Hacked by CyberLord

Billybob

Member #3,136

January 2003

Well I found one of my sites hacked tonight. The config.php file had been overwritten with "

Hacked by CyberLord

". What I'm trying to figure out is the extent and type of the attack. From the looks of it, it was a scripted attack. Nothing else was hit but that one, very common, file. So at first it seems like a harmless, non-personal attack.
But, the site is entirely coded by me, and there is no part of it that could lead to someone overwriting a file. For that there'd need to be some file writing mechanism or something that uses system commands, of which there are none. Now I do have WordPress installed, related to that site, but it is in a different directory. How could a script have gone from that directory to the other? And why were no other config files touched? I've got a beta version of that site setup in another directory with the exact same layout of files, but it's untouched.
One small mistake on my part is that the config.php file had 777 file permissions (rsync problem). Perhaps that has something to do with it. If the script searched for all config files and tried to overwrite them this would be the only config file it could have overwritten.

In any case, I highly suspect WordPress being the culprit. Does anyone have any info on vulnerabilities in WordPress? I installed it about a month ago. Or any info in general about what may have caused this.

GullRaDriel

Member #3,861

September 2003

"Your WebSite died because it wasn't pretty enough."

"Code is like shit - it only smells if it is not yours"
Allegro Wiki, full of examples and articles !!

Peter Hull

Member #1,136

March 2001

Looks like he's been a busy fellow:
link
Pete

Richard Phipps

Member #1,632

November 2001

It was for a good cause though.

Chaos Groove Development Blog
Free Logging System Code & Blog

James Stanley

Member #7,275

May 2006

One of the Google entries said Cyberlord was here for Islam. His religion told him to hack a website? Cool...

Elverion

Member #6,239

September 2005

Which site was that? I'd like to take a look, if you don't mind. Is the config file the only one with 777 privileges?

--
SolarStrike Software - MicroMacro home - Automation software.

Thomas Fjellstrom

Member #476

June 2000

Probably some retard 13 year old using on old hole and a tool.

--
Thomas Fjellstrom - [website] - [email] - [Allegro Wiki] - [Allegro TODO]
"If you can't think of a better solution, don't try to make a better solution." -- weapon_S
"The less evidence we have for what we believe is certain, the more violently we defend beliefs against those who don't agree" -- https://twitter.com/neiltyson/status/592870205409353730

Matthew Leverton

Supreme Loser

January 1999

Is register globals on? If so, Wordpress is vulnerable to bad cookies.

--
RTFM | Follow Me on Google+ | I know 10 people

Thomas Fjellstrom

Member #476

June 2000

if PhpBB is used, theres all sorts of bugs that let people replace index files with messages. Lots of PHP software is like that for somereason. Can't quite fathom why ::)

Billybob

Member #3,136

January 2003

ML: Yes, I believe it is ON for WordPress. I disable it on my custom sites, but I don't have a global htaccess installed yet for every site. What kind of vulnerability is that? Does it apply to a month old version and allow the execution of shell commands?

Michael Jensen

Member #2,870

October 2002

Actually most of them say something about Islam... Your website must be a victim of the jihad.

Matthew Leverton

Supreme Loser

January 1999

http://www.securiteam.com/unixfocus/5BP0G00GLK.html

--
RTFM | Follow Me on Google+ | I know 10 people

Billybob

Member #3,136

January 2003

ML: Thank you for the link. I stopped keeping up on BugTraq a long time ago. Too much work.

Matthew Leverton

Supreme Loser

January 1999

Me too, I just typed "Wordpress exploit" in google. (And pressed the search button.)

--
RTFM | Follow Me on Google+ | I know 10 people

BAF

Member #2,981

December 2002

You could also press enter.

BAF.zone | SantaHack!

Thomas Fjellstrom

Member #476

June 2000

In fact, google suggests that

Billybob

Member #3,136

January 2003

Quote:

(And pressed the search button.)

Genius!

James Stanley

Member #7,275

May 2006

I always get stuck with submit buttons.

ImLeftFooted

Member #3,935

October 2003

I only use the feeling lucky button, I'm just that good.

How is my posting?

kazzmir

Member #1,786

December 2001

I never use the "im feeling lucky button". I dont even understand the point of it really. Are people so lazy they cant be bothered to click "search" and then click on the first link? I like to see all my options( at least the first page ) before clicking on something.

Michael Faerber

Member #4,800

July 2004

Quote:

Are people so lazy they cant be bothered to click "search" and then click on the first link?

Just asking such questions shows you don't know how lazy people can get.

--
"The basic of informatics is Microsoft Office." - An informatics teacher in our school
"Do you know Linux?" "Linux? Isn't that something for visually impaired people?"

BAF

Member #2,981

December 2002

If I want to feel lucky, I enter my search term into Firefox's address bar and let FF do the dirty work for me. I'm just that much better than you.

BAF.zone | SantaHack!

Thomas Fjellstrom

Member #476

June 2000

I only use the im feeling lucky feature in konqueror. typing a couple words into (or sometimes a non url) the address bar goes to I'm Feeling Lucky. so it has its uses, sometimes. though that feature doesn't work all that well anymore.

CGamesPlay

Member #2,559

July 2002

For the longest time I thought the "I'm feeling lucky" button was some sort of advert, and never clicked it. I figured it was some gambling-related site or something

--
Tomasu: Every time you read this: hugging!

Ryan Patterson - <http://cgamesplay.com/>

Archon

Member #4,195

January 2004

I use I'm Feeling Lucky if I know which site I want to go to, but not the domain/URL of it... It just means less clicking and waiting.

Though, the only problem with IFL is if the websites' popularity changes...