DPChallenge Forums >> General Discussion >> My company website hacked?
11/23/2006 04:03:17 PM · #1
I wonder if any geeks here may be able to shed some light on this.

I maintain a company website, which is hosted at Network Solutions. This morning it appeared to be non-functioning; only a white page showed up in IE.

I could still FTP in, so I pulled the entire site down into a temporary directory. I found that a tag had been added to our index.htm page and our home.htm page. The tag was:



If you paste that into your browser you'll see that it resolves to //lahere.com/counter/index.php. If you back up to the root you'll see "UNDER CONSTRUCTIONS", not very good English, although the domain appears to be registered to a guy in Tennessee.

I fixed the site by removing the iframe tag and re-uploading the two pages.

I called Network Solutions to tell them I think they've been hacked, and the guy said they'd had several other calls to that effect already. I was given an email to send the iframe to, but I doubt they'll get back to me.

Can anybody tell me what's up? Do you think someone got access to our space through one of our accounts, or from another way?

This website is for a public company, and there may be some nutjobs targeting it in particular. But also, from my experience with Network Solutions as a host, they have a lot of odd problems and the general IQ seems pretty low.
11/23/2006 04:22:42 PM · #2
You have been compromised.

First two things to do:

Check transfer-log files to see when the index.htm was last uploaded and from where.

Check all input forms to see if they have appropriate sanity checking of input data (i.e. I expect a phone number in the phone number field, anything else is junk, but for all fields).

11/23/2006 04:26:28 PM · #3
Originally posted by alfresco:

You have been compromised.

First two things to do:

Check transfer-log files to see when the index.htm was last uploaded and from where.

Check all input forms to see if they have appropriate sanity checking of input data (i.e. I expect a phone number in the phone number field, anything else is junk, but for all fields).

Thanks, but of course I don't have access to any of this, as far as I know, as Network Solutions is the host. It's their server.
11/23/2006 04:27:58 PM · #4
As an aside, the last forensics I did on a similar case (last week) the bad apple exploited a security hole in phpBB, a common bulletin board script.

The bad apple uploaded a php file that acted as a terminal window, this gave them access to the whole box. From there they were able to snag down the user accounts from the passwd file, after that it was brute force to get in.

Sooooooooo --- if you're on a shared box (more than likely) it may not have been your site that they got in through but your username was available for them to abuse your site.

I've simplified, but that's the gist of it.

Any q's PM me.
11/23/2006 04:31:23 PM · #5
Originally posted by Strikeslip:

Thanks, but of course I don't have access to any of this, as far as I know, as Network Solutions is the host. It's their server.


Demand them. Seriously, demand them. You *must* know why your business was broken in to, they have the information.
11/23/2006 04:33:21 PM · #6
I'll bet you're right. We don't have any bulletin board, but we are on a shared box, and our hosting company probably isn't swift enough to update their software.

I'll give them a call tomorrow. >:-(

Message edited by author 2006-11-23 16:36:29.
11/23/2006 04:37:40 PM · #7
It doesn't have to be a BB, it can be any form asking for input. Guest books, contact us, order forms, etc ... anything can be compromised if the code monkey didn't do any form validation.
11/23/2006 04:40:18 PM · #8
Ohhh --- extremely important: change your password ASAP!!!
11/25/2006 07:29:24 AM · #9
Google led me to this page. I have no relation to the main web site, but my own site (also hosted on Network Solutions) had the same problem as the original poster. I have no forms on my site at all, so it wasn't based on that.

Also, the index.php on that site ends up trying to install several ActiveX controls (I ended up allowing the first few since I was in the process of testing out some things with the NS web page maker and I thought it had to do with that) -- starting off innocently enough with a Microsoft database control, going through some ones named "outlook.exe" and finally "unknown control" from "unknown publisher" -- red flags went up with my security software after that with things trying to modify my registry and startup items (i.e. hack my PC) -- after disallowing them, I bluescreened.

So, yes, this definitely looks like a hack to me, and is unlikely to be specifically targeting your website (mine gets approximately zero traffic).

I'll be following up with Network Solutions myself. I don't have anything else to add solution-wise, so this is mostly an FYI.
11/25/2006 08:32:33 AM · #10
Originally posted by noirsoft:

Google led me to this page. I have no relation to the main web site, but my own site (also hosted on Network Solutions) had the same problem as the original poster. I have no forms on my site at all, so it wasn't based on that.

Also, the index.php on that site ends up trying to install several ActiveX controls (I ended up allowing the first few since I was in the process of testing out some things with the NS web page maker and I thought it had to do with that) -- starting off innocently enough with a Microsoft database control, going through some ones named "outlook.exe" and finally "unknown control" from "unknown publisher" -- red flags went up with my security software after that with things trying to modify my registry and startup items (i.e. hack my PC) -- after disallowing them, I bluescreened.

So, yes, this definitely looks like a hack to me, and is unlikely to be specifically targeting your website (mine gets approximately zero traffic).

I'll be following up with Network Solutions myself. I don't have anything else to add solution-wise, so this is mostly an FYI.

Thank you very much for taking the time to register and post. At least it's 'good' to know we're probably not a target of some nutjob investor or competition. Just a hack.

I've had a couple of emails back and forth with Network Solutions, but they obviously didn't take the time to read my original emails, and I have no interest in taking the time to help them out. With the cost of hosting, money isn't a consideration for us, just time. I'm going to look into an alternate for our hosting, as these guys seem to have a disproportionate amount of 'problems'. Our site is down for a while every month or so, and when I called last time they told me they were under a DoS attack. That seems very odd and quite unlikely to me.

I changed our FTP usernames and passwords, for what that's worth.
11/25/2006 10:39:46 AM · #11
If you do not have your web HTML file permissions set up correctly, anyone can get into your HTML files and change them. A lot of times, people that set up their own web site will have the permissions for a file or directory set wide open (read, write, execute), which allows someone to overwrite one of your files, adding their own, which has links and redirects that take people elsewhere without the person knowing. This is done for two main reasons: identity theft, where they can get logins and passwords or even more personal information, and infecting the users' computers with software that will let them gain access to control it and/or harvest information off of it.

Mike
12/02/2006 02:41:51 PM · #12
I have four sites hosted at Network Solutions that were compromised in the same way. They sent me an email saying they changed my ftp password, but did not let me know about the potential hack. I figured that out by reading this thread. I think we all need to call them and ask for a manager and supervisor and demand to know what happened here and what they're going to do about it.

One of the hacks was slightly different... there was a u (underline) tag after the closing tag followed by a bunch of URLs to viagra sites and such.
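As an added example, not code from this thread or from Network Solutions, here is a small Python scanner for a pulled-down copy of a site that implements the checks these posts describe: an iframe whose src points at a host other than your own (post #1), markup appended after the closing html tag such as the u tag and spam URLs in post #12, and the wide-open permission bits in post #11. The host names in the constructed sample page are placeholders.

```python
import re
import stat
from html.parser import HTMLParser
from urllib.parse import urlparse


class _IframeFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.srcs.extend(v for k, v in attrs if k == "src" and v)


def scan_page(html, own_host):
    """(kind, detail) findings for one page: iframes pointing at a host other
    than own_host (relative srcs have no host and pass), and anything after
    </html>, reported as trailing_url or, if it holds no URL, trailing_markup."""
    findings = []
    finder = _IframeFinder()
    finder.feed(html)
    for src in finder.srcs:
        host = urlparse(src).hostname  # "//host/path" parses like a full URL
        if host and host.lower() != own_host.lower():
            findings.append(("external_iframe", src))
    parts = re.split(r"</html\s*>", html, flags=re.I)
    trailing = parts[-1].strip() if len(parts) > 1 else ""
    if trailing:
        urls = re.findall(r"https?://[^\s\"'<>]+", trailing)
        findings.extend(("trailing_url", u) for u in urls)
        if not urls:
            findings.append(("trailing_markup", trailing[:80]))
    return findings


def world_writable(mode):
    """True if the 'other' write bit is set on an st_mode (post #11's point)."""
    return bool(mode & stat.S_IWOTH)


# Constructed sample (placeholder hosts, not the thread's): one injected iframe
# beside a legitimate relative one, plus spam links appended after </html>.
SAMPLE_PAGE = """<html><body><h1>Acme Corp</h1>
<iframe src="//injected.example/counter/index.php" width=1 height=1></iframe>
<iframe src="news/ticker.htm"></iframe>
</body></html>
<u><a href="http://spam.example/pills">pills</a> http://spam2.example/x</u>
"""
```

To run it over the whole pulled-down directory, walk it with os.walk, pass each .htm/.html file's text to scan_page and each path's os.stat(path).st_mode to world_writable.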