Web Hosting Forums


This is a discussion on OKAY! It Isn't Funny Now! Just Got Hacked Due to MySQL 4.x Upgrade... in the Hosting Talk & Chit-chat forum

  1. #1
    Vin DSL (user title: Yeah, I know a LOT!)
    Join Date: Mar 2003
    Location: Arizona Uplands
    Posts: 10,661

    OKAY! It Isn't Funny Now! Just Got Hacked Due to MySQL 4.x Upgrade...

    Yep! My site got defaced this morning thanks to MySQL 4.

    If your server has recently been upgraded to MySQL 4.x, you had better keep your powder dry and your back against the wall. It took the hackers less than a week to rape my site...

    I've been poring through the logs for about two hours. The hackers used a 'UNION' exploit to capture my MD5 password hash using the 'Web Links' module in PHP-Nuke. I tried the same 'UNION' exploit as the hackers (captured from the logs) and my password lay naked, for the whole world to see. Once they had my password, the hackers used a SQL injection to make themselves the site admin. This whole process took them 52 seconds, BTW.

    Once they were logged in as admin, they had their way with my site for a little over an hour.

    I'm in the process of patching my site now, but I thought I would take a break and warn the rest of you.

    Hahaha! Your time is coming. Have fun!
    DISCLAIMER Any resemblance between the views expressed above and those of the owners and operators of this system is purely coincidental. Any resemblance between these views and my own are non-deterministic. The existence of Vin DSL is questionable. The existence of views in the absence of anyone to hold them is problematic. The existence of the reader is left as an exercise in the second-order coefficient.

    No Guts, No Story! VinDSL 2010

  2. #2
    Ron
    Guest
    I'm sure you've thought about it, but for others' sake, you should ensure you have different passwords for your financial accounts and so forth... Just a word to the wise...

  3. #3
    Vin DSL
    I think I've hardened my site fairly well now. We'll see. I guess I should try to hack into it myself...

    Gawd! I knew that 'UNION' thing was going to get me. I just didn't think it would happen that fast. Live 'n' learn!

  4. #4
    tank (user title: Voltron wannabe)
    Join Date: Apr 2004
    Location: Houston
    Posts: 306
    Vin are you running CPGNuke on your site or just a modified version of Nuke?

  5. #5
    Vin DSL
    On my 'production site' I'm running a mod'ed version of PHP-Nuke 6.5.

  6. #6
    tank
    would you be willing to offer up some of these code changes?

  7. #7
    Vin DSL
    Originally posted by tank
    would you be willing to offer up some of these code changes?
    This is the latest: http://nukeresources.com/article628.html

  8. #8
    Vin DSL
    Here's an update:

    Piecing it all together - the perps have been trying to hack my site for some time, using the flash clock on my main page. They tried it several times over the last month; possibly longer. Evidently that didn't work. However, the 'UNION' command in MySQL 4.x gave them the hole they needed.

    These guys are from 'Persia'. Where in 'Persia' I don't know, but they are working out of a web hosting service in San Diego, California. They have 76 web sites on their server, all in Arabic, so it's impossible to tell exactly which one of them did it, but I suppose it really doesn't matter. Given enough time, I would probably find out they live in Iran, or whatever.

    Anyway, they used the 'UNION' command in MySQL to cause a string overflow in the 'Web Links' search feature in PHP-Nuke. The resulting error message gave them my user name and MD5 encrypted password. That's all they needed to mount a successful SQL injection on my web site, replacing me as the admin with themselves. I found the automated hacker page they used to inject the code. All it amounted to was entering info into forms and clicking the submit button. Pretty ingenious! As stated above, it took them less than a minute to do this, once they had my hash. Once they were logged in as the admin, they had their way with my web site for an hour, then moved on.

    The fix is afforded in the link above. I patched my site using code furnished by ChatServ. Some files were directly replaceable, while with others I had to do file comparisons and replace applicable code.

    In all, it took me about 24 hours to fix the damage and harden my site. Hopefully that will take care of problems for a while.

    I tried to hack my own site every way possible, both before and after the patches were in place. As far as I can tell, I've blocked all the usual avenues of attack. Only time will tell.

    LoL! I guess I'm an expert on hacking PHP-Nuke web sites now, at least ones running with the MySQL 4.x module in place. Every cloud has a silver lining, no?
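    Posts #1 and #8 describe the same mechanism: an `id` parameter that the module pasted straight into a query, so a `UNION SELECT` against `nuke_authors` rode along with it. The following is an added example, not code from the thread or from PHP-Nuke, showing the two defensive layers that close that hole: reject anything that is not an integer before it reaches the database, and bind the value as a parameter so the database never parses it as SQL. It uses an in-memory SQLite database; the `nuke_reviews` table, its columns, and the sample rows are constructed for the example (only the `nuke_authors` name comes from the thread).

```python
import sqlite3

# Constructed schema, loosely modelled on the PHP-Nuke tables named in the thread.
# nuke_authors is mentioned in the thread; nuke_reviews and all rows are assumptions.
SCHEMA = """
CREATE TABLE nuke_reviews (id INTEGER PRIMARY KEY, title TEXT, text TEXT);
CREATE TABLE nuke_authors (aid TEXT, pwd TEXT, email TEXT);
INSERT INTO nuke_reviews VALUES (1, 'First review', 'Body of review 1');
INSERT INTO nuke_authors VALUES ('admin', 'md5-hash-placeholder', 'admin@example.invalid');
"""

# Attack-shaped input, constructed to mirror the query string quoted later in the thread
# (column count trimmed to match the three-column table above).
UNION_INPUT = "-1 UNION SELECT aid, pwd, email FROM nuke_authors"


def open_db():
    """Create the constructed database in memory so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_lookup(conn, id_param):
    """The broken pattern: the request value is concatenated into the statement text,
    so a UNION in the value becomes part of the query and can pull rows from any table."""
    sql = "SELECT id, title, text FROM nuke_reviews WHERE id=" + id_param
    return conn.execute(sql).fetchall()


def parameterized_lookup(conn, id_param):
    """Layer two alone: the value is bound as data. A payload in it is just a string
    that matches no id, so the UNION is never parsed as SQL."""
    sql = "SELECT id, title, text FROM nuke_reviews WHERE id=?"
    return conn.execute(sql, (id_param,)).fetchall()


def hardened_lookup(conn, id_param):
    """Both layers: validate the type first (an id is an integer, nothing else),
    then bind the validated integer. Invalid input is refused before any query runs."""
    if not isinstance(id_param, str) or not id_param.lstrip("-").isdigit():
        raise ValueError("id must be an integer")
    review_id = int(id_param)
    if review_id < 0:
        raise ValueError("id must be non-negative")
    return parameterized_lookup(conn, review_id)


if __name__ == "__main__":
    db = open_db()
    print("concatenated:", vulnerable_lookup(db, UNION_INPUT))   # leaks the author row
    print("parameterized:", parameterized_lookup(db, UNION_INPUT))  # []
    try:
        hardened_lookup(db, UNION_INPUT)
    except ValueError as err:
        print("hardened:", err)                                   # refused before querying
```

    The type check is the cheap fix the thread's patch notes amount to (cast `id` to an integer before use); the parameter binding is what makes the fix survive the next module that forgets the cast.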

  9. #9
    Loyal Client
    Join Date: Sep 2001
    Location: Wichita, KS
    Posts: 1,523
    /me is glad he hasn't joined the CMS craze yet

  10. #10
    Vin DSL
    That's life on the edge...

  11. #11
    Vin DSL

    AM I BORING YOU???

    Well, well! The story gets more interesting...

    These are the dirtbags that hacked my site: Specifically, it was a hacker named 'mahdi_hexboy'. I saw his 'nick' several times in my logs.

    Now, I don't know if you've been following the news lately, but the US-led coalition in Iraq has vowed to defeat the Mahdi militia of Shiite cleric Moqtada al-Sadr. So what?

    I was looking at my referrers tonight when I noticed this: Evidently, my site comes up in the #1 spot when you do a search for "Patton's Speech." Cool!

    So, I clicked the Google link, and guess what... "General George S. Patton's Speech to the Third U.S. Army" was missing from my website. As a matter of fact, it was the only 'story' missing from my site.

    Aha! Now it's making more sense!

    Luckily, I do regular backups. All I had to do was drop my 'nuke_stories' db and do a dump of the backup.

    What is it 'they' didn't want you to see? Why don't you go read it, just to piss off these [ethnic Iraqi cyber terrorists]?
    Last edited by Vin DSL; 04-26-2004 at 10:42 PM.

  12. #12
    Loyal Client
    are you happy now vin?

    i don't want this to blow up just yet

  13. #13
    Vin DSL
    Originally posted by mattsiegman
    are you happy now vin?

    i don't want this to blow up just yet
    Well, Matt, I dunno... This is a very odd thing - getting hacked. I've noticed it's sort of a taboo subject.

    Ppl are only interested in things, in so much as it affects them. When 'you' get hacked, everyone wants to shy away from 'your' situation. It's like you have AIDS or leprosy. It makes ppl nervous.

    Put another way, it's like saying you saw a flying saucer last night. Ppl wanna believe in UFOs, but they want to see one for themselves, you know? When 'you' see one, they think you are exaggerating.

    I guess all I'm trying to say here is beware of MySQL 4.x, at least the 'UNION' command security hole. This upgrade is a mixed blessing, at best.

    BTW, I'm NOT making this sh!t up. I got hacked by [Iraqi nationals], pure and simple. The only question is why. My best guess is because I come up in the #1 spot on Google for "Patton's Speech." That's my crime. The fact that the Patton speech is the only thing they deleted on my web site is all the substantiation I need.

    If you don't believe me, I'll be happy to copy 'n' paste my log files right here, and show you how 'Persians' can hack PHP-Nuke websites on JagPC using holes in MySQL 4.x. No big deal. I got my [posterior] covered for the time being!

    Pardon the pun, but if you wanna stick your head in the sand and lock this thread, go ahead. It isn't going anywhere anyway. Ppl could care less until there is a mass defacement, then it's gonna be 9/11 all over again.

    I'm just sounding the alarm. Do you really think it's wise to kill the messenger?
    Last edited by Vin DSL; 04-26-2004 at 10:37 PM.

  14. #14
    Vin DSL
    LoL! If anyone cares, I installed software on 'my' web server, last night, that detects hacking attempts. I just snagged a bogie!

    Here are the details:
    Code:
    195.222.51.211  
    
    OrgName:    RIPE Network Coordination Centre
    OrgID:      RIPE
    Address:    Singel 258
    Address:    1016 AB
    City:       Amsterdam
    StateProv:
    PostalCode:
    Country:    NL
    
    ReferralServer: whois://whois.ripe.net
    
    NetRange:   195.0.0.0 - 195.255.255.255
    CIDR:       195.0.0.0/8
    NetName:    RIPE-CBLK3
    NetHandle:  NET-195-0-0-0-1
    Parent:
    NetType:    Allocated to RIPE NCC
    NameServer: NS-PRI.RIPE.NET
    NameServer: NS2.NIC.FR
    NameServer: SUNIC.SUNET.SE
    NameServer: AUTH03.NS.UU.NET
    NameServer: SEC1.APNIC.NET
    NameServer: SEC3.APNIC.NET
    NameServer: TINNIE.ARIN.NET
    Comment:    These addresses have been further assigned to users in
    Comment:    the RIPE NCC region. Contact information can be found in
    Comment:    the RIPE database at http://www.ripe.net/whois
    RegDate:    1996-03-25
    Updated:    2004-03-16
    
    TechHandle: RIPE-NCC-ARIN
    TechName:   RIPE NCC Hostmaster
    TechPhone:  +31 20 535 4444
    TechEmail:  [email protected]
    
    OrgTechHandle: RIPE-NCC-ARIN
    OrgTechName:   RIPE NCC Hostmaster
    OrgTechPhone:  +31 20 535 4444
    OrgTechEmail:  [email protected]
    
    
    
    DOCUMENT_ROOT : /home/[account]/public_html
    HTTP_ACCEPT : image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
    application/x-shockwave-flash, */*
    HTTP_ACCEPT_ENCODING : gzip, deflate
    HTTP_ACCEPT_LANGUAGE : en-us
    HTTP_CONNECTION : Keep-Alive
    HTTP_COOKIE : lang=english
    HTTP_HOST : www.lenon.com
    HTTP_USER_AGENT : Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)
    PATH : /usr/local/bin:/bin:/usr/bin
    REMOTE_ADDR : 195.222.51.211
    REMOTE_PORT : 3119
    SCRIPT_FILENAME : /home/[account]/public_html/[hacker script]
    SERVER_ADDR : 69.73.147.61
    SERVER_ADMIN : [email protected]
    SERVER_NAME : www.lenon.com
    SERVER_PORT : 80
    SERVER_SIGNATURE : Apache/1.3.29 Server at www.lenon.com Port 80
    
    SERVER_SOFTWARE : Apache/1.3.29 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2
    mod_bwlimited/1.4 PHP/4.3.4 FrontPage/5.0.2.2634 mod_ssl/2.8.16 OpenSSL/0.9.6b
    GATEWAY_INTERFACE : CGI/1.1
    SERVER_PROTOCOL : HTTP/1.1
    REQUEST_METHOD : GET
    QUERY_STRING :
    name=Reviews&rop=showcontent&id=-1%20UNION%20%20SELECT%200,0,aid,pwd,email,email,100,pwd,url,url,10000,name%20FROM%20nuke_authors/*
    REQUEST_URI :
    /[hacker script]?name=Reviews&rop=showcontent&id=-1%20UNION%20%20SELECT%200,0,aid,pwd,email,email,100,pwd,url,url,10000,name%20FROM%20nuke_authors/*
    SCRIPT_NAME : /[hacker script]
    PATH_TRANSLATED : /home/[account]/public_html/[hacker script]
    PHP_SELF : /[hacker script]
    argv : Array
    argc : 1
    Anybody else interested in this kind of stuff, or do you want to wait until it happens to you?
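    The environment dump above is what a detection script sees: a `QUERY_STRING` whose `id` value is not a number and carries a percent-encoded `UNION SELECT ... FROM nuke_authors/*`. As an added example (not the software the poster installed, whose name the thread does not give), here is a small Python scanner that runs the same checks over Apache access-log lines: it percent-decodes each parameter until stable, so double encoding does not hide the payload, flags non-integer values for parameters the application only uses as integers, and looks for a `UNION ... SELECT` sequence and an open SQL comment. The log lines are constructed for the example; only the third request's query string is copied from the dump above, and the client addresses, paths and the `INTEGER_PARAMS` set are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache common-log-format lines. The third request's query string is the one
# quoted in the thread's environment dump; the client addresses (RFC 5737 test ranges),
# timestamps and script path are placeholders, not real infrastructure.
SAMPLE_LOG = """\
198.51.100.5 - - [26/Apr/2004:22:10:01 -0700] "GET /modules.php?name=Reviews&rop=showcontent&id=12 HTTP/1.1" 200 5120
198.51.100.6 - - [26/Apr/2004:22:10:07 -0700] "GET /modules.php?name=Search&query=union+station HTTP/1.1" 200 2210
192.0.2.10 - - [26/Apr/2004:22:11:43 -0700] "GET /modules.php?name=Reviews&rop=showcontent&id=-1%20UNION%20%20SELECT%200,0,aid,pwd,email,email,100,pwd,url,url,10000,name%20FROM%20nuke_authors/* HTTP/1.1" 200 3307
192.0.2.10 - - [26/Apr/2004:22:12:01 -0700] "GET /modules.php?name=Reviews&rop=showcontent&id=-1%2520UNION%2520SELECT%25201,2,3 HTTP/1.1" 200 3307
"""

# Common log format: client, identd, user, [timestamp], "METHOD target PROTOCOL", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d+)'
)

# Parameters the application only ever treats as integers (assumption for this example).
INTEGER_PARAMS = {"id"}

# UNION, then whitespace or inline comments, then an optional ALL, then SELECT.
UNION_RE = re.compile(r"\bunion\b(?:\s|/\*.*?\*/)+(?:all\s+)?select\b", re.IGNORECASE | re.DOTALL)


def decode_fully(value, max_rounds=3):
    """Percent-decode until the value stops changing, so %2520 -> %20 -> space is caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyse_request(target):
    """Return the list of reasons a request target looks like a UNION-based injection attempt."""
    reasons = []
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for name, values in params.items():
        for raw in values:
            value = decode_fully(raw)
            if name in INTEGER_PARAMS and not re.fullmatch(r"-?\d+", value.strip()):
                reasons.append(f"non-integer value for {name!r}")
            if UNION_RE.search(value):
                reasons.append(f"UNION SELECT in {name!r}")
            if value.rstrip().endswith("/*") or "--" in value:
                reasons.append(f"SQL comment terminator in {name!r}")
    return reasons


def scan_log(text):
    """Return (client ip, timestamp, reasons) for every request that trips at least one rule."""
    hits = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # not a request line we understand; skip rather than guess
        reasons = analyse_request(match.group("target"))
        if reasons:
            hits.append((match.group("ip"), match.group("ts"), reasons))
    return hits


if __name__ == "__main__":
    for ip, ts, reasons in scan_log(SAMPLE_LOG):
        print(f"{ip} [{ts}] {'; '.join(reasons)}")
```

    The benign second line, a search for "union station", is not flagged, because the rule requires `UNION` to be followed by `SELECT`; the non-integer check on `id` is the most robust of the three, since it fires on any payload shape, encoded or not, and matches exactly the fix of casting `id` to an integer before use.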

  15. #15
    Vin DSL
    Here's the perp:
    Code:
    195.222.51.211
    
    	
    Record Type: 	IP Address
    IP Location: 	Bosnia And Herzegowina - Federation Of Bosnia And Herzegovina
     - Sarajevo - Open Society Fund Bh - The Soros Foundations
    Reverse IP: 	No websites hosted using this IP address
    % This is the RIPE Whois server.
    % The objects are in RPSL format.
    %
    % Rights restricted by copyright.
    % See http://www.ripe.net/ripencc/pub-services/db/copyright.html
    
    inetnum:      195.222.51.0 - 195.222.51.255
    netname:      OSF-SOROS-BA
    descr:        Open Society Fund BH - The SOROS Foundations
    descr:        Sarajevo, Bosnia and Herzegovina
    country:      BA
    admin-c:      TR3840
    tech-c:       AVA4
    status:       ASSIGNED PA
    notify:       
    mnt-by:       BIHNET-DNS
    changed:       19981203
    source:       RIPE
    
    route:        195.222.48.0/21
    descr:        BiHNet subnet #3
    origin:       AS9146
    mnt-by:       BIHNET-DNS
    changed:       20030523
    source:       RIPE
    
    person:       Tomo Radovanovic
    address:      Open Society Fund-The SOROS Foundations
    address:      Djenetica Cikma 2a
    address:      Sarajevo, 71000
    address:      Bosnia and Herzegovina
    phone:        +387 71 666 132
    phone:        +387 71 444 488 ext. 123
    fax-no:       +387 71 472 580
    e-mail:       
    nic-hdl:      TR3840
    notify:       
    changed:       19980619
    source:       RIPE
    
    person:       Azur Ajanovic
    address:      Open Society Fund-The SOROS Foundations
    address:      Djenetica Cikma 2a
    address:      Sarajevo, 71000
    address:      Bosnia and Herzegovina
    phone:        +387 71 666 132
    phone:        +387 71 444 488 ext. 123
    fax-no:       +387 71 472 580
    e-mail:       
    nic-hdl:      AVA4
    notify:       
    changed:       19980619
    source:       RIPE
