Site defacement
Yesterday morning my site got hacked by a script kiddie. He just changed the homepage to this nice piece of art:
I found it almost immediately, and it was just a matter of removing the index.htm file the guy put there. No big harm. I changed all the passwords, fearing that the guy had FTP access and read all my PHP files, and checked again the file permissions of everything to make sure no directory had 777 ( = rwxrwxrwx, writable-by-anyone) permission.
Now to the interesting bits. There is apparently some competition among that kind of hacker, and as soon as they hack a site, they put it online so they can raise their ranking. Our hacker did put our hacked site online. So we already had his nickname: syrianspider. Other people talk about him. I of course downloaded his index file for study. It is made with Microsoft Word (that's a good hacker, isn't it?). Inside, you find this:
<o:documentProperties><o:Author>Yousef Alnamli</o:Author><o:Template>Normal</o:Template><o:LastAuthor>Yousef Alnamli</o:LastAuthor><o:Revision>12</o:Revision><o:TotalTime>33</o:TotalTime><o:Created>2009-12-19T10:56:00Z</o:Created>
A hacker who puts his own name inside his hack files??? I couldn't believe the guy was such an idiot. But wait. I have access logs for my site. At the time of the hack, I found several lines of this type:
78.110.96.5 - - [05/Apr/2010:15:54:58 +0000] "GET /test/sp.php?dir=/domains/54193/web/yorik HTTP/1.0" 200 34926 "http://yorik.uncreated.net/test/sp.php?dir=/domains/54193/web/yorik/test" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3)Gecko/20100401 Firefox/3.6.3"
It is weird, because I'm sure there is no test/sp.php file on my site. After googling a bit, I found several places mentioning that filename to add a new user to a database. That new user can then use the database to create new files. It is likely a very common site hacking method. So, I have the IP address from where the hacking occurred. It is indeed the IP address of a proxy server located in Syria. My friend Fabio did some more research, and found out the complete identity of the hacker. He has a large identity on the net, and even a Facebook page... Indeed the guy seems to have signed his file with his own name!!! I found that entire experience extremely funny. Now I still need to find out how to protect the site against such attacks, but Fabio will surely come up with a good solution...
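An added example, not part of the original post: one way to surface requests like the sp.php line above from an access log in combined format. It flags successfully served PHP files that are missing from the site's own file list, or that receive filesystem paths as parameters; KNOWN_SCRIPTS and every sample line except the one quoted from the post are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def suspicious_requests(lines, known_scripts):
    """Return (ip, time, path, reasons) for successful hits on script files that
    are not in the site's inventory or that are handed filesystem paths."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m["status"].startswith("2"):
            continue  # unparsable line, or the server did not serve the file
        url = urlsplit(m["target"])
        if not url.path.lower().endswith((".php", ".phtml")):
            continue
        reasons = []
        if url.path not in known_scripts:
            reasons.append("script not in site inventory")
        # parse_qsl percent-decodes, so dir=%2Fdomains%2F... is caught as well
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            if value.startswith("/") or ".." in value:
                reasons.append(f"parameter {key!r} carries a filesystem path")
        if reasons:
            findings.append((m["ip"], m["time"], url.path, reasons))
    return findings

# Hypothetical inventory: the PHP files the site owner actually deployed.
KNOWN_SCRIPTS = {"/index.php", "/blog/index.php"}

SAMPLE_LOG = [
    # Line quoted in the post (user agent shortened).
    '78.110.96.5 - - [05/Apr/2010:15:54:58 +0000] "GET /test/sp.php?dir=/domains/54193/web/yorik HTTP/1.0" 200 34926 "http://yorik.uncreated.net/test/sp.php?dir=/domains/54193/web/yorik/test" "Mozilla/5.0"',
    # Constructed lines: a normal page view and a probe that got a 404.
    '192.0.2.10 - - [05/Apr/2010:15:50:01 +0000] "GET /blog/index.php?p=12 HTTP/1.1" 200 8120 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [05/Apr/2010:15:51:13 +0000] "GET /old/admin.php HTTP/1.1" 404 312 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, when, path, reasons in suspicious_requests(SAMPLE_LOG, KNOWN_SCRIPTS):
        print(f"{when}  {ip}  {path}  ->  {'; '.join(reasons)}")
```

Building the inventory from a clean backup rather than from the live web root keeps a dropped file from being counted as one of the site's own.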