Xiulin IMed me urgently that someone had defaced her blog last night. “OMG! Her blog is on my machine!” I thought, as I started working out how “dodo”[1] managed to do it. My biggest concern was whether he had managed to break other stuff I have on my machine! So after helping her restore her website and making sure nothing else was broken, I started my investigation[2].
The first thing that came to mind was that dodo had somehow managed to break into MovableType or guess her password. But that turned out to be a false start, because nothing in MT or the access log matches the time dodo defaced Xiulin’s blog (4th Sept, 2:50 SGT). The next thing I did was check the system log, and apparently he didn’t break into the machine either. Then I started to look at the Apache log, which is filled with the usual script-kiddie buffer overflow URLs. Of course those won’t work, but it is irritating because it slowed the investigation. But as I scrolled through the logs, I learnt that dodo frequents CyberWarrior and also Cehennem, where he boasts about his defacement achievements. Apparently, it is also recorded in Zone-H, a site that keeps track of website defacements.
And this caught my eye:
81.214.26.244 - - [04/Sep/2004:02:42:13 +0800] "GET /drupal/files/public/yahoo.php?c=img&name=fon&r= HTTP/1.1" 200 831 "http://james.seng.sg/drupal/files/public/yahoo.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
Hmm, I don’t remember having any yahoo.php on my system at all! So I tried to access yahoo.php and bingo! It brings up a sophisticated file manager, with the ability to upload files too. And he managed to upload this yahoo.php onto the system via the D4B demo site, where I allow the public to play with the blogging features, including the upload function.
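The hunt above can be done mechanically: parse the Apache combined log and pull out every request for a script-like file under the upload directory, whatever status it got, then take the earliest hit per source address as the start of that attacker's timeline. The following is an added Python example, not code from the original post or from Drupal. The first sample line is the yahoo.php request quoted above (typographic quotes normalised to ASCII); the other four lines, their addresses and the 26th Aug timestamp for dodo885.asp are constructed for the example, and the upload prefix `/drupal/files/public/` is taken from that same log line.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit

# Apache "combined" log format:
#   host ident user [time] "method target proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Extensions a web server hands to an interpreter instead of serving as bytes.
# .asp is included on purpose: an attacker who assumes IIS will try it anyway,
# and that failed attempt is exactly the early warning worth catching.
SCRIPT_EXTS = {'php', 'php3', 'php4', 'phtml', 'asp', 'aspx', 'cgi', 'pl', 'jsp', 'sh'}


def parse_combined(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec['time'] = datetime.strptime(rec['time'], '%d/%b/%Y:%H:%M:%S %z')
    url = urlsplit(rec['target'])
    rec['path'], rec['query'] = url.path, url.query
    rec['status'] = int(rec['status'])
    return rec


def has_script_ext(path):
    """True if ANY dot-separated segment after the first is executable, so that
    shell.php.jpg is caught as well as shell.php (mod_mime can match handlers per segment)."""
    name = path.rsplit('/', 1)[-1].lower()
    return any(seg in SCRIPT_EXTS for seg in name.split('.')[1:])


def find_upload_dir_scripts(lines, upload_prefix='/drupal/files/public/'):
    """Every request for a script-like file under the upload directory.
    The status code is deliberately ignored: a 404 for shell.php is still a probe."""
    hits = []
    for line in lines:
        rec = parse_combined(line)
        if rec and rec['path'].startswith(upload_prefix) and has_script_ext(rec['path']):
            hits.append({k: rec[k] for k in ('ip', 'time', 'path', 'query', 'status')})
    return hits


def first_seen(hits):
    """Earliest hit per source IP: where each attacker's timeline starts."""
    seen = {}
    for h in hits:
        if h['ip'] not in seen or h['time'] < seen[h['ip']]:
            seen[h['ip']] = h['time']
    return seen


# Constructed sample log. Line 1 is the yahoo.php request from the post (quotes
# normalised); the remaining lines, addresses and the dodo885.asp timestamp are made up.
SAMPLE_LOG = """\
81.214.26.244 - - [04/Sep/2004:02:42:13 +0800] "GET /drupal/files/public/yahoo.php?c=img&name=fon&r= HTTP/1.1" 200 831 "http://james.seng.sg/drupal/files/public/yahoo.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.7 - - [04/Sep/2004:02:40:02 +0800] "GET /drupal/files/public/photo.jpg HTTP/1.1" 200 40213 "-" "Mozilla/5.0"
81.214.26.244 - - [26/Aug/2004:23:11:45 +0800] "GET /drupal/files/public/dodo885.asp HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.9 - - [04/Sep/2004:02:41:00 +0800] "GET /drupal/files/public/shell.php.jpg HTTP/1.1" 404 221 "-" "curl/7.12"
192.0.2.55 - - [04/Sep/2004:01:00:00 +0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 294 "-" "-"
"""

if __name__ == '__main__':
    hits = find_upload_dir_scripts(SAMPLE_LOG.splitlines())
    for h in hits:
        print(h['time'].isoformat(), h['ip'], h['status'], h['path'], h['query'])
    for ip, t in first_seen(hits).items():
        print('first seen', ip, t.isoformat())
```

On the sample, the cmd.exe noise is dropped because it is outside the upload directory, the plain photo.jpg is dropped because nothing in its name is executable, and the three script requests surface, with 81.214.26.244 first seen on 26th Aug rather than at the defacement itself. Run it over the real access log with `find_upload_dir_scripts(open(path))`.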
Ah, silly me. Of course people would try to do that if I open up my upload feature. I should have taken the hint when someone tried to upload an .asp file. Apparently, dodo tried uploading a dodo885.asp file on 26th Aug, but unfortunately for him, it doesn’t work on my machine.
I took a quick look at the .asp and .php files and found they are extremely well written. And given that dodo didn’t even know the difference between IIS and Apache and made no attempt to cover his tracks, I concluded that these are unlikely to have been written by him. In other words, he is just a script kiddie.
Luckily for me, my webserver runs under a different userid, so the damage isn’t a lot. All my other websites and services are intact, and I don’t have any confidential stuff on this machine either. Neither did he have any access to the development D4B (phew), although he did spend some time looking through it.
So I closed the loophole in upload.module, removed the .asp and .php, reversed all the other changes he made and called it a day. Wasted 90 mins, but at least I feel so much better knowing I have closed the door he used to get in.
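The loophole was a public upload form that accepted a .php (and would have accepted an .asp) into a directory the web server executes from. The post does not show what the upload.module fix looked like; the following is an added, generic server-side check in Python, not Drupal code and not the author's patch. It allow-lists the extensions the demo actually needs, rejects an executable extension in any position of the name (so `shell.php.jpg` fails, not just `shell.php`), insists that a file claiming to be an image starts with that image's magic bytes, and throws the client-supplied name away in favour of a random server-chosen one. The allowed set and the magic-byte table are assumptions for the example.

```python
import os
import secrets

# What the demo is meant to accept: allow-list, never a block-list of bad names.
ALLOWED_EXTS = {'jpg', 'jpeg', 'png', 'gif', 'txt'}

# Names Apache with mod_php, or IIS, may execute or treat specially. Checked against
# EVERY dot-separated segment, so a.php.jpg and a.jpg.php are both refused.
EXECUTABLE_EXTS = {'php', 'php3', 'php4', 'php5', 'phtml', 'phps', 'asp', 'aspx',
                   'cgi', 'pl', 'jsp', 'sh', 'htaccess'}

# Leading bytes a genuine file of that type starts with (assumed table for the example).
MAGIC = {
    'jpg': b'\xff\xd8\xff', 'jpeg': b'\xff\xd8\xff',
    'png': b'\x89PNG\r\n\x1a\n',
    'gif': b'GIF8',
}


def validate_upload(filename, content):
    """Return (True, safe_name) or (False, reason).
    The caller stores the bytes under safe_name, never under the name the client sent."""
    # Drop any directory part, including ../ and Windows drive prefixes.
    base = os.path.basename(filename.replace('\\', '/'))
    if not base or base.startswith('.'):
        return False, 'empty or dot-file name'
    segments = base.lower().split('.')
    if len(segments) < 2:
        return False, 'no extension'
    exts = segments[1:]
    if any(e in EXECUTABLE_EXTS for e in exts):
        return False, 'executable extension in ' + base
    ext = exts[-1]
    if ext not in ALLOWED_EXTS:
        return False, 'extension not allowed: ' + ext
    # The extension says image: the bytes must agree.
    if ext in MAGIC and not content.startswith(MAGIC[ext]):
        return False, 'content is not a ' + ext
    # Plain text gets a cheap check for interpreter open tags.
    if ext == 'txt' and (b'<?' in content or b'<%' in content):
        return False, 'script tags in text file'
    # Random server-chosen basename: the client controls neither path nor name.
    return True, secrets.token_hex(8) + '.' + ext


if __name__ == '__main__':
    # Constructed sample uploads: a web shell, a double-extension shell, PHP hiding
    # behind a .jpg name, and a real JPEG header.
    for name, body in [('yahoo.php', b'<?php'),
                       ('shell.php.jpg', b'\xff\xd8\xff'),
                       ('photo.jpg', b'<?php eval($_GET["c"]);'),
                       ('photo.jpg', b'\xff\xd8\xff\xe0JFIF')]:
        print(name, validate_upload(name, body))
```

Name checks alone are not the whole fix. The upload directory should also be one the server will not execute from: store files outside the document root and stream them through a handler, or at least switch script execution off for that directory (Apache with mod_php honours `php_flag engine off` in a per-directory config). And the web server running as its own unprivileged user, as it did here, is what kept a successful shell upload from becoming a machine compromise.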
Oh yeah, thanks for the asp and php file browser! Definitely comes in handy sometimes. :-)
[1] “dodo” is the handle of the script kiddie, not that I gave it to him, hor. For those who don’t know Singlish, we use the terms “gondo” and “dodo” to refer to an idiot.
[2] This is the 2nd time I have been defaced on the Internet. The last time was back in 1995, when my pobox service was defaced. But back then, the damage was larger and the guy was a solid hacker (not just a script kiddie) using some pretty impressive X-windows technique.