My Website was Hacked

[Owen]

Some hackers hacked into my website (my guestbook actually) -- they didn't do any damage (just left the word "hacked?"). I knew the guestbook was easily hacked and so did the writers of the software, but no one did anything about it.

The hacked page (I left it up. And yes I know the people who sign it are lame.) http://www.pbbt.com/cgi-bin/ugb/ugb.cgi

A clue about how stupid the makers are (and me too): http://www.pbbt.com/cgi-bin/ugb/gbad...dit&number=186 (it's a hidden gif by every entry so I can delete offensive entries.)

All one needs to do is type the name of the file and the directory... and I'll give you 3 guesses as to what it was (and looking at the source code is cheating). I chmod'd it to 750 so don't bother trying.

Anyway, don't forget to backup. I was lucky they didn't erase it.

Owen

BTW, this was the default configuration. Pretty stupid, eh?

[PeterW]

Somehow, I seem to remember all of the madrona park's products not being the best in security. UBB (even the one that used to be on SP) was vulnerable to the old "append a pipe and command" to an open exploit, which allowed anyone to run shellcommands as the owner of the script on the box with UBB installed...

[Son Nguyen]

Oh yes, using pipe is exactly what I did to a site, I opened a thread at WebHosting forum, check it out
I believe there are MANY holes are exploited through this way (pipe)

[Owen]

Yes... it's not good stuff.

How does the pipe and command exploit work? I use pipes for other scripts I use on my site and probably should make them secure.

Though having an unencrypted password on a publically accessable website, isn't the smartest thing in the world to do.

Owen

[Son Nguyen]

That site, the script just get the input, then perform a whois command: whois $input (no check performed on $input) then print out ANYTHING it got (even worse!)

say $input = | ls -l
A nice/harmless one!

Anyway, by having this exploit, the site opens a hole for people on the shared server (I actually did a listing of all sites on that server)

Too bad I didn't know much of Linux commands to do some interesting experiments!
Check out: neworder.box.sk if you're interested in security stuff.
<Edited by 123finder.com on 12-03-2000 at 03:35 PM>

[PeterW]

In perl, as a general rule, when I process the get or post request, I strip the pipes.

Another common mistake is fogetting to strip the pipes out of anything with "open". E.g.
open(something, "something|echo you got hacked>index.htm");

As 123finder pointed out, there are several good security sites around. If you're interested in this sort of thing, you may want to consider signing up to BugTraq.
<Edited by PeterW on 12-03-2000 at 03:53 PM>

[Owen]

I got it. It makes sense. Fourtunately, all my programs use pipes so I grep'd them out anyway. I also never execute ANY user input even to open files. (I always look up in a db first, then verify file exists and is proper format, then open.)

Owen