23 Sep 2007

Customer website was hijacked -- thank you !

What is this ?

This is the result of a database-driven website being hijacked by some moron who somehow found his way into the website's admin section and replaced several records in the site's CMS (Content Management System).

From time to time I keep an eye (with the respective customer's consent, of course) on websites I did for former clients, and that's how I just noticed that 3 pages had been overwritten with some "Hello my name is..." crap and links to whatever porn sites.

It seems that this fellow must have detected one rather tiny loophole (I know which one :-) in a certain CMS admin page which, by mistake, had not been "hardened" -- well, shit happens, but that's now been fixed.

However, there's something this fellow doesn't know, and which might give him some headaches should he ever find another security hole:

1. Years ago, when I developed this tailor-made CMS for my customer, I added a nifty self-acting "incremental backup" feature to the "update content" form:
  • on page load, the record's current content is loaded into some hidden form fields, and when...
  • someone clicks the "update" button, that previous content gets inserted into a separate backup table
Very fortunately I had to add this feature to the ex-customer's "multi-user capable" CMS at some point, because one of the staff members had to be fired for whatever reason, and before leaving the office he (unattended, of course) logged in to his CMS account and overwrote most pages with nada -- so I implemented this feature to make sure that the CMS wouldn't even fall victim to "friendly fire".

Well, for me it was actually a snap to crawl the CMS backup table using a separate "admin only" list which lets me filter the records by various (combinable) search criteria like "date added" and "title": spotting the undamaged version was very easy, and restoring the hacked CMS records from those backup versions was done in a minute.

2. Very fortunately I added a "mail notification" trigger to the update forms as well, meaning whenever anyone *but me* updates a record, I get an email containing the updated record's "ID" and "title". This has always been a very handy feature for monitoring what's going on in the CMS, and getting such a notification now made me instantly aware that something weird was going on.
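The two safeguards from points 1 and 2 (archive the outgoing version on every update, and notify the maintainer whenever anyone else edits a record) together with the filtered admin listing used for the restore, as an added example that is not the post's own CMS code. It assumes a small SQLite schema (`pages` and `pages_backup`), an owner account named `webmaster` and a compromised account named `intruder`, all constructed here. It deliberately differs from the post in one point: the outgoing content is read from the database inside the update rather than taken from hidden form fields, because hidden fields are client-controlled and a submission with them blanked would leave nothing to restore.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed schema (assumption): the CMS "pages" table plus a "pages_backup"
# table that receives the outgoing version of a record on every update.
SCHEMA = """
CREATE TABLE pages (
    id         INTEGER PRIMARY KEY,
    title      TEXT NOT NULL,
    body       TEXT NOT NULL,
    updated_by TEXT NOT NULL
);
CREATE TABLE pages_backup (
    backup_id  INTEGER PRIMARY KEY AUTOINCREMENT,
    page_id    INTEGER NOT NULL,
    title      TEXT NOT NULL,
    body       TEXT NOT NULL,
    updated_by TEXT NOT NULL,   -- who wrote the archived version
    date_added TEXT NOT NULL    -- when it was archived (UTC)
);
"""

OWNER = "webmaster"  # assumed maintainer account; edits by anyone else are mailed


def open_cms():
    """In-memory CMS with two constructed pages, both written by the owner."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO pages (id, title, body, updated_by) VALUES (?, ?, ?, ?)",
        [(1, "About us", "We build bridges.", OWNER),
         (2, "Contact", "Call 555-0100.", OWNER)],
    )
    conn.commit()
    return conn


def update_page(conn, page_id, new_title, new_body, actor, notify):
    """Replace a record; the version being replaced is archived first.

    The outgoing content comes from the database in the same transaction,
    not from hidden form fields, which an intruder could submit blanked.
    """
    cur = conn.cursor()
    old = cur.execute(
        "SELECT title, body, updated_by FROM pages WHERE id = ?", (page_id,)
    ).fetchone()
    if old is None:
        raise KeyError(f"no page with id {page_id}")
    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    cur.execute(
        "INSERT INTO pages_backup (page_id, title, body, updated_by, date_added)"
        " VALUES (?, ?, ?, ?, ?)",
        (page_id, old[0], old[1], old[2], stamp),
    )
    cur.execute(
        "UPDATE pages SET title = ?, body = ?, updated_by = ? WHERE id = ?",
        (new_title, new_body, actor, page_id),
    )
    conn.commit()
    # Mail-notification trigger: anyone but the owner editing a record is reported.
    if actor != OWNER:
        notify(f"CMS record updated by {actor}: id={page_id} title={new_title!r}")


def find_backups(conn, page_id, title_like=None, updated_by=None):
    """Admin-only backup listing with combinable filters, newest first."""
    sql = ("SELECT backup_id, title, body, updated_by, date_added"
           " FROM pages_backup WHERE page_id = ?")
    args = [page_id]
    if title_like is not None:
        sql += " AND title LIKE ?"
        args.append(f"%{title_like}%")
    if updated_by is not None:
        sql += " AND updated_by = ?"
        args.append(updated_by)
    sql += " ORDER BY backup_id DESC"
    return conn.execute(sql, args).fetchall()


def restore_page(conn, page_id, backup_id, actor, notify):
    """Put an archived version back. A restore is itself an update, so the
    defaced version is archived as evidence too and nothing is lost."""
    row = conn.execute(
        "SELECT title, body FROM pages_backup WHERE backup_id = ? AND page_id = ?",
        (backup_id, page_id),
    ).fetchone()
    if row is None:
        raise KeyError(f"no backup {backup_id} for page {page_id}")
    update_page(conn, page_id, row[0], row[1], actor, notify)


def demo():
    """Owner edit, then a defacement through a compromised account, then recovery."""
    alerts = []  # stands in for the outgoing mailbox
    conn = open_cms()
    update_page(conn, 1, "About us", "We build bridges and tunnels.", OWNER, alerts.append)
    update_page(conn, 1, "Hello my name is...", "links to whatever", "intruder", alerts.append)
    # The alert names the record; the admin list then shows the newest version
    # not written by the compromised account, which is the one to restore.
    good = [b for b in find_backups(conn, 1, title_like="About") if b[3] != "intruder"]
    restore_page(conn, 1, good[0][0], OWNER, alerts.append)
    current = conn.execute("SELECT title, body, updated_by FROM pages WHERE id = 1").fetchone()
    return {"alerts": alerts, "current": current,
            "backup_count": len(find_backups(conn, 1))}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` produces exactly one alert (for the intruder's edit, the owner's own edits stay silent) and ends with the page back at its last good version; the backup table then holds three rows, including the defaced version, so the evidence of the hijack survives the clean-up.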

However, this example demonstrates that such security holes can affect you very easily, and of course when you don't expect anything bad to happen -- I'm certainly not too proud of having missed "sealing" one certain page, but I'm proud of having added some other safety precautions.

Well, gotta say thanks to this unknown moron though! Without his attempt to wreak havoc I certainly wouldn't have noticed this miss -- however, the last laugh is actually on my side, because restoring the CMS contents was *much* easier than his multiple record edits performed on a certain date.

Added 2007-09-24

  1. While googling for "my name is Alfred" I found out that this fellow, or a group of website hijackers, has submitted this stuff (either with identical text or slightly modified variants) to *lots* of websites and forums -- considering the sheer amount of hijacking, it's presumably a large group of folks who have prepared some predefined text snippets to be copied wherever they can.

  2. A *very* recommended read on all things related to "Web Vulnerability" can be found on the Acunetix website. Besides providing one of the most comprehensive lists of vulnerability issues I've ever seen, you'll be scared to see which commonly used "web applications" (forums, content management systems etc.) have which exploits -- well, and there are lots of clues on what to keep an eye on. You live and learn!
