Chit Chat Public: Talk about any thing you want! This forum is public.
#1
Customer account hacked!
One of my customers just told me he found a file called basher13.htm in his domain folder.
The title of the page is "Go patch the system", then "Basher13 ownz you", a cartoon of a kid and an email address.. pretty scary, I sure hope he wasn't 13, that would be insulting! :-)
What do you recommend? Server is nt20..
Last edited by kattouf : 05-18-2005 at 05:21 PM.
#2
They running phpbb or anything like that?
#3
Any hacker will tell you, the best, and easiest way is thru "social engineering". You talk to someone with the password and get it from them somehow, dumpster dive, look around the owner's desk for the password, or clues as to what it could be.
Security begins with those with the "keys". Once hacked however, you need to look over EVERYTHING, make sure there are no back doors plugged in anywhere that would allow them in even if you changed your password, such as upload scripts planted in other new files, or embedded into existing ones. If I were the hacker, once inside I would stick a script inside another file that was loaded with all sorts of other code for something else... like a shopping cart module. From there it is easy to go right to the file and call the routine enabling full access to the account. But I also wouldn't leave obvious clues that I had hacked the account. This sounds like an egotistical kid playing a "prank". But then hackers are well known as ego-maniacs... as are CEOs of popular software and fruit based tech companies. Have fun.
__________________
/|\ It's all fun and games until someone loses a database!
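An added example, not part of the thread or any poster's code: one way to do the "look over EVERYTHING" check from post #3 is to hash every file on the live site and compare against a known-clean copy, assuming one exists (a backup or the original upload). All file names and contents below are constructed, apart from basher13.htm, which is the file name reported in post #1.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each file path (relative to root, '/'-separated) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def compare(baseline, current):
    """Return (added, modified, removed) paths, each list sorted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    return added, modified, removed


def write(root, rel, text):
    """Create a sample file, making parent folders as needed."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def demo():
    """Constructed sample: a known-clean copy versus the live site."""
    with tempfile.TemporaryDirectory() as clean, \
            tempfile.TemporaryDirectory() as live:
        for root in (clean, live):
            write(root, "index.htm", "<html>shop</html>")
            write(root, "cart/checkout.php", "<?php /* cart module */ ?>")
        # Constructed changes of the two kinds the post warns about:
        # a new file, and extra content inside an existing file.
        write(live, "basher13.htm", "<title>Go patch the system</title>")
        write(live, "cart/checkout.php",
              "<?php /* cart module */ /* unexpected extra code */ ?>")
        return compare(snapshot(clean), snapshot(live))


if __name__ == "__main__":
    for label, paths in zip(("added", "modified", "removed"), demo()):
        print(label, paths)
```

A content hash flags the altered cart file even though its name is unchanged, which a check on file names or dates alone can miss; every flagged file still needs its contents read by hand.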
#4
Social Engineering isn't the easiest way .. scripts with known exploits are .. social engineering is way too much work to go to when there are backdoors/exploits on things like phpbb sitting right in front of you!
Look at a day's archive of BugTraq and you'll probably find half a dozen easy ways to hack a site or two in a few seconds flat.
#5
Quote:
Social Engineering Still Alive and Kicking
Thursday, 19 May 2005, 09:29 GMT
A social engineering attack resulted in secure e-mail service provider Hushmail having its Web site redirected to a defaced Web site. According to reports, Network Solutions, the domain name service provider behemoth, gave out information through a customer support line sufficient to allow an attacker to alter DNS record information for Hushmail.com. Visitors to the Hushmail site were instead sent to a server co-opted by the attacker. Network Solutions said it's implemented new security measures to ensure that such an "isolated event" doesn't happen again.
More >> http://www.it-observer.com/news.php?id=5098
__________________
David Francis Soky.net, llc http://www.SoKy.net Soky Happenings Magazine http://www.SokyHappenings.com
#6
Quote:
http://www.zone-h.org/en/defacements...acer=basher13/
Seems as though your FTP login and password were "figured out" one way or another.
__________________
David Francis Soky.net, llc http://www.SoKy.net Soky Happenings Magazine http://www.SokyHappenings.com
#7
Check your PC for spyware/keyloggers. Just another form of exploit.
Social Engineering's out there alive and well, probably more so now with Mitnick on the speaking circuit + his books Art of Intrusion/Art of Deception, no doubt about that, but from a simplicity point of view it's just so much easier to google xxx exploit, take the code off the page you find and run it.
Last edited by Brangwyn : 05-19-2005 at 06:13 AM.
#8
You're right, if you don't mind being branded a "script kiddie". Don't forget the ego factor. Hackers don't always take the easiest route. Because it's the easiest.
__________________
/|\ It's all fun and games until someone loses a database!
#9
Real hackers don't have egos, they don't boast about their exploits
#10
Here's an article from today, regarding the hack on Paris Hilton's T-Mobile account (Socially Engineered) and recent raids searching for the perpetrators of the LexisNexis data theft. It seems that one used viruses sent by email to log keystrokes and gain access to accounts. It was also noted there were security flaws in the software which helped the hackers.
http://www.washingtonpost.com/wp-dyn...051900704.html
So... I'll say it again, when it comes to security, the end users are the weakest links. Be it the idiot that opens up email attachments for supposed "Child Porn", to the person who thinks they're talking to someone authorized to get usernames/passwords. Even in the case of software security holes, often times they remain unpatched long after it has been announced that the holes exist, and how to fix them.
As for hacker egos? The article I link mentions a lot of info that investigators are using to make these raids came from someone supposedly involved. They may not be "real hackers", but they really hacked.
Most emailed viruses come with very poor spelling and grammar, so that's often a dead giveaway... unless you're in the habit of surrounding yourself with, and getting email from idiots. What scares me is when their programmers graduate Grade School and their spelling and grammar looks like everyone else's.
__________________
/|\ It's all fun and games until someone loses a database!
#11
Quote:
Many hackers are part of a group, and in order to get recognized by the group, you have to leave evidence behind that you were actually there. This doesn't necessarily mean that the hacker DOESN'T have an ego, but chances are good that he/she is simply trying to get noticed.
I would check any of the machines that have had access to the site. Run scanners for key trappers, like Brangwyn suggested.
Some "hackers" actually perform a valuable service. If you know you have been "hacked", and the "hacker" didn't do anything malicious to your system, then simply fix it and move on. He was only showing you that there is a security hole some place.
Brangwyn, Exploits can be a very dangerous way to "hack" a system. Many exploits call for coming in on an unusual port, which the server then logs. It is hard to hide your attempt in the logs if you are accessing an unusual port. However, if you got the password from someone on "the inside" and took the proper steps, it is much more difficult to track. The fact that you logged in will be logged on the server, but you will pretty much blend in with all the rest of the accesses.
Of course there are millions of ways to "hack", and a "hacker" I am not. I just know a couple of tricks, having been "hacked" myself. Trouble is, with my experience, it was an entire group of "hackers". It was a very long day.
#12
Logs can be edited.
Real hackers have no friends.
#13
I think we're confusing the words "real" and "successful". Successful hackers (meaning they get away clean, never to be caught), probably don't have friends, or egos.
It would seem to me if you really want to be successful, you use a computer with a removable hard drive to hack with, then change it out when you're not active, hiding or locking up the hacker drive when not using it. That at least may keep evidence that you're the hacker when you get raided.
__________________
/|\ It's all fun and games until someone loses a database!
#14
Talking about the Paris Hilton hack, check this video out:
http://www.current.tv/
It's the third thumbnail with the guy with the shades in the car.
#15
Quote:
uh huh... right... Logs can be edited... :Please: "Real hackers"? LOL. Real hackers come in many shapes and sizes. Let me know if you ever come by what YOU believe to be a REAL hacker.