After a successful hack attempt I have found a trail but I am still puzzled how it happened.
The hacker goes by the name of Team Mosta Algerian hacker. There are references all over the internet. He also has youtube video showing himself at work: http://www.youtube.com/watch?v=YvJoOdDEMcw
He managed to gain access to my server and change every index. file to a file that contains some text stating I had been rooted by team mosta. This affected over 50 websites.
Here is the code he ran to affect all the files:
<snip>Not being funny but I dont want that to be handed out on a plate for any skript kiddy to play with!: Spike</snip>
The weird thing is that two days previously I was told by facebook when trying to log in that someone had been trying to access my account so they disabled it. I then had to choose a new password. I used the securest password I know which was my server password. A few days later my server is hacked. The IP address of the Algerian hacker (41.201.87.76) is in Algeria and the IP address of the facebook hacker was in America (facebook showed me a map and asked if this was legitimate). Not sure they are connected. Even if the hacker had sniffed the password how could he have tied it into my server unless he had been watching me for a long time and found my server details.
I know this wasn’t an FTP hack as this affected all websites which all have their own FTP accounts and the code to make the changes was in my tmp directory off root on my server.
I have since run a rootkit checker and full analysis software and have found nothing of any alarm.
If it wasn’t for the time it would take to rebuild and configure things like ffmpeg/mplayer etc I would just do a rebuild but that is not an option at the moment.
Can anyone shed any light on this mystery?
Also, does anyone know what this does? It was also in my tmp directory and appeared at the same time the hack occurred. Looks like a back door as the file was called back. I have since deleted it.
<snip>Now that we know it’s a reverse shell script I’m removing this one as well - same reason as above: ScallioXTX</snip>
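An added triage example (written for this thread, not the original poster's code or the removed script) that does the first thing you would do on a box like the one described: walk the web roots, flag every index.* file carrying the defacement text, and print its mtime and SHA-256 so each hit can be diffed against a clean backup before it is restored. The marker string and the directory layout are constructed assumptions, not values from the incident.

```python
"""Triage helper for a mass defacement of index files across many vhosts.

Walks a web root, flags every index.* file whose content contains the
defacement marker (a constructed placeholder, not the real text) and
reports each hit with its mtime and SHA-256 for comparison with backups."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

DEFACEMENT_MARKER = b"rooted by"  # assumption: substring seen in the replaced files


def find_defaced_index_files(web_root, marker=DEFACEMENT_MARKER):
    """Return sorted (path, mtime_iso, sha256) tuples for index.* files containing marker."""
    hits = []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            if not name.lower().startswith("index."):
                continue  # only the index pages were replaced in this incident
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            if marker.lower() in data.lower():
                mtime = datetime.fromtimestamp(os.stat(path).st_mtime, timezone.utc)
                hits.append((path, mtime.isoformat(), hashlib.sha256(data).hexdigest()))
    return sorted(hits)


def build_sample_tree():
    """Constructed sample: two vhosts, one defaced index.html, one clean index.php."""
    root = tempfile.mkdtemp(prefix="webroot_")
    layout = {
        "site-a/public_html/index.php": b"<?php echo 'hello'; ?>\n",
        "site-b/public_html/index.html": b"<html>You have been Rooted By someone</html>\n",
        "site-b/public_html/about.html": b"<html>rooted by nobody</html>\n",  # not an index file
    }
    for rel, body in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for path, when, digest in find_defaced_index_files(build_sample_tree()):
        print(f"{when} {digest[:12]} {path}")
```

Point it at the real document root instead of the sample tree; pairing the reported mtimes with the web server and auth logs for the same window is what narrows down how the files were written.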
The IP can be spoofed, so I wouldn’t trust that too much - I would probably try to trace it and see what I came out with…
The Perl script is a reverse shell script, which connects to a listener on another box to avoid firewall rules on your box; you can try it with netcat to see.
Can’t really say much more as the code you posted has been removed (which BTW is a good security decision).
I used the securest password I know which was my server password.
As you probably realize now, it’s best not to use any password in more than one place. Use long random passwords, and a different one for each purpose. If the hacker sniffs or cracks your password in one place, they’ll sometimes try it at any other locations they can identify that you’d need to log in, such as your website.
This brings up a recurring theme that I’m sure we’ve heard before. But with recent situations like this maybe somebody will finally listen. We need to get rid of passwords in favor of two-factor authentication.
For example, a PIN and a random series of numbers from an RSA token (either a piece of hardware, keyfob, or a soft token). No passwords to write down or worry about getting intercepted. The PIN can be changed but that is only part of the authentication, paired up with the random numbers from your token.
While two-factor authentication does protect against passive attacks and in general increases security, in this case it would not help, because these attacks happen either by exploiting vulnerabilities in installed software (either server or client side) or because the victim’s computer is infected and so are the files that the victim is uploading. Distribution and management costs of these token devices are too high for most projects.
Bruce Schneier has written on two-factor authentication:
My bank uses 2-factor auth and it’s quite awesome, except the only issue is it’s hardware dependent. If I don’t have my reader with me, I can’t quick check my bank account. While this is a good thing, it’s a drawback that goes with the cost you mentioned: if I lose my reader, I’ve got to buy a new one.