Full Version: HACKED BY TURKISH HACKERS
ZeusChicago
I had a customer report today that their website was down and had the following message

HACKED BY TURKISH HACKERS..
M.K.A

Upon closer inspection I found that they were redirecting the site from the original website to http://desertciler.netfirms.com/mka.html

I did not have any file changes on the site in the last couple of days and dug around the Apache configuration files looking for how they accomplished this, and ultimately found that the content manager system my customer is using allows a person to set metatags in its configuration, which they re-wrote and included a redirect.

Has anyone else here had problems with these folks, and if so, maybe have a dirty laundry list of things they locked down to prevent the hacks?

Thanks in advance

Zeus
klaude
What CMS is your client using? I'd prohibit use of that CMS on your server.
ZeusChicago
I am not sure what system it is (it kinda looks like a home-built one) but I didn't design the site. I went and password protected the folder that the administration stuff is in for him, which should hopefully fix the issue for now.

It was only down for like 30 mins, so I am worried they are going to come back and poke around more to see what else they can get into, since I had it corrected so quickly. I was just wondering if anyone else had a problem with these folks specifically that I should be on the lookout for.

Z
budway
Look into the domlogs of apache to see what string/bug/exploit they used and tweak it on your mod_security.

Suggest to your client that they re-module or update their CMS system (but prove how they exploited it by digging up the logs).

Anyway, good luck!
xenneo
QUOTE (budway)
Look into the domlogs of apache to see what string/bug/exploit they used and tweak it on your mod_security.

Suggest to your client that they re-module or update their CMS system (but prove how they exploited it by digging up the logs).

Anyway, good luck!


As an added layer of security I would chmod 700 wget, curl, lynx (I think on this last one), so that the kiddie hackers don't load up an IRC bot on your box. Additionally I would look into: http://www.gotroot.com/tiki-index.php?page..._security+rules for your mod_security rules, they have some good stuff.
HostGeekZ
I have seen that message before and it's just silly script kiddies.

You will have an old version of open source software installed, i.e. phpNuke, phpBB and so on. mod_security generally blocks these, but if you have not updated your installation then you only have yourself to blame.

Sign up to whoever provides you the open source software's mailing list and update as soon as they announce it. People who leave their installations out of date for months at a time are just asking for things like this to happen.

I am not trying to have a go at you or anything, but it's all too common nowadays; simple protection in place would have prevented this.
ZeusChicago
The admin section of the content manager was supposed to have been password protected. Apparently when the customer moved the site over, they chmod'ed the folder to 777 and didn't set up any login authentication.

Basically, if you knew the folder to hit, you could get in and change any of the CM settings.

They of course thought it was my server's fault, until I showed them what had occurred... along with a $75 bill for troubleshooting their CM system.

Thanks for the other suggestions as well. I am a Windows guy, dipping into the Unix world for the first time, and *think* I have done a pretty good job locking down the system (I have followed all the FAQs on this site, done my homework on the web, picked up a few Unix security books).

Z
damainman
I contacted netfirms last night, and they terminated the account for that website.
damainman
QUOTE (Zeus)
The admin section of the content manager was supposed to have been password protected. Apparently when the customer moved the site over, they chmod'ed the folder to 777 and didn't set up any login authentication.

Basically, if you knew the folder to hit, you could get in and change any of the CM settings.

How did you discover that?
ZeusChicago
Well, the website was redirecting to this Turkish hackers' site, but none of the files in the customer's root folder had been changed in days.

The only other place to perform a redirect is in the metadata, which for this site was set via the content management system they used. I went to the folder with the admin stuff and POOF, I'm logged in, full access, no password protection or anything.

Resetting the metatags was easily done via the database, and I locked the folder down.

Z
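The two things this thread turned up, a world-writable admin directory and a meta-refresh tag that sends visitors to an outside host, can both be checked for from the shell. The script below is an added example, not code from the thread, the forum, or the customer's CMS; the web root it builds, the page contents and the hostname www.example.invalid are constructed sample data so it runs offline.

```shell
#!/bin/sh
# Added example, not from the thread: two checks for the conditions described
# above. (1) directories under the web root that anyone can write to, like the
# admin folder that had been chmod 777; (2) HTML pages whose
# <meta http-equiv="refresh"> sends visitors to a host other than our own,
# which is how the defacement was done here.
# All paths, file contents and the hostname below are constructed sample data.

# Build a throwaway web root so the checks can run offline.
make_sample_root() {
    root=$(mktemp -d)
    mkdir -p "$root/admin" "$root/pages"
    chmod 777 "$root/admin"          # the misconfiguration from the thread
    chmod 755 "$root/pages"
    # Constructed defaced page: meta refresh to an outside host.
    printf '<html><head><meta http-equiv="refresh" content="0;url=http://defacer.example.invalid/mka.html"></head></html>\n' \
        > "$root/pages/index.html"
    # Constructed benign page: refresh to a path on the same site.
    printf '<html><head><meta http-equiv="refresh" content="0;url=/home.html"></head></html>\n' \
        > "$root/pages/about.html"
    echo "$root"
}

# Print every directory under $1 that has the world-write bit set.
find_world_writable_dirs() {
    find "$1" -type d -perm -0002
}

# Print "file -> target" for every HTML file under $1 whose meta refresh
# target is an absolute http(s) URL on a host other than $2.
find_offsite_meta_refresh() {
    root=$1
    ourhost=$2
    find "$root" -type f -name '*.html' -exec grep -il 'http-equiv="refresh"' {} + |
    while read -r f; do
        # First url= value in the file, up to the closing quote or tag end.
        target=$(grep -io "url=[^\"' >]*" "$f" | head -n 1 | cut -d= -f2-)
        case "$target" in
            http://"$ourhost"|http://"$ourhost"/*|https://"$ourhost"|https://"$ourhost"/*)
                ;;                                # same host: fine
            http://*|https://*)
                echo "$f -> $target" ;;           # leaves the site: report it
        esac
    done
}

# Usage: run both checks against the sample root, then clean up.
root=$(make_sample_root)
echo "world-writable directories:"
find_world_writable_dirs "$root"
echo "pages redirecting off-site:"
find_offsite_meta_refresh "$root" www.example.invalid
rm -rf "$root"
```

Run against a real document root, the first check lists any directory the web server user, or anyone else on the box, can write into; the second lists pages that hand visitors off to another host, which is the symptom the customer reported. Neither check tells you how the page was changed; for that the thread's advice to read the Apache access logs still applies.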
Invision Power Board © 2001-2009 Invision Power Services, Inc.