+1 (646) 536-9268 VJakimov@Gmail.com

It is really sad that some times even the techies get hacked and its even worse when they don’t know it.! I’ll give you my story

In general I’m considering myself as Internet Security literate as I have some previous experience in misc software development and took a course in University dedicated to Cryptography and Computer Security. But, eventually I get too involved with other things that I forgot the real value of Security.

Today one of my main websites was defaced by some Hacker that really is most probably a young kid in his mid teenage years that didn’t know what to do and found it funny to print his own Graffiti all over my website. In general this type of action is not really considered as Hacking as the hacker ideology is primary concentrated on exploration rather than destruction. Cracker is more likely the correct definition for this type of person.

It was quite embarrassing to see my website defaced and it made me realize that I forgot about the bad side of the internet as it was right in front of me.

It was not the end of the world since I had backup of the whole web hosting account and I was able to restore few days old data to get the site back online.

After I got the website running it was pretty clear that security needed to be increased and the best way to do so is to install Intrusion Detection System (IDS) on my VPS server. The one I found is actually a new product from ConfigServer called eXploit Scanner. This software used regular expressions pattern matching to look for common hacking type of script commands inside my website account space.

What I found was that there were two different PHP based Trojan Horses one sitting right in my image files and one inside my Coppermine Photo Gallery in my Album Userpics. They were both interesting piece of software since they both implemented some type of php-to-shell console script that allowed the attacker to do pretty much everything with your web hosting account not to mention website files.

The file on the first place contained:

#            SuB-ZeRo ShElL               #
#              SuB-ZeRo                   #

//Change User & Password

$tacfgd['uname'] = '';
$tacfgd['pword'] = '';

// Title of page.
$tacfgd['title'] = 'SuB-ZeRo ShElL';

// Text to appear just above login form.
$tacfgd['helptext'] = 'SuB-ZeRo ShElL';

// Set to true to enable the optional remember-me feature, which stores encrypted login details to 
// allow users to be logged-in automatically on their return. Turn off for a little extra security.
$tacfgd['allowrm'] = true;

// If you have multiple protected pages, and there's more than one username / password combination, 
// you need to group each combination under a distinct rmgroup so that the remember-me feature 
// knows which login details to use.
$tacfgd['rmgroup'] = 'default';

// Set to true if you use your own sessions within your protected page, to stop txtAuth interfering. 
// In this case, you _must_ call session_start() before you require() txtAuth. Logging out will not 
// destroy the session, so that is left up to you.
$tacfgd['ownsessions'] = false;

Note that I won’t list the whole code because I don’t want to risk to push your curiosity further than you needed.

The second file very strange as it showed a “JFIF” file header — pretended to be Image file when it was a Trojan Horse. See below some code:

