
 

Welcome to the Virus.Org Mailing List Archive




Re: Hacked by aLpTurkTegin, help patching this hole

  • To: Mifa <[EMAIL PROTECTED]>
  • Subject: Re: Hacked by aLpTurkTegin, help patching this hole
  • From: Danux <[EMAIL PROTECTED]>
  • Date: Thu, 22 May 2008 11:45:45 -0500
  • Cc: [EMAIL PROTECTED]
  • In-reply-to: <[EMAIL PROTECTED]>
  • References: <[EMAIL PROTECTED]>
 
Hi,

Well, when using PHP apps, it's common to find flaws related to what
is called LFI (Local File Inclusion). There are a lot of cases in
phpMyAdmin, Mambo, Joomla, and so on. Also, if you have your own
applications written in PHP, you should try to avoid this.

There are a lot of flaws related to PHP, and as I mentioned, if you
have LFI bugs, it's almost a fact that your site will be hacked.
Try to see in your error_log from Apache if there is PHP code inserted
into it. It's common to insert things like <?
stripslashes(passthru($cmd)) ?> to bypass magic_quotes_gpc.

But the best thing to do is to analyze your sites with some tools
like Acunetix, nikto, and code review, and patch all bugs found.

Hope this helps.


On Tue, May 20, 2008 at 7:46 AM, Mifa <[EMAIL PROTECTED]> wrote:
> Our website was defaced by aLpTurkTegin.  We are running Apache, PHP, etc.  Does anyone know how this hacker is getting in and what I can do to prevent this?
>
> Our main web directory had all but one file deleted and hackedIndex.php, a.asp (a 0 byte file) and trustscn_put_test2 were placed into the main directory.  The fact that the webserver served hackedindex.php makes me think it's an Apache web server flaw.
>
> Any comments, suggestions?
> Thanks, -D



-- 
Danux, CISSP, OSCP, ISO27001
Offensive Security Consultant
Macula Security Consulting Group
www.macula-group.com
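
The error_log check suggested in the reply above, as an added example that is not part of the original message: it flags log lines containing a PHP open tag, including URL-encoded ones, and lists any execution functions seen on that line. The function watchlist and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# "<?" opens PHP code; "<?xml" is a normal XML prolog and is ignored.
PHP_TAG = re.compile(r"<\?(?!xml)", re.IGNORECASE)
# Assumed watchlist of PHP execution functions; extend to suit your code base.
EXEC_CALL = re.compile(
    r"\b(passthru|system|shell_exec|exec|popen|proc_open|eval|assert)\s*\(",
    re.IGNORECASE,
)

def decode(line, rounds=2):
    """Undo up to `rounds` layers of URL-encoding so %3C%3F is seen as '<?'."""
    for _ in range(rounds):
        decoded = unquote(line)
        if decoded == line:
            break
        line = decoded
    return line

def scan(lines):
    """Return (line_number, [execution functions seen]) for lines holding a PHP tag."""
    findings = []
    for number, raw in enumerate(lines, 1):
        text = decode(raw)
        if PHP_TAG.search(text):
            calls = sorted({m.group(1).lower() for m in EXEC_CALL.finditer(text)})
            findings.append((number, calls))
    return findings

# Constructed sample lines in Apache error_log style (not from a real server).
SAMPLE = [
    "[Thu May 22 10:01:12 2008] [error] [client 192.0.2.10] File does not exist: /var/www/html/favicon.ico",
    "[Thu May 22 10:02:40 2008] [error] [client 192.0.2.77] File does not exist: /var/www/html/<? stripslashes(passthru($cmd)) ?>",
    "[Thu May 22 10:02:41 2008] [error] [client 192.0.2.77] File does not exist: /var/www/html/%3C%3F%20passthru(%24cmd)%20%3F%3E",
    "[Thu May 22 10:03:00 2008] [error] PHP Warning: bad feed prolog <?xml version='1.0'?> in /var/www/html/rss.php on line 12",
]

if __name__ == "__main__":
    for number, calls in scan(SAMPLE):
        print(f"line {number}: PHP tag in log, calls: {', '.join(calls) or 'none'}")
```

To check a real log, pass an open file object to scan(), since it accepts any iterable of lines.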
