
Hacked on Sep 26 ~ 8:04 AM EST

Posted: Wed Sep 27, 2006 1:54 pm
Author: jwernerny
Hello everyone,

It looks like there may be some newly exploited vulnerabilities out there. This morning, before going to work, I did some maintenance of my forum (cleaned out spam users, etc.). I then went to work. Later in the day, I got an e-mail from a friend saying he couldn't get to the forum. I checked, and I was only getting blank pages. At lunch, I submitted a help ticket to my host (wb-hosting), and they got everything working.

What they found was interesting: every chmod 666 or 777 php file had had the "?>" removed from the end. They were able to patch everything back up fairly quickly.

I then found that it is very easy to use hacking tools to find writable files. It is even easy to use them to modify those files, like making them all write protected again.

So, a word to the wise, make sure _ALL_ of your permissions are set correctly.

BTW, it looks like they hit a bunch of sites on that host.

- John
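
Editor's added example (not part of the original post, and not the host's own tooling): one way to audit a web root for the world-writable PHP files described above (modes such as 666 or 777) and to remove the group/other write bit. The function names and the web root path are assumptions, and file names containing newlines are not handled.

```shell
#!/bin/sh
# Added example: audit a web root for world-writable PHP files (e.g. 666/777).
# Function names are hypothetical; pass your own document root as the argument.

# Print every regular .php file under $1 that has the "other write" bit set.
list_world_writable_php() {
    find "$1" -xdev -type f -name '*.php' -perm -002 -print | sort
}

# Remove group/other write from those files (666 -> 644, 777 -> 755).
# Owner bits and execute bits are left alone. Prints the number of files changed.
tighten_world_writable_php() {
    root=$1
    count=0
    # Write the list to a temp file so the loop runs in this shell
    # and $count survives (a pipeline would run the loop in a subshell).
    list=$(mktemp) || return 1
    list_world_writable_php "$root" > "$list"
    while IFS= read -r f; do
        chmod go-w -- "$f" && count=$((count + 1))
    done < "$list"
    rm -f -- "$list"
    echo "$count"
}

# Report-only mode when a path is given: sh audit.sh /path/to/webroot
if [ -n "${1:-}" ]; then
    list_world_writable_php "$1"
fi
```

Run the report first and review it before tightening; some applications expect specific cache or upload files to stay writable by the web server user.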

Re: Hacked on Sep 26 ~ 8:04 AM EST

Posted: Wed Sep 27, 2006 2:55 pm
Author: Drop-Forged
It could be that they hacked the host Server through another site, and then did the damage to other sites once they took control of the Server.

Not saying that is what happened, just a possibility…

Posted: Thu Sep 28, 2006 4:31 am
Author: Michaelo
If the other sites on the server that were hacked are phpBB based, I would suspect hacking; however, if the sites were mixed, I would suspect the server was hacked... Hard to tell... I assume the server is Linux based?