[nycphp-talk] Need some understanding about a hacker attack...

mikesz at qualityadvantages.com mikesz at qualityadvantages.com
Sat Oct 11 08:51:37 EDT 2008


Hello NYPHP,

  One of my sites went down yesterday with "Out of Bandwidth". When I
  checked into it, a badguy had hijacked an application folder called
  /xml that usually contains one php file that serves the application
  menu system. I have no idea why the software developer chose this
  method. The /xml folder is read only (and has always been read only).
  Yesterday, in addition to the single php file, /xml contained a
  subfolder called odg which contained a porn distribution application
  with thousands of images that it was serving the planet through
  mediacatch.com and myhostdyn.com among others. I have no idea how
  the badguy got in and my ISP doesn't have a clue either. I got them
  to delete the junk because the badguy used a Unix system account to
  create the junk and I was unable to delete it with the permissions I
  have.

  Now with that gone, I decided to add a .htaccess file to further
  restrict access to the /xml folder but when I did, the .htaccess
  file does not respond at all. Here is what I put in there:

Options -Indexes

order deny,allow

<files "*.*">
Deny from All
</files>

<files "*.*">
Allow from 127.0.0.1 localhost
</files>

I expected that if I tried to access that folder directly that I would
get a 403 but instead I got the application intro screen?

I checked my test system also and when I do a directory listing of the
/xml folder, it shows me the content of the folder, which is yet
another unexpected outcome.

The question I have is: does a folder named /xml have any special
status or significance on a linux box that would cause it to act
differently than, say, an /includes folder that usually generates a
blank screen?

Any clues would be greatly appreciated. Notice that I haven't gotten
into the hack at all, no idea how it happened and the ISP is really
vague about what might have happened but is pointing the finger at my
app and, of course, his server is completely secure. BTW, it's a shared
server. My guess is that the bad guy ripped off the system account and
ran amok on it but nobody is even hinting that this could be a
possibility, to the contrary. Getting back to the /xml, why would I be
getting the bizarre behavior from it?

TIA

-- 
Best regards,
 mikesz                          mailto:mikesz at qualityadvantages.com
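As an added illustration (not part of the original post), here is a small POSIX shell script that audits a folder such as /xml against a manifest of the files it is supposed to hold and flags anything else, which is how a stray odg subfolder would be caught early; it also lists entries not owned by the expected account, since the post says the junk was created under a different Unix account. The directory tree, manifest and owner name it checks are constructed for the demo.

```shell
#!/bin/sh
# Print every file and directory below $1 (relative path, hidden entries
# included) that is not listed, one name per line, in the manifest file $2.
unexpected_entries() {
    dir=$1
    manifest=$2
    (cd "$dir" && find . -mindepth 1 | sed 's#^\./##' | sort) |
    while IFS= read -r entry; do
        grep -qxF -- "$entry" "$manifest" || printf '%s\n' "$entry"
    done
}

# Print every entry below $1 whose owner is not the account named in $2.
# A file created by some other system account is a red flag on a folder
# that the site owner treats as read only.
foreign_owner_entries() {
    find "$1" -mindepth 1 ! -user "$2"
}

# Build a constructed tree resembling the post: /xml should hold only
# menu.php and the .htaccess, but an "odg" subfolder has appeared.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/xml/odg/img"
    : > "$root/xml/menu.php"
    : > "$root/xml/.htaccess"
    : > "$root/xml/odg/index.php"
    : > "$root/xml/odg/img/0001.jpg"
    printf '%s\n' menu.php .htaccess > "$root/manifest.txt"
    unexpected_entries "$root/xml" "$root/manifest.txt"
    rm -rf "$root"
}

# Same tree, but the ownership check; everything here was created by the
# current user, so with the right account name this prints nothing.
demo_owner() {
    root=$(mktemp -d)
    mkdir -p "$root/xml/odg"
    : > "$root/xml/menu.php"
    foreign_owner_entries "$root/xml" "$(id -un)"
    rm -rf "$root"
}

demo
demo_owner
```

Run it against the real folder with `unexpected_entries /path/to/xml manifest.txt` after writing the one expected php file (and the .htaccess) into the manifest; an empty result means nothing has been added.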