able to get my username and password, I'm wondering why he did not delete the mySQL database. It's a given that I have to change my username/password and I will also remove phpBB from my site. But what else do I need to look out for to ensure that this doesn't repeat itself?

I would appreciate any and all advice.

Thanks,

IanTurner

2:35 pm on Dec 21, 2004 (gmt 0)

Is this the defacement you have on your site?

This site is defaced!

--------------------------------------------------------------------------------

NeverEverNoSanity WebWorm generation 8.

A client of ours who doesn't host on our servers (thank goodness) reported this to me, earlier today.

If it is a worm it could be very, very malicious.

IanTurner

2:36 pm on Dec 21, 2004 (gmt 0)

Their server was Windows 2K with MySQL and PHP also installed.

Were you running Windows servers?

Receptional

2:40 pm on Dec 21, 2004 (gmt 0)

Look at [webmasterworld.com...]

Maybe a security patch needed?

Receptional

2:55 pm on Dec 21, 2004 (gmt 0)

Also
[webmasterworld.com...]

With woprkaround at:
[phpbb.com...]

Dixon.

aramanujan

3:30 pm on Dec 21, 2004 (gmt 0)

Ian -- That is exactly what the message on my site said. To the word.

My hosting service uses Apache/Linux/Php/MySQL.

How malicious exactly is this worm? I don't want to restore my site if this can affect visitors to my site....

txbakers

5:25 pm on Dec 21, 2004 (gmt 0)

I don't mean disresepct, but it's nice to see an Apache/Linux configuration hacked into.

I host on a Windows server and am well aware of all the grief and security issues, and my friends all tell me I'm crazy because Apache/Linux is so much more secure.

You are the second person to report about a hack and defacement on a Linux server.

All I can offer is to make sure patches are up to date and you have a solid password to slow them down.

aramanujan

7:16 pm on Dec 21, 2004 (gmt 0)

No offense taken :-) Two-and-half years on Apache/Linux and this is the first problem I've faced. And I probably contributed to it by installing phpBB and not downloading a security patch. I will still take Unix over Windows anyday...;-)

kpaul

7:26 pm on Dec 21, 2004 (gmt 0)

could also be php related? i hear there's a problem with the serialize command...

[hardened-php.net...]

[news.zdnet.com...] -1009_22-5496086.html

Josefu

11:50 am on Dec 23, 2004 (gmt 0)

This is a PHP problem and nothing but a PHP problem.

cziffra

1:28 pm on Dec 23, 2004 (gmt 0)

More accurately, this is a problem with phpBB. The NeverEverNoSanity worm affects any version of phpBB prior to 2.0.11. It should be noted that this is completely unrelated to recently discovered exploits within PHP itself.

trees

2:19 pm on Dec 23, 2004 (gmt 0)

cziffra & Josefu, you're confusing my brain cell just a lot 8-).

If the PHP application has security issues (ie root exposure), are you saying the PHP environment does not?

Regardless of there being one security issue or two, and regardless of either, are you saying there's justification for fixing one problem but not the other?

This is a PHP problem and nothing but a PHP problem.

More accurately, this is a problem with phpBB. The NeverEverNoSanity worm affects any version of phpBB prior to 2.0.11. It should be noted that this is completely unrelated to recently discovered exploits within PHP itself.

[edited by: engine at 11:06 am (utc) on Jan. 14, 2005]
[edit reason] formatting [/edit]

cziffra

2:38 pm on Dec 23, 2004 (gmt 0)

Regardless of there being one security issue or two, and regardless of either, are you saying there's justification for fixing one problem but not the other?

No, both problems need to be fixed. I was just trying to clear up some confusion. There is a lot of bad information out there about the NeverEverNoSanity worm. I've seen it mentioned on most of the forums I read and many people are falsely attributing it to the vulnerabilities in PHP instead of phpBB.