
BLU Discuss list archive



[blu] Re: My website was hacked! (fwd)



On Wed, 24 Nov 2004 bbj at innismir.net wrote:

> On November 24, 11:48 pm David Kramer <david at thekramers.net> wrote:
> 
> > I think I found it.  I'm running TWiki, and at that time there were
> > some really nasty things happening in access_log and error_log.
> 
> Yup.
> http://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithSearch

I found that last night.  Made me feel a whole lot better.

> 
> I think this was posted on FD yesterday.

What is FD?

> > I will also note that the "bandits.webm.ru" website contains one
> > phrase, in Russian: "Soon it will begin..."
> 
> Typical Script Kiddie Rhetoric.
> 
> > I'm going to disable TWiki for now.
> 
> Very Good Idea. My personal opinion is that once you've been owned by an
> actual human at the keyboard, your only safe way out is to blow away the
> box and start from scratch. Anything you keep from the last install should
> be inspected by hand.

I'm normally the one yelling at people to do that after their box has been 
owned, but given that this is a clearly defined exploit that can only run 
things as wwwrun, and I've defanged the binary he downloaded, and I've 
already analyzed everything that's changed in the past few days, I'm 
fairly confident it's safe not to do that.  If all of those things were 
not true, I would probably shut the box down and post mortem it when I 
get back (I'm in New York right now).

-- 
DDDD   David Kramer         david at thekramers.net       http://thekramers.net
DK KD  
DKK D  This is a central tenet of cat philosophy: 
DK KD  Whatever it is, it's not the cat's fault. 
DDDD   Cats are without sin and error.                         - Jon Carroll
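The kind of check behind the reasoning above (a compromise confined to the web user should leave no new executables and no setuid files behind), as an added example that is not code from the thread; it assumes a POSIX shell with GNU or BSD find, and the sample tree, file names and 7-day window are constructed:

```shell
#!/bin/sh
# Added example (not code from the thread): a triage pass for a box where a
# web-app exploit ran only as the unprivileged web user (wwwrun in the post).
# It lists what changed in the incident window and flags the two things such
# an exploit should not have produced: new executables (a dropped binary) and
# setuid/setgid files (a sign of escalation beyond the web user).
# Assumes a POSIX shell with GNU or BSD find; ROOT and DAYS are parameters.

# recent_changes ROOT DAYS: regular files under ROOT modified in the last DAYS days.
recent_changes() {
    find "$1" -xdev -type f -mtime "-$2" | sort
}

# dropped_executables ROOT DAYS: recently modified files with the owner-execute bit.
dropped_executables() {
    find "$1" -xdev -type f -mtime "-$2" -perm -100 | sort
}

# escalation_signs ROOT DAYS: recently modified files that are setuid or setgid.
escalation_signs() {
    find "$1" -xdev -type f -mtime "-$2" \( -perm -4000 -o -perm -2000 \) | sort
}

# make_sample_tree: constructed sample tree (not from a real incident); prints its path.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/htdocs" "$d/tmp"
    printf 'old page\n' > "$d/htdocs/index.html"
    touch -t 200401010000 "$d/htdocs/index.html"      # untouched since Jan 2004
    printf 'edited\n' > "$d/htdocs/twiki.cfg"            # changed in the window
    printf '#!/bin/sh\necho hi\n' > "$d/tmp/bot"         # the "downloaded binary"
    chmod 755 "$d/tmp/bot"
    cp "$d/tmp/bot" "$d/tmp/sh"                         # a setuid copy of it
    chmod 4755 "$d/tmp/sh"
    printf '%s\n' "$d"
}

# Stand-alone run: triage the sample tree over a 7-day window.
root=$(make_sample_tree)
echo "== changed in last 7 days =="; recent_changes "$root" 7
echo "== new executables =="; dropped_executables "$root" 7
echo "== setuid/setgid =="; escalation_signs "$root" 7
rm -rf "$root"
```

On a real box, point ROOT at / (the -xdev keeps find on one filesystem) and compare the output against what you expect the web user to have been able to write; any hit outside the web-writable paths means the compromise was not confined to wwwrun.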




BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.




Boston Linux & Unix / webmaster@blu.org