Site defaced - what next?

Greg Rundlett greg at freephile.com
Fri Aug 13 23:53:00 EDT 2004 

Greg Rundlett wrote:

> My site was owned and defaced.  It looks like the mediawiki script 
> that I recently installed to create a free-software community may have 
> opened the 'door' to the site being compromised.  This is unconfirmed 
> however.

I ruled out the possibility of mediawiki being the one to blame.  Brion 
Vibber (author) was very helpful in responding to the possibility of a 
problem, and actually discovered and patched a potential security issue 
in his project.

My ISP didn't have logs going back far enough to trace the exact events 
at the time of the initial intrusion (which was discovered to be 
5/18/04).  However, based on the fact that the first files appeared 
within my OSCommerce installation, and there were more than one 
unpatched vulnerability in OSCommerce, I am drawing the conclusion that 
OSCommerce was the weak link.

I checked through the history of osCommerce, and there have been a 
number of vulnerabilities found (and fixed) throughout the projects 
history.  I was using Preview Release 2.2-CVS, and it is likely that the 
attacker was able to use a SQL injection, or PHP injection vulnerability 
in osCommerce to introduce the phpexplorer.php file. It is almost 
certain that the cracker was able to uncover my database credentials 
(since once you can look at the php sources, you can view the database 
password in clear text in the configuration file).

I didn't use OSCommerce for actual order processing, it was more of a 
showcase.  For that reason, I didn't maintain vigilence on the 
vulnerabilities announced by the project, nor did I maintain the sources 
up to date.  I hope to alert people not to make that mistake if they 
want to avoid being cracked.  This is especially important if you ARE 
using it to do transactions and/or are using it for consulting clients.

In the past, I tended to throw a lot of stuff up on my website, to play 
with it, and experiment to see what other people liked.  I had over 
20,000 files on my site.  The next version won't be so unweildly, or 
vulnerable.

More information about the gnhlug-discuss mailing list