Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

hacked?!

Comments

  • Banned (with Prison Access) Posts: 16,659 ✭✭✭✭dahamsta


    How do you mean you traced it to there. That site looks like a regular defacement mirror to me. And the only reason you'd search for IE domains there is to find other ones that have been defaced! Your time might be better spent tracking down how they defaced your site so it doesn't happen again.

    adam


  • Registered Users, Registered Users 2 Posts: 4,479 ✭✭✭wheres me jumpa


    Ken Shabby wrote:
    How do you mean you traced it to there. That site looks like a regular defacement mirror to me. And the only reason you'd search for IE domains there is to find other ones that have been defaced! Your time might be better spent tracking down how they defaced your site so it doesn't happen again.

    adam

    The site appeared in my stats. Searched the site for my domain and found my hacker. A 777 setting seems to be the problem, I know the pages they exploited, both had forms.

    I was just posting as I thought others might be interested as I was in seeing what other sites had been defaced. Apologies.


  • Closed Accounts Posts: 7,563 ✭✭✭leeroybrown


    Occasionally these sites can be useful for establishing a start point for trail. One day while bored I managed to trace down a defacement that caused a lot of hassle for me to a script kiddie in Cork. I had a copy of his CV and all his personal details. It was about 18 months after the event and he appeared to have copped on an awful lot so I didn't bother having any more fun.

    Obviously that was an exceptional case but...


  • Registered Users, Registered Users 2 Posts: 4,479 ✭✭✭wheres me jumpa


    HOw did you get his cv?


  • Banned (with Prison Access) Posts: 16,659 ✭✭✭✭dahamsta


    No offense intended, but you didn't find the "hacker", you found his or her handle on a generic mirroring site via a referer in your logs. Which was probably already somewhere on the defacement.

    I'm pretty sure most hackers in the world would be slightly miffed by your use of the word too. The word you're looking for is "cracker", although in this case "script kiddy" would probably be more accurate.

    adam


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 4,479 ✭✭✭wheres me jumpa


    Ken Shabby wrote:
    No offense intended, but you didn't find the "hacker", you found his or her handle on a generic mirroring site via a referer in your logs. Which was probably already somewhere on the defacement.

    I'm pretty sure most hackers in the world would be slightly miffed by your use of the word too. The word you're looking for is "cracker", although in this case "script kiddy" would probably be more accurate.

    adam


    Again apologies.

    What I should have said was, I found a portfolio of sites the cracker had defaced which I found interesting.


  • Banned (with Prison Access) Posts: 16,659 ✭✭✭✭dahamsta


    No need to apologise to me, I was just making a point. I thought it important to note that the site is just a defacement mirror, and not the home of a single hax0r muppet that probably can't code for toffee.

    adam


  • Registered Users, Registered Users 2 Posts: 4,479 ✭✭✭wheres me jumpa


    Ken Shabby wrote:
    No need to apologise to me, I was just making a point. I thought it important to note that the site is just a defacement mirror, and not the home of a single hax0r muppet that probably can't code for toffee.

    adam

    I was aware there was more than one "haxor muppet" on the site.


  • Closed Accounts Posts: 7,563 ✭✭✭leeroybrown


    HOw did you get his cv?
    My memory is a bit sketchy but I used some extra details I found (which most people are clueful enough to conceal) on one of the mirror sites to trace back via some other forums, etc to his personal web page with CV, and a load of other stuff. There was enough breadcrums along the way to be sure it was him.

    The mirror site probably appears in your logs due to a link directly after your site was added. The real culprit is generally buried in your apache logs somewhere. The last time I traced one back fully it was from a DHCP IP address in a South American ISP's netblock.

    As a matter of interest was the site running off any of the usual PHP CMS or Bulletin Boards packages?


  • Registered Users, Registered Users 2 Posts: 1,086 ✭✭✭Peter B


    Just out of interest how can a site be defaced through a form.

    Just wanna fix my sites against these defacings as best as possible


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 706 ✭✭✭DJB


    Peter B wrote:
    Just out of interest how can a site be defaced through a form.

    Just wanna fix my sites against these defacings as best as possible
    I'm not 100% sure how your site was hacked but I'm guessing it has something to do with XSS (Cross Site Scripting). Here's a definition on the net I found:
    XSS:An abbreviation of cross-site scripting. XSS is a security breach that takes advantage of dynamically generated Web pages. In an XSS attack, a Web application is sent with a script that activates when it is read by an unsuspecting user’s browser or by an application that has not protected itself against cross-site scripting. Because dynamic Web sites rely on user input, a malicious user can input malicious script into the page by hiding it within legitimate requests. Common exploitations include search engine boxes, online forums and public-accessed blogs. Once XSS has been launched, the attacker can change user settings, hijack accounts, poison cookies with malicious code, expose SSL connections, access restricted sites and even launch false advertisements. The simplest way to avoid XSS is to add code to a Web application that causes the dynamic input to ignore certain command tags. Scripting tags that take advantage of XSS include <SCRIPT>, <OBJECT>, <APPLET>, <EMBED> and <FORM>. Common languages used for XSS include JavaScript, VBScript, HTML, Perl, C++, ActiveX and Flash.

    Here's a good site to refer to for testing your site for XSS vulnerabilities:

    http://ha.ckers.org/xss.html

    It can be quite scary the first time you execute one of these on your site and see the potential JS that can be initialised by a hacker. So, if a hacker inputs one of these into your form (or a more dangerours one) and you save it to the database and your website is pulling that record out of your database and display it on your home page, the script will be executed by all your visitors.

    wheres_my_jumpa... do you know how your site was hacked?

    Dave


  • Registered Users, Registered Users 2 Posts: 4,479 ✭✭✭wheres me jumpa


    DJB wrote:

    wheres_my_jumpa... do you know how your site was hacked?

    Dave

    Not entirely sure but I have an idea. My host was very helpful and pointed this out...

    "IPs from the Sudan POSTing (submitting) information to your guestbook and news.php scripts. Not sure if you made them yourself but this will be the point of exploit. Notice how the hostmasks are different even though it's the same IP.
    "

    So an attack on my php scripts.


    Host has also some "additional security systems to hopefully negate some of the possible exploits".


Advertisement