Support forums : You can sense the bug

hacked?

Not like "it smells funny when I click that". This is for bugs that don't show an error but something just doesn't seem right or ends up doing something you think is wrong. It doesn't show you an error but you know something ain't right.

Moderator: Dracones

Re: hacked?

Postby EdB » Wed Jan 26, 2011 9:59 am

dang. didn't even think of server logs. kinda wish I was at home for this... anyway I don't recall if that installation had any freehtml widgets in use. If so it would have been mindless bland little html bits that I was too lazy to hard-code in until I got paid for it, which didn't happen. by html I mean mostly just text with maybe a bold or whatever.
EdB
Dracone
Posts: 2072
Joined: Sun Nov 22, 2009 7:20 am
Location: Maricopa Arizona

Re: hacked?

Postby EdB » Fri Jan 28, 2011 2:37 pm

Got an email to the email addy I use with registrars ... and therefore automagically send to the dustbin ... from rsa.com. They sent me the html generated by a file called post.php which was also in free_html_widget/po/ - phishing scam sending info back to pirogof -dot- com

Re: hacked?

Postby Yabs » Fri Jan 28, 2011 4:47 pm

I don't suppose you still have a copy of the DB ?

¥
I may have opened the door but you entered of your own free will

Techno Babble II
Tacky Pad 3
Yabs
Dracone
Posts: 896
Joined: Sat Nov 21, 2009 9:59 am

Re: hacked?

Postby EdB » Fri Jan 28, 2011 11:05 pm

Let's see if it will attach as a .sql ... Looks like it did, so to get back to your question: yes.
Attachments
caqugna_googlymoogly.sql
(78.1 KiB) Downloaded 293 times

Re: hacked?

Postby Afwas » Fri Jan 28, 2011 11:16 pm

Quick scan of the SQL reveals nothing unusual. Just a quick visual walk through the code.
The FreeHTML you added was pure HTML so no lead there.
I may be mistaken, but please reveal whether the business you were making this blog for has something to do with graphics and computer repair.
Afwas
Dracone
Posts: 72
Joined: Sun Nov 22, 2009 5:28 pm
Location: Groningen, The Netherlands

Re: hacked?

Postby EdB » Fri Jan 28, 2011 11:43 pm

The business was/is a local printing shop, with a sideline in doing computer repairs and networking stuff. Basically that angle was leveraging skills the 3 people who ran it had into bringing in more income than competing against "big name" printers could handle. Printing was/is business cards and flyers and so forth. Pretty mundane stuff really. Their interest in me was that they seemed to be getting very little web-driven business. Couldn't find themselves in google and so forth. I hit their site a while back wondering if they thought a redirect was a way to save money. No, and the stats tab in QP pretty much showed no traffic. BTW they are at impressiveimg -dot- com (no direct link just in case eh?) As you can see, their friggin address is an image and they've virtually no text that helps identify them to their potential market. Seemed easy but making a header image area that made them happy was lots of css fun. Especially for someone with my level of css skilz ;)

After working a tagline into and sort of on top of the open space in the name logo thing the owner decided he wanted a different logo used. One that was ~50% taller and choked up all the space there. After 3 emails saying "I'll pay you for this" but no actual check and no replies to the 2 emails with invoices attached I figured "no check = no rebuild, buy it or don't".

Re: hacked?

Postby Yabs » Sat Jan 29, 2011 3:48 pm

EdB wrote:Let's see if it will attach as a .sql ... Looks like it did, so to get back to your question: yes.


Cool, that clears one of my headaches ... unfortunately, as Afwas mentioned, we're now clueless :p


Re: hacked?

Postby EdB » Sat Jan 29, 2011 4:29 pm

I dunno how much time I have, and right now what time I do have seems better spent working on the damned "make tiny suck a little less" branch, but I do have an idea in my head that I will ask the host about brute force attacks. For example shouldn't it lock me out if I guess my password incorrectly too many times? If so how many over what time frame causes the lockout? The original password was, unfortunately, only letters - but it was 10 characters long. It was what they gave me so long ago.

I'm also going to try real quick to make a sloppy-ass method to count files in folders and give me a report so I can compare "stock" QP to whatever I have on my server. That password accessed a handful of demo websites, but the only one I know of that was hacked was that particular one. So if it was brute force why only that path, but "you're locked out for guessing" will kinda throw that angle into the dustbin eh? Anyway I don't see me getting there any time soon given that I realized the code I was doing couldn't handle TinyMCE without a title and probably without a caption. So now I have to go back and tweak the javascript bits to include bits that core doesn't need and TinyMCE shouldn't include as part of the title and/or caption. td tr stuff.

Anyway it seems it either came through a password or through QP or across the server. Either way I think the location was completely random, although the lang.pll.php thing was blatantly obviously "right there". If through a password why only there? That I can attempt to check by simply downloading everything then asking agent ransack to sort php files by date. If through QP I'm figuring you and afwas and others are better skilled at finding it than I am. If through the server we'll only know that by deductive logic due to I can't imagine the host will continue to look after the canned "it must have been an old CMS app" answer.

Edit oh duh. not gonna bother server-side file counting due to FTPing everything back down is easier and if I go after file info I want it to be a plugin that compares file names and reports any diffs and allows ID#1 to say "this one is good" for stuff like plugins and templates and media and so forth. NOT something that will happen any time this week ... month ... year ... decade ... century.

Re: hacked?

Postby Afwas » Sat Jan 29, 2011 7:53 pm

As an aside to your issue, I read an interesting proposal once about retrying passwords and brute force attack.
You could build in a progressive time-out. If you think about it, that time-out shouldn't be long but progressive. So nothing noticeable to the human in the first 1000 attempts, but say 1 sec there and 2 sec at 10,000. That would take way over 3 hours for only 10k attempts. And no human would ever be bothered if he really forgot his password.

Is your password random (10 characters)? Then a brute force FTP hack is unlikely.
The suggestions from your host are standard stuff hosts send to users. No clue there.

Leaves open ends like some key logging virus on your computer or someone sniffing your wireless or datapackets when they are in the dark matter called internet.
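The progressive time-out Afwas sketches above, written out as working code. This is an added example, not code from the thread or from Quam Plures: the ramp points (no delay below 1000 failures, 1 s at the 1000th, 2 s at the 10,000th) are the figures in the post; the function names, the `Throttle` class and the linear slope between and beyond those points are assumptions. The delay is charged before the password is checked and depends only on the account's failure history, so a correct guess costs the same time as a wrong one and the delay itself leaks nothing.

```python
"""Progressive login throttling: a per-account count of consecutive
failed logins drives a delay that is zero for a human-sized number of
mistakes and climbs for a machine-sized one.  Constructed example; the
ramp points are the figures from the post, everything else (names, the
Throttle class, the linear slope) is an assumption."""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List

FREE_FAILURES = 1000      # no delay at all below this many failures
ONE_SECOND_AT = 1000      # delay reaches 1 s here ...
TWO_SECONDS_AT = 10_000   # ... and 2 s here; the slope continues beyond


def delay_for(failures: int) -> float:
    """Seconds to wait before processing the next attempt on an account
    that has already failed `failures` times in a row."""
    if failures < FREE_FAILURES:
        return 0.0
    slope = 1.0 / (TWO_SECONDS_AT - ONE_SECOND_AT)
    return 1.0 + (failures - ONE_SECOND_AT) * slope


def cumulative_delay(attempts: int) -> float:
    """Total seconds of imposed waiting for `attempts` consecutive
    wrong guesses against one account."""
    return sum(delay_for(n) for n in range(attempts))


@dataclass
class Throttle:
    """Per-account failure counter plus the delay it imposes.  The wait
    is paid before the password check and depends only on history, so a
    right guess and a wrong one take the same time."""
    failures: Dict[str, int] = field(default_factory=dict)
    sleeper: Callable[[float], None] = time.sleep  # injectable for tests

    def attempt(self, account: str, password: str,
                verify: Callable[[str, str], bool]) -> bool:
        n = self.failures.get(account, 0)
        wait = delay_for(n)
        if wait > 0:
            self.sleeper(wait)
        if verify(account, password):
            self.failures[account] = 0
            return True
        self.failures[account] = n + 1
        return False


def simulate(guesses: int) -> float:
    """Hours an attacker spends waiting to make `guesses` wrong
    passwords against one account (network round trips are extra)."""
    waits: List[float] = []
    throttle = Throttle(sleeper=waits.append)
    for _ in range(guesses):
        throttle.attempt("victim", "wrong", lambda a, p: False)
    return sum(waits) / 3600


if __name__ == "__main__":
    print(f"10,000 guesses cost {simulate(10_000):.2f} hours of delay")
```

Because the counter is keyed by account rather than by source address, rotating IPs does not reset it; the flip side is that someone can push a victim's counter past 1000 and make that user wait a second or two per login, which is a nuisance rather than the denial of service a hard lockout would be. The counter has to live server-side (database or shared cache), not in the session, or the attacker simply drops the cookie.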

Re: hacked?

Postby Yabs » Sun Jan 30, 2011 4:45 pm

EdB wrote:I'm also going to try real quick to make a sloppy-ass method to count files in folders and give me a report so I can compare "stock" QP to whatever I have on my server.


Hmmm, I can see a new plugin on the horizon. It'd want to count files and folders and compare file sizes/contents/timestamps and be "updateable" if, for example, you add new images to your media directory / upload a new plugin or template.

I seriously need to clear some of my workload so I can at least have my weekends back for playtime :(

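The file-comparison tool EdB and Yabs talk around in the last few posts (compare a stock copy against what is on the server, let the site owner mark site-specific files as good, and sort PHP files by date), as an added stand-alone script rather than the QP plugin they imagine. This is not code from the thread or from Quam Plures. The two directory trees are constructed in a temp directory for the demonstration; `free_html_widget/po/post.php` is used as the planted file because the thread names it, but nothing here reflects real QP file contents, and the `accepted` set of paths and directory prefixes is the assumed mechanism for "this one is good".

```python
"""Baseline-and-compare for a deployed CMS tree: hash a clean 'stock'
copy, hash the copy pulled down from the server, report what the server
has that stock does not, and list PHP files by modification time.
Constructed example; trees and file names are invented stand-ins."""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field
from pathlib import Path
from typing import Dict, FrozenSet, List, Tuple


@dataclass
class Report:
    added: List[str] = field(default_factory=list)     # on server, not in stock
    removed: List[str] = field(default_factory=list)   # in stock, gone from server
    modified: List[str] = field(default_factory=list)  # same path, different hash

    def clean(self) -> bool:
        return not (self.added or self.removed or self.modified)


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Relative POSIX path -> sha256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}


def is_accepted(rel: str, accepted: FrozenSet[str]) -> bool:
    """Owner-approved paths: exact files, or whole directories when the
    entry ends with '/' (media uploads, site-specific plugins, skins)."""
    return rel in accepted or any(
        rel.startswith(a) for a in accepted if a.endswith("/"))


def compare(stock: Dict[str, str], live: Dict[str, str],
            accepted: FrozenSet[str] = frozenset()) -> Report:
    r = Report()
    for rel, digest in live.items():
        if is_accepted(rel, accepted):
            continue
        if rel not in stock:
            r.added.append(rel)
        elif stock[rel] != digest:
            r.modified.append(rel)
    r.removed = [rel for rel in stock
                 if rel not in live and not is_accepted(rel, accepted)]
    for lst in (r.added, r.removed, r.modified):
        lst.sort()
    return r


def newest_php(root: Path, limit: int = 10) -> List[str]:
    """PHP files under root, most recently modified first: the
    'sort by date' pass, which also shows *when* a dropped file landed."""
    files = [p for p in root.rglob("*.php") if p.is_file()]
    files.sort(key=lambda p: p.stat().st_mtime, reverse=True)
    return [p.relative_to(root).as_posix() for p in files[:limit]]


def demo() -> Tuple[Report, List[str]]:
    """Two constructed trees: a stock install and a tampered server copy."""
    base = 1_300_000_000  # fixed epoch so the timestamp ordering is deterministic
    with tempfile.TemporaryDirectory() as tmp:
        stock, live = Path(tmp, "stock"), Path(tmp, "live")
        for root in (stock, live):
            (root / "inc").mkdir(parents=True)
            (root / "inc" / "_main.inc.php").write_text("<?php // core\n")
            (root / "index.php").write_text("<?php require 'inc/_main.inc.php';\n")
            for p in root.rglob("*.php"):
                os.utime(p, (base, base))
        # site-specific content the owner vouches for
        (live / "media").mkdir()
        (live / "media" / "logo.png").write_bytes(b"\x89PNG constructed")
        # a tampered core file and a file dropped into a plugin folder
        (live / "index.php").write_text("<?php // tampered\nrequire 'inc/_main.inc.php';\n")
        os.utime(live / "index.php", (base + 3600, base + 3600))
        dropper = live / "free_html_widget" / "po" / "post.php"
        dropper.parent.mkdir(parents=True)
        dropper.write_text("<?php // dropped by the intruder\n")
        os.utime(dropper, (base + 86400, base + 86400))
        report = compare(build_manifest(stock), build_manifest(live),
                         frozenset({"media/"}))
        return report, newest_php(live)


if __name__ == "__main__":
    rep, recent = demo()
    print("added:", rep.added)
    print("modified:", rep.modified)
    print("removed:", rep.removed)
    print("newest php:", recent)
```

Two caveats for anyone running this against a real site. The stock manifest has to come from a known-good source (the release archive you originally installed from), never from a copy taken after the break-in, or the intruder's files become the baseline. And the mtime sort is only a hint: an attacker who has write access can set timestamps too, which is why the hash comparison, not the date column, is what decides whether a file is flagged.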
