ardmhacha
Hangin' Around
Joined: Jan 26, 2004
Posts: 30
Location: Ireland
Posted: Sat Feb 04, 2006 4:25 am

My website has been hacked this morning. The homepage was defaced by Biyo-Security-Team. The URL is www.orchardcounty.com. I have phpnuke 7.6 patched with 3.1 - I had a quick search on Google but there is not a lot of reference to this. I have replaced the index.php file, which has resolved the issue on a temporary basis, although a few things are missing.
Guardian2003
Site Admin
Joined: Aug 28, 2003
Posts: 6799
Location: Ha Noi, Viet Nam
Posted: Sat Feb 04, 2006 4:48 am

Whilst the 'patched' series goes a long way toward securing the code there are some vulnerabilities that may still be exploited.
I take it from this attack that you did not have Nuke Sentinel installed?
sting
Involved
Joined: Sep 23, 2003
Posts: 456
Location: Somewhere out there...
Posted: Sat Feb 04, 2006 7:29 am

First thing I would tell anyone is to take advantage of renaming your admin.php file. I have a suspicion that goes a long way towards preventing a number of these hacks, especially generic script kiddie ones.
-sting
ardmhacha
Posted: Sat Feb 04, 2006 7:34 am

I'm running NukeSentinel 2.4.2 but they still got in. I haven't time to look further into it at the moment.
hitwalker
Sells PC To Pay For Divorce
Posts: 5661
Posted: Sat Feb 04, 2006 7:53 am

Well, I'm having a hard time believing this...
It should mean that they bypassed Sentinel for the first time... and went directly towards the admin?
sting
Posted: Sat Feb 04, 2006 7:59 am

Have any log file entries of the hack? What happened - how did they hack your site (what was changed, etc.)?
-sting
sting
Posted: Sat Feb 04, 2006 8:00 am

What version of the phpBB forum are you using?
I noticed the tagline
phpBB port v2.1 based on Tom Nitzschner's phpbb2.0.6 upgraded to phpBB 2.0.4 standalone was developed and tested by:
which seems like it was an older version...
-sting
Guardian2003
Posted: Sat Feb 04, 2006 8:32 am

Also, although you are using Sentinel, you might want to check all your 'blocker' settings.
ardmhacha
Posted: Sat Feb 04, 2006 9:00 am

index.php was replaced, defacing the homepage by pointing it to http://www.deranged-genius.net/
I had Sentinel set to email, block and forward in all areas except the scripting blocker settings and flood blocker settings, which were set to email admin. I only changed the scripting one to this the other day, having read something on it saying this was sufficient. I overwrote the Sentinel files recently as I was having problems with AOL users being blocked, but I doubt this was the cause. I will look into the forum version.
hitwalker
Posted: Sat Feb 04, 2006 9:34 am

Well, I have my doubts, ardmhacha.
The only qualified people who can say anything about this or what happened are Raven and Bob (but he's not around at this moment).
Still, I don't believe this, because it would mean that they beat Sentinel, and that's never happened before... and never will...
But from what you're saying, your index.php was edited, and that can only happen if it was writable.
Guardian2003
Posted: Sat Feb 04, 2006 1:16 pm

There have been similar cases in the past where the index.php file has been amended / overwritten, but of all the cases I have seen, none of them were using Sentinel.
ardmhacha
Posted: Sat Feb 04, 2006 1:18 pm

I checked the CHMOD on index.php and it's 644. With regards to phpBB, I was running 2.0.18 but I have since upgraded to 2.0.19 (is there a way of changing the tagline?). I looked at the logfiles and, to be honest, I can't see anything obvious, although I'm not exactly sure what I'm looking for. I have also applied the latest Sentinel patch, so I am now running NukeSentinel_v2.4.2pl3.
Just one other thing: am I right in saying that it is OK to remove the nsnst_installer directory after Sentinel has been installed/upgraded?
I appreciate all your help and advice on this.
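A way to widen the writability check beyond a single file. This is an added example, not code posted in the thread: it audits a web root for world-writable files and for files that sit inside world-writable directories, because a file at mode 644 can still be replaced (unlink and re-create) by anyone who can write its parent directory. The sample tree, its modes and the two deliberate mistakes in it are constructed for the demo; the script assumes a POSIX shell with find, sed and mktemp.

```shell
#!/bin/sh
# Added example, not from the thread: audit a PHP-Nuke web root for anything
# the web server process could write to. A file at mode 644 can still be
# *replaced* (unlink + create) when its parent directory is writable, so the
# directory modes matter as much as the file modes.

# Constructed sample tree under a temp dir, with two deliberate mistakes.
make_sample_root() {
    root=$(mktemp -d)
    mkdir -p "$root/modules/spchat" "$root/images"
    printf '<?php /* home */ ?>\n'  > "$root/index.php"
    printf '<?php /* admin */ ?>\n' > "$root/admin.php"
    printf '<?php /* chat */ ?>\n'  > "$root/modules/spchat/index.php"
    printf 'GIF89a\n'               > "$root/images/logo.gif"
    chmod 755 "$root" "$root/modules" "$root/modules/spchat"
    chmod 644 "$root/index.php" "$root/admin.php" "$root/images/logo.gif"
    chmod 666 "$root/modules/spchat/index.php"   # mistake 1: world-writable file
    chmod 777 "$root/images"                      # mistake 2: world-writable directory
    printf '%s\n' "$root"
}

# Every file or directory below the root with the world-write bit set, as
# root-relative paths. This is the coarse check: whether PHP runs as the
# account user or as a shared 'nobody' user, world-writable is wrong either way.
find_world_writable() {
    find "$1" -perm -002 -print | sed "s|^$1/||" | sort
}

# Files that are themselves read-only but sit in a world-writable directory:
# whoever can write the directory can swap the file out regardless of its 644.
find_replaceable_files() {
    root=$1
    find "$root" -type d -perm -002 -print | while read -r d; do
        find "$d" -type f ! -perm -002 -print
    done | sed "s|^$root/||" | sort -u
}

# Demo when run directly.
demo_root=$(make_sample_root)
echo "world-writable:";      find_world_writable "$demo_root"
echo "replaceable via dir:"; find_replaceable_files "$demo_root"
rm -rf "$demo_root"
```

Run it against the real document root instead of the constructed tree by calling the two functions with that path; anything in the second list deserves the same attention as the first, even though a plain `ls -l` on the file shows 644.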
Guardian2003
Posted: Sat Feb 04, 2006 2:23 pm

Yes, you can remove that directory.
Would you be willing to give me admin access to your site/cpanel?
Please PM me.
montego
Site Admin
Joined: Aug 29, 2004
Posts: 9457
Location: Arizona
Posted: Sat Feb 04, 2006 2:26 pm

ardmhacha, yes, yes, yes... remove the installer AND directory immediately upon successful install!
I, too, have a difficult time thinking they got past Sentinel. It is usually some form of chat tool or a tool / mod which allows uploading files to your site.
HOWEVER, if you find more specific information regarding this hack (such as the exact URL they used to initiate the original break-in), please PM the information instead of posting it out in the open here. Any one of the moderators and/or admins here will pass the info along to those who are very experienced at analyzing these and plugging the holes.
Thanks!
hitwalker
Posted: Sat Feb 04, 2006 2:36 pm

lol... montego, they use or did use a chat...
btw.. remember spchat?
Look here: http://www.spchat.org/modules.php?name=Content&pa=showpage&pid=1
ardmhacha
Posted: Sat Feb 04, 2006 3:03 pm

Guardian,
I have PM'd you.
Hitwalker/Montego,
You may not be too far off the mark. I have spchat installed but I never use it, although there was no reference to it in today's logs. I will remove it, but only after Guardian has had a look.
Thanks for everything.
Barry
montego
Posted: Sat Feb 04, 2006 3:05 pm

ardmhacha, you're in good hands...
hitwalker
Posted: Sat Feb 04, 2006 3:06 pm

Yeah, I figured that... I looked and searched in your forum whether chat was mentioned, and it was.
You should really delete it; that doesn't have to be verified by anyone....
sting
Posted: Sat Feb 04, 2006 3:29 pm

Quote:
> I, too, have a difficult time thinking they got past Sentinel. It is usually some form of chat tool or a tool / mod which allows uploading files to your site.

To paraphrase...
"Don't be so proud of this technological terror you've constructed... the ability to protect a website is insignificant next to the power of bored script kiddies."
Sentinel is the best package I have seen to date at blocking out the wannabes, but there are some things even Sentinel won't protect against. To say a site will never be hacked with Sentinel is certainly wrong - especially if they go behind the scenes at the *nix level.
Don't get me wrong. I LOVE Sentinel. You MUST have Sentinel if you have Nuke.
I would be very interested in seeing the log files from the box itself...
-sting
montego
Posted: Sat Feb 04, 2006 6:06 pm

sting, I was just "playing the odds" here, in that we usually find some other module, like spchat, coppermine, etc. that is "vulnerable" and "active"... as you can see, we were, most likely, dead on.
However, as sting says, there is nothing better than slinging through your raw logs and finding out exactly how they got in!
kguske
Site Admin
Joined: Jun 04, 2004
Posts: 6437
Posted: Sun Feb 05, 2006 9:37 am

ardmhacha wrote:
> index.php was replaced

Can you explain how this was done? Was the index.php file itself altered? Was some data (e.g. a footer message) changed?
Also, I noticed you are using admin authentication, which has proven to be very effective against attacks on admin.php. Was this on prior to the attack?
ardmhacha
Posted: Sun Feb 05, 2006 12:14 pm

kguske,
Sorry, I don't know how it was done. I had the admin authentication in place before this happened.
The content of the index.php file following the hack was as follows:

```html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<!-- saved from url=(0056)http://www.zone-h.org/defaced/2005/01/02/www.nap.org.pk/ -->
<HTML><HEAD><TITLE>[Biyo-Security] Group</TITLE><!--asd -->
<META http-equiv=Page-Enter content=RevealTrans(Duration=5,Transition=12)>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2900.2722" name=GENERATOR></HEAD>
<BODY text=#777777 bgProperties=fixed bgColor=#000000 topMargin=0 rightMargin=0>
<CENTER><BR>
<P></P><BR>
<P></P><BR>
<P></P><BR>
<P></P><BR>
<P></P><BR>
<P></P><BR>
<P></P><BR></CENTER>
<P>
<CENTER><FONT face=verdana color=#555555 size=5>[Biyo-Security-Team]</FONT></CENTER>
<P>
<CENTER><FONT face=verdana color=#555555
size=2>bst@bsdmail.com</FONT></CENTER>
<CENTER><FONT face=verdana color=#00ff00 size=2>CodeXpLoder'tq<BR></FONT></CENTER></BODY></HTML>
<CENTER>www.biyosecurity.be<BR>
<P></P><BR>
<P></P><BR>
<P></P><BR>
<P></P><BR>
<P></P><BR>
<P></P><BR>
<P></P><BR></CENTER>
<P>
```

I just replaced this with the index.php file from chatserv's 7.6, 3.1 patched, and everything was back to normal.
Guardian,
I emailed the zipped log files to you but they bounced back.
kguske
Posted: Sun Feb 05, 2006 1:23 pm

Without seeing the logs, it looks like FTP / cPanel access. I'd suggest changing your cPanel and database passwords, and make sure you have an additional database user and password for Nuke - don't use the account user and password.
It doesn't appear to be database access, which is what NukeSentinel protects (unless, as others have pointed out, there are modules / functions that do not use standard PHP-Nuke database access).
kguske
Posted: Sun Feb 05, 2006 1:27 pm

Also, check to see if other files were changed (look at file dates).
Did you contact the "team" to see if they would tell you how they did it? It looks fairly benign (i.e. not the typical immature script kiddie), except possibly to drum up some security business. Depending on the response, you can determine whether or not to contact the appropriate authorities with the information you have from your logs and the file itself.
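Two ways to do the "look at file dates" check, as an added example that is not code from the thread: list the files modified after a reference time, and compare file hashes against a manifest taken from a known-good copy (a fresh patched tree, for instance), which also catches files whose dates were reset with touch. The sample site, its January 2006 timestamps and the simulated defacement are constructed; the script assumes a POSIX shell with find, comm, touch -t and one of sha256sum, shasum or cksum.

```shell
#!/bin/sh
# Added example, not from the thread: answer "were any other files changed?"
# after a defacement. File dates are quick, but an intruder can reset them;
# a hash manifest taken from a known-good copy catches that too.

# Constructed sample site under a temp dir, back-dated to 15 Jan 2006.
make_sample_site() {
    root=$(mktemp -d)
    mkdir -p "$root/modules/spchat"
    printf 'original index\n' > "$root/index.php"
    printf 'original admin\n' > "$root/admin.php"
    printf 'chat module\n'    > "$root/modules/spchat/index.php"
    find "$root" -type f -exec touch -t 200601150000 {} +
    printf '%s\n' "$root"
}

# Constructed stand-in for the attack: overwrite index.php and drop a new file.
simulate_defacement() {
    printf 'defaced\n' > "$1/index.php"
    printf 'dropped\n' > "$1/modules/spchat/shell.php"
}

# Strongest hash available on the box; cksum (a CRC) is only a last resort.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum < "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then shasum -a 256 < "$1" | cut -d' ' -f1
    else cksum < "$1" | cut -d' ' -f1
    fi
}

# Check 1: files modified after a reference time (touch -t format, CCYYMMDDhhmm).
files_newer_than() {
    root=$1
    ref=$(mktemp); touch -t "$2" "$ref"
    find "$root" -type f -newer "$ref" | sed "s|^$root/||" | sort
    rm -f "$ref"
}

# Baseline manifest: one "hash path" line per file, paths relative to the root.
make_manifest() {
    (cd "$1" && find . -type f | sort | while read -r f; do
        printf '%s %s\n' "$(hash_file "$f")" "${f#./}"
    done) > "$2"
}

# Check 2: paths whose hash differs from the manifest, plus added or removed files.
diff_manifest() {
    now=$(mktemp); a=$(mktemp); b=$(mktemp)
    make_manifest "$1" "$now"
    sort "$2" > "$a"; sort "$now" > "$b"
    comm -3 "$a" "$b" | awk '{ print $NF }' | sort -u
    rm -f "$now" "$a" "$b"
}

# Demo when run directly.
site=$(make_sample_site); base=$(mktemp)
make_manifest "$site" "$base"
simulate_defacement "$site"
echo "modified since 4 Feb 2006:"; files_newer_than "$site" 200602040000
echo "differs from manifest:";     diff_manifest "$site" "$base"
rm -rf "$site" "$base"
```

The manifest is only as good as the copy it was taken from: take it from a clean install or an archived backup, not from the live tree after the defacement, and keep it somewhere the web server cannot write.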
kguske
Posted: Sun Feb 05, 2006 1:29 pm

Sorry for the multiple replies, but I was rereading the earlier discussion and noticed SPCHAT... It's quite possible that they could have accessed it that way. Check your referers to see if anyone found your site by searching on that...
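At the shell level, the referer check amounts to pulling the SPChat-related lines out of the raw access log. The following is an added example, not code from the thread: it assumes the Apache combined log format that cPanel raw access logs use, and the log lines, the client addresses (documentation ranges) and the hostname www.example.com are constructed, not taken from the site discussed above.

```shell
#!/bin/sh
# Added example, not from the thread: find who reached a module, how they
# found it (external referers), and what else they did, from a combined-format
# access log. Fields are split on the double quote: $1 = "ip - - [time] ",
# $2 = request line, $4 = referer, $6 = user agent.

# Constructed log for the demo (documentation IPs, made-up requests).
sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
203.0.113.5 - - [04/Feb/2006:03:58:12 +0000] "GET /modules.php?name=SPChat HTTP/1.1" 200 5120 "http://www.google.com/search?q=inurl:spchat" "Mozilla/4.0"
203.0.113.5 - - [04/Feb/2006:03:59:40 +0000] "POST /modules.php?name=SPChat&file=index HTTP/1.1" 200 312 "http://www.example.com/modules.php?name=SPChat" "Mozilla/4.0"
203.0.113.5 - - [04/Feb/2006:04:01:05 +0000] "GET /index.php HTTP/1.1" 200 1900 "-" "Mozilla/4.0"
198.51.100.7 - - [04/Feb/2006:04:10:01 +0000] "GET /index.php HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Feb/2006:04:10:09 +0000] "GET /modules.php?name=Forums HTTP/1.1" 200 30100 "http://www.example.com/index.php" "Mozilla/5.0"
EOF
    printf '%s\n' "$f"
}

# Requests whose request line mentions the term (case-insensitive): "ip time request".
module_hits() {
    awk -F'"' -v t="$2" 'BEGIN { t = tolower(t) }
        index(tolower($2), t) > 0 { split($1, a, " "); print a[1], substr(a[4], 2), $2 }' "$1"
}

# Unique client addresses that touched the module, for follow-up.
ips_for() {
    module_hits "$1" "$2" | awk '{ print $1 }' | sort -u
}

# Distinct external referers (not our own host) mentioning the term:
# how visitors, friendly or not, found the module.
external_referers() {
    awk -F'"' -v t="$2" -v h="$3" 'BEGIN { t = tolower(t); h = tolower(h) }
        { r = tolower($4) }
        r != "-" && index(r, t) > 0 && index(r, h) == 0 { print $4 }' "$1" | sort -u
}

# Everything one client did, in log order, to reconstruct the session
# leading up to the change you are investigating.
session_of() {
    awk -F'"' -v ip="$2 " 'index($1, ip) == 1 { split($1, a, " "); print substr(a[4], 2), $2 }' "$1"
}

# Demo when run directly.
log=$(sample_log)
echo "hits on SPChat:";    module_hits "$log" spchat
echo "external referers:"; external_referers "$log" spchat www.example.com
for ip in $(ips_for "$log" spchat); do
    echo "session of $ip:"; session_of "$log" "$ip"
done
rm -f "$log"
```

Point the functions at the real raw log (cPanel keeps them under the account's logs directory) and use the site's own hostname as the third argument to external_referers; the session listing for each address is what tells you whether a visit to the chat module was followed by anything that should not have been possible.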