'eng_text1' =>'Executed command',
'eng_text2' =>'Execute command on server',
'eng_text3' =>'Run command',
'eng_text4' =>'Work directory',
'eng_text5' =>'Upload files on server',
'eng_text6' =>'Local file',
'eng_text7' =>'Aliases',
'eng_text8' =>'Select alias',
'eng_butt1' =>'Execute',
'eng_butt2' =>'Upload',
'eng_text9' =>'Bind port to /bin/bash',
'eng_text11'=>'Password for access',
'eng_butt3' =>'Bind',
'eng_butt4' =>'Connect',
'eng_text15'=>'Upload files from remote server',
'eng_text17'=>'Remote file',
'eng_text18'=>'Local file',
'eng_text21'=>' New name',
'eng_text23'=>'Local port',
'eng_text24'=>'Remote host',
'eng_text25'=>'Remote port',
'eng_butt5' =>'Run',
'eng_text28'=>'Work in safe_mode',
'eng_text29'=>'ACCESS DENIED',
'eng_butt6' =>'Change',
'eng_text30'=>'Cat file',
'eng_butt7' =>'Show',
'eng_text31'=>'File not found',
'eng_text32'=>'Eval PHP code',
'eng_text33'=>'Test bypass open_basedir with cURL functions',
'eng_butt8' =>'Test',
'eng_text34'=>'Test bypass safe_mode with include function',
'eng_text35'=>'Test bypass safe_mode with load file in mysql',
'eng_text40'=>'Dump database table',
'eng_butt9' =>'Dump',
'eng_text41'=>'Save dump in file',
'eng_text42'=>'Edit files',
'eng_text43'=>'File for edit',
'eng_text44'=>'Can\'t edit file! Only read access!',
'eng_text45'=>'File saved',
'eng_text46'=>'Show phpinfo()',
'eng_text47'=>'Show variables from php.ini',
'eng_text48'=>'Delete temp files',
'eng_butt11'=>'Edit file',
'eng_text49'=>'Delete script from server',
'eng_text50'=>'View cpu info',
'eng_text51'=>'View memory info',
'eng_text52'=>'Find text',
'eng_text53'=>'In dirs',
'eng_text54'=>'Find text in files',
'eng_text55'=>'Only in files',
'eng_text56'=>'Nothing :(',
'eng_text57'=>'Create/Delete File/Dir',
'eng_text61'=>'File created',
'eng_text62'=>'Dir created',
'eng_text63'=>'File deleted',
'eng_text64'=>'Dir deleted',
'eng_text71'=>"Second commands param is:\r\n- for CHOWN - name of new owner or UID\r\n- for CHGRP - group name or GID\r\n- for CHMOD - 0777, 0755...",
'eng_text72'=>'Text for find',
'eng_text73'=>'Find in folder',
'eng_text74'=>'Find in files',
'eng_text75'=>'* you can use regexp',
'eng_text76'=>'Search text in files via find',
'eng_text77'=>'Show database structure',
'eng_text78'=>'show tables',
'eng_text79'=>'show columns',
'eng_text83'=>'Run SQL query',
'eng_text84'=>'SQL query',

'find suid files'=>'find / -type f -perm -04000 -ls',
'find suid files in current dir'=>'find . -type f -perm -04000 -ls',
'find sgid files'=>'find / -type f -perm -02000 -ls',
'find sgid files in current dir'=>'find . -type f -perm -02000 -ls',
'find config.inc.php files'=>'find / -type f -name config.inc.php',
'find config.inc.php files in current dir'=>'find . -type f -name config.inc.php',
'find config* files'=>'find / -type f -name "config*"',
'find config* files in current dir'=>'find . -type f -name "config*"',
'find all writable files'=>'find / -type f -perm -2 -ls',
'find all writable files in current dir'=>'find . -type f -perm -2 -ls',
'find all writable directories'=>'find /  -type d -perm -2 -ls',
'find all writable directories in current dir'=>'find . -type d -perm -2 -ls',
'find all writable directories and files'=>'find / -perm -2 -ls',
'find all writable directories and files in current dir'=>'find . -perm -2 -ls',
'find all service.pwd files'=>'find / -type f -name service.pwd',
'find service.pwd files in current dir'=>'find . -type f -name service.pwd',
'find all .htpasswd files'=>'find / -type f -name .htpasswd',
'find .htpasswd files in current dir'=>'find . -type f -name .htpasswd',
'find all .bash_history files'=>'find / -type f -name .bash_history',
'find .bash_history files in current dir'=>'find . -type f -name .bash_history',
'find all .mysql_history files'=>'find / -type f -name .mysql_history',
'find .mysql_history files in current dir'=>'find . -type f -name .mysql_history',
'find all .fetchmailrc files'=>'find / -type f -name .fetchmailrc',
'find .fetchmailrc files in current dir'=>'find . -type f -name .fetchmailrc',
'list file attributes on a Linux second extended file system'=>'lsattr -va',
'show opened ports'=>'netstat -an | grep -i listen',
'----------------------------------------------------------------------------------------------------'=>'ls -la'

No need to comment what the second script allows since this text pretty much describes that this is a bad ass Trojan horse that does some nasty things to the infected system.

It was a bit shocking to find that those hacks were more than 4 months old which meant that only God knows how many hackers visited my website! Very bad news!

Anyway, after setting up the IDS system and new anti-virus monitor I hope I don’t have more hacker issues soon.

Now the question is, Is your website secure?