Tuesday, June 15, 2010

Hacked!

Oh well isn't that cute... someone hacked my webcomic!


Of course, I'm not exactly clueless when it comes to these things, so after verifying the extent of the damage, I did some digging through the logs.

Ready for a laugh?

"K4Rel," the Iranian "L337 H4x0r!" who defaced my site is a complete poseur!

The actual break-in was done on Monday by someone in Jakarta, Indonesia.  They found a way in, uploaded a backdoor for themselves (the quite useful "b374k" php script), and changed the (hashed) passwords for the admin section. Once finished, it appears this individual passed off (or let's be honest, probably sold) the admin passwords to a second person.

The second guy actually was from Iran.  But he was only able to add a new "comic" to the database, as you can see above, and wasn't able to touch anything else on the site.  Heck, he barely even did that - the internal page id had incremented by two, which means he effed it up the first time and had to try again!  Laaame.

For the technically curious:  the original Indonesian hacker used classic SQL injection.  SomeryC, the extremely lightweight comic-oriented CMS I use for Directionless, was doing nothing to sanitize the page number in the URLs.  This allowed him to edit the hashed passwords for the admin section.  From there, he used the comic uploader to install the backdoor script, and after that appears to have left the server alone, after passing it off to the Iranian "hacker" (and for him, I use the term very loosely indeed...)

Over the last few hours, I've restored Directionless to normal.  Will helped me with some of the PHP, so the site should no longer respond to bogus input.  Additionally, I have put the entire admin section between an additional level of security with htaccess, and of course, changed all the passwords. DirectionlessComic.com should be secure now, at least from this type of attack.