H4cked!

21 February 2008 - 10:36

Yesterday I (somewhat belatedly) updated the version of Pivot in use at The PC Guru to the last version, 1.40.4. In the process I discovered that the site had been hacked. A hacker had exploited a vulnerability in the image uploader present in an older version of the software to upload PHP files containing exec commands, which they had then executed to hack the site. I had not noticed this before, because the calling card they left was simply a file called "hacked.html" leaving the hacker's details and a rude message, and didn't overwrite any other file. In fact, the hack had probably occurred prior to the previous update I did that fixed the vulnerability.

I have a couple of directory sites, Tech Directory and Ham Directory, that use Index Script. Last year many sites using this script were hacked, and in many cases destroyed. The hackers exploited a bug in the script that enabled the MD5 hash of the admin password to be displayed. They then looked up the password itself using one of the many sites that provide this service, after which they were able to log in and trash the directory. My sites were hit dozens of times by would-be hackers. They avoided damage due to a) a modification I had made to the script to show a friendly message in the event of an error, and b) my use of randomly generated passwords that could not be looked up using the reverse-MD5 sites.

These examples illustrate a couple of important points that anyone setting up a site using an off-the-shelf script should take on board. Security sites publish discovered vulnerabilities in scripts, thereby handing the "keys" to any would-be hackers. They only need to use Google to search for the "Powered by xxxx" copyright message that the script author usually insists is left in place to find targets to hack. Therefore you need to be constantly on the ball and in touch with the community that supports your chosen script, so that you know about and install any updates as soon as they are released. Script-based sites may seem like an easy, install-and-forget option, but they are not. If, as in my case, these sites have a low priority and you are always too busy to update them, they can become something of a liability.

The other point is that using words to generate your passwords is a bad idea. Computers are now powerful enough that an MD5 hash is no longer a secure way to protect a password. A password made up of recognisable words is vulnerable to a dictionary-based attack, and its MD5 hash can simply be looked up in a precomputed table. It is a hassle having to use a secure password safe application to look up the gobbledygook password every time I need admin access to a site, but it certainly saved my two directory sites.
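To make that point concrete, here is an added Python illustration (not code from the original post or from either script mentioned above). It builds a tiny constructed word list standing in for the reverse-MD5 lookup tables the post describes, shows that a word-based password's hash is recovered instantly while a randomly generated one is not, and then shows the storage scheme a defender should use instead: a per-user salt and a slow key-derivation function (PBKDF2-HMAC-SHA256 via Python's standard library), which defeats precomputed lookup tables entirely. The word list, password length and iteration count are assumptions chosen for the example.

```python
import hashlib
import secrets
import string
from typing import Dict, Iterable, Optional

# Constructed stand-in for a reverse-MD5 lookup table. Real tables hold many
# millions of dictionary words; the principle is identical at any size.
WORDLIST = ["password", "letmein", "guru", "directory", "welcome", "admin123"]


def md5_hex(text: str) -> str:
    """Unsalted MD5 of a password, as the vulnerable script stored it."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def build_lookup(words: Iterable[str]) -> Dict[str, str]:
    """Precompute hash -> plaintext once; afterwards every lookup is O(1)."""
    return {md5_hex(w): w for w in words}


def lookup_md5(hash_hex: str, table: Dict[str, str]) -> Optional[str]:
    """Return the plaintext if the hash is in the table, else None.
    A defender can run this over their own user table to find weak passwords."""
    return table.get(hash_hex.lower())


def random_password(length: int = 20) -> str:
    """Generate the kind of 'gobbledygook' password a password safe stores.
    secrets (not random) is the CSPRNG-backed module for this purpose."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def hash_for_storage(password: str, salt: Optional[bytes] = None,
                     iterations: int = 600_000) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256. The random 16-byte salt means no
    precomputed table applies; the iteration count (an assumed value here)
    makes each guess expensive. Format: algo$iterations$salt_hex$dk_hex."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_stored(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return secrets.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    table = build_lookup(WORDLIST)
    leaked = md5_hex("password")          # what a leaked admin hash might look like
    print("word-based hash recovered as:", lookup_md5(leaked, table))
    strong = random_password()
    print("random password hash recovered as:", lookup_md5(md5_hex(strong), table))
    stored = hash_for_storage(strong)
    print("stored form:", stored[:40] + "...")
    print("verify correct password:", verify_stored(strong, stored))
    print("verify wrong password:", verify_stored("password", stored))
```

The lookup step is exactly why an exposed MD5 hash was as good as the password itself in the Index Script incident; the PBKDF2 step is what a script author should have been doing instead, and using a salt per user is what makes the reverse-lookup sites useless even for word-based passwords (though a long random password remains the better choice on the user's side).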



