So I got hacked
Tags: security, my blog, my server. By lucb1e on 2012-06-19 20:37:29 +0100
I must say well done to Robbert Camps for hacking my website :)
Due to my inattentiveness when writing scripts in the randomprojects folder, I missed a hole which gave him access to my blog's database and read-only access to any file on the system that the web server could read.
Ironically, I was watching the website statistics right before he discovered the hole, and noticed there was something off about a file someone was browsing. It was a test file for a proxy service. The script read whatever it was handed as a "url" parameter, so by requesting "../../index.php" he got a relative path opened on the local filesystem and could view the source code of my lucb1e.com/index.php file. That file includes another one which contains the basics for my blog (it handles all common features, like mapping /?p=about to my about-me page). It also contains my MySQL connection data.
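As an added illustration (not the actual script from lucb1e.com, and with the parameter name, function names and directory layout assumed for the example), here is a minimal "proxy test" endpoint with the bug described above next to a hardened version that only accepts absolute http(s) URLs. The demonstration builds a constructed stand-in for index.php in a temporary directory, so it runs offline and touches nothing on a real server.

```php
<?php
// Added example, not the script from lucb1e.com: a minimal "proxy test"
// endpoint of the kind described above. The parameter name, function
// names and directory layout are assumptions made for the illustration.

// VULNERABLE: file_get_contents() accepts local paths as well as URLs.
// A relative path such as "../../index.php" is therefore opened on the
// local filesystem and its PHP source is returned as if it were a
// proxied document.
function proxy_vulnerable($url)
{
    return file_get_contents($url);
}

// HARDENED: only accept absolute http(s) URLs. parse_url() yields no
// "scheme" or "host" for a bare relative path, and the scheme whitelist
// also rejects file://, php://, data: and other stream wrappers.
function proxy_hardened($url)
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    return file_get_contents($url);
}

// Offline demonstration: a constructed stand-in for index.php two
// directories above the script's working directory, so nothing on a
// real server is read and no network access is needed.
$root = sys_get_temp_dir() . '/proxytest_' . bin2hex(random_bytes(4));
mkdir($root . '/randomprojects/proxy', 0700, true);
file_put_contents($root . '/index.php',
    "<?php // constructed sample\n\$mysql_pass = 'hunter2';\n");
chdir($root . '/randomprojects/proxy');

$leaked = proxy_vulnerable('../../index.php');
echo "vulnerable: " . ($leaked === false
    ? "blocked"
    : "leaked " . strlen($leaked) . " bytes of PHP source") . "\n";

$attempts = [
    '../../index.php',                         // the relative path from the post
    'file:///etc/passwd',                      // explicit local file wrapper
    'php://filter/resource=../../index.php',   // another PHP stream wrapper
];
foreach ($attempts as $attempt) {
    echo "hardened: $attempt -> "
        . (proxy_hardened($attempt) === false ? "rejected" : "fetched") . "\n";
}

// Clean up the constructed files.
chdir(sys_get_temp_dir());
unlink($root . '/index.php');
rmdir($root . '/randomprojects/proxy');
rmdir($root . '/randomprojects');
rmdir($root);
```

The vulnerable function returns the contents of the constructed index.php; the hardened one returns false for all three attempts. Whitelisting the scheme closes the local-file read; which remote hosts the proxy is allowed to reach is a separate decision that a real proxy still has to make.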
He got in at 17:02 local time, and I fixed the script at 17:08 so it could no longer open local files. The hole had been there for months, but nobody else had tried this (I looked through the logs). Directory browsing was not possible either, since directory indexes are generated by Apache and are not stored as files that could be read this way.
So yes, he got access to my database. But because I use a separate MySQL user for every application, his access was restricted to this blog only, which contains my blog posts, links (for the external links page), and a cached version of my tag cloud (storing it is more efficient than generating it on every page load).
The only thing he did was insert a blog post, at 17:05, and that was all. That this was all is nice, so a round of applause please ;)
I discovered the uninvited 'guest post' at 21:08. I would have seen it earlier if the page weren't cached client-side for 8 hours, but that turned out not to be a problem.
Because of the restricted permissions, he could not get write access to the filesystem with a "SELECT ... INTO OUTFILE" query (that needs the global FILE privilege, which this user does not have; not that he tried, but he could have). All other databases were safe too, and no directory browsing was possible. The locations of all files on the system would have had to be guessed, so it would have been really hard (yet not impossible) to obtain anything that wasn't public or referenced in public scripts. None of this happened though, and he had access for about 6 minutes.
My first reaction to discovering the uninvited blog post was Shut. Down. Everything. Which is exactly what I did: pulled out the network cable and checked for unusual amounts of traffic on the server. I couldn't find anything but this blog post at first, so I started browsing logs. Sure enough, someone had abused the hole I had patched earlier that day.
After changing the MySQL password and the admin panel password*, and with the hole already patched, I plugged the network cable back in while I assessed whether there was any more damage. (Other people than me use this server, so better to get things back up as soon as possible.)
* It looked as if he had been in the admin panel file, which contains a hardcoded salted SHA-2 hash of the admin password, but he only attempted to load the admin panel file and got an HTTP 404 back. He did not see that it lives in another subdirectory.
Lessons learned:
- Hardening by using many different (and restricted) MySQL users pays off, bigtime in this case.
- Constantly mind the code you write. Think of all possible inputs, or better yet: run an automated tool that throws all sorts of inputs at it.
- Maybe some sort of monitoring tool, checking the homepage for changes or weird page loads? I'm open to suggestions on this.