Site Was Hacked

#1
[eluser]Jay Logan[/eluser]
I use CodeIgniter on Site A and recently I have used the FTP library to connect to Site B and upload a graphic whenever a change is made through a basic, password-protected admin area. Today, Site B was hacked. Every file on the server has a JS script attached to it.


The script is "bgadf DOT cn". We just changed our FTP password yesterday, so I want to know if the FTP library could have transmitted the server login information somehow. Also, is anyone familiar with that malicious script? Site B is run on ColdFusion, FYI. Thanks for any help.

#2
[eluser]skunkbad[/eluser]
You should check your server logs, and see if the host could possibly provide some information. I'd guess somebody hacked the server, and it wasn't directly related to your code. Windows server? From .... cough .... experience, I can tell you that if the server was a Windows server, and wasn't set up right, you can do anything you want to any account or system file on that server.

#3
[eluser]pmoroom[/eluser]
J-Slim,

I'm sorry to hear about this. I did some googling and really couldn't find much on the script you mentioned. My browser did light up with some of the results though, as most of the results were adult websites, so I imagine this script is used a lot there to get victims etc. This must be pretty new, as the virus DBs I searched didn't make any mention of it.

Good luck and again sorry to hear this.

#4
[eluser]Jay Logan[/eluser]
I'm slowly recovering everything now. I'll have to check the logs tomorrow and see what's been going on. I'm convinced it's not CI though. Probably just some malware on a computer that FTPs to the site. Switching to Linux next week for sure.

#5
[eluser]n0xie[/eluser]
[quote author="J-Slim" date="1250846395"]I'm slowly recovering everything now. I'll have to check the logs tomorrow and see what's been going on. I'm convinced it's not CI though. Probably just some malware on a computer that FTPs to the site. Switching to Linux next week for sure.[/quote]
I'm a big Linux advocate, but statements like these give people a false sense of security, and that is the most dangerous form of security. Yes, Linux is by default more secure, but it's only as secure as you make it. Because you have full control over just about anything, it's easy to shoot yourself in the foot when it comes to security. Don't think Linux just magically solves all security issues for you: it can after a lot of tweaking and configuring, but it's not an 'install and be done with it' kind of thing.

Even though Windows is less secure by default, it can be made secure as well by configuring it properly. Win2008 especially has a pretty good record so far.

#6
[eluser]Jay Logan[/eluser]
Thanks n0xie. But I wasn't saying that I was switching to Linux because I think it's more secure. I'm actually just switching so that we can redo the site in PHP (hopefully CodeIgniter). I'm not even familiar with what servers are more/less secure. But I do know that someone wouldn't be able to attach a JS script to 1,996 of my pages in PHP. That's what happened in CF though. Every HTML file and JS file had it inserted.

But thanks for the tips!

#7
[eluser]Unknown[/eluser]
J-Slim,

Maybe it is Gumblar; take a look at that. It's a virus that installs on your own computer, gets the FTP accounts from your computer and puts JavaScript in every file on the web server.

Good luck.
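The symptom described in posts #1 and #6 (an external script tag appended to every HTML and JS file, nearly two thousand of them) is the kind of thing you want to triage across the whole tree rather than by hand. The following is an added example, not code from the thread or from any of the posters: a Python scanner that walks a web root, flags every file carrying a `<script src=...>` whose host is an indicator domain, and optionally writes the file back with only those tags removed. The domain bgadf.cn is the one named in post #1; the exact shape of the injected tag, the sample files and the `document.write()` wrapper used in the .js sample are constructed assumptions, built in a temporary directory so the script runs offline.

```python
import re
import tempfile
from pathlib import Path

# Assumption: the injected payload is an external <script src=...> tag whose host
# is, or is a subdomain of, an indicator domain. bgadf.cn is the domain named in
# post #1; add your own indicators here.
INDICATOR_DOMAINS = ("bgadf.cn",)

# A <script ... src=... ...></script> pair, case-insensitive. Matched anywhere in
# the file, not just at the end, so a mid-file insert is not missed.
SCRIPT_TAG_RE = re.compile(
    r"<script\b[^>]*\bsrc\s*=\s*['\"]?(?P<src>[^'\"\s>]+)['\"]?[^>]*>\s*</script\s*>",
    re.IGNORECASE,
)

# .cfm is included because the infected site in the thread runs ColdFusion.
SCANNED_SUFFIXES = {".html", ".htm", ".js", ".cfm", ".php"}


def src_is_indicator(src: str) -> bool:
    """True if the script URL's host equals, or is a subdomain of, an indicator domain."""
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", src, flags=re.IGNORECASE)  # drop scheme
    host = host.lstrip("/").split("/", 1)[0].split(":", 1)[0].lower()       # drop path, port
    return any(host == d or host.endswith("." + d) for d in INDICATOR_DOMAINS)


def find_injections(text: str) -> list:
    """Return the src of every script tag in text that points at an indicator domain."""
    return [m.group("src") for m in SCRIPT_TAG_RE.finditer(text) if src_is_indicator(m.group("src"))]


def strip_injections(text: str) -> str:
    """Remove flagged tags only; legitimate external scripts stay untouched."""
    return SCRIPT_TAG_RE.sub(lambda m: "" if src_is_indicator(m.group("src")) else m.group(0), text)


def scan_tree(root: str, clean: bool = False) -> dict:
    """Walk root and return {posix_relative_path: [indicator srcs]} for each infected
    file. With clean=True the infected files are rewritten without the tags; take a
    backup of the tree first, since this rewrites in place."""
    hits = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCANNED_SUFFIXES:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        found = find_injections(text)
        if found:
            hits[path.relative_to(root).as_posix()] = found
            if clean:
                path.write_text(strip_injections(text), encoding="utf-8")
    return hits


def build_sample_site(root: str) -> None:
    """Constructed sample web root: two infected files and one clean one."""
    Path(root, "js").mkdir(parents=True, exist_ok=True)
    Path(root, "index.html").write_text(
        "<html><body><h1>Home</h1>\n"
        '<script src="https://cdn.example.org/jquery.js"></script>\n'  # legitimate, must survive
        "</body></html>\n"
        '<script src="http://bgadf.cn/x.js"></script>\n',  # constructed injected tag
        encoding="utf-8",
    )
    # In .js files the tag is assumed to ride inside a document.write() string.
    Path(root, "js", "app.js").write_text(
        "function init() {}\n"
        "document.write('<script src=\"http://www.bgadf.cn/x.js\"></script>');\n",
        encoding="utf-8",
    )
    Path(root, "about.htm").write_text("<p>clean page</p>\n", encoding="utf-8")


def demo() -> tuple:
    """Scan, clean and rescan the sample tree; return (hits_before, hits_after, cleaned_index)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        before = scan_tree(root, clean=True)
        after = scan_tree(root)
        cleaned_index = Path(root, "index.html").read_text(encoding="utf-8")
    return before, after, cleaned_index


if __name__ == "__main__":
    before, after, _ = demo()
    for rel, srcs in before.items():
        print(f"{rel}: {srcs}")
    print("remaining after clean:", after)
```

Run it with `clean=False` first and read the report; stripping tags in place is only safe once you have a backup and are sure the match list is nothing but the injected payload. Cleaning the files does nothing about the cause (post #7's point): if the FTP credentials were stolen from a workstation, the host rewrites everything again on the next login.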

#8
[eluser]John_Betong[/eluser]
 
http://www.justjoolz.com/blog/?p=58#comments
 
I just helped my son remove a virus from his sites.
 
After a bit of research, three of us came to the conclusion that the virus came from an old copy of Adobe. The virus caused a buffer overload error and managed to get access to the local Windows operating system. The virus nicked server access login details; we are still not sure how the details were transmitted to the virus host, but the result was virus code inserted, which frequently truncated the original code.
 
The virus was removed by replacing the corrupt PHP files.
 

#9
[eluser]Jay Logan[/eluser]
Very interesting. But we use Macs to FTP files. Thought that made us a little safer. Still talking with the host, and they are suggesting we should upgrade to CF8 because our CF7 has a vulnerability that allows injections.


Now, thinking about it, I have Parallels running on my Mac. I guess it's possible it jumped from Windows to Mac to retrieve the FTP password. I'm hoping it was just a CF vulnerability though, because I have about 20 sites created in CodeIgniter that haven't been hit so far.

When my host said "injections", does that mean SQL injections? If so, how can they access FTP information?

#10
[eluser]Johan André[/eluser]
Injection can be SQL injection or "file" injection.
Imagine an upload form that does not block scripts (.php/.php3/.php4/.php5/.exe/.bat etc.)...
A user can easily upload a malicious file and then (once the actual upload path is figured out) execute it through the browser...

I guess you could even write a script that accesses the webroot and you should be able to download / upload however you want...
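The extension denylist sketched in the post above is the classic way this goes wrong: the attacker only needs one extension you forgot, or one filename the server interprets differently from your check. The following is an added example, not code from the thread (and written in Python rather than the thread's PHP/ColdFusion so the two checks can be compared side by side): the denylist as described, next to an allowlist that also verifies the file's magic bytes and never lets the client's filename reach disk. The sample uploads, the assumption that the endpoint only needs images (as the graphic upload in post #1 does), and the helper names are all mine.

```python
import os
import secrets
from typing import Optional

# The check described in the post above, as a denylist of "script" extensions.
SCRIPT_DENYLIST = {"php", "php3", "php4", "php5", "exe", "bat"}

# Allowlist: the only types this endpoint is meant to accept (assumption: images),
# each tied to the magic bytes a file of that type must start with.
ALLOWED_TYPES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Constructed sample contents for the comparison below.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32
SAMPLE_PHP = b"<?php echo shell_exec($_GET['c']); ?>"
SAMPLE_HTACCESS = b"AddType application/x-httpd-php .jpg\n"


def _client_name(filename: str) -> str:
    """Strip any directory part the client sent, whichever separator it used."""
    return os.path.basename(filename.replace("\\", "/"))


def denylist_allows(filename: str) -> bool:
    """Weak check: look at the text after the last dot and refuse it if listed."""
    ext = filename.rsplit(".", 1)[1].lower() if "." in filename else ""
    return ext not in SCRIPT_DENYLIST


def allowlist_allows(filename: str, content: bytes) -> bool:
    """Stronger check: refuse dotfiles, require a non-empty allowlisted final
    extension, and require the bytes to be what that extension promises."""
    name = _client_name(filename)
    if name.startswith("."):            # .htaccess, .user.ini, ...
        return False
    base, dot, ext = name.rpartition(".")
    ext = ext.lower()
    if not dot or not base or ext not in ALLOWED_TYPES:
        return False
    return any(content.startswith(sig) for sig in ALLOWED_TYPES[ext])


def storage_name(filename: str, content: bytes) -> Optional[str]:
    """Name used on disk: a random token plus the validated extension. The client's
    own name never reaches the filesystem, so it cannot steer the path or smuggle
    extra extensions into a directory that executes them."""
    if not allowlist_allows(filename, content):
        return None
    ext = _client_name(filename).rpartition(".")[2].lower()
    return f"{secrets.token_hex(16)}.{ext}"


def compare() -> dict:
    """Run both checks over constructed uploads; returns {name: (denylist, allowlist)}."""
    uploads = [
        ("photo.jpg", SAMPLE_JPEG),        # legitimate image
        ("shell.php", SAMPLE_PHP),         # the case the denylist was written for
        ("shell.phtml", SAMPLE_PHP),       # extension the denylist forgot; mod_php often maps it
        ("shell.php.", SAMPLE_PHP),        # Windows drops the trailing dot when saving
        ("shell.php.jpg", SAMPLE_PHP),     # some Apache AddHandler setups honour every extension
        (".htaccess", SAMPLE_HTACCESS),    # reconfigures the directory to run .jpg as PHP
        ("fake.jpg", SAMPLE_PHP),          # right extension, wrong bytes
    ]
    return {name: (denylist_allows(name), allowlist_allows(name, data)) for name, data in uploads}


if __name__ == "__main__":
    for name, (weak, strong) in compare().items():
        print(f"{name:16} denylist={weak!s:5} allowlist={strong}")
```

Of the seven constructed uploads, the denylist stops exactly one; the allowlist passes only the real image. Even then, store uploads outside the web root (or in a directory where script execution is disabled at the server level) and serve them through a handler, so that a bypass of the name check still does not hand the attacker code execution.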



