Famous Bloggers - You've Been Hacked!
Posted: 28 Apr 2011 07:53 PM PDT

If you are one of the many computer users or webmasters who think that they have never been hacked, you should think again! And if you truly believe you are invincible or immune to attacks, well, let's just say, "There is wishful thinking in Hell as well as on Earth" (C.S. Lewis).

Getting hacked is one thing; not being aware of it is another. I could go on and on about the many incidents I personally experienced with clients I consulted for, who were totally unaware of their network or data compromise for months, but for now I'll just stick to an incident we had last night.

Last night, I was asked by Hesham to help him look into some strange server behavior he had been witnessing. The server had been requesting connections to a couple of unrecognized domains, mainly airschk.com. We had to dig deeper into Hesham's web files to finally find a PHP script added at the very top of many of the Apache-served .php files of Hesham's sites. Apparently, the attacker somehow gained FTP access to those particular domains, downloaded the .php files, added the malicious script and uploaded the files back to the server.

Before we all roll up our sleeves here, let's first discuss what the airschk attack (or web bug) does.

What does the airschk attack do exactly?

The malicious code embeds an IMG SRC tag into your web pages that browsers would normally interpret as a .gif image hosted at a remote address. In reality, however, the script collects a lot of information about the target site and its visitors, such as visitor location and IP address; moreover, the code sends massive distributed requests back to Google, for possible future alteration of page/domain rankings.
How do I check if I have been attacked by airschk?

You can use the "grep" or "find" Unix commands to look for the infected files. From your main web server document directory, use the following grep command to list the files and the lines containing the script:
Or, for a more extensive search of the entire machine, listing only the infected files, use the find command together with grep as follows (searching from the root directory "/"). Replace "public_html" with the name of your web server document base directory.
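The grep/find search described above can be reproduced in a small scanner. The following is an added example, not the article's own command: it walks a web root, reads only the first lines of each .php file (the article says the injected script sits at the very top), and reports every line carrying an img tag whose src points at airschk.com. The sample site it builds in a temporary directory, including the payload line, is constructed for the demonstration; the regular expression, the head-line limit and the function names are assumptions of this example.

```python
"""Added example (not the article's grep/find command): scan a web root
for PHP files whose first lines carry an injected remote-image web bug."""
import os
import re
import tempfile

# Indicator of the injection described in the article: an <img src=...>
# pointing at the airschk.com host, inserted at the very top of .php files.
INJECTION_RE = re.compile(
    r'<img\s[^>]*src\s*=\s*["\']?https?://(?:[\w.-]*\.)?airschk\.com/[^"\'\s>]*',
    re.IGNORECASE,
)
HEAD_LINES = 20  # assumption: the injection is within the first 20 lines


def scan_file(path, head_lines=HEAD_LINES):
    """Return (line_number, line_text) for each matching line in the file head."""
    hits = []
    with open(path, "r", encoding="utf-8", errors="replace") as f:
        for lineno, line in enumerate(f, start=1):
            if lineno > head_lines:
                break
            if INJECTION_RE.search(line):
                hits.append((lineno, line.rstrip("\n")))
    return hits


def scan_tree(root, extensions=(".php",)):
    """Walk root and return {relative_path: [(lineno, line), ...]} for infected files.
    Paths are reported with forward slashes regardless of platform."""
    infected = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            hits = scan_file(path)
            if hits:
                infected[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return infected


def build_sample_site(root):
    """Construct a tiny sample site: one clean file, one infected file (constructed data)."""
    os.makedirs(os.path.join(root, "wp-content"), exist_ok=True)
    with open(os.path.join(root, "index.php"), "w") as f:
        f.write("<?php\n// clean WordPress loader\nrequire 'wp-blog-header.php';\n")
    with open(os.path.join(root, "wp-content", "header.php"), "w") as f:
        # Constructed payload shaped like the article's description: a remote
        # "image" pointing at airschk.com, prepended above the real code.
        f.write('<?php echo \'<img src="http://airschk.com/track.gif" width=1 height=1>\'; ?>\n')
        f.write("<?php\n// original theme header follows\n")
    return root


def demo():
    """Build the constructed sample site and return the scan report for it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        return scan_tree(root)


if __name__ == "__main__":
    for path, hits in demo().items():
        for lineno, line in hits:
            print(f"{path}:{lineno}: {line}")
```

Run it against a real document root with `scan_tree("/path/to/public_html")`; limiting the search to the head of each file keeps the scan fast on large sites, but raise HEAD_LINES or drop the limit if you suspect the payload was appended elsewhere in the file.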
The output of the find command above will list all infected filenames.

How can I remove it?

First of all, you need to change your login password NOW. Choose a hard-to-guess password, preferably at least 10 characters long, containing lowercase and capital letters, at least one numeric character and at least one punctuation character. I am currently working on a Linux script that will clean up the infected files. I will post another blog article with details on that as soon as I finish.

How did this happen anyway?

Do you ever use Telnet to remotely manage your server, or maybe FTP to upload files? If you do, then you may want to check your PHP files now, especially if you are using WordPress or a similar CMS. Both Telnet and FTP authenticate in clear text, so it is very likely that your password was captured by the attacker during one of your FTP/Telnet sessions. There are many ways your password could have been compromised; without going into too many technical details, one possibility is that Telnet or FTP traffic was captured in transit between your server and your workstation. Another possibility is that another server/machine in the hosting company's network was compromised and used as a launching pad for sniffing traffic within that network. We actually examined the server's log file, /var/log/messages. Here is a snippet of what we found:
As you can see above, the IP address 76.26.91.229, which comes from West Virginia (not necessarily where the attack actually originated; it could be another machine that was compromised and used as a relay for launching attacks against remote servers), successfully gained FTP access to the machine, downloaded the WordPress files and then uploaded the files back to the server. From the timestamps in the logs, you can easily tell that this is an automated script run by the attacker. This process repeated itself continuously for many other files in other domains running on the server.

Can I prevent similar incidents from happening again?

I hate to break it to you, but the answer is "No". The good news, however, is that there are a few precautions you can take to protect yourself from similar attacks.
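The timestamp reasoning above (a client that downloads a file and re-uploads it seconds later, over and over, is a script, not a person) can be turned into a detection that runs over the FTP server's syslog lines. The following is an added example and not the article's log snippet, which is not reproduced here: the log lines are constructed in an assumed pure-ftpd-style syslog format, with a constructed host name "web1" and user "hesham"; the source IP from the article is used for the automated session and 10.0.0.5 for a normal manual upload. The analysis groups transfers by source IP, pairs each download with a re-upload of the same path within a window, and flags IPs that rewrote several files at machine speed with every file growing in size (an injected prefix makes the file larger). Window sizes and thresholds are assumptions of this example.

```python
"""Added example (not the article's log snippet): flag FTP sessions in syslog
whose download-then-reupload pattern and timing suggest an automated injector."""
import re
from collections import defaultdict
from datetime import datetime

# Assumed pure-ftpd-style syslog format; the article's real snippet is not reproduced.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\spure-ftpd:\s\(\S*@(?P<ip>[\d.]+)\)\s'
    r'\[(?:INFO|NOTICE)\]\s(?P<msg>.*)$'
)
XFER_RE = re.compile(r'^(?P<path>\S+)\s+(?P<op>downloaded|uploaded)\s+\((?P<bytes>\d+) bytes')
YEAR = 2011  # syslog lines carry no year; the article is from April 2011

# Constructed sample log: one scripted session (IP from the article) and one manual one.
SAMPLE_LOG = """\
Apr 27 23:41:02 web1 pure-ftpd: (?@76.26.91.229) [INFO] hesham is now logged in
Apr 27 23:41:03 web1 pure-ftpd: (hesham@76.26.91.229) [NOTICE] /public_html//index.php downloaded  (397 bytes, 12.4KB/sec)
Apr 27 23:41:04 web1 pure-ftpd: (hesham@76.26.91.229) [NOTICE] /public_html//index.php uploaded  (1213 bytes, 40.1KB/sec)
Apr 27 23:41:04 web1 pure-ftpd: (hesham@76.26.91.229) [NOTICE] /public_html//wp-login.php downloaded  (27107 bytes, 210.3KB/sec)
Apr 27 23:41:05 web1 pure-ftpd: (hesham@76.26.91.229) [NOTICE] /public_html//wp-login.php uploaded  (27923 bytes, 315.0KB/sec)
Apr 27 23:41:06 web1 pure-ftpd: (hesham@76.26.91.229) [INFO] Logout.
Apr 28 09:15:10 web1 pure-ftpd: (?@10.0.0.5) [INFO] hesham is now logged in
Apr 28 09:17:44 web1 pure-ftpd: (hesham@10.0.0.5) [NOTICE] /public_html//style.css uploaded  (5120 bytes, 80.0KB/sec)
Apr 28 09:18:01 web1 pure-ftpd: (hesham@10.0.0.5) [INFO] Logout.
"""


def parse_events(text):
    """Return a list of (timestamp, ip, path, op, size_bytes) for each transfer line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        x = XFER_RE.match(m.group("msg"))
        if not x:
            continue  # logins/logouts are not transfers
        ts = datetime.strptime(f"{YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("ip"), x.group("path"), x.group("op"), int(x.group("bytes"))))
    return events


def find_rewrites(events, window_seconds=30):
    """Per source IP, list files that were downloaded and re-uploaded within the window."""
    last_download = {}  # (ip, path) -> (timestamp, size) of the most recent download
    rewrites = defaultdict(list)
    for ts, ip, path, op, size in sorted(events):
        if op == "downloaded":
            last_download[(ip, path)] = (ts, size)
        elif (ip, path) in last_download:
            dl_ts, dl_size = last_download.pop((ip, path))
            gap = (ts - dl_ts).total_seconds()
            if gap <= window_seconds:
                rewrites[ip].append({"path": path, "gap_s": gap, "size_delta": size - dl_size})
    return dict(rewrites)


def suspicious_ips(rewrites, min_files=2, max_gap_s=5):
    """IPs that rewrote several files with machine-speed gaps, each file growing in size."""
    return sorted(
        ip for ip, items in rewrites.items()
        if len(items) >= min_files
        and all(i["gap_s"] <= max_gap_s and i["size_delta"] > 0 for i in items)
    )


if __name__ == "__main__":
    rewrites = find_rewrites(parse_events(SAMPLE_LOG))
    for ip in suspicious_ips(rewrites):
        print(f"{ip}: rewrote {len(rewrites[ip])} files")
        for item in rewrites[ip]:
            print(f"  {item['path']} re-uploaded after {item['gap_s']:.0f}s, +{item['size_delta']} bytes")
```

Feed it your own log with `find_rewrites(parse_events(open("/var/log/messages").read()))`; the two regular expressions are the only part tied to the assumed log format, so adapt them to whatever your FTP daemon writes. A legitimate editing session rarely re-uploads a file within a second of downloading it, which is why the gap threshold separates the two sessions in the sample.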
Hope this article was helpful. As always, your comments and suggestions are welcome.