Two days ago my wife was notified by one of her customers of a defacement of their site. Obviously this kind of thing always happens when I'm ill, and the last thing I want to be doing is dealing with some random hacker. This post is about what I found and why it should motivate people to keep their websites updated with the latest security fixes and practices at all times.
As far as I'm aware no sensitive data was accessed, nor was any serious damage done other than a few index.html files being overwritten. The only real loss is the Joomla site that was broken into: the owner is on holiday and hadn't updated it for a while, so suffice it to say it's down for the time being.
The defacement was the work of the hacker group 1923turk-grup. The following are some of my findings.
[First activity seen]
/var/log/httpd/ispconfig_access_log_2009_10_20:www.hackedsite.nl||||2639||||220.127.116.11 - - [20/Oct/2009:20:03:30 +0100] "GET /index.php?option=com_user&view=remind HTTP/1.1" 200 2639 "http://www.google.com.br/search?hl=pt-BR&q=inurl:%3Foption%3Dcom_user++intitle:.nl&start=20&sa=N"
The attacker used Google to find a vulnerable site (note the inurl: dork in the referer). According to the User-Agent string the attacker runs Windows XP with IE7 and every version of .NET known to mankind. That is, if the string wasn't spoofed…
LESSON #1 : Protect admin pages from being spidered. Use robots.txt to keep well-behaved crawlers away and .htaccess to actually deny access, because robots.txt is advisory only and an attacker's own tooling will ignore it. Note that the dork used here targets the public com_user page rather than the admin area, so hiding paths is only a first hurdle.
/var/log/httpd/ispconfig_access_log_2009_10_20:www.hackedsite.nl||||2767||||18.104.22.168 - - [20/Oct/2009:20:03:50 +0100] "GET //index.php?option=com_user&view=reset&layout=confirm HTTP/1.1" 200 2767 "-"
/var/log/httpd/ispconfig_access_log_2009_10_20:www.hackedsite.nl||||-||||22.214.171.124 - - [20/Oct/2009:20:04:30 +0100] "POST //index.php?option=com_user&task=confirmreset HTTP/1.1" 301 - "http://www.hackedsite.nl//index.php?option=com_user&view=reset&layout=confirm"
# Another 301
/var/log/httpd/ispconfig_access_log_2009_10_20:www.hackedsite.nl||||2731||||126.96.36.199 - - [20/Oct/2009:20:04:30 +0100] "GET /index.php?option=com_user&view=reset&layout=complete HTTP/1.1" 200 2731 "http://www.hackedsite.nl//index.php?option=com_user&view=reset&layout=confirm"
/var/log/httpd/ispconfig_access_log_2009_10_20:www.hackedsite.nl||||696||||188.8.131.52 - - [20/Oct/2009:20:04:30 +0100] "GET /templates/avant1/js/ffont-config.js.php?pfad=%2Ftemplates%2Favant1&color1=%236699CC&color2=%2399CCFF&font=font6 HTTP/1.1" 200 696 "http://www.hackedsite.nl/index.php?option=com_user&view=reset&layout=complete"
/var/log/httpd/ispconfig_access_log_2009_10_20:www.hackedsite.nl||||-||||184.108.40.206 - - [20/Oct/2009:20:04:58 +0100] "POST /index.php?option=com_user&task=completereset HTTP/1.1" 301 - "http://www.hackedsite.nl/index.php?option=com_user&view=reset&layout=complete"
# There are a few more attempts
[20/Oct/2009:20:04:30] POST //index.php?option=com_user&task=confirmreset HTTP/1.1 301 - http://www.hackedsite.nl//index.php?option=com_user&view=reset&layout=confirm
[20/Oct/2009:20:04:58] POST /index.php?option=com_user&task=completereset HTTP/1.1 301 - http://www.hackedsite.nl/index.php?option=com_user&view=reset&layout=complete
[20/Oct/2009:20:06:36] POST /administrator/index.php HTTP/1.1 301 - http://www.hackedsite.nl/administrator/
[20/Oct/2009:20:07:23] POST /administrator/index.php HTTP/1.1 301 - http://www.hackedsite.nl/administrator/index.php?option=com_users&view=user&task=edit&cid=62
[20/Oct/2009:20:07:33] POST /administrator/index.php HTTP/1.1 200 3766 http://www.hackedsite.nl/administrator/index.php?option=com_templates&task=edit&cid=beez&client=0
[20/Oct/2009:20:07:45] POST /administrator/index.php HTTP/1.1 301 - http://www.hackedsite.nl/administrator/index.php
[20/Oct/2009:20:08:26] POST /templates/beez/index.php HTTP/1.1 200 64506 http://www.hackedsite.nl/templates/beez/index.php
"beez" looks like the vulnerability at first glance, but the log tells a different story. The com_user requests are Joomla's password-reset flow (remind, confirmreset, completereset), and the 200 responses that follow for /administrator/index.php?option=com_templates pages show the attacker was logged in to the backend, so the POST to administrator/index.php was a successful login rather than a failure. From there the referers show a visit to the user edit page (cid=62) and then the built-in template editor (option=com_templates&task=edit&cid=beez), which was used to save new contents into templates/beez/index.php: the beez template is simply the file the attacker chose to write to. The result is an r57shell reachable via beez/index.php. It is an ingenious file, as it consists of gz-compressed, obfuscated PHP that is decompressed and executed on every request. One weakness is that everything passed in the query string ends up in the access log, so I can track exactly what was passed to the script and what data was pulled off the system.
/var/log/httpd/ispconfig_access_log_2009_10_20:www.hackedsite.nl||||10721||||220.127.116.11 - - [20/Oct/2009:20:07:30 +0100] "GET //templates/beez/template_thumbnail.png HTTP/1.1" 200 10721 "http://www.hackedsite.nl/administrator/index.php?option=com_templates"
/var/log/httpd/ispconfig_access_log_2009_10_20:www.hackedsite.nl||||3097||||18.104.22.168 - - [20/Oct/2009:20:07:31 +0100] "GET /administrator/index.php?option=com_templates&task=edit&cid=beez&client=0 HTTP/1.1" 200 3097 "http://www.hackedsite.nl/administrator/index.php?option=com_templates"
/var/log/httpd/ispconfig_access_log_2009_10_20:www.hackedsite.nl||||1330||||22.214.171.124 - - [20/Oct/2009:20:07:31 +0100] "GET /administrator/templates/khepri/images/toolbar/icon-32-preview.png HTTP/1.1" 200 1330 "http://www.hackedsite.nl/administrator/index.php?option=com_templates&task=edit&cid=beez&client=0"
/var/log/httpd/ispconfig_access_log_2009_10_20:www.hackedsite.nl||||3766||||126.96.36.199 - - [20/Oct/2009:20:07:33 +0100] "POST /administrator/index.php HTTP/1.1" 200 3766 "http://www.hackedsite.nl/administrator/index.php?option=com_templates&task=edit&cid=beez&client=0"
/var/log/httpd/ispconfig_access_log_2009_10_20:www.hackedsite.nl||||-||||188.8.131.52 - - [20/Oct/2009:20:07:45 +0100] "POST /administrator/index.php HTTP/1.1" 301 - "http://www.hackedsite.nl/administrator/index.php"
/var/log/httpd/ispconfig_access_log_2009_10_20:www.hackedsite.nl||||3202||||184.108.40.206 - - [20/Oct/2009:20:07:47 +0100] "GET /administrator/index.php?option=com_templates&client=0&task=edit&cid=beez HTTP/1.1" 200 3202 "http://www.hackedsite.nl/administrator/index.php"
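The chain in these logs is easy to hunt for across other vhosts once you know its shape. The following is an added example, not part of the original post: a small Python detector that parses ISPConfig-style lines (the vhost||||bytes|||| prefix followed by Apache's combined format, as in the excerpts above, with an optional grep "file:" prefix) and flags clients that performed a com_user password reset, then posted to /administrator, then hit a .php under templates/. The hostname, IP addresses and lines in SAMPLE_LOG are constructed, and the stage names are my own.

```python
"""Detector for the attack chain seen in these logs: Joomla com_user password
reset -> POST to /administrator -> template editor save -> hit on a PHP file
under templates/.  Constructed example, not part of the original post."""
import re
import sys
from collections import defaultdict

# ISPConfig-style access log line as shown on the page:
#   vhost||||bytes||||<Apache combined log format>
LINE_RE = re.compile(
    r'^(?P<vhost>[^|]+)\|{4}(?P<vbytes>[^|]*)\|{4}'
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)"'
)

# Constructed sample in the same format: 203.0.113.7 replays the chain seen in
# the post, 198.51.100.9 is an ordinary user who merely reset a password.
SAMPLE_LOG = """\
www.example.nl||||2639||||203.0.113.7 - - [20/Oct/2009:20:03:30 +0100] "GET /index.php?option=com_user&view=remind HTTP/1.1" 200 2639 "http://www.google.com.br/search?q=inurl:%3Foption%3Dcom_user"
www.example.nl||||-||||203.0.113.7 - - [20/Oct/2009:20:04:30 +0100] "POST //index.php?option=com_user&task=confirmreset HTTP/1.1" 301 - "http://www.example.nl//index.php?option=com_user&view=reset&layout=confirm"
www.example.nl||||-||||203.0.113.7 - - [20/Oct/2009:20:04:58 +0100] "POST /index.php?option=com_user&task=completereset HTTP/1.1" 301 - "http://www.example.nl/index.php?option=com_user&view=reset&layout=complete"
www.example.nl||||-||||203.0.113.7 - - [20/Oct/2009:20:06:36 +0100] "POST /administrator/index.php HTTP/1.1" 301 - "http://www.example.nl/administrator/"
www.example.nl||||3766||||203.0.113.7 - - [20/Oct/2009:20:07:33 +0100] "POST /administrator/index.php HTTP/1.1" 200 3766 "http://www.example.nl/administrator/index.php?option=com_templates&task=edit&cid=beez&client=0"
www.example.nl||||64506||||203.0.113.7 - - [20/Oct/2009:20:08:26 +0100] "POST /templates/beez/index.php HTTP/1.1" 200 64506 "http://www.example.nl/templates/beez/index.php"
www.example.nl||||5120||||198.51.100.9 - - [20/Oct/2009:21:00:00 +0100] "GET /index.php?option=com_user&view=remind HTTP/1.1" 200 5120 "-"
www.example.nl||||-||||198.51.100.9 - - [20/Oct/2009:21:01:00 +0100] "POST /index.php?option=com_user&task=completereset HTTP/1.1" 301 - "-"
"""


def parse_line(line):
    """Return the named fields of one log line, or None if it does not parse."""
    if line.startswith("/"):            # grep "file:" prefix, as in the post's excerpts
        line = line.split(":", 1)[1]
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(rec):
    """Map one request to a stage of the chain, or None if it is not part of it."""
    path = re.sub(r"/{2,}", "/", rec["path"])   # the attacker used //index.php
    post = rec["method"] == "POST"
    if post and "option=com_user" in path and (
            "task=confirmreset" in path or "task=completereset" in path):
        return "reset"
    if post and path.startswith("/administrator/index.php"):
        # Saving from the template editor: the referer is the com_templates edit page
        if "option=com_templates" in rec["ref"] and "task=edit" in rec["ref"]:
            return "template_save"
        return "admin_post"
    if re.match(r"^/templates/[^/]+/[^?]*\.php(?:[?/]|$)", path):
        return "template_php_hit"
    return None


def suspicious_ips(log_text):
    """Return {ip: {"stages": [...], "google_dork": bool}} for clients that did a
    password reset, then got into /administrator, then hit PHP under templates/."""
    progress = defaultdict(list)
    dorked = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if "inurl:" in rec["ref"].lower():      # arrived via a Google dork
            dorked.add(rec["ip"])
        stage = classify(rec)
        stages = progress[rec["ip"]]
        if stage and (not stages or stages[-1] != stage):   # collapse repeats
            stages.append(stage)
    hits = {}
    for ip, stages in progress.items():
        if "reset" not in stages or "template_php_hit" not in stages:
            continue
        after = stages[stages.index("reset"):]
        # Order matters: admin access and the template hit must follow the reset.
        if any(s in ("admin_post", "template_save") for s in after) and "template_php_hit" in after:
            hits[ip] = {"stages": stages, "google_dork": ip in dorked}
    return hits


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for ip, info in suspicious_ips(text).items():
        print(ip, "->", " > ".join(info["stages"]), "(google dork)" if info["google_dork"] else "")
```

A PHP file under templates/ is not suspicious on its own (the template's own ffont-config.js.php request above is one), which is why the detector insists on the ordering rather than on any single request. Run it with a log file as the first argument to sweep a whole day. Bear in mind that POST bodies never reach the access log, so whatever the attacker sent to the shell by POST cannot be recovered from here.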
# A quick Google for "joomla beez template hack" turned up the following from July 2009: http://news.maiahost.com/warning-beez-joomla-template-found-to-have-hack-inside
In short:
templates/beez/index.php contained a compressed version of r57shell 1.40.
r57shell was used to create a new file, templates/beez/10.php, containing a compressed version of a shell written by 1923turk-grup member Enes_60 and called "c100".
The second shell offers the attacker single-button access to "multi-site defame" (defacement) scripts and other tools, each of which tries to exploit vulnerabilities in the server's software or misconfiguration by the sysadmin.
The whole hack did not take long and must have been fairly easy, given that the Joomla site hadn't been looked after for a prolonged time. The purpose seems primarily to have been to post Turkish nationalist propaganda. I couldn't find any evidence of rootkit attempts or of attempts to find sensitive data.
- Ensure that customers who run PHP scripts regularly check for vulnerabilities and apply updates. Packages like Joomla, Drupal and WordPress make this very easy these days.
- Always use .htaccess files. For example, redirect requests for index.html to index.php even if there is no index.html; an attacker might somehow manage to upload one.
- Ensure that permissions are set appropriately, in particular that the web server user cannot write to the site's PHP files.
- Raise the priority of upgrading my server to a chroot-enabled setup, so that next time a site gets hacked only that site suffers.
- Even themes can be vulnerable to attack: remove all unused plugins and themes from dynamic sites.
- Put dummy index.html and index.php files in place with 444 permissions, making it harder to overwrite them. This only helps if the files are not owned by the web server user, which could otherwise chmod or replace them (or unlink and recreate them if the directory is writable).
None of this will give 100% security but every extra hurdle helps.
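The "compressed shell" pattern in the summary above and the permissions points in the list are both things you can check mechanically after a clean-up. Here is an added example, not the author's code: a Python triage scanner that walks a Joomla templates/ tree, flags PHP files that decode or inflate a blob and eval() it (the way the r57/c100 drops described above were packed; the exact list of decoder functions is my assumption), and reports files that are group- or world-writable. build_sample_tree() creates a constructed fixture with a clean index.php and a planted 10.php containing a placeholder blob.

```python
"""Triage scanner for the kind of packed PHP loader found in templates/beez.
Constructed example, not from the original post; the signatures are an
assumption about how such shells are usually wrapped (decode/inflate, then eval)."""
import os
import re
import stat
import tempfile

# "eval(gzinflate(base64_decode('...')))" and friends: a loader that decompresses
# or decodes a blob and executes it on every request.
EVAL_OF_DECODER = re.compile(
    rb"eval\s*\(\s*(?:gzinflate|gzuncompress|gzdecode|base64_decode|str_rot13)\s*\(", re.I)
DECODER = re.compile(
    rb"\b(?:gzinflate|gzuncompress|gzdecode|base64_decode|str_rot13)\s*\(", re.I)
MIN_STACKED = 3   # several decoders in one file without an obvious eval is also worth a look


def scan_file(path):
    """Return a list of findings for one PHP file (empty list means nothing seen)."""
    findings = []
    with open(path, "rb") as fh:
        data = fh.read()
    if EVAL_OF_DECODER.search(data):
        findings.append("eval-of-decoded-payload")
    elif len(DECODER.findall(data)) >= MIN_STACKED:
        findings.append("stacked-decoders")
    mode = os.stat(path).st_mode
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("group/world-writable")
    return findings


def scan_templates(root):
    """Walk a templates/ tree; return {relative path: findings} for files with findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml", ".php5")):
                continue
            full = os.path.join(dirpath, name)
            found = scan_file(full)
            if found:
                report[os.path.relpath(full, root).replace(os.sep, "/")] = found
    return report


def build_sample_tree():
    """Constructed fixture: a clean template index.php (444, as the lessons suggest)
    and a dropped 10.php whose body is a packed loader around a placeholder blob."""
    root = tempfile.mkdtemp(prefix="templates_")
    beez = os.path.join(root, "beez")
    os.makedirs(beez)
    clean = os.path.join(beez, "index.php")
    with open(clean, "w") as fh:
        fh.write('<?php defined("_JEXEC") or die("Restricted access"); ?>\n'
                 '<html><body>template</body></html>\n')
    os.chmod(clean, 0o444)
    dropped = os.path.join(beez, "10.php")
    with open(dropped, "w") as fh:
        # 'QUFBQQ==' is a placeholder, not a real shell body
        fh.write("<?php eval(gzinflate(base64_decode('QUFBQQ=='))); ?>\n")
    os.chmod(dropped, 0o666)   # left writable, as a careless drop often is
    return root


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for rel, found in sorted(scan_templates(root).items()):
        print(rel, ":", ", ".join(found))
```

Point it at a real templates/ directory as the first argument. It only reports; the signatures are heuristics and some legitimate extensions also decode data, so treat a hit as something to open and read, not as proof. A clean file that still shows up as writable is exactly the permissions problem the list above warns about.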
The thing that makes me laugh most is that this was not a distributed attack, and no apparent attempt was made to hide the attacker's identity. The IP address used is owned by TurkTelekom and belongs to a dynamic pool for TTnet ADSL users in Istanbul. I'm not sure if this is the actual idiot himself or if some poor Turkish soul got abused for this. I wrote an email to TurkTelekom but am not holding my breath. I'll update this post if I ever hear back from them; like I said, don't stick around waiting…
Strangely, no attempt has been made to connect to either shell from any other IP address. Does it need mentioning that my server now dislikes the IP address used in the attack? All altered files have been removed. The scripts have been moved to a safe location for further inspection and possibly personal use. Further safety measures have been taken and all available fixes & patches are done and dusted.
I really do not see the point these guys are trying to make. Do they honestly believe they are going to reach their target group in this way? I read the page they posted and it's a nationalist rant about how Turkey should be defended from goodness knows who. They'd have more success writing a nice website somewhere it won't be taken down by disgruntled sysadmins. Then they can work on getting to the top of Google searches for something like "Turkish national front". Do these guys honestly believe they're achieving anything by comparing sizes of private parts, erm, defame list size, with other hacker groups?
http://ddanchev.blogspot.com/2007/11/overperforming-turkish-hacktivists.html (mentions Turks vs Swedes online war)
http://ip-address-lookup-v4.com/lookup.php?ip=220.127.116.11 (Source address of the attacker, as seen by my server)
inetnum: 18.104.22.168 - 22.214.171.124
netname: TurkTelekom
descr: TT ADSL-TTnet Alc dynamic_aci