Home Messages Index
[Date Prev][Date Next][Thread Prev][Thread Next]
Author IndexDate IndexThread Index

Index.php Injected to Site by Cracker

Hi, folks. I am fairly sure I have been cracked. And yet, quite fortunately,
the damage appears to be minimal. I run Apache 1.3.x on a Red Hat server.
Some observations follow.

I assume the file was only injected to a subdirectory under ~/public_html. It
is a PHP index, which supercedes the HTML index in Apache (default
configurations). How it got there I haven't a clue. Don't know how long for
and whether a file exists elsewhere in the site as well. How can this be
avoided? Could it be associated with some locally-installed software? Other
people with the same host or on the same server? Do the details that follow
remind anyone of a common vulnerability?

A quick check reveals the following:

-rw-r--r--    1 schestow schestow      450 Jun  6  2005 index.htm
-rw-r--r--    1 nobody   nobody       1.5K Aug  5 20:58 index.php
-rw-r--r--    1 schestow schestow      32K Oct  1 20:13 resindex.htm

The injected file is the second one.

File contains:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
<title>HaCKeD By_cl24zY</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css">
body {
        background-color: #000000;
body,td,th {
        font-family: Courier New, Courier, mono;
        color: #FF0000;
        font-weight: bold;
.style2 {color: #FFFFFF}
.style3 {font-size: 24px}
.style4 {font-size: 16px}


[[Some Flash stuff omitted ]]]

 <p class="style3">This Page Is Hacked.....!!!!</p>
  <p class="style3">ILLEGAL-ATTACK//TiM</p>
  <p class="style4">HaCKeD By_cl24zY </p>
  <p class="style2"> <span class="style2">~|</span> cl24zY <span
  <p class="style2"> ~| _Ctx_ |~| RocK.HiP |~| El-Nino |~| lsr_cjl |~ ~|
Psikoariza |~</p>
  <p class="style2">&quot;admin@xxxxxxxxxxxx&quot;</p>

[Date Prev][Date Next][Thread Prev][Thread Next]
Author IndexDate IndexThread Index