
The story of one hack

I administer a fairly small site, and I want to tell an interesting story.

Yesterday our site was infected. The hacker, using an exploit, uploaded a resident script and added code to every executable file. The problem was an old version of the Coppermine gallery with a leaky script (mea culpa, I did not keep it up to date). The hacker used classic Google hacking to find the gallery.

The sequence of actions was well thought out, and it is hard to prove the hacker's crime. From a German IP (217.20.118.150, apparently a rented server) the gallery version was probed, then a loader script was pushed through the hole in the script. From the same German IP, that loader was requested over HTTP, which caused it to execute on our site. The running loader pulls the resident script, copper.txt, from the server at IP 78.157.140.3 (accessed by IP address), packs it and writes it into one of the folders where writing is allowed (already as a php file), and writes its calling code (also packed) into the first line of every php file. After that the loader deletes itself (I don't know whether this script is visible from the Internet on the German server; no copy remains on our server). From then on, whenever any page that uses php is opened, the resident script is launched, and it requests executable code from the server at nomcen.biz (the domain currently resolves to the same IP 78.157.140.3). The injected calling code contained a syntax error in every file, so the site simply served blank pages (the error message was swallowed because of ob_start). Had it not been for that, the resident script would have quietly done whatever work the hacker needed.
And now the most interesting part: I don't have enough evidence against the German server (there are only two entries in the log; the script itself is unknown, and where to look for it on the network is naturally not known either). From IP 78.157.140.3 the executable code was fetched by our own server (the loader's doing). The request to the domain was also made by a script running on our site (the resident script's doing). The domain registrar accepts complaints only about spam; they recommend contacting the hosting provider about the distribution of exploits.
In sum: a hacking technique with a certain built-in degree of protection against criminal prosecution.
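As an added example (not part of the original post), a defender's cleanup pass for the infection pattern described above: it flags .php files whose first line starts with a packed eval(...) loader call, strips only that injected prefix, and keeps a .bak copy of every modified file as evidence. The sample files and the payload string are constructed placeholders, and which decoder functions count as "packed" is an assumption.

```python
import os
import re
import tempfile
from pathlib import Path

# Constructed samples (not from the compromised site): a packed loader call
# prepended to a legitimate PHP file, on its own line or glued to "<?php".
INJECTED = "<?php eval(gzinflate(base64_decode('PLACEHOLDER_PACKED_PAYLOAD'))); ?>"
ORIGINAL = "<?php\necho 'hello';\n"
# Assumed signature of a "packed" loader: eval() wrapped directly around a decoder.
PACKED_CALL = re.compile(
    r"<\?php\s*@?eval\s*\(\s*(?:gzinflate|gzuncompress|base64_decode|str_rot13)\s*\(.*?\?>",
    re.I | re.S)

def injected_prefix(first_line: str) -> str:
    """Return the injected '<?php eval(...) ?>' prefix if the line starts with one, else ''."""
    m = PACKED_CALL.match(first_line)
    return m.group(0) if m else ""

def scan_tree(root: str) -> list:
    """List every .php file under root whose first line carries a packed loader call."""
    hits = []
    for path in sorted(Path(root).rglob("*.php")):
        with path.open(encoding="utf-8", errors="replace") as f:
            if injected_prefix(f.readline()):
                hits.append(str(path))
    return hits

def disinfect(path: str) -> bool:
    """Strip only the injected prefix (and its newline); keep a .bak copy as evidence."""
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    prefix = injected_prefix(text.split("\n", 1)[0])
    if not prefix:
        return False
    os.replace(path, path + ".bak")          # preserve the infected original
    rest = text[len(prefix):]
    Path(path).write_text(rest[1:] if rest.startswith("\n") else rest, encoding="utf-8")
    return True

def demo() -> tuple:
    """Build a sample tree, scan, clean and rescan; return (hits, hits_after, restored_ok)."""
    root = tempfile.mkdtemp()
    files = {"index.php": INJECTED + "\n" + ORIGINAL, "lib.php": INJECTED + ORIGINAL,
             "clean.php": ORIGINAL, "notes.txt": INJECTED}
    for name, body in files.items():
        Path(root, name).write_text(body, encoding="utf-8")
    hits = scan_tree(root)
    cleaned = [disinfect(p) for p in hits]
    restored = all(cleaned) and all(Path(p).read_text(encoding="utf-8") == ORIGINAL for p in hits)
    return [os.path.basename(p) for p in hits], scan_tree(root), restored
```

Run demo() to see the two infected files found, restored byte-for-byte, and no hits on the second pass; the .bak copies are what you hand to the hoster or investigator.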

PS: This text does not claim to be novel and is not written as a how-to. The main thought with which I wrote it: "let it lie here, maybe someone will find it interesting."

Source: https://habr.com/ru/post/40965/

