Posted to users@httpd.apache.org by Don O'Neil <do...@lizardhill.com> on 2006/05/19 08:46:28 UTC

[users@httpd] Hacked Web Site

A customer of mine recently had their web site hacked and the index file
defaced by Milli-Harekat...

http://www.zone-h.org/en/search/what=Milli-Harekat.Org/

Does anyone know the exploit used for this and where to find out about
fixing it? I have a feeling it's a brute force attack of some sort, but I
can't find anything.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Hacked Web Site

Posted by Bill Jones <te...@gmail.com>.
On 5/19/06, Don O'Neil <do...@lizardhill.com> wrote:
> Well I would tend to agree with you, except for the fact that the 3 sites
> did not use any SQL, they were all simple html sites with very little
> content.
>
> I did find something that referenced hidden field injections as well, but
> again, none of the sites had hidden fields.
>
> This is why I am puzzled as to what could be going on here.



What Apache version is being used and what modules are loaded while
the site is in operation?

Is ssh available or is the server "advertising" other services besides http?

Overall there isn't enough information about the "site which was
hacked" to really come up with an attack path or methodologies.

HTH/Sx
-- 
WC (Bill) Jones -- http://youve-reached-the.endoftheinternet.org/



RE: [users@httpd] Hacked Web Site

Posted by Jaqui Greenlees <ja...@yahoo.ca>.
--- Don O'Neil <do...@lizardhill.com> wrote:

> Well I would tend to agree with you, except for the
> fact that the 3 sites
> did not use any SQL, they were all simple html sites
> with very little
> content.
> 
> I did find something that referenced hidden field
> injections as well, but
> again, none of the sites had hidden fields.
> 
> This is why I am puzzled as to what could be going
> on here. 

I wasn't looking at the sites you are hosting, I was
looking at the 3000+ sites listed as being hacked by
them. Most of them are database driven sites, making
SQL injection the most probable vector.
For static HTML, Apache configuration for the hosting
server will very much dictate what happened and how.
The server logs for the time the hack happened will
contain a lot of data to point you at where they found
entry to hack the site.

The error log to show the fails, the access log to
show successful traffic. Look for IP numbers in the
error log that are requesting action that is not
appropriate, then look in the access log for the same
ones. This will show what they tried, and how they
succeeded.
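
Added example, not part of the original thread: one way to do the error-log/access-log correlation described in the message above, in Python. The log lines are constructed samples in Apache 2.0/2.2 error-log and Common Log Format; the addresses, paths, the `min_errors` threshold and the function names are assumptions and do not describe the incident discussed here.

```python
import re
from collections import Counter

# Constructed sample logs (documentation IP ranges, hypothetical paths).
ERROR_LOG = """\
[Fri May 19 01:02:03 2006] [error] [client 203.0.113.7] File does not exist: /var/www/site/admin.php
[Fri May 19 01:02:05 2006] [error] [client 203.0.113.7] client denied by server configuration: /var/www/site/.htpasswd
[Fri May 19 01:02:09 2006] [error] [client 203.0.113.7] File does not exist: /var/www/site/upload.cgi
[Fri May 19 03:10:00 2006] [error] [client 198.51.100.20] File does not exist: /var/www/site/favicon.ico
"""
ACCESS_LOG = """\
203.0.113.7 - - [19/May/2006:01:02:03 -0700] "GET /admin.php HTTP/1.0" 404 208
203.0.113.7 - - [19/May/2006:01:02:11 -0700] "POST /cgi-bin/feedback.cgi HTTP/1.0" 200 312
198.51.100.20 - - [19/May/2006:03:10:00 -0700] "GET /favicon.ico HTTP/1.1" 404 209
198.51.100.20 - - [19/May/2006:03:10:01 -0700] "GET /index.html HTTP/1.1" 200 1024
192.0.2.44 - - [19/May/2006:04:00:00 -0700] "GET /index.html HTTP/1.1" 200 1024
"""

ERR_RE = re.compile(r'^\[[^\]]+\] \[error\] \[client (?P<ip>[0-9a-fA-F.:]+)\] ')
ACC_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
READ_ONLY = {"GET", "HEAD", "OPTIONS"}

def failed_clients(error_log, min_errors=2):
    """Step 1: clients that appear in the error log at least min_errors times."""
    counts = Counter(m.group("ip") for m in map(ERR_RE.match, error_log.splitlines()) if m)
    return {ip: n for ip, n in counts.items() if n >= min_errors}

def successes_for(access_log, suspects):
    """Step 2: requests from those clients that the server answered with 2xx/3xx."""
    hits = []
    for line in access_log.splitlines():
        m = ACC_RE.match(line)
        if m and m.group("ip") in suspects and m.group("status")[0] in "23":
            hits.append((m.group("ip"), m.group("ts"), m.group("method"),
                         m.group("path"), int(m.group("status")),
                         m.group("method") not in READ_ONLY))
    return hits

if __name__ == "__main__":
    suspects = failed_clients(ERROR_LOG)
    for ip, ts, method, path, status, writes in successes_for(ACCESS_LOG, suspects):
        flag = "  <-- state-changing request" if writes else ""
        print(f"{ip} {ts} {method} {path} {status}{flag}")
```

On real logs, narrow both files to the window around the modification time of the defaced file before running the correlation, since a single 404 for `favicon.ico` is ordinary browser noise.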




RE: [users@httpd] Hacked Web Site

Posted by Don O'Neil <do...@lizardhill.com>.
Well I would tend to agree with you, except for the fact that the 3 sites
did not use any SQL, they were all simple html sites with very little
content.

I did find something that referenced hidden field injections as well, but
again, none of the sites had hidden fields.

This is why I am puzzled as to what could be going on here. 

-----Original Message-----
From: Jaqui Greenlees [mailto:jaqui_greenlees@yahoo.ca] 
Sent: Friday, May 19, 2006 12:04 AM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Hacked Web Site


--- Don O'Neil <do...@lizardhill.com> wrote:

> A customer of mine recently had their web site hacked and the index 
> file defaced by Milli-Harekat...
>
> http://www.zone-h.org/en/search/what=Milli-Harekat.Org/
>
> Does anyone know the exploit used for this and where to find out about 
> fixing it? I have a feeling it's a brute force attack of some sort, 
> but I can't find anything.
> 

A look at the zone-h.org/en/filters links for milli-harekat.org gives a
large list of sites they have defaced. A Google search will also give a list
of sites defaced.
They all seem to be SQL injection attacks, which is bad site scripting. Have
your script sanitise all user supplied data to stop SQL injections from
working.

The best way: rebuild the scripts with an abstraction layer between the
actual db calls and the served documents, make sure what comes from the
served documents is not executed as queries, but is inserted as data, then
you can see where the actual attack comes from and charge that person for
their illegal activities.




Re: [users@httpd] Hacked Web Site

Posted by Jaqui Greenlees <ja...@yahoo.ca>.
--- Don O'Neil <do...@lizardhill.com> wrote:

> A customer of mine recently had their web site
> hacked and the index file
> defaced by Milli-Harekat...
>
> http://www.zone-h.org/en/search/what=Milli-Harekat.Org/
>
> Does anyone know the exploit used for this and where
> to find out about
> fixing it? I have a feeling it's a brute force
> attack of some sort, but I
> can't find anything.
> 

A look at the zone-h.org/en/filters links for
milli-harekat.org gives a large list of sites they
have defaced. A Google search will also give a list of
sites defaced.
They all seem to be SQL injection attacks, which is
bad site scripting. Have your script sanitise all user
supplied data to stop SQL injections from working.

The best way: rebuild the scripts with an abstraction
layer between the actual db calls and the served
documents, make sure what comes from the served
documents is not executed as queries, but is inserted
as data, then you can see where the actual attack
comes from and charge that person for their illegal
activities.

Jaqui

Jeff Henager: "If the average user can put a CD in and boot the system and follow the prompts, he can install and use Linux. If he can't do that simple task, he doesn't need to be around technology."
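
Added example, not part of the original thread: a sketch of the "abstraction layer" advice in the message above, using Python's `sqlite3`, with the string-concatenated query shown beside a bound-parameter version. The `pages` table, the `PageStore` class, the 64-character limit and the sample input are all constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory database holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pages (slug TEXT PRIMARY KEY, body TEXT, published INTEGER)")
    db.executemany("INSERT INTO pages VALUES (?, ?, ?)",
                   [("home", "Welcome", 1), ("about", "About us", 1),
                    ("draft", "Unreleased", 0)])
    return db

def find_page_concat(db, slug):
    """The 'before': request data is pasted into the SQL text and parsed as SQL."""
    sql = "SELECT slug FROM pages WHERE published = 1 AND slug = '" + slug + "'"
    return [row[0] for row in db.execute(sql)]

class PageStore:
    """The layer between served documents and the database.

    SQL text exists only here as constants; callers can pass values, never SQL.
    """
    _FIND = "SELECT slug FROM pages WHERE published = 1 AND slug = ?"

    def __init__(self, db):
        self._db = db

    def find(self, slug):
        # Validate shape first, then bind: the driver sends the value as data.
        if not isinstance(slug, str) or len(slug) > 64:
            raise ValueError("slug must be a string of at most 64 characters")
        return [row[0] for row in self._db.execute(self._FIND, (slug,))]

# Constructed request value containing a quote character and SQL keywords.
QUOTED_INPUT = "x' OR slug = 'draft"

if __name__ == "__main__":
    db = make_db()
    print("concatenated:", find_page_concat(db, QUOTED_INPUT))   # unpublished row returned
    print("bound:       ", PageStore(db).find(QUOTED_INPUT))     # no such slug, no rows
    print("bound, valid:", PageStore(db).find("home"))
```

With the concatenated query the `published = 1` filter is bypassed because the input changes the structure of the `WHERE` clause; with the bound parameter the same bytes are only ever compared against the `slug` column.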
