"uh...why did I get a complaint?"


Post by bad_brain »

yep....with that sentence a mail from a customer started, he wanted to know why he got an abuse complaint about his website....so I checked.

site is a Joomla 1.6 one (1.6 was a very weird release, abandoned for 1.7 within a few weeks and never really maintained anymore since then).
so yeah, the reason for the abuse complaint was quite obvious for me when I saw this after the first simple ls command:

Image

yes, every 2- or 3-letter folder contains malicious scripts that have been uploaded by attackers, also notice the net2ftp folder.....pretty much all of the scripts I checked are 1 liners like:

<?php header("Location: http://com-wd24.net/space.php?a=218848&c=job_iw&s=j369"); ?>

so they obviously turned the site into a portal site, I had no real time yet for a full analysis because I first had to back up everything and then wipe the whole site...pointless even trying to fix it anyway.
further compromises on higher levels did not appear, every site on my servers runs kinda chrooted in their own environment with their own user...so even if you get a shellscript up there you can't get higher than public htdocs level.
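
One way to find the kind of files described in the post above, added here as an example and not code from the poster: it walks a webroot and reports PHP files whose entire content is a single Location redirect, marking those that sit in 2- or 3-character folders. The function names, the size limit and the sample tree (using the placeholder host redirect.example) are assumptions constructed for the example.

```python
import os
import re
import tempfile

# Whole file is a single header("Location: ...") call, as in the quoted one-liner.
REDIRECT_ONLY = re.compile(
    rb"""^\s*<\?php\s*header\(\s*(["'])Location:\s*(?P<url>https?://[^"']+)\1\s*\)\s*;
         \s*(?:(?:exit|die)\s*(?:\(\s*\))?\s*;\s*)?(?:\?>)?\s*$""",
    re.IGNORECASE | re.VERBOSE)
SHORT_DIR = re.compile(r"^[a-z0-9]{2,3}$", re.IGNORECASE)  # "2- or 3-letter folder"
MAX_BYTES = 1024  # redirect stubs are tiny; larger files are skipped unread


def scan_webroot(root):
    """Return sorted (relative_path, target_url, in_short_dir) per redirect-only PHP file."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in (f for f in files if f.lower().endswith(".php")):
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > MAX_BYTES:
                    continue
                with open(path, "rb") as fh:
                    match = REDIRECT_ONLY.match(fh.read())
            except OSError:
                continue  # unreadable file: leave it for a manual look
            if match:
                short = bool(SHORT_DIR.match(os.path.basename(dirpath)))
                url = match.group("url").decode("ascii", "replace")
                hits.append((os.path.relpath(path, root), url, short))
    return sorted(hits)


def demo():
    """Build a constructed webroot in a temp dir and scan it."""
    stub = b'<?php header("Location: http://redirect.example/space.php?a=1"); ?>\n'
    legit = b'<?php\nrequire "framework.php";\nheader("Location: /login");\n'
    with tempfile.TemporaryDirectory() as root:
        for rel, body in (("ab/index.php", stub), ("xyz/go.php", stub),
                          ("components/redir.php", stub), ("index.php", legit)):
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(body)
        return scan_webroot(root)


if __name__ == "__main__":
    for rel, url, short in demo():
        print(f"{'HIGH' if short else 'review'}  {rel} -> {url}")
```

A stub outside a short-named folder is still reported, only with the lower "review" label, since a legitimate application can ship its own redirect-only file.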

Post by ayu »

](*,)

I'm writing a tool that is supposed to be used for fingerprinting sites.
Do you think you would have use for a tool like that, where you can enter a list of sites into a file, and then get a good overview of which sites have Joomla for example, and if they have the latest version or not?

Thinking about more uses than just my usual "is this version shitty enough for me to easily break in?"

Post by bad_brain »

hmmm...well, in general such a tool is of course very useful for a hoster like me, but in my specific case it doesn't make too much sense because the sites on my servers are 95% WordPress, just 2 or 3 Joomla and 2 Magento sites.
I update the WordPress core for all sites at once via shellscript as soon as a new version is released (even if WP does automatic updates now), so I know all sites are up to date...the only real use I would have for such a version checker script would be for the numerous WP plugins, but to realize that would be a pain in the rear... :-k

the site where this happened is on a customer server btw, where I only have a contract for server maintenance and administration...so keeping their sites up to date is actually not my business. the more they break the more I make... :lol: 8)

Post by J9NF »

We dealt with this exact issue a few years ago on a WordPress site my husband built for a project. The culprit was actually a plug-in he had installed to handle caching so the site would load faster. The plug-in was hackable, apparently... and it got the 'hacker' right into the root folder with write/edit privileges. We fixed the problem by setting things up so that the directories themselves are read-only and require a ridiculously long and complicated password to access. We also scrapped the plug-in for one that was more secure. I still don't trust 3rd party WP plug-ins.


Post by bad_brain »

yeah, that's why I always check when the last version of a plugin was released before installing it, just to be sure if it's still actively maintained...so many plugins out there that have been abandoned even years ago already (I kinda don't understand why they still keep them in the official WP list, imo there should be something like an auto-purge function which kicks every plugin out that hasn't been updated since 6 months or so, and not just the warning they display).

of course this is only for the sites I maintain myself as a part of a deal with a customer, many (or even most) sites I host are maintained by the customers....and with more than 100 sites it's simply impossible for me to take care of them all for free.

luckily my server security is very tight, starts already with picking "the right" Apache MPM flavor (Prefork MPM for example is an absolute no-go because it runs all sites under the www-data user, which means: one site pwnd == all sites pwnd, and just one step away from root permissions). also my provider is not bitching about abuse reports, all they ask for is to reply within 24 hours, then the case is closed for them.
the only negative effect I experienced so far is that one of my mailservers is blacklisted by Bellsouth, which turned out to be a totally retarded ISP demanding totally silly measures by me in order to get off their blacklist...I have my doubts they will ever take that server off after I told them my honest opinion about their IT literacy level... :lol: :roll: