Hi all. This evening (Sunday about 11PM Central time) I discovered that my site had been defaced yesterday afternoon. After combing through the log files, I found the IP address of the culprit (190.198.254.112).

It's an IP address block in Venezuela. So, I blocked access to the ISP's IP block within my httpd.conf file. Since I'm a belt-and-braces kind of guy, I denied the IP block within my PIX access-list.

Additionally, just for the sake of information, the site that referred the miscreants was zone-h.org (a Drupal powered site lol). I found what looks like proof of their dirty deed on this page http://www.zone-h.org/component/option,com_mirrorwrp/Itemid,160/id,7469311/

So, I added RewriteCond %{HTTP_REFERER} (zone-h\.org) [NC,OR] to my refspam.conf. Where all the naughty referrers traffic gets forwarded to www.pb.org just for fun.

My question is twofold... Can anyone recommend a good cheap/free tool that will help me comb through the log files and try to make sense of how they got in? Secondly, while I've fixed the damage, and no permanent harm was done, I'd like to find out a way to plug this particular hole.

Any suggestions?

Thanks,
Ron Jones

Here's a brief snippet from my access_log file (I can't make heads or tails of it):

jonesfamily.us 190.198.254.112 - - [17/May/2008:10:28:31 -0500] "GET / HTTP/1.1" 301 234 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.8.1.14) Gecko/20080404 sdsadsadsadddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssaaaaaaaaaaaaaaaaa"
www.jonesfamily.us 190.198.254.112 - - [17/May/2008:10:28:31 -0500] "GET / HTTP/1.1" 200 6068 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.8.1.14) Gecko/20080404 sdsadsadsadddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssaaaaaaaaaaaaaaaaa"
www.jonesfamily.us 190.198.254.112 - - [17/May/2008:10:28:32 -0500] "GET /sites/jonesfamily/files/favicon.png HTTP/1.1" 200 2158 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.8.1.14) Gecko/20080404 sdsadsadsadddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssaaaaaaaaaaaaaaaaa"
www.jonesfamily.us 190.198.254.112 - - [17/May/2008:10:28:32 -0500] "GET /modules/book/book.css HTTP/1.1" 200 265 "http://www.jonesfamily.us/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.8.1.14) Gecko/20080404 sdsadsadsadddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssaaaaaaaaaaaaaaaaa"
www.jonesfamily.us 190.198.254.112 - - [17/May/2008:10:28:32 -0500] "GET /modules/node/node.css HTTP/1.1" 200 348 "http://www.jonesfamily.us/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.8.1.14) Gecko/20080404 sdsadsadsadddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssaaaaaaaaaaaaaaaaa"
www.jonesfamily.us 190.198.254.112 - - [17/May/2008:10:28:32 -0500] "GET /modules/system/defaults.css HTTP/1.1" 200 415 "http://www.jonesfamily.us/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.8.1.14) Gecko/20080404 sdsadsadsadddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssaaaaaaaaaaaaaaaaa"
www.jonesfamily.us 190.198.254.112 - - [17/May/2008:10:28:32 -0500] "GET /modules/system/system.css HTTP/1.1" 200 2003 "http://www.jonesfamily.us/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.8.1.14) Gecko/20080404 sdsadsadsadddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssaaaaaaaaaaaaaaaaa"
www.jonesfamily.us 190.198.254.112 - - [17/May/2008:10:28:33 -0500] "GET /modules/user/user.css HTTP/1.1" 200 385 "http://www.jonesfamily.us/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.8.1.14) Gecko/20080404 sdsadsadsadddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssaaaaaaaaaaaaaaaaa"

Comments

Ron Jones

I mistyped (it's late here) Zone-h.org is a Joomla powered site.

gpk

>find out a way to plug this particular hole.
I'm not clear yet where the hole is. It may have been a person or it may have been a script. If they got in the "front door" (i.e. via Drupal) then you should let the security team know ASAP http://drupal.org/security-team. However, AFAIK there are no known security holes in Drupal core 6.2, and if all your contrib modules are up-to-date then the same would apply. But that doesn't stop someone guessing/stealing the password of a user on the site.

Alternatively it may have been a back-door hack - someone may have gained access to your account on the server, or to the database - and modified that directly.

You don't say what they did - "defaced" could mean that they posted a comment, or that they gained access to the admin account of the site and changed various settings and posted new content...

Also have a look in the {watchdog} table. If the user logged in or created a new post then you should see the evidence there.

The extract from your server access log implies that the first hit at 17/May/2008:10:28:31 -0500 had no referrer (see the "-" after "301 234", which means there was a 301 redirect to www.... which contained 234 bytes of data). The only thing looking a bit odd is that the user agent string contains that long sdsasddddd... etc. string at the end... maybe the attacker had been messing around with a plugin to Firefox that lets you modify the user agent. Gecko 20080404 is, I think, Firefox 2.0.0.14.

HTH

gpk
----
www.alexoria.co.uk

Ron Jones

That is what I haven't been able to figure out yet... It's still got me stumped.

ssh isn't enabled from outside, and there aren't any new users (the server's here at my house, so I have full control).

While I am inclined to believe that there was some sort of configuration/permissions error on my part, I can't point to something and say "aha!"

It's possible that it was a weak password issue, though if it was, I'd like to have a copy of that cracking script for a .zip I'm working on ;) as it is pretty fast (password was an 8 letter word with 2 numbers followed by 4 letters again like so: xxxxxxxxNNxxxx).

By "defaced" I mean:

They replaced the title/slogan of the site with their "tag" (KX-T33 Was Here | We are: KX-T33 _ Pablin77 _ 0x0c _ Furtivo _ Sys7ech)

Then, they replaced the title/contents of a blog post with the same sort of stuff, and a nifty little "we hate Bush, we hate Chavez" message (did I mention the IP was from Venezuela?).

Thanks,

Ron Jones

gpk

So did you find anything in {watchdog}? It records all logins and changes to content. Also the {accesslog} table may have clues if statistics.module is enabled. E.g. as you know the site name is stored at admin/settings/site-information ... so can you see references to that URL in {accesslog}? Or in your server's access_log file? If not, then that suggests the attacker wasn't logged in, so maybe they modified the database in a different way, e.g. by directly accessing the MySQL server remotely.

You need to start sniffing ... interrogate your witness. Ask yourself questions. Is PHP properly patched? What about Apache? What about the OS etc. etc. There are many possible routes in, you need to gather evidence and identify the most likely options.

gpk
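gpk's two replies above amount to a triage procedure for the access_log: parse each line, note whether the first hit carried a referrer, flag the padded user-agent string, and look for hits on admin/settings/site-information, user/login or node edit URLs that would show the attacker was logged in. The script below is an added example, not code from the thread; it assumes Apache's combined format with a leading virtual-host field as in Ron's snippet, and its log lines, host name and IPs are constructed placeholders. The function and constant names are hypothetical.

```python
import re
from collections import Counter

# Apache "combined" format with a leading virtual-host field (vhost ip ident user [time] "req" status size "referer" "ua").
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Drupal 6 paths that only a logged-in user would normally hit (clean-URL form).
ADMIN_RE = re.compile(r"^/(admin(/|$)|user/login|node/add|node/\d+/edit)")
# 20 or more identical characters in a row, like the sdsadddd...ssss padding in the thread.
PADDED_UA_RE = re.compile(r"(.)\1{19,}")

def parse_line(line):
    """Split one log line into fields; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec

def normalise_path(path):
    """Map Drupal's non-clean URL form (/?q=admin/...) onto the clean form and drop the query string."""
    if path.startswith("/?q="):
        return "/" + path[4:].split("&", 1)[0]
    return path.split("?", 1)[0]

def triage(lines, min_ua_len=300):
    """Per-IP request counts, login-state evidence (admin/login/edit hits) and odd user agents."""
    report = {"per_ip": Counter(), "admin_hits": [], "odd_ua": set(), "first_hit_no_referer": {}}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines in another format rather than guessing at them
        ip = rec["ip"]
        report["per_ip"][ip] += 1
        report["first_hit_no_referer"].setdefault(ip, rec["referer"] == "-")
        path = normalise_path(rec["path"])
        if ADMIN_RE.match(path):
            report["admin_hits"].append((ip, rec["time"], rec["method"], path, rec["status"]))
        if len(rec["ua"]) > min_ua_len or PADDED_UA_RE.search(rec["ua"]):
            report["odd_ua"].add(ip)
    return report

# Constructed sample log (placeholder host and TEST-NET addresses), modelled on the snippet in the question.
SAMPLE_LOG = """\
www.example.test 198.51.100.7 - - [17/May/2008:10:28:31 -0500] "GET / HTTP/1.1" 200 6068 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.8.1.14) Gecko/20080404 sdsadsadsaddddddddddddddddddddddddddddddddddddssssssssssssssssssssssss"
www.example.test 198.51.100.7 - - [17/May/2008:10:29:02 -0500] "POST /user/login HTTP/1.1" 302 0 "http://www.example.test/user" "Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.8.1.14) Gecko/20080404 sdsadsadsaddddddddddddddddddddddddddddddddddddssssssssssssssssssssssss"
www.example.test 198.51.100.7 - - [17/May/2008:10:29:40 -0500] "POST /?q=admin/settings/site-information HTTP/1.1" 302 0 "http://www.example.test/?q=admin/settings/site-information" "Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.8.1.14) Gecko/20080404 sdsadsadsaddddddddddddddddddddddddddddddddddddssssssssssssssssssssssss"
www.example.test 203.0.113.9 - - [17/May/2008:10:31:05 -0500] "GET /node/12 HTTP/1.1" 200 5120 "http://www.example.test/" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14"
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG.splitlines()).items():
        print(key, value)
```

Run it against the real file with `triage(open("access_log"))`; an IP that appears in `admin_hits` with a 302 on user/login followed by a POST to the site-information page was logged in through Drupal, while an empty `admin_hits` for the attacker's IP supports gpk's alternative of a direct database change.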

vm

You really shouldn't be making this kind of thing publicly known, as if there is a security problem you've just let everyone know where they can go to exploit it.

How To: Report a Security Issue

_____________________________________________________________________
My posts & comments are usually dripping with sarcasm.
If you ask nicely I'll give you a towel : )

Ron Jones

Besides, learning from the mistakes of others, is (or should be) part of the human condition.

My little family site has no personal information or financial records. If someone were to break in and do damage, it would not negatively affect the financial well-being of thousands, or alter the geopolitical landscape. It is rather ordinary and unimportant as far as sites go, and thus probably not a high-priority target.

However, perhaps the astute observer might be smart enough to make changes to his own policies in order to avoid the same hassles.

Ron Jones

vm

Ok, if you don't want to worry about your own site, then think about other users of Drupal 6.2. If someone has managed to find a core vulnerability that you are exposed to, you are now exposing everyone else.

Ignoring the best practice for reporting security issues affects the entire community not just you.
