Carbonized Blog » hackers
http://carbonize.co.uk/wp
Just a bunch of stuff

Beware of FTP Apps
http://carbonize.co.uk/wp/2014/01/16/beware-of-ftp-apps/
Thu, 16 Jan 2014 09:24:29 +0000

Yesterday I received an email from my hosts saying they had received a report of email spam coming from my site. They said they had removed the offending script and suggested my site had been exploited. Like a good webmaster I logged in and checked my files. Nothing was amiss except a new directory with a random name like rbdfghydhf. I deleted the directory then started checking my server logs to see what requests had been made around the time the directory was created. I found nothing so began the process of deleting old files and scripts, which is something we should do regularly anyway.

So four hours later, after some Battlefield 4, I logged back in to find a whole bunch of new directories had been made and again nothing in the logs to indicate how they were created. So I contacted my hosts and asked them to check the ownership of the directories and the files they contained. They eventually got back and told me they had been created via my FTP account from an IP address in Poland, 77.114.120.185. Given my username and password are not simple things, I scanned my computer to make sure it hadn’t been compromised. Two different antivirus programs and no malware found. Then I remembered that about a month or so ago I tested three FTP apps on my Android phone. One didn’t seem to work but the other two worked just fine after some messing with the settings. So by logical deduction I suspect this is how my account details got compromised. I checked the Play Store and only two of the three apps I tested are still listed, which is another sign that this was the problem.

The moral of the story: if you need to FTP from your mobile device or anything else that requires your site’s login details, stick with trusted names or those that have a lot of reviews, both good and bad. I was lucky, but they could have done some serious damage.

Another Day, Another Internet Explorer Exploit
http://carbonize.co.uk/wp/2010/01/15/another-day-another-internet-explorer-exploit/
Fri, 15 Jan 2010 08:49:12 +0000

When Internet Explorer 8 came out, Microsoft said they had seriously improved security and that it was now one of the safest web browsers to use. Apparently they were wrong. According to the Guardian newspaper here in the UK, an exploit in Internet Explorer was used in the recent attack on Google’s systems in China.

So why keep using it? There are plenty of excellent alternatives these days. Firefox, Opera, Chrome, Flock and you could even use Apple’s Safari although it uses a stupid amount of memory on Windows.

Sad Children Thinking They Are Hackers
http://carbonize.co.uk/wp/2009/03/10/sad-children-thinking-they-are-hackers/
Tue, 10 Mar 2009 19:12:05 +0000

A few days ago I installed the Bad Behavior plugin for WordPress just as an extra way of combatting spam comments etc. In 2 days it’s blocked 49 attempts by malicious scripts to access this blog. I just looked at the log and most of them are attempts to run a remote PHP script to see if I am running a vulnerable script. The remote scripts are all the same and simply contain:

<?php /* Fx29ID */ echo("FeeL"."CoMz"); die("FeeL"."CoMz"); /* Fx29ID */ ?>

Basically from what I can see there is a bunch of script kiddies who like to call themselves hackers but haven’t got the first clue about real hacking. All they can do is follow step by step instructions they have found on security web sites. A real hacker is a person who actually knows how things work and looks for ways to exploit them so that the makers can make the products more secure.
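
One way to find these probes in an Apache access log, as an added example that is not from the original post. It assumes the probe passes the remote script's address as a query-string parameter value, and flags any parameter whose decoded value is an absolute URL; the log lines, addresses and parameter names are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache combined-format lines (not taken from the blog's logs).
SAMPLE_LOG = """\
203.0.113.7 - - [08/Mar/2009:10:01:02 +0000] "GET /wp/?p=161 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.0.7"
198.51.100.23 - - [08/Mar/2009:10:03:44 +0000] "GET /wp/index.php?page=http://host.invalid/id.txt HTTP/1.1" 403 210 "-" "libwww-perl/5.805"
198.51.100.23 - - [08/Mar/2009:10:03:45 +0000] "GET /wp/index.php?inc=http%3A%2F%2Fhost.invalid%2Fid.txt HTTP/1.1" 403 210 "-" "libwww-perl/5.805"
203.0.113.9 - - [08/Mar/2009:10:05:00 +0000] "GET /wp/?s=http+headers HTTP/1.1" 200 4300 "-" "Opera/9.64"
"""

LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"'
)
# Assumption: a remote-include probe passes an absolute URL as a parameter value.
REMOTE_URL = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)

def find_remote_include_probes(log_text):
    """Return one record per query parameter whose decoded value is a remote URL."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, when, _method, target, status, agent = m.groups()
        # parse_qsl percent-decodes values, so encoded URLs are caught too
        for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            if REMOTE_URL.match(value):
                hits.append({"ip": ip, "time": when, "param": name,
                             "remote": value, "status": int(status), "agent": agent})
    return hits

if __name__ == "__main__":
    for hit in find_remote_include_probes(SAMPLE_LOG):
        print(hit["time"], hit["ip"], hit["param"], "->", hit["remote"], hit["agent"])
```

A 200 status on a flagged line deserves a closer look than a 403, since it means the request was served rather than blocked.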

Had quite a few hits on this one with people searching for information so have decided to add some.

If you are running WordPress then I highly recommend installing the Bad Behavior plugin as this has, to my knowledge, blocked all attempts by these kiddies. I have also added a couple of the banned user agents from Bad Behavior to my site’s .htaccess file to prevent them accessing the site altogether. It also blocks some known spambots.

SetEnvIfNoCase User-Agent "^libwww-perl*" spammer=yes
SetEnvIfNoCase User-Agent "^Mozilla/5\.0$" spammer=yes
SetEnvIfNoCase User-Agent "^Java/1*" spammer=yes
SetEnvIfNoCase User-Agent "^Java 1*" spammer=yes
SetEnvIfNoCase User-Agent "^<sc" spammer=yes
SetEnvIfNoCase User-Agent "^Jakarta*" spammer=yes
SetEnvIfNoCase User-Agent "^TrackBack*" spammer=yes
SetEnvIfNoCase User-Agent "^USERAGENT$" spammer=yes
SetEnvIfNoCase Via pinappleproxy spammer=yes
SetEnvIfNoCase X-AAAAAAAAAAAA 1 spammer=yes
Deny from env=spammer
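
What these rules actually match, as an added example that is not part of the original post: the patterns are regular expressions, so a trailing * repeats the preceding character and is not a wildcard, and ^Mozilla/5\.0$ only matches a User-Agent that is exactly that string. The function below applies the same patterns case-insensitively to constructed requests; the sample header values are assumptions.

```python
import re

# The page's SetEnvIfNoCase rules as (request header, regex). Apache searches
# the header value case-insensitively; a missing header is treated as "".
RULES = [
    ("User-Agent", r"^libwww-perl*"),
    ("User-Agent", r"^Mozilla/5\.0$"),
    ("User-Agent", r"^Java/1*"),
    ("User-Agent", r"^Java 1*"),
    ("User-Agent", r"^<sc"),
    ("User-Agent", r"^Jakarta*"),
    ("User-Agent", r"^TrackBack*"),
    ("User-Agent", r"^USERAGENT$"),
    ("Via", r"pinappleproxy"),
    ("X-AAAAAAAAAAAA", r"1"),
]

def matching_rule(headers):
    """Return the first (header, regex) that would set spammer=yes, else None."""
    lowered = {k.lower(): v for k, v in headers.items()}
    for header, pattern in RULES:
        if re.search(pattern, lowered.get(header.lower(), ""), re.IGNORECASE):
            return header, pattern
    return None

# Constructed requests (header sets), not taken from the blog's logs.
SAMPLES = {
    "perl probe": {"User-Agent": "libwww-perl/5.805"},
    "bare Mozilla": {"User-Agent": "Mozilla/5.0"},
    "real browser": {"User-Agent": "Mozilla/5.0 (Windows NT 6.1; rv:26.0) "
                                   "Gecko/20100101 Firefox/26.0"},
    "java 1.6": {"User-Agent": "Java/1.6.0_17"},
    "java, no 1": {"User-Agent": "Java/7"},  # 1* also matches zero "1"s
    "proxy": {"User-Agent": "Opera/9.64", "Via": "1.1 PinappleProxy"},
}

def evaluate(samples=SAMPLES):
    """Map each sample label to the rule that denies it, or None if allowed."""
    return {label: matching_rule(h) for label, h in samples.items()}

if __name__ == "__main__":
    for label, rule in evaluate().items():
        print(f"{label:13} -> {'DENY  ' + rule[1] if rule else 'allow'}")
```

On Apache 2.4 the Deny directive is only available through mod_access_compat; the native equivalent is Require not env spammer inside a RequireAll block alongside Require all granted.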

Just remember it is also up to you to make sure that any scripts you are running on your site, be they a forum, a blog, a guestbook etc., are the latest versions.

BTW if you came here because you found a file containing the FeeL.CoMz text from above then I’m sorry to say your site has already been exploited by these idiots. All you can do is look for other files last updated around the same time to see what else they did. Then make sure your scripts are updated.
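
The clean-up step above as a script, added here as an example and not part of the original post: it finds files containing the marker, then lists every other file under the web root modified within a chosen window of a marked file. The one-hour window, the file names and the demo tree are assumptions.

```python
import os
import re
import tempfile

# Marker from the probe file shown on the page, matched in raw PHP source
# ("FeeL"."CoMz") or as the echoed output (FeeLCoMz).
MARKER = re.compile(rb"FeeL\W{0,4}CoMz")

def triage(root, window_seconds=3600, max_bytes=1 << 20):
    """Return (marked, nearby): files containing the marker, and other files
    modified within window_seconds of any marked file. Both lists are sorted."""
    seen = []  # (path, mtime, has_marker)
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                mtime = os.lstat(path).st_mtime
                with open(path, "rb") as fh:
                    hit = bool(MARKER.search(fh.read(max_bytes)))
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            seen.append((path, mtime, hit))
    marked_times = [m for _p, m, hit in seen if hit]
    marked = sorted(p for p, _m, hit in seen if hit)
    nearby = sorted(
        p for p, m, hit in seen
        if not hit and any(abs(m - t) <= window_seconds for t in marked_times)
    )
    return marked, nearby

def build_demo_tree(root, base=1236700000):
    """Constructed sample site: one probe file, one file written 10 minutes
    later, and one file untouched for a month."""
    samples = {
        "id.php": (b'<?php echo("FeeL"."CoMz"); ?>', base),
        "images/x.php": (b"<?php /* constructed placeholder */ ?>", base + 600),
        "index.php": (b"<?php /* site code */ ?>", base - 30 * 86400),
    }
    for rel, (body, mtime) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
        os.utime(path, (mtime, mtime))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_demo_tree(site)
        marked, nearby = triage(site)
        print("marker found in:", marked)
        print("changed around the same time:", nearby)
```

Modification times can be reset by whoever wrote the file, so on a Unix host it is worth repeating the comparison with the inode change time (st_ctime), which cannot be set through utime.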
