Site defacement

Yesterday morning my site got hacked by a script kiddie. He just changed the homepage to this nice piece of art:

I found it almost immediately, and it was just a matter of removing the index.htm file the guy put there. No big harm. I changed all the passwords, fearing that the guy had FTP access and read all my PHP files, and checked again the file permissions of everything to make sure no directory had 777 ( = rwxrwxrwx, writable-by-anyone) permission.

Now to the interesting bits. There is apparently some competition between that kind of hackers, and as soon as they hack a site, they put it online so they can raise their ranking. Our hacker did put our hacked site online. So we already had his nickname: syrianspider. Other people talk about him. I of course downloaded his index file for study. It is made with Microsoft Word (that's a good hacker, isn't it?). Inside, you find this:

<o:documentProperties><o:Author>Yousef Alnamli</o:Author><o:Template>Normal</o:Template><o:LastAuthor>Yousef Alnamli</o:LastAuthor><o:Revision>12</o:Revision><o:TotalTime>33</o:TotalTime><o:Created>2009-12-19T10:56:00Z</o:Created>

A hacker who puts his own name inside his hack files??? I couldn't believe the guy was such an idiot. But wait. I have access logs for my site. At the time of the hack, I found several lines of this type:

78.110.96.5 - - [05/Apr/2010:15:54:58 +0000] "GET /test/sp.php?dir=/domains/54193/web/yorik HTTP/1.0" 200 34926 "http://yorik.uncreated.net/test/sp.php?dir=/domains/54193/web/yorik/test" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3)Gecko/20100401 Firefox/3.6.3"

It is weird, because I'm sure there is no test/sp.php file on my site. After googling a bit, I found several places mentioning that filename to add a new user to a database. That new user can then use the database to create new files. It is likely a very common site hacking method. So, I have the IP address from where the hacking occurred. It is indeed the IP address of a proxy server located in Syria. My friend Fabio did some more research, and found out the complete identity of the hacker. He has a large identity on the net, and even a Facebook page... Indeed the guy seems to have signed his file with his own name!!! I found that entire experience extremely funny. Now I still need to find out how to protect the site against such attacks, but Fabio will surely come up with a good solution...
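As an added illustration (not code from the original post), here is a small Python check that does what the log review above did by hand: it scans Apache combined-format access log lines for successful (2xx) requests to files the site does not actually serve, or for requests carrying a dir= parameter like the one in the line above. The sample log lines and the list of known files are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in Apache "combined" log format. The first and
# third mimic the request seen in the post (a "dir=" parameter aimed at a
# file that does not exist on the site); the others are ordinary traffic.
SAMPLE_LOG = """\
78.110.96.5 - - [05/Apr/2010:15:54:58 +0000] "GET /test/sp.php?dir=/domains/54193/web/yorik HTTP/1.0" 200 34926 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Apr/2010:15:55:01 +0000] "GET /index.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
78.110.96.5 - - [05/Apr/2010:15:55:10 +0000] "GET /test/sp.php?dir=/domains/54193/web/yorik/test HTTP/1.0" 200 34926 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Apr/2010:15:56:00 +0000] "POST /contact.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Files the site actually serves. In practice build this from the docroot
# (e.g. with os.walk); here it is a constructed allow-list for the sample.
KNOWN_FILES = {"/index.php", "/contact.php"}

def parse_line(line):
    """Return the named fields of one combined-format line, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def suspicious_requests(log_text, known_files):
    """Flag 2xx requests for paths the site does not serve, or carrying a
    'dir=' query parameter of the kind a file-manager web shell takes."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path, _, query = rec["path"].partition("?")
        unknown = path not in known_files
        shell_like = "dir=" in query  # crude heuristic, tune for your site
        if rec["status"].startswith("2") and (unknown or shell_like):
            hits.append({"ip": rec["ip"], "time": rec["time"], "path": path, "query": query})
    return hits

def ips_by_hit_count(hits):
    """Count flagged requests per source IP, most active first."""
    return Counter(h["ip"] for h in hits).most_common()

if __name__ == "__main__":
    print(suspicious_requests(SAMPLE_LOG, KNOWN_FILES))
```

Against the sample, only the two sp.php requests are flagged, both from the same address; on a real log the unknown-file check is the more reliable signal, since the file name a shell is uploaded under varies.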