How E@L Got His Groovy Blog Back (2)
While I had been playing with GZ and TAR, I noted that I had also downloaded all the access-logs for my web-site, including those which covered when the spam emails had been sent out. They were GZ files too, so I unzipped them and was able to read them quite easily (a 32MB file - Notepad won't open it) in my text editor (I use TextPad - set it to TXT, otherwise it would open the file as HEX, which is useless).
As you might not recall, the timestamp on the email was »06:23:27«.
Quickly I proved myself smarter than the first guy on the help-desk. At almost exactly that time there was repeated access to a 5kB file I didn't recognize: z.php in the "add-on" directory of pMachine, my blogging software. I did a search for z.php in the access-log and found it had been accessed quite a few times. It was quite simple then to find the IP addresses of those people who had accessed it. There were only three IP addresses that had done so. I grouped them all together and made a note of what OTHER files those IP addresses had accessed.
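Here is that bit of sifting written out as a small Python script. It's an added example, not anything from the original post: it reads a handful of made-up access-log lines in Apache's "combined" format, picks out every IP that touched z.php, and then lists what else each of those IPs fetched. The addresses (documentation ranges), paths, sizes and times are all invented.

```python
import re

# Constructed sample of Apache "combined" access-log lines. The IPs come from
# the documentation ranges and the paths, sizes and times are invented.
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2006:06:22:58 +0000] "GET /pm/addons/z.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.7 - - [12/May/2006:06:23:27 +0000] "POST /pm/addons/z.php HTTP/1.1" 200 312 "-" "Mozilla/4.0"
198.51.100.23 - - [12/May/2006:06:23:40 +0000] "GET /wysiwyg-index_html.php?randomId=abc HTTP/1.1" 200 8811 "-" "Mozilla/4.0"
192.0.2.44 - - [12/May/2006:07:01:02 +0000] "GET /index.html HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
198.51.100.23 - - [12/May/2006:06:24:05 +0000] "GET /pm/addons/z.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
192.0.2.44 - - [12/May/2006:07:01:10 +0000] "GET /images/logo.gif HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
this line is not a log entry and is skipped
"""

# One combined-format line: ip ident user [time] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def parse_line(line):
    """Fields of one log line as a dict, or None if the line is not in combined format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
    return rec

def find_requesters(lines, filename):
    """Set of client IPs that requested a path whose last component is `filename`."""
    return {
        rec["ip"] for rec in map(parse_line, lines)
        if rec and rec["path"].rsplit("/", 1)[-1] == filename
    }

def other_paths(lines, ips, filename):
    """For each suspect IP, the sorted distinct paths it requested other than `filename`."""
    paths = {ip: set() for ip in ips}
    for rec in map(parse_line, lines):
        if rec and rec["ip"] in ips and rec["path"].rsplit("/", 1)[-1] != filename:
            paths[rec["ip"]].add(rec["path"])
    return {ip: sorted(found) for ip, found in paths.items()}

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    suspects = find_requesters(lines, "z.php")
    for ip, paths in other_paths(lines, suspects, "z.php").items():
        print(ip, "also fetched:", ", ".join(paths) or "(nothing else)")
```

On a real log, read the file line by line instead of splitting SAMPLE_LOG; a 32MB log is no trouble for this approach even if Notepad chokes on it.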
Also I took those IP addresses and checked them out on DNSstuff, a search-engine for IP addresses. I found that two of the three IP addresses were listed on various SPAM databases. Shit. I did a WHOIS on them as well from this search-engine and found that all three came from servers in different cities in Romania: "jump.ro" in Timis, "rds.ro" in Constantia and "rdrsnet.ro" in Bucharest. They seem to be Internet or "communication" companies. You want the flat number and street name? It's there.
With CPanel, I was able to immediately block these IP addresses from ever accessing my website again. My son later suggested blocking all of Romania, just in case. I haven't done that yet; who knows how many E@L fans are out there in sunny Bucharest, aching for their daily dose of vicarious expat fun in the tropics? Who am I to deprive them? Of course the question is, were these the actual computers that the hackers had accessed my files with, or was someone using them as proxy servers to access my server (in California) from somewhere else? (There is another issue I haven't thought about yet: doesn't DNS also mean DYNAMIC Name Server? Every time a person logs on to their server they get a different IP address. So blocking individual ones may not help. D'oh!)
But first, exactly how were the emails sent out?
I checked the z.php file in Dreamweaver, and up popped a plainly formatted page that looked like a simple double-windowed email program. On the left was a box to enter text for the content of the spam. On the right, a button labelled "Load Address from MySQL DB" and a box for all the spammable email addresses that were presumably in that unspecified MySQL database. The database did not have to be on my system; all they had to do was call for it from some other computer - maybe on one of those three IP addresses.
This was the script / program that had been used to send out all the spam emails. It was so small and so basic. And so nasty.
I found two copies of it in different directories.
Meanwhile, comparing downloaded files with my originals, I noticed an unexpected directory in my downloaded website. A program called WysiwygPro was sitting there, not so innocently. I hadn't uploaded it. I didn't think I had. It looked like an on-line html editor, with all its files being php scripts. Way too geek for me. I deleted it.
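Comparing the downloaded site against the original upload is the check that turned up WysiwygPro. Here it is as an added Python example (not from the original post): it hashes both directory trees and reports files that exist only on the server, files whose content has changed since the upload, and files that have gone missing. The two sample trees it builds in a temp directory, and their contents, are made up for the example.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Map every file under `root` (relative POSIX path) to its SHA-256 hex digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def compare_trees(original, downloaded):
    """Return (unexpected, modified, missing) paths of the server copy vs the known-good upload."""
    good, live = snapshot(original), snapshot(downloaded)
    unexpected = sorted(set(live) - set(good))          # on the server, never uploaded
    missing = sorted(set(good) - set(live))             # uploaded, no longer there
    modified = sorted(p for p in set(good) & set(live) if good[p] != live[p])
    return unexpected, modified, missing

def build_sample():
    """Construct two small made-up trees: the original upload and the copy pulled off the host."""
    base = tempfile.mkdtemp()
    files = {
        "original/index.html": b"<html>my blog</html>",
        "original/pm/index.php": b"<?php echo 'pMachine'; ?>",
        "downloaded/index.html": b"<html>my blog</html>",
        "downloaded/pm/index.php": b"<?php echo 'pMachine'; ?>\n<!-- extra line -->",
        "downloaded/pm/addons/z.php": b"<?php /* not something I uploaded */ ?>",
        "downloaded/wysiwyg-index_html.php": b"<html>looks like index.html</html>",
    }
    for rel, data in files.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return os.path.join(base, "original"), os.path.join(base, "downloaded")

if __name__ == "__main__":
    orig, down = build_sample()
    unexpected, modified, missing = compare_trees(orig, down)
    print("not in my upload:", unexpected)
    print("changed since upload:", modified)
    print("missing from server:", missing)
```

Hashing content rather than trusting datestamps matters here: a datestamp can be set to anything, but a file whose bytes differ from your own copy has been changed no matter what the stamp says.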
And this name rang a bell. That's right, the bad IP addresses had also hit some files with "wysiwyg" in the filename. What were they?
In my root directory I found that one key file had been mimicked by this Wysiwyg program - the index.html for my root web-page expat-at-large.com had a clone called wysiwyg-index_html.php. This was one of the files those naughty IP addresses had accessed. I called it up in Dreamweaver, then previewed it in my browser and found that it looked exactly like the web-page as I had designed it - like the "index.html", but with some extra code at the top and the bottom. See the comparison below. When I looked at the source code, sure enough, there at the start of the script were several lines of extra commands, the most ominous of which was:
// $_*GET['randomId'] !*= "NwtT....." followed by a long string of apparently random text. Then there was a call to create some buttons. There were a few closing tags at the end of the page as well.
I had found it.
The Original Page.
The Hack. (The images are missing as this is on my computer, not the real server.) Note the code at the top of the page.
The datestamp on the hacked file was »4 April 2005«, well before the first attack. More than just before the first attack, it was there over a year ago! My god. When was I first hacked? That's right, I am thinking back to other issues... I had got some spam emails from places like "firstname.lastname@example.org" quite a while ago. I had shut down my shallow_phil email address because of that. I also know that it is possible to send out emails that look like they have come from other places. My son showed me this one day, as I was skeptical. He sent me an email, and in the FROM section it read RonaldReagan@whitehouse.gov. So I didn't really worry too much about that spam from my own server at the time. Perhaps I should have done. But of course at that time I would have had no idea where to look.
This was the backdoor they had used to gain entry to my server for that other recent spamming and the uploading of the bank phishing files as well. By using their modified version of the index.html file, the main page's script for most web-sites, they could generate a new ID, or maybe somehow find an existing one, and get into my server where they could run the z.php script to do their spamming.
I wonder where they came from for that original hack? Let's check the access-logs for April 2005. Now at that time "expat-at-large.com" was called "expatatlarge.com". I had to change because of problems with my old host, Lycos, who still controlled the Domain Name although I chose it and paid for it. You may not remember, you may not even care by this stage, but when it came time to renew my tenure on that name, they wouldn't accept any non-US credit cards and so the name has been locked away ever since. Anyway, back to the log files. I found an entry which had accessed the about.php and looked up their entry in DNSstuff.
Oh. My. God! The IP address is from the Starhub Cable Vision servers! A Singapore Gahmen (Gov't) owned company! Someone had hacked in from right here in Singapore. Singaporean hackers had got into my web-site somehow. THE BASTARDS.
Maybe it was the Gahmen after all?
Had they left any other backdoor files somewhere else?
Man, here's another: wysiwyg.z_php.php. It looks like even the Spam program itself had been hacked to get an ID and access.
And it turns out there was another file too that had been accessed, hidden away in a different sub-directory from the z.php script in the pMachine directory. It was called about.php. Very innocent, yeah? However, when I compared the downloaded directory with the original on my system it was obviously a new file. Its datestamp was »27 April 2006«, different to all the other original files, although it didn't match the dates of the spamming either. Maybe it had been updated?
What is it? I check it out in Dreamweaver. It seems to be a SQL database manager, with lots of places to enter names and create databases, and to stuff around generally in stuff I don't have the faintest clue about. I do know all my blog entries are in a MySQL database, and that php is a programming language that uses them. Oh dear. I'm going to have to check the integrity of the databases...
One interesting thing I find in the about.php file was a line referencing a Russian web address. Trust those pesky Ruskies to be in on this.
//$*c99sh_*updateurl = "http*://ccteam.ru/update/c99shell/"
Looking up ccteam.ru with DNSstuff, I find a guy called Ivan in Russia. Meet Ivan. Ivan is a hacker. Or he allows hackers to operate from his server. THE BASTARD!
In the next line, another nice reminder that this is an International conspiracy if ever there was one.
// $*donated_html = <*center><*b>No-Code Hackers Batam Indonesia<*/b><*/center> [I've put random asterisks in these lines to stop the code running!]
A hackers group in where-else but Batam Indonesia! This bit of text flashes and moves about when viewing this code in a browser. Maybe they donated some html for the hacking program? Who knows how these people think?
Just now, I checked the access-logs to see who saved the about.php file to my system. I found an IP address that had accessed it the day before the datestamp. That was weird, but checking the IP address in DNSstuff, guess where it comes from? Bloody Batam, Indonesia all right! THE BASTARDS!
Hey, I can see the island of Batam out my freaking office window on a clear day! Maybe it was someone from this group that actually did the hacking. They went initially via Singapore, then after my domain name changed, via Romania to get to California so they could fuck me over back in Singapore. Then again maybe it was Ivan coming through a server in Batam, but I doubt it. Maybe still that first hacker, from Singapore.
And hey again, here is YET ANOTHER FILE! This one is called bnc1.txt and it is not on my original uploads either. I open it up. It is a script, not a simple text file after all. It's got a big ANSI graphic on the header from a group calling themselves MyHackSecurityCrew. Hackers, bastards. The datestamp is today, maybe somehow I mucked this one up.
I have no idea what this file does. In the bnc1.txt file is the line:
// sendsock($*cli, "NOTICE AUTH :*** DalNet #HackerMalaysia")
Malaysia this time!
Weirdly some of the comment lines are in a strange language:
"Servidor em uso, o REATTACH não é possível."
Portuguese? Spanish? Romanian? Russian? Malay? Indo? Singlish?
OK. I give up. This is way too complicated. The entire world is out to hack my website.
Let's just delete all this crap. Which is what I did.
After I had been through every directory and deleted all the suspect files and replaced those that had been modified with good versions, I also deleted the CGI_BIN directory because it wasn't on my original upload. I am not sure if that was necessary but I did it anyway. My son, who is a bit of a php guru - it's what he uses at work - said that CGI-BIN is where executables go, or something is called-up from, or where something-or-other is dumped to whenever a php script is run - I don't remember what he said exactly, my eyes had glazed over by this stage. But anyway it may not have been relevant or important. The directory came back by itself, I noticed, when I logged on again, but with no contents.
So there you are. It took me about 12 hours of actual on-line work to do most of this. I've also done a lot of extra IP address looking up just now, while drafting this text. The people at my server were of absolutely no help whatsoever.
I made some comments to this effect as I informed them that everything had been cleaned:
I find it amazing that a beginner like me had to do all the sleuthing here. Or maybe that is the way of the world in general and help-desks in particular.
The lack of continuity on the help-desk was a worry. Every query I have sent in has been answered by a different person! Sometimes I felt I was going in circles. The time delay may be the reason for this - I am 16 hours ahead of you guys here in Singapore.
I really hope that all my hard work has not been in vain, that you will let me back on and this will not happen again. It has been a learning experience, about many things... At least now I have a full back-up of my site!
Their excuse seems to make sense though, and they offered the following explanation after unlocking my site:
Thank you for all your hard work. Your site has been un-suspended.
One primary reason we ask that you audit your own site is that we simply have no method of determining if the files are correct/identical to the originals you had uploaded. Realistically speaking, we also manage over 90k websites. Most phising[sic] and spam sites will simply not respond, moving on using other names and other hosts. Those sites we simply delete. Also, exploits are often times the results of scripts that are not completely up-to-date. Again, it would not be feasible to check every site to make sure that every script is up-to-date. The resources necessary would render inexpensive hosting impossible. Richard.
I shrugged. I guess Richard has a good point or ten. He mentioned as well that they run the help-desk 24/7, but that my Question-4592 kept getting put to the bottom of the pile whenever I added to it, and that it had been a particularly busy day. As I replied, I guess the $6.95 per month I pay doesn't buy too many beers, let alone pay too many IT professionals to ferret around for X hours looking for something as subtle as the datestamps on files when they don't know what time the original files were created... I suppose if it was THEIR site that got hacked they could do that.
So it was a great learning experience for me. I am now *an auditor*! I now know what to expect when hackers attack, and I have a bit more of an idea of how they do what they do. I just hope they don't do it to me again.
Wherever they come from next time, I'll be ready.... GGgrrrrr!!! THE BASTARDS!!!
OTHER MONKEYS SAID
Here I was thinking of moving away from Blogger onto my own server...but seriously, with all the hassles why bother...added to which I would have to pay to write this crap...and I can think of a lot cheaper ways to enjoy my time alone on the Internet ~grin~
Yeah, but last night, for an hour or so, I couldn't access ANY blogspot blog in the world. Not even blogger.com. Was it me? ?????
Once upon a time a few years ago the guy who set one of the original free Blog sites just up and shut it down without warning. Thousands of blogs gone. He said he wasn't making any money, it was taking up too much of his time. So fuck off all you people he said...
That's what scared me, those random acts of whimsy. I remember reading about it, though I wasn't blogging at the time. So that's why I went private.
Plus the money side is of no concern - $7.95 for total independence. A beer a month. For hours of fun and no Gahmen can get me!
Plus I have learnt a lot. Not to keep my big mouth shut sometimes, but a lot.
A beer???? WTF!!! Where are you drinking? This is Singapore remember...beer cost lot la ~grin~
I have thought about it...we'll have to see.
OK a small shandy. From the 7/11 in Serangoon Rd.