Wednesday, January 28, 2009

Battling the Russian Hackers

I've been having an interesting time the past few days dealing with a bot attack on my web site. Don't worry - if you are a customer for my e-learning or anything else that required credit card payment. Your information is not kept on my server. Several months ago I got out of the shopping cart business and went with Volusion is PCI certified and is as secure as it gets.

Also, my Moodle e-learning environment is on a new secure server as well for several months now.

So, here's what happened. I hope this helps someone else defeat these guys.

In early December I noticed that my home page at was no longer an html page, but rather a php page. Also, my htaccess file had been changed to point to this new php file. I called my web host and they didn't know how it had been changed. So, I changed my ftp password and changed things back.

Last week, this happened again and I changed it back again to index.html. The next day the home page was index.php again.

After doing some research I discovered that my old version of Moodle still on the site had vulnerabilities which allowed the attackers to place the first Mad Shell script. So, I deleted every php application on my site. I also got rid of some old cgi scripts.

Then, they messed up. That's why I think it was just script kiddies.

They added a new file, named after one of my other pages, but appended with .php. By listing the main directory in my ftp client, I found the recent change.

I looked at the page source and found an encoded script on the page, which I was able to identify as Mad Shell. Now, this is a powerful script. It allows an attacker to do anything an ftp program can do. If you want to know more about Mad Shell, visit this blog.

I deleted that page, changed my htaccess file back to normal and started watching the server logs.

Sure enough, about 10 hours later, another change!

So I started studying the server logs again. This attack was using a redirect to bounce traffic from Yahoo Slurp through my site and on to a site selling drugs that enlarge things.

I was able to identify exactly when the redirects started happening again in the log and found two deeply embedded files - both newly created as php files. So, I deleted them. They had tried to hide them deep in my folder structure, but sorting by modification date helped find the folders.

Finally, that stopped the attack.

Here are my lessons learned (you may see others - if, please comment):

1) Whenever you introduce an application to a web site you are very likely to also introduce vulnerabilities. This is especially true for php apps and even more true for open source php apps.

2) Don't leave unused apps laying around on the site. I'm the kind of person that doesn't like to throw things away. In this case, I should have!

3) Take those security updates seriously. However, in the case of open source, you may not be notified of a vulnerability. It helps to keep an eye out on the support boards for the apps you use.

4) Keep an eye on your server logs and visitor stats. I have known for some time that bots kept hitting my site, but that's just the deal with bots. Every web site owner deals with bots. However, the server logs can be very revealing.

5) Don't expect much help from the web host. While a couple of people at my web host were informative and helpful, one guy told me to "do a Google search" to learn how to secure my files. I was looking for some specific ideas and his response was one of the most unhelpful. Back in December when I was asking support for reasons why my htaccess file had changed, they didn't have a clue. I would expect a tech support person with about one week of experience to suggest that an attack might be occurring. I think I'm ready to change hosting service providers.

6) Stay vigilant and fight back. These attacks can be defended and defeated.

Now, hopefully, it's on to more productive work!

No comments: