[nycphp-talk] Need some understanding about a hacker attack...

matt at atopia.net
Sat Oct 11 08:53:19 EDT 2008


Are AllowOverride and Options set correctly in httpd.conf for that directory?


-----Original Message-----
From: mikesz at qualityadvantages.com

Date: Sat, 11 Oct 2008 20:51:37 
To: NYPHP Talk<talk at lists.nyphp.org>
Subject: [nycphp-talk] Need some understanding about a hacker attack...


Hello NYPHP,

  One of my sites went down yesterday with "Out of Bandwidth". When I
  checked into it, a bad guy had hijacked an application folder called
  /xml that usually contains one PHP file that serves the application
  menu system. I have no idea why the software developer chose this
  method. The /xml folder is read-only (and has always been read-only).
  Yesterday, in addition to the single PHP file, /xml contained a
  subfolder called odg which contained a porn distribution application
  with thousands of images that it was serving to the planet through
  mediacatch.com and myhostdyn.com, among others. I have no idea how
  the bad guy got in, and my ISP doesn't have a clue either. I got them
  to delete the junk because the bad guy used a Unix system account to
  create the junk and I was unable to delete it with the permissions I
  have.

  Now with that gone, I decided to add a .htaccess file to further
  restrict access to the /xml folder but when I did, the .htaccess
  file does not respond at all. Here is what I put in there:

# No directory listings for this folder
Options -Indexes

# Deny everyone, then allow only the local host back in.
# With "Order deny,allow", Deny rules are evaluated first and Allow wins.
Order deny,allow

<Files "*.*">
    Deny from all
    Allow from 127.0.0.1 localhost
</Files>

I expected that if I tried to access that folder directly that I would
get a 403 but instead I got the application intro screen?

I checked my test system also, and when I do a directory listing of the /xml
folder, it shows me the content of the folder, which is yet another
unexpected outcome.

The question I have is: does a folder named /xml have any special
status or significance on a Linux box that would cause it to act
differently than, say, an /includes folder, which usually generates a
blank screen?

Any clues would be greatly appreciated. Notice that I haven't gotten
into the hack at all; no idea how it happened, and the ISP is really
vague about what might have happened but is pointing the finger at my
app and, of course, his server is completely secure. BTW, it's a shared
server. My guess is that the bad guy ripped off the system account and
ran amok on it, but nobody is even hinting that this could be a
possibility, to the contrary. Getting back to the /xml: why would I be
getting the bizarre behavior from it?

TIA

-- 
Best regards,
 mikesz                          mailto:mikesz at qualityadvantages.com
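The following is an added illustration of the point matt raises, not configuration from either poster or their host. If the `<Directory>` block covering the site in httpd.conf has `AllowOverride None`, Apache never opens the .htaccess in /xml at all, so the Deny rules above are silently ignored and the application intro screen is served as before; that matches the symptom described. The directory path below is a hypothetical example.

```apache
# Weak setting (typical shared-host default): Apache does not read any
# .htaccess under this tree, so the Deny/Allow rules in /xml/.htaccess
# never take effect. Path is a hypothetical example.
<Directory "/home/example/public_html">
    AllowOverride None
</Directory>

# Corrected: permit exactly the directive groups that .htaccess uses.
#   "Limit"   covers Order, Deny and Allow
#   "Options" covers Options -Indexes
# Everything else stays locked down in httpd.conf.
<Directory "/home/example/public_html">
    AllowOverride Limit Options
</Directory>
```

On a shared host you usually cannot edit httpd.conf yourself, but you can still tell whether .htaccess is being honoured: put a deliberately malformed line in it and request the folder. A 500 Internal Server Error means the file is being read (and you can then fix the syntax); the unchanged intro screen means the host has AllowOverride None and only the provider can change that. Note that Order/Deny/Allow are Apache 2.2 syntax; on Apache 2.4 they only work with mod_access_compat loaded, otherwise they are replaced by Require.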
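A second added example, also not from the original thread, for the forensic side of the question. mikesz could not delete the odg drop because it was created under a different Unix account; the fastest way to find such material on a shared host is to list everything under the web tree that is owned by someone other than the site account, plus everything modified recently. The script below does both with POSIX find only; the directory, owner name and day count are arguments, and the sample tree built in the usage comment is constructed for illustration.

```sh
#!/bin/sh
# Added example for this thread (not from the original post). Surfaces
# files under a web directory that (a) belong to an account other than the
# expected site owner, or (b) were modified within the last N days. On a
# shared host the first group is exactly what you cannot delete yourself;
# the second is where an intruder's drop usually shows up.
# Assumes only POSIX find, sed, wc and tr.

# triage_dir DIR OWNER DAYS
# Prints "OWNER-MISMATCH <path>" for entries not owned by OWNER and
# "RECENT <path>" for regular files changed in the last DAYS days.
triage_dir() {
    dir=$1; owner=$2; days=$3
    # Anything here was created by another uid: another customer on the
    # box, the web server user, or root.
    find "$dir" ! -user "$owner" -print 2>/dev/null | sed 's/^/OWNER-MISMATCH /'
    # -mtime -N means modified fewer than N*24h ago.
    find "$dir" -type f -mtime -"$days" -print 2>/dev/null | sed 's/^/RECENT /'
}

# count_recent DIR DAYS
# Returns the number of regular files under DIR modified in the last DAYS days.
count_recent() {
    find "$1" -type f -mtime -"$2" 2>/dev/null | wc -l | tr -d ' '
}

# Usage (hypothetical path and account name):
#   triage_dir /home/example/public_html/xml mikesz 7
# Anything tagged OWNER-MISMATCH needs the host to remove it, as in the thread.
```

Run it against the whole document root, not just /xml: a drop that was planted via another account is rarely confined to one folder, and the file ownership (and the modification times, if the intruder did not reset them) is the only evidence you still have once the host has deleted the content.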

_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk

NYPHPCon 2006 Presentations Online
http://www.nyphpcon.com

Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php
