NYCPHP Meetup

NYPHP.org

[nycphp-talk] OpenID is what?

mikesz at qualityadvantages.com mikesz at qualityadvantages.com
Fri Oct 31 01:31:46 EDT 2008


Hello Anirudhsinh,

Friday, October 31, 2008, 12:51:44 PM, you wrote:

> On Thursday 30 October 2008 21:09:18 mikesz at qualityadvantages.com wrote:
>> Hello Ben,
>>
>> Thursday, October 30, 2008, 11:29:27 PM, you wrote:
>> > Hello Mike,
>> >
>> > I think you have your real question here:
>> >
>> > Having been recently hacked and several of my webmaster email account
>> > names being hijacked by spammers, I am looking for viable solutions to
>> > safeguard my websites and the membership of these sites.
>> >
>> > How about fixing the problem, instead of adding new security measures?
>> > Please define "hacked"?
>>
>> Hacked meaning that they, the bad guys, managed to ftp a folder full of
>> porn to one of my subdirectories and it's still a mystery how they did
>> that exactly. The ISP claims they took advantage of an exploit in the
>> php code but has no data to support that claim thus far. So, I can't
>> say that the site authorization was compromised with any certainty.

> To me, this seems manipulation of URL/s on your website that has file 
> uploading feature.

That was essentially what the assumption was by the ISP, they think
that the hacker got in using one of the folders that is required to be
"writable" by the script for stuff like image processing and they
speculated that having gotten in, they simply uploaded their junk to
an obscure folder that contained a single php file. My problem with
that theory is that they cannot produce the hack that let them into
the system, like I would normally see something like this in my
logfiles - /inc/design.inc.php?dir[inc]=http://www.etc

Hackers try to use this technique on some of my sites all the time but
I have plugged that hole and have the script send me an email when
they attempt to piggyback the url. I didn't get one for the hack that
got executed to load the porn onto my site so it's still a matter of
speculation about how it actually got accomplished. No new exploits
have been reported against this software either for that matter. I am
reasonably certain that my site isn't the only one that has been
hijacked by porno peddlers but I can only find references to my site
when I do searches for keywords the bad guys are using.

I do think it might have been a URL manipulation in spite of the fact
that I don't have a log entry to confirm it.

thanks for the reply.

-- 
Best regards,
 mikesz                            mailto:mikesz at qualityadvantages.com
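
The log review described in this message can be automated; the following is an added example, not part of the original post or of the software discussed. It flags access-log requests whose query parameters carry a remote URL (the `dir[inc]=http://...` pattern) and requests for PHP scripts inside writable directories; the Combined Log Format, the `WRITABLE_DIRS` paths and the sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Combined Log Format prefix: ip ident user [time] "METHOD target PROTO" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" (\d{3})')
REMOTE_RE = re.compile(r'^\s*(?:https?|ftp)://', re.I)
# Assumption: the directories this site's scripts must be able to write to.
WRITABLE_DIRS = ("/uploads/", "/cache/")

def classify(line):
    """Return (ip, method, target, status, reasons) for a suspicious line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, target, status = m.groups()
    parts = urlsplit(target)
    reasons = []
    # 1. A query parameter whose value is a remote URL (the dir[inc]=http://... pattern).
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl decodes once; the extra unquote catches %25-style double encoding.
        if REMOTE_RE.match(unquote(value)):
            reasons.append("remote-url-param:" + key)
    # 2. A PHP script requested from a directory that should only hold data files.
    path = unquote(parts.path).lower()
    if path.endswith(".php") and any(d in path for d in WRITABLE_DIRS):
        reasons.append("php-in-writable-dir")
    return (ip, method, target, int(status), reasons) if reasons else None

def scan(lines):
    """Classify every line and keep only the suspicious ones, in log order."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample log lines (documentation IP ranges, example.com hosts).
SAMPLE = [
    '192.0.2.10 - - [30/Oct/2008:10:00:01 -0400] "GET /index.php?page=2 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [30/Oct/2008:10:02:13 -0400] "GET /inc/design.inc.php?dir[inc]=http://www.example.com/x.txt? HTTP/1.1" 200 312',
    '198.51.100.7 - - [30/Oct/2008:10:02:40 -0400] "POST /uploads/img/thumb.php HTTP/1.1" 200 48',
    '192.0.2.10 - - [30/Oct/2008:10:03:00 -0400] "GET /gallery.php?img=uploads/a.jpg HTTP/1.1" 200 900',
    '203.0.113.5 - - [30/Oct/2008:10:05:59 -0400] "GET /inc/design.inc.php?dir%5Binc%5D=http%253A%252F%252Fwww.example.com%252Fx HTTP/1.1" 404 210',
]

if __name__ == "__main__":
    for ip, method, target, status, reasons in scan(SAMPLE):
        print(status, ip, method, target, ",".join(reasons))
```

A parameter that legitimately carries a URL (a return-to link, for instance) will also match the first rule, so hits need to be read alongside the response status and the script that received them.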



