July 07, 2004

Curious, George: I've been H@x0red! Two of my websites were hacked last week. As far as I can tell, the hackers just changed the index.html file; they didn't alter any other file in my directory. How did they get access to my index file? Should I be worried? How can I prevent this in the future?

One of my sites was a Movable Type site, and all I had to do to fix it was go to MT and click "rebuild site"; all my data was still intact. My other site will take a tiny bit more work to fix, and I haven't yet gotten around to it. A google search for the phrase the hackers displayed ("H4ck3rsBR Ownz - Now FreeBSD 4.10-BETA - S8ldier") turned up a huge list of other, similarly defaced sites, so clearly, this is some massive attack, and not just a personal assault on me.

  • Keep a mirror of your entire site locally, and keep it current. Back up your database regularly, use an unusual password. Report it to your ISP and see if it was actually something at your level or higher up on the actual server (for example, if they got root or admin control and replaced all the scripts in a home directory). Naturally some of this isn't preventable, but having complete and regular backups of everything will make your life much easier in the long run. It's kind of like insurance against this and negligent ISPs (I have had some freak catastrophes with admins mirroring and doing regular tasks where only half of my files were moved or a critical directory was left behind). Also, after doing a Google and an nslookup, it appears that several of those sites have the same IP as the one you linked, making me think it was an ISP-level attack, and not something specifically against you. Maybe consider a different provider. Hope that helps.
  • More specifically, from this search (results edited):
    Name: pamandrob.co.uk  Address: 212.159.8.1
    Name: romfordraiders.co.uk  Address: 213.239.42.130
    Name: timandkathy.co.uk  Address: 212.159.8.1
    Name: cgi.plus.net  Address: 212.159.3.3  Aliases: www.dartingtonmorrismen.org.uk, cgi.bmar
    Name: londonfilter.com  Address: 212.159.8.1
    Name: criticalmass.plus.net  Address: 212.159.3.3  Aliases: www.scarboroughguide.com
    Name: cgi.plus.net  Address: 212.159.3.3  Aliases: cgi.parapadakis.plus.com
    Name: cgi.plus.net  Address: 212.159.3.3  Aliases: www.abortionrights.org.uk
    (sorry for the denseness) Notice anything? 3 IPs for all those sites; the romfordraiders one is from a messageboard. The other 2 IPs are very similar. My guess is either some local user with a shell account might have been compromised by having an easy-to-guess password. My advice in the first post is still good to follow, just in case.
  • I saw the damage before you fixed it, jacob, and I assumed that the heavies from Toblerone had finally tracked you down.
  • After reading LKC's post, I looked in my ISP's support forum, and found a discussion thread from others who have been hacked. It was indeed an attack on my ISP rather than on me personally. There is some debate in the forum over whether the ISP is to blame, or individual users. I know nowhere near enough about the subject to judge, but I'm guessing the answer is "both"--I think the ISP's CGI server has some serious design flaws, but we users should have known that, and therefore taken better security precautions (or taken our business elsewhere.) Looks like it's time to educate myself about properly setting directory permissions. My ISP is plus.net, by the way. I've found them to be an excellent provider of home DSL service, but a poor provider of webhosting services. Anyway, LKC, thanks for the sound advice and the excellent detective work. Henceforth, I shall picture you with a pipe and a deerstalker cap.
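As an added example (not code from the thread or from plus.net), here is the kind of directory-permission audit the poster above says they need to learn: it lists every entry under a web root that other accounts on a shared host could overwrite, which is how a co-tenant on a shared CGI server can replace an index.html, and then strips those bits, the effect of `chmod -R go-w`. The sample web root, file names and modes are constructed for the demo.

```python
import os
import stat
import tempfile


def find_writable_by_others(web_root):
    """Return sorted (relative_path, reason) pairs for every file or directory
    under web_root that is group- or world-writable. On a shared host these are
    the entries another local account could deface without any server exploit."""
    findings = set()
    for dirpath, _dirnames, filenames in os.walk(web_root):
        for full in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            mode = os.lstat(full).st_mode      # lstat: never follow symlinks
            if stat.S_ISLNK(mode):
                continue                       # link bits are not meaningful
            rel = os.path.relpath(full, web_root)
            if mode & stat.S_IWOTH:
                findings.add((rel, "world-writable"))
            elif mode & stat.S_IWGRP:
                findings.add((rel, "group-writable"))
    return sorted(findings)


def strip_shared_write(web_root):
    """Clear the group/other write bits on every finding (keeps all other bits,
    so CGI scripts stay executable). Returns the number of entries changed."""
    changed = 0
    for rel, _reason in find_writable_by_others(web_root):
        full = os.path.join(web_root, rel)
        mode = stat.S_IMODE(os.lstat(full).st_mode)
        os.chmod(full, mode & ~(stat.S_IWGRP | stat.S_IWOTH))
        changed += 1
    return changed


def build_demo_root():
    """Constructed sample web root: a defaceable index.html, a wide-open
    cgi-bin with a group-writable script, and one correctly protected page."""
    root = tempfile.mkdtemp(prefix="webroot_")   # mkdtemp gives 0700
    os.mkdir(os.path.join(root, "cgi-bin"))
    for name, mode in (("index.html", 0o666), ("about.html", 0o644),
                       (os.path.join("cgi-bin", "form.cgi"), 0o775)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("<html>constructed sample</html>\n")
        os.chmod(path, mode)           # chmod, since mkdir/open honour umask
    os.chmod(os.path.join(root, "cgi-bin"), 0o777)
    return root


if __name__ == "__main__":
    root = build_demo_root()
    for rel, why in find_writable_by_others(root):
        print(f"{why:15} {rel}")
    print("fixed", strip_shared_write(root), "entries")
```

Point the audit at your real document root instead of `build_demo_root()`; anything it reports as world-writable is reachable by every other account on the server, not just the web server user.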
  • Oh, and for the uninitiated, Plegmun is referencing (WARNING: SELF LINK) this.
  • egad, toblerone is ubiquitous, ain't it? the tiny shop across from my house sells it, as does the shop in the basement of my office building. should we be worried about this? oh, and bummer about your being hacked. which sounds worse than a hacking cough. or something like that. hope your sites feel better soon!
  • MmMmmMmM Toblerone.
  • I've now fixed my site. If you want to see what the (not-very-interesting) hacked page looked like, here's somebody else's identically hacked page, which hasn't yet been fixed. Sorry about all the typos in my previous posts. I think I need more sleep.
  • dammit.. now I'm going to have to buy a Toblerone later today.
  • Just a dumb question -- why does H@x0red = hacked? I know it's a valid 1337-speak word, but this looks more like "haxored". Even "hackered" isn't a word.
  • roly, i was afraid if i asked that i'd look like a doofus. thank you for looking like a doofus instead. heh.
  • (Oh, stewardess? I speak l33t.) Originally, it comes from phonetically spelling "hacks" as "HAX" or "HAXX" on bulletin boards. (Usage example: DUDEZ COME TO THE MAD PIRATEZ LAIR 4 PIXX AND KOOL HAXX!!!) "Hackers" thus became "HaX0rz" by extension from this (the 0 replacing a phonetic "o" for schwa). Then, pidgin-backwards, "hax0r" became a verb describing the activity of a noun. (Pirates pirate software, I mean, war3z. Hax0rz hax0r sites.) And then from that, the "x0r" seems to have lost its final apparent syllable so that "hax0r" could be pronounced "hak" once again; thus by extension, "sux0r" is pronounced "suk," as in u r t3h sux0r!!! Sometimes you'll see hax0r explained as the x denoting a phonetic chi (χ). I think that's a bit of a reach, considering the source.
  • rolpolyman: obviously you're just not at the linguistic proficiency of most contemporary crackers.
  • goetter: don't forget the rest of my favorite x0r'd words, such as "fux0r", "wanx0r", and my personal favorite, "asshatx0r".
  • And my personal favourite, r0x0r. ^_^
  • Boy, back when I was 133+x0rzed, it was a completely different jargon, before all the x0r'd stuff. We still used 3133+, and a's were done with a 4. Ah, the good old days.
  • goetter, that was rad.
  • curiouas, geroge: i'v3 been h@x0red!!!!!!!!!11~ tw0 0F my ewbsites werw 4hX0rEd 7as w3ek AZ FAR ASI CAN T3LL,, THE HAX0RZ JUST CCHaNGED tEH INEDEX!!!!!!!!!!!!!!!!!!!!!!!!111~~~~~~~ LOLOOOLOLOLOLOLOLOL!!!!!!!!!!!!!!!!!!11 u r lame!!!!!!!!!!!!!!!1~~~ OLOLOLOLO~~~~~ html file; Tehy didn't alter 4nuy toher ilE in my direcTory!!!!!!!!!1 h0w d1d the ygfeet access t0 my index file???????????????? sohuld 1 be \\\\////\\\\////rorrid??????????????? how can ipreveNt this in teh futurr!?!?!?!? ahCk the plannett cause u r lam3~ oollo!!!!!!!!!!!!!!!!!!!!!!!!~~~~~~~ Thanks, Wedge!
  • \/\/3d93 \/\/1|\|5 !!!111!!
  • asshatx0r Oh, that's most excellent. I'm guessing that one doesn't pronounce any of the "x0r" in that. The x0r's like a bay leaf, giving the whole a subtle l33t fl4\/0r. Or maybe not so subtle.
  • Google gets H@x0red, 2 "technology" journalists demonstrate they don't know the difference between a search engine and a server farm.