Hacked website

Malcolms · 12-12-2005, 09:29 AM

Hi

Not sure if I have posted this in the correct place??

Somebody has hacked into a site I manage and has put a page on the server that replaces all the other pages, even the index page, I have checked all the original pages and they are all there and untouched. I have a cgi guestbook running on the site, could this have given access to the hacker, I am reasonably sure they could not have access to the password to enter.
I am using cpanel and have noticed that the page appears when I click on cgimail under the cgi scripts heading.
Any ideas??

Thanks

Malcolm

E-Liam · 12-12-2005, 11:19 AM

Hi Malcolm, and welocme to TSF,

I'm not an expert in hacking..

, but my first suspicion would be that somewhere you have set the chmod permission to full read/write/execute (777) on one or more files. That would be the first thing to check. If you want to PM me with a link, to save anybody being curious, I can try and see what access I can get to it.

Or, if you prefer, check the attributes your self, and see which ones are 777. Having set up the site, you'll probably be in a better poition to know if any seem wrong to you.

Cheers
Liam

Skie · 12-12-2005, 11:33 AM

I would check any and all CGI and PHP scripts that you have on your site. If any of them are out dated/old/not updated, please update them ASAP. Old version of these scripts are a HUGE security risk. All someone needs to do is find an old version of a particular script with a known security hole in it, and they can replace your files, upload what they'd like and even attempt attacking other sites or send spam to make it look like you were guilty.

12-12-2005, 09:29 AM	#1 (permalink)
Malcolms Registered User Join Date: Mar 2005 Posts: 16 OS: xp	Hacked website Hi Not sure if I have posted this in the correct place?? Somebody has hacked into a site I manage and has put a page on the server that replaces all the other pages, even the index page, I have checked all the original pages and they are all there and untouched. I have a cgi guestbook running on the site, could this have given access to the hacker, I am reasonably sure they could not have access to the password to enter. I am using cpanel and have noticed that the page appears when I click on cgimail under the cgi scripts heading. Any ideas?? Thanks Malcolm

12-12-2005, 11:19 AM	#2 (permalink)
E-Liam Manager, On the Web Join Date: Jan 2004 Location: Bracknell, UK Posts: 929 OS: XP	Hi Malcolm, and welocme to TSF, I'm not an expert in hacking.. , but my first suspicion would be that somewhere you have set the chmod permission to full read/write/execute (777) on one or more files. That would be the first thing to check. If you want to PM me with a link, to save anybody being curious, I can try and see what access I can get to it. Or, if you prefer, check the attributes your self, and see which ones are 777. Having set up the site, you'll probably be in a better poition to know if any seem wrong to you. Cheers Liam __________________ My Mother suggested a family outing... so I told her Uncle Bob was gay. (Trevor D.) Never argue with an idiot! They'll bring you down to their level and beat you with experience. --------------------------------------------------------------------------------- A member of the Alliance of Security Analysis Professionals since 2004.

12-12-2005, 11:33 AM	#3 (permalink)
Skie Manager, Alternative Comp Join Date: Mar 2003 Location: Chicago burbs Posts: 2,194 OS: Gentoo Linux, CentOS, OS X My System	I would check any and all CGI and PHP scripts that you have on your site. If any of them are out dated/old/not updated, please update them ASAP. Old version of these scripts are a HUGE security risk. All someone needs to do is find an old version of a particular script with a known security hole in it, and they can replace your files, upload what they'd like and even attempt attacking other sites or send spam to make it look like you were guilty. __________________