Hackers... Had a Visitor...

So it appears our webserver has had a visitor. Luckily, it didn't cause any damage but left me a nice html/txt file in the root of most of our websites called Hitman with the instruction to improve my security.

Our webserver runs quite a few applications and I don't know exactly where to start with finding the root of the exploit. Are there any scans/tips/tricks I can use to see how this might have happened? All files were created at a similar time.

Funny thing is, we actually used a PCI scan for the web server not that long ago when we were thinking of holding transactions on it.. damn happy we don't now, but we didn't have any major holes show up IMO.

Any help is much appreciated.
 
Raw stats data? Search for hitman.txt, find the IP. Trace route the IP, report the IP along with logs to the ISP.

What firewall are you behind? What software is on the server?

Went into the logs of one of the sites and found the following for the day the files were created:

Code:
2010-04-02 13:23:56 W3SVC336356993 10.0.0.220 GET /Hitman.htm - 80 - 64.38.3.50 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9)+Gecko/2008052906+Firefox/3.0 200 0 0
2010-04-02 13:23:56 W3SVC336356993 10.0.0.220 GET /Hitman.htm - 80 - 109.200.166.75 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+ar;+rv:1.9.2.2)+Gecko/20100316+Firefox/3.6.2 200 0 0
2010-04-02 13:25:47 W3SVC336356993 10.0.0.220 GET /Hitman.htm - 80 - 217.162.28.98 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+Trident/4.0) 200 0 0

Seems to be 3 different IPs that tried to access the file quite a few hours after they were created. Although, to do it twice in the same second, surely we are looking at bots here rather than a person?

I didn't set the server up, but it appears we have no software firewall running unless AVG 8.5 has one built in, but it doesn't look like it. I 'assume' we have hardware firewalls, as it's a co-located hosted server.

The server runs a mishmash of apps using SQL, MySQL, PHP, ASPx.
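A small triage script for IIS W3C log lines like the ones quoted above, added here as an example (it is not code from the thread or from any poster): it reports which client IPs fetched the dropped file and when, and separately flags any write-capable request method in the same log, since the upload itself would show up there rather than among the later GETs. The column layout (no "#Fields:" header was posted), the RFC 5737 test address and the PUT entry in the sample are assumptions/constructed.

```python
"""Triage IIS W3C log lines: who fetched the dropped file, and which requests could have written it."""
from collections import defaultdict

# Column layout matching the lines quoted in the thread (no "#Fields:" header was posted); an assumption.
DEFAULT_FIELDS = ("date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port "
                  "cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status").split()
# Methods that can create or change files when WebDAV or similar publishing features are enabled.
WRITE_METHODS = {"PUT", "POST", "MOVE", "COPY", "MKCOL", "PROPPATCH", "DELETE"}

def parse_iis_log(text):
    """Yield one dict per entry; honours '#Fields:' headers, otherwise uses DEFAULT_FIELDS."""
    fields = DEFAULT_FIELDS
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # IIS re-emits this header whenever the layout changes
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue                            # truncated line: skip rather than misalign columns
        entry = dict(zip(fields, values))
        entry["cs(User-Agent)"] = entry.get("cs(User-Agent)", "-").replace("+", " ")
        yield entry

def triage(text, dropped_path):
    """readers: c-ip -> sorted timestamps of GET hits on dropped_path.
    writes: (timestamp, c-ip, method, uri, status) for every write-capable request in the log."""
    readers, writes = defaultdict(list), []
    for e in parse_iis_log(text):
        ts = f"{e['date']} {e['time']}"
        if e["cs-method"].upper() == "GET" and e["cs-uri-stem"].lower() == dropped_path.lower():
            readers[e["c-ip"]].append(ts)
        if e["cs-method"].upper() in WRITE_METHODS:
            writes.append((ts, e["c-ip"], e["cs-method"], e["cs-uri-stem"], e["sc-status"]))
    return {ip: sorted(t) for ip, t in readers.items()}, writes

# The three lines from the thread, plus one constructed PUT entry (RFC 5737 test address) to show
# what a write attempt looks like in the same format.
SAMPLE_LOG = """\
2010-04-02 09:41:12 W3SVC336356993 10.0.0.220 PUT /Hitman.htm - 80 - 192.0.2.10 Microsoft-WebDAV-MiniRedir/6.1 201 0 0
2010-04-02 13:23:56 W3SVC336356993 10.0.0.220 GET /Hitman.htm - 80 - 64.38.3.50 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9)+Gecko/2008052906+Firefox/3.0 200 0 0
2010-04-02 13:23:56 W3SVC336356993 10.0.0.220 GET /Hitman.htm - 80 - 109.200.166.75 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+ar;+rv:1.9.2.2)+Gecko/20100316+Firefox/3.6.2 200 0 0
2010-04-02 13:25:47 W3SVC336356993 10.0.0.220 GET /Hitman.htm - 80 - 217.162.28.98 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+Trident/4.0) 200 0 0
"""

if __name__ == "__main__":
    readers, writes = triage(SAMPLE_LOG, "/Hitman.htm")
    print(readers, writes, sep="\n")
```

Run it against the full day's log for each affected site and compare the earliest write-capable request to the file creation time; a missing "#Fields:" header means the DEFAULT_FIELDS assumption must match your server's logging configuration.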
 
Most probably some web app, with a PHP or MySQL vulnerability. If so it should create a log file with the attacker's proxy IP within the web log. Oh, is there something like a command log? Unless they got root it will still be there under the user they log in as.

Not so sure. They managed to place a .htm file in the root of several of our websites spanning all technologies.. so it doesn't look like an app vulnerability.. otherwise surely it would affect that specific app's site?

Oddly, the only site it hasn't affected is our store. The SSL cert is set up for that sub domain too.

Not on that page, but we have been named on another.
 
Fantastic, thanks guys. I'd just got Nikto working before the end of the day.. command line software isn't something I've used for a while.. but getting there now. Will give that a look too, NickK.
 