Archive

Archive for June, 2012

Hacked, Then UnHacked

June 10, 2012 4 comments

Been almost a year since I expressed my thoughts and feelings here. . .Not that I found a new space to express them but the will and time to write just hasn’t been there, until four days ago when I was buzzed on YM by an old friend, a staff at Standards Organisation of Nigeria. For those who were close to me back home in Nigeria, they knew I developed several IT solutions for the nation’s apex Standards body – including their website, which I handed over to their IT guy before leaving (hosted at http://www.sononline.org)

To cut the long story shott. the site got hacked by Co=Cain Warriots. See image below

The home page was redirecting users to http://cocainteam.persiangig.com/coc.htm with the above image displayed.

Straight To Work

I logged on to the webserver (luckily, the bad guys didn’t change my password.. .did they even have it?) and opened my index.php file. I searched through the file for any <frame> or <iframe> tag thinking it may be an <IFRAME> attack, but nothing of sort. My code looked clean and there was no sign of any malicious injection.

Then I decided scan the entire webserver for viruses, just incase “the insect that feeds on vegetables, lives with the vegetables” 🙂 Scanning over. No virus found. . .:(

The Solution

Since some portion of the page displays before being redirected to http://cocainteam.persiangig.com/coc.htm , I decided to play the line-by-line execution tricl, remmniscent of my programming school days.

I replaced the entire content of my index.php with “test” and re-uploaded. (The original contents saved in a separate notepad) The page executed fine. without a redirection with “test” showing up on the screen. Then I knew I was going to win. . .:)

Then I began to copy the original contents in chunks back to my index.php file. I executed the page after each chunk is copied. I didn’t experience the redirection, until I got to the code block where I fetch the Latest News from the database. . .Viola!!! I caught the thief red-handed!!!

I immedaitely figured that my database has been compromised, the “news” table specifically. 3 malicious rows containing the <IFRAME> attack code were inserted by co-cain warriors. I deleted the three rows and refreshed my page and there was no redirection.

I changed all passwords, file permissions and ran a new virus scan

Co-cain Warriors defeated. Flawless Victory 🙂

Tips

1. Take into account that when a new table called “News” is created, every Salome, Lukman and Khadija can guess what the column names will be. ID, Title, Body and Date being the obvious ones. For your own good, name them differently.

2. Do not leave any security information raw on the server, Make sure you encrypt always.

3. Always keep back ups of your source files

4. Keep your passwords safe and alpha-numeric

It was fun while it lasted. That’s all folks. . .:)

Advertisements
Categories: Java, Uncategorized