I've Been Hacked!
Yesterday I was "building" a new PC for my dad (more on that later) and adding some bookmarks to what I've heard my mum refer to as "That damned Mozzarella Firethingy Jake put on it" (seems she prefers IE). I added a shortcut to my www.jakehowlett.com portal so that dad wouldn't have to keep asking me what this site's address is.
While doing so I happened to notice an odd green square on the page. At first I thought it was something on the monitor and even tried refreshing the page to get rid of it. When I finally looked at the source I had a shock.
Somebody, somehow, has managed to alter the source to the index.html file and add their own code, as you can see below:
First there's a 3px iframe which opens the banglachat website and then there's a "hidden" link to it. The link will help them gain PageRank and I guess the iframe is so they get a referral each time that page opens and they can track how long it remains there.
So, who's to blame? Obviously the person that did it is as guilty as hell. But whose fault is it that they could do this? Mine or the hosts'? The site is hosted by Easily.co.uk who I was moaning about the other day. Looks like I really will have to leave them now. They are yet to reply to my email asking how this could have happened.
There's a small chance I could be to blame. Passwords to MySQL are stored in files on the web server that PHP needs access to. As discussed in this article they are named *.inc files and Apache is configured to not allow browsers to read them. If anybody got access to this file on jakehowlett.com they would know my FTP username and password and would be able to hack me very easily.
Until I find out more I am not pointing any fingers. Who do you think I should blame for this? What course of action should I take with the hacker? This is highly illegal, right?
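The injection described above (a few-pixel iframe plus a link styled so visitors never see it) is easy to spot mechanically once you know the pattern. This is an added example, not code from the original post; the sample HTML is constructed and the domain in it is a placeholder.

```python
"""Flag near-invisible iframes and hidden links in a page's HTML.
Added example; SAMPLE is constructed, not the real index.html."""
from html.parser import HTMLParser


class HiddenEmbedFinder(HTMLParser):
    # Iframes only a few pixels wide or tall, or hidden via CSS, and anchors
    # hidden via CSS are not meant to be seen by a visitor: typical defacement.
    TINY = 5  # pixels; anything this small is not a real embedded page

    def __init__(self):
        super().__init__()
        self.findings = []

    @staticmethod
    def _px(value):
        try:
            return int(str(value).lower().replace("px", "").strip())
        except ValueError:
            return None  # missing or non-numeric size

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = "display:none" in style or "visibility:hidden" in style
        if tag == "iframe":
            w, h = self._px(a.get("width", "")), self._px(a.get("height", ""))
            tiny = any(v is not None and v <= self.TINY for v in (w, h))
            if tiny or hidden:
                self.findings.append(("tiny-or-hidden iframe", a.get("src", "")))
        elif tag == "a" and (hidden or "font-size:0" in style):
            self.findings.append(("hidden link", a.get("href", "")))


def scan_html(html):
    """Return a list of (kind, url) findings for the given HTML text."""
    p = HiddenEmbedFinder()
    p.feed(html)
    return p.findings


# Constructed sample: a normal page plus an injected 3px iframe and hidden link.
SAMPLE = """<html><body><h1>Welcome</h1>
<iframe src="http://injected.example/" width="3" height="3"></iframe>
<a href="http://injected.example/" style="display: none">chat</a>
<a href="http://www.jakehowlett.com/">portal</a></body></html>"""

if __name__ == "__main__":
    for kind, url in scan_html(SAMPLE):
        print(kind, "->", url)
```

Run it periodically against a fresh fetch of the live page and diff the findings against a known-clean copy; the legitimate portal link produces no finding.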
I see the problem still there, but the link doesn't open any site. So Pagerank might not be the reason.
"All I need is PHP and some time, at least in a hosted environment with more users on one server". This was the answer a friend of mine got. A lot of hackers surprisingly leave their contact details and you can talk to them in IRC. They know that it is impossible to catch them.
It is not easy to secure a PHP enabled webserver and if you do so many common scripts will stop working without modifications. In a hosted environment you are also at risk that a user is too lazy to keep his PHP scripts up-to-date.
Subhan. The site seems to exist. It looks like they're having problems at the moment though.
Henning. Interesting. So the hosts are part to blame then? A hacker doesn't need *my* details as such, just those of a user on the same machine?
If Woody had gone straight to Domino, none of this ever would have happened.
;-)
banglachat.net
Nice domain.. NOT...
I wondered how long it would be before somebody suggested I use Domino instead ;o)
"Mozzarella Firethingy?" Me likes that.
I do not know if the hosts are only to blame. If the servers are too strict, many people will complain. Unfortunately for many exploits it is not needed to get your data. Just one account needs a vulnerable version of e.g. phpbb2 (a quite common bulletin board) and they are done (who needs your password if you already have root access ;-). It is not easy for a provider to check the versions of each account and shared accounts are sometimes problematic just because they are shared accounts.
But unfortunately many providers do not harden their installation leaving the default settings (that are often considered development settings). Fortunately there are so many machines on the web that there is still a good chance that you never get hacked.
Some general information about PHP security can be found here: {Link}
(but be warned, security is boring stuff).
It's a shared hosting issue. You might have configured the web server not to send *.inc files, but what about shell users? You need to chmod those files so that they are read only for yourself and the web server user (although me thinks that means that if you know the filename, and write your own PHP script to read the contents of a file on another users directory... bingo).
If you telnet (or SSH) into the server, can you 'ls' other members directories, and determine what files are stored there?
Just checking on my PHP host, they prevent 'ls' from working in other users directories, although I can see other users names by doing an ls on the /home directory.
Also, I presume your password is robust enough to prevent guessing, or even mild brute force attacks?
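The chmod advice in the comment above can be checked rather than assumed. This is an added example, not the commenter's or the site's code; it builds a constructed temporary docroot and assumes PHP runs under your own account, so owner-only mode is enough.

```python
"""Find *.inc files (credential includes) readable by other accounts on a
shared host and tighten them.  Added example; the docroot is constructed."""
import os
import stat
import tempfile


def world_readable_secrets(root, suffixes=(".inc",)):
    """Return paths under root ending in one of suffixes whose mode grants
    read to group or others, i.e. to other customers on the same box."""
    bad = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(suffixes):
                continue
            path = os.path.join(dirpath, name)
            mode = os.stat(path).st_mode
            if mode & (stat.S_IRGRP | stat.S_IROTH):
                bad.append(path)
    return sorted(bad)


def fix_mode(path):
    """Leave the file readable and writable by the owner only (0600)."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)


def demo():
    """Constructed docroot: one exposed include, one already protected.
    Returns (findings before fixing, findings after fixing)."""
    with tempfile.TemporaryDirectory() as root:
        exposed = os.path.join(root, "db.inc")
        safe = os.path.join(root, "lib", "config.inc")
        os.makedirs(os.path.dirname(safe))
        for p in (exposed, safe):
            with open(p, "w") as fh:
                fh.write("<?php $dbpass = 'placeholder'; ?>\n")
        os.chmod(exposed, 0o644)  # common default: any shell user can read it
        os.chmod(safe, 0o600)
        before = [os.path.relpath(p, root) for p in world_readable_secrets(root)]
        for p in world_readable_secrets(root):
            fix_mode(p)
        after = [os.path.relpath(p, root) for p in world_readable_secrets(root)]
        return before, after


if __name__ == "__main__":
    print(demo())
```

Where PHP runs as a shared web-server user rather than your own account, owner-only mode breaks the site, and granting that user read access reintroduces exactly the cross-customer exposure the comment describes.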
login: jakehowlett
pwd: karen
or am I wrong ;-)
Close. It's K4r3n ;o)
Hey Jake,
Consider the hack as flattery.
If this site did not have the 'pull' it commands they would not have hacked into it to get free publicity for their crappy site.
Regards
al.
Dave. The username AND password are what I'd call "high-strength". They are both decided on by Easily and I've not even bothered trying to remember them. I don't think they allow SSH access.
g'day
What does it say about Domino, if a self proclaimed Domino expert hosts on alternative technology?
Is Domino now just too boring for Jake? Probably.
cyber.sammy:
Obviously you aren't a long time reader. (Welcome!!!)
Jake's been an advocate for PHP for a while now, and has even had a string of PHP-for-Domino-developer centric posts & articles. He's never been about Domino all day all of the time.
Jake:
Consider yourself lucky. It could have been a Javascript library link that would have run under your permissions.
John Smart:
Actually, I _am_ a long time reader, well before Jake was interested in PHP, even before PHP. And, yes, he was all Domino, all day, all of the time - back before blog was well known. (Kudos to Jake for one of the few worthwhile sites on the whole of the net, by the way).
(His concept of storing code tidbits, online, aka CodeStore, was great. I have always appreciated him for that.)
Anyway, back to PHP and Jake. I think Domino is somewhat sucky and generally pretty boring. The lack of a real IDE is just the beginning and the lack of the available options for _good_ application structure is just the end. Most of Lotus/Domino has always seemed like such a hack.. and you know what, it is. Check out Notes V3 applications and you will see what I mean. From there, I haven't seen much progress.
As IBM killed off the proprietary Servlet engine, their introduction of the eclipse framework will probably be a good thing I reckon.
Thanks cyber.sammy for the email heads up on your reply!
I meant that when Jake was blogging, he sprinkled non-Domino stuff, it was primarily Domino but it had other (e.g. personal) elements as well. Yes, the focus has been less Domino-specific, and he's blogged about that shift as well, which led me to believe you weren't a long-time reader if you made those comments now.
I kind of agree with your comment about Notes being a hack, but I'd also add that
- A schema-free database format is a "feature, not a bug", :-)
- The very reason that Notes R3 was popular was because common people could pick it up. The best R3 developers I knew were former teachers, former economists, former quality engineers, etc, not techies. The IDE was meant to be simplified. Even so, I think it should have improved more than it has over the years.
- Notes R3 apps still exist and work today. My guess is that you haven't seen much progress because it hasn't been necessary, and it works well as defined by the people who hire you. A decade ago, I was trying to explain Notes to the hardcore coders by comparing Notes vs C like Duplo blocks vs sand. You can get exactly what you want with sand, but you can get close enough with the Duplo blocks much faster.
To say that Notes is sucky and generally pretty boring is something I more or less agree with provided we're all about the technical as opposed to the enablement. However, I've seen a lot of business benefit from some technically sucky and boring apps, and that's what gets me up in the morning. In some moods, the suckier the better; when I think of the best apps I've seen, they are often embarrassingly dull from a purely technical aspect. When I can make the same _business_ impact as fast with Java (e.g. Workplace, JSF, or some other RAD layer that I can then fine-tune after prototyping), I'll likely switch.