    • 20910
    • 9 Posts
    Yeah, the permissions of config.inc.php were 666. So if that is the problem, how could these permissions have let them hack the site?
      • 20910
      • 9 Posts
      For now, the only suspicious thing I’ve found is:

      dsl85-98-14636.ttnet.net.tr - - [11/Jul/2006:19:09:22 +0300] "GET /modx/assets/cache HTTP/1.1" 301 871 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
      dsl85-98-14636.ttnet.net.tr - - [11/Jul/2006:19:09:23 +0300] "GET /modx/assets/cache/ HTTP/1.1" 200 491 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
      dsl85-98-14636.ttnet.net.tr - - [11/Jul/2006:19:09:31 +0300] "GET /modx/assets/cache/siteCache.idx.php HTTP/1.1" 200 423 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
      dsl85-98-14636.ttnet.net.tr - - [11/Jul/2006:19:09:58 +0300] "GET /modx/assets/cache/siteCache.idx.php HTTP/1.1" 200 464 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
      dsl85-98-14636.ttnet.net.tr - - [11/Jul/2006:19:10:01 +0300] "GET /modx/assets/cache HTTP/1.1" 301 870 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
      dsl85-98-14636.ttnet.net.tr - - [11/Jul/2006:19:10:02 +0300] "GET /modx/assets/cache/ HTTP/1.1" 304 318 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
      www.zone-h.org - - [11/Jul/2006:19:10:29 +0300] "GET /modx/assets/cache/siteCache.idx.php HTTP/1.0" 200 393 "-" "Wget/1.9.1"
      • Quote from: Nameless at Jul 14, 2006, 06:31 PM

        Yeah, the permissions of config.inc.php were 666. So if that is the problem, how could these permissions have let them hack the site?

        That means that the file is world writable, and if they are clever enough, they can find a way to write to that file. You should only change the file to 666 during installation or upgrades, then set it back to 644 so it is no longer vulnerable during normal site operations.

        Where was that message located after the hacking? Was it in the config.inc.php file, or did the /modx/assets/cache/siteCache.idx.php or another file in that directory contain their message?
          • 31337
          • 258 Posts
          I still highly doubt that a writeable config file gave them access to your server.

          What other services and applications were running on your server?
          • Quote from: vbrilon at Jul 15, 2006, 12:01 AM

            I still highly doubt that a writeable config file gave them access to your server.

            Right, I didn’t mean to imply that; I was trying to imply rather that the config file being world writable means that hackers compromising another application or service vulnerability on the server could write to the file very easily.
              • 31337
              • 258 Posts
              Quote from: OpenGeek at Jul 15, 2006, 12:08 AM

              Quote from: vbrilon at Jul 15, 2006, 12:01 AM

              I still highly doubt that a writeable config file gave them access to your server.

              Right, I didn’t mean to imply that; I was trying to imply rather that the config file being world writable means that hackers compromising another application or service vulnerability on the server could write to the file very easily.

              Excellent point. And exactly the line of thinking I was going with.
                • 20910
                • 9 Posts
                The message was in /modx/assets/cache/siteCache.idx.php. Well, there are also several installations of Mambo, Joomla and phpwcms. Then there was a not fully installed phpMyAdmin. I am using shared hosting.
                • That is why I recently moved my site to a host with phpsuexec. This way my scripts run as the owner of the script (which is me) instead of the apache user, so none of my files have to be world-writable. All it takes is somebody able to get into the server, and they can write to any world-writable files they like. And if you figure that often these shared hosts have up to 400 users on one server, what are the chances one of them manages to break out of his own space?
                    Studying MODX in the desert - http://sottwell.com
                    Tips and Tricks from the MODX Forums and Slack Channels - http://modxcookbook.com
                    Join the Slack Community - http://modx.org
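
Added example, not part of any post in this thread: a shell audit for the condition discussed above (files left at 666 on a shared host) that also applies the 644 reset recommended for config.inc.php. The function names and the temporary demo tree are constructed for illustration and do not reflect a real MODX layout.

```shell
#!/bin/sh
# Added example. Function names and the demo tree are constructed.

# Print regular files and directories under $1 that carry the "other write"
# bit (e.g. 666 or 777). find does not follow symlinks by default.
list_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print 2>/dev/null | sort
}

# Number of world-writable entries under $1.
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Put a config file back to 644 after an install or upgrade. Refuses symlinks
# and non-regular files so the chmod cannot land on an unexpected target.
lock_config() {
    if [ -L "$1" ] || [ ! -f "$1" ]; then
        echo "skip: $1 is not a regular file" >&2
        return 1
    fi
    chmod 644 "$1"
}

# Clear only the "other write" bit on everything the audit finds, leaving the
# owner and group bits as they were.
strip_other_write() {
    list_world_writable "$1" | while IFS= read -r path; do
        chmod o-w "$path" && echo "fixed: $path"
    done
}

# Demo on a throwaway tree (constructed layout, not a real MODX install).
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/modx/assets/cache"
    chmod 755 "$root/modx" "$root/modx/assets" "$root/modx/assets/cache"
    : > "$root/modx/config.inc.php"
    : > "$root/modx/assets/cache/siteCache.idx.php"
    chmod 666 "$root/modx/config.inc.php" "$root/modx/assets/cache/siteCache.idx.php"
    echo "before: $(count_world_writable "$root/modx") world-writable"
    lock_config "$root/modx/config.inc.php"
    strip_other_write "$root/modx"
    echo "after: $(count_world_writable "$root/modx") world-writable"
    rm -rf "$root"
}
demo
```

On a host where PHP runs as the web server user rather than the file owner, clearing the bit on a cache directory can stop the application from writing its cache, so run the listing step first and review it before changing modes.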
                    • 32241
                    • 1,495 Posts
                    A very interesting topic. I’ve been pondering the security issue in MODx, which seems to me to be supposed to be quite secure. Let’s see... Can you give us your hosting company and the plan that you use? Maybe we can investigate this further; either this is a security breach on the server or on MODx itself.
                      Wendy Novianto
                      PT DJAMOER Technology Media
                      Xituz Media
                      • 20910
                      • 9 Posts