The story of one hack
I am the administrator of a small site, and I want to tell you an interesting story.
Yesterday our site was infected. Using an exploit, the attacker uploaded a resident script and prepended code that calls it to every executable file. The weak point was an old version of the Coppermine gallery with a leaky script (mea culpa, I did not keep it up to date). The attacker used classic Google hacking to find the gallery.
The sequence of actions is well thought out, and proving a crime is difficult. From a German IP (217.20.118.150, apparently a rented server) the gallery version was probed, then a loader script was uploaded through the hole in the script. From the same German IP the loader was requested over HTTP, which caused it to execute on our site. The running loader fetched the resident script copper.txt from the server at IP 78.157.140.3 (accessed by IP, not by name), unpacked it and wrote it, already in PHP form, into one of the folders where writing is allowed, and then wrote the code calling it (also packed) into the first line of every PHP file. After that the loader cleaned itself up (I do not know whether the script is still visible on the German server from the Internet; no copy of it is left on our server). From then on, opening any page that uses PHP launches the resident script, which requests executable code from the server at nomcen.biz (the domain currently resolves to the same IP, 78.157.140.3). There was a syntax error in the prepended line in each file, so the site simply served blank pages (the error message was swallowed because of ob_start). Had it not been for that error, the resident script would have quietly done whatever the attacker needed.
And now the most interesting part: I have little evidence that the infection came from the German server (there are only two entries in the log, the loader script itself is unknown and of course nobody knows where to look for it on the network). The executable code from IP 78.157.140.3 was fetched by our own server (that was the loader doing its job). The requests to the domain were also made by a script running on our site (that was the resident script doing its job). The domain registrar accepts complaints only about spam; for distribution of exploits they recommend contacting the hosting provider.
In short: we see attacker tradecraft with a certain degree of protection against criminal prosecution.
PS: This text does not claim to be new and is not written as a tutorial. The main idea behind writing it: let it lie here, maybe someone will find it interesting.
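The mass-prepend described above (one packed line added to the top of every PHP file, plus a new resident script dropped into a writable folder) leaves two signs a defender can look for: first lines that contain packing or evaluation functions, and files that no longer match a known-good baseline. The following is an added example, not code from the post or from Coppermine; the site tree, the injected line and the baseline store are constructed for the demonstration, and the keyword list is a heuristic, not proof of compromise.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Functions that typically appear in a packed, prepended loader line.
# Heuristic only: legitimate code may use them, so treat a hit as a lead to review.
SUSPICIOUS = re.compile(
    r"\b(eval|assert|gzinflate|gzuncompress|base64_decode|str_rot13|create_function)\s*\(",
    re.IGNORECASE,
)

def first_line(path: Path) -> str:
    """Read only the first line; the injected caller sits there, before the real code."""
    with path.open("rb") as fh:
        return fh.readline().decode("utf-8", "replace").rstrip("\r\n")

def scan_prepended(root: Path) -> dict[str, str]:
    """Return {relative path: first line} for .php files whose first line looks injected."""
    hits = {}
    for p in sorted(root.rglob("*.php")):
        line = first_line(p)
        if SUSPICIOUS.search(line):
            hits[str(p.relative_to(root))] = line
    return hits

def fingerprint(root: Path) -> dict[str, str]:
    """sha256 of every .php file; keep this baseline off the web server after each deploy."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*.php"))}

def diff_baseline(baseline: dict[str, str], current: dict[str, str]) -> dict[str, str]:
    """Classify each path as 'modified', 'added' or 'removed' relative to the baseline."""
    out = {}
    for k in set(baseline) | set(current):
        if k not in baseline:
            out[k] = "added"        # e.g. the dropped resident script
        elif k not in current:
            out[k] = "removed"
        elif baseline[k] != current[k]:
            out[k] = "modified"     # e.g. every file that received the prepended line
    return out

def demo() -> tuple[dict[str, str], dict[str, str]]:
    """Constructed site tree: take a baseline, simulate the mass prepend, then scan and diff."""
    root = Path(tempfile.mkdtemp())
    (root / "index.php").write_text("<?php\necho 'hello';\n")
    (root / "inc").mkdir()
    (root / "inc" / "db.php").write_text("<?php\n$dsn = 'sqlite::memory:';\n")
    base = fingerprint(root)
    # Simulated infection: the base64 text is the inert string "constructed sample".
    injected = "<?php @eval(base64_decode('Y29uc3RydWN0ZWQgc2FtcGxl')); ?>\n"
    for p in list(root.rglob("*.php")):
        p.write_text(injected + p.read_text())
    (root / "inc" / "copper.php").write_text("<?php /* resident script placeholder */\n")
    return scan_prepended(root), diff_baseline(base, fingerprint(root))
```

In production, run `fingerprint` on a clean deploy, store the result off the server, and compare with `diff_baseline` on a schedule; `scan_prepended` is the quick triage pass when no baseline exists.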