Old 04-16-2010, 08:17 AM   #1
mmcfadden
So Fucking Banned
 
Join Date: Oct 2008
Location: philly
Posts: 5,099
Looking for explanation to security breach

I am trying to figure out what happened to one of my sites.

Bottom line sales were not good for a solid 3 week stretch and then 2 days of nothing. I finally had a test transaction done last night and permission settings for .htpasswd were changed.

I know there are a lot of knowledgeable people on gfy that may know how a scam like this would work. How can I track down what processor would use the changed permission setting and how could I still receive some sales during this stretch. Like it was changed for a period of time then changed back. My host claims they cannot track a change to the settings... only if the file was uploaded. The biggest indicator is a 30 member discrepancy in my password file.

For this to work my page prior to processor change would have had to be replaced as well. Can this be done without me knowing... ie my IP would be recognized and show the correct cc page?

Finally, is there any way for permission settings on password files to be inadvertently changed by some hosting anomaly?
Old 04-16-2010, 08:28 AM   #2
BestXXXPorn
Confirmed User
 
Join Date: Jun 2009
Location: Asheville, NC
Posts: 2,277
Are you on a dedicated box or a shared box?

What OS?

Is FTP enabled?

Is SSH restricted by IP or open?

Do you use auth keys? Could anyone have taken your private key?

There's a million ways it "could" happen so it's hard to have any idea without more information... The devil is in the details...
__________________
ICQ: 258-202-811 | Email: eric{at}bestxxxporn.com
Old 04-16-2010, 09:00 AM   #3
VGeorgie
Confirmed User
 
Join Date: Nov 2008
Posts: 359
Could happen if the host has to do a restore and the settings aren't right (has happened to me with a particular host known around here, so I imagine it could happen elsewhere). They should tell you if they did, but the tech may not be looking at the right place to see it, and let you know.

But, how would a change to your htpasswd file affect sales? If anything, you'd be getting the sales, but members wouldn't be added. If you're using CCBill for the biller, you should get an e-mail if their JPOST script fails on an add because of a bad or missing htpasswd file.
Old 04-16-2010, 09:08 AM   #4
plsureking
bored
 
Join Date: Aug 2003
Location: Metaverse
Posts: 4,675
ya if it is actually a hack, they could have figured out the path to your htpass file and then injected a script to edit it. or they could be hacking the biller script if it is discoverable.

i doubt it was a hack tho. most likely just a screwed up script somewhere.

you should be using separate pass files for each biller too. all with unique unguessable names.
Old 04-16-2010, 09:50 AM   #5
mmcfadden
So Fucking Banned
 
Join Date: Oct 2008
Location: philly
Posts: 5,099
Quote:
Originally Posted by VGeorgie View Post
Could happen if the host has to do a restore and the settings aren't right (has happened to me with a particular host known around here, so I imagine it could happen elsewhere). They should tell you if they did, but the tech may not be looking at the right place to see it, and let you know.

But, how would a change to your htpasswd file affect sales? If anything, you'd be getting the sales, but members wouldn't be added. If you're using CCBill for the biller, you should get an e-mail if their JPOST script fails on an add because of a bad or missing htpasswd file.
What host?

Sales will not go through as ccbill explained to me. They tried last night and it didn't even register as a submission...

Sales have been minimal for a couple weeks now so either my settings were changed 2 days ago (2 days of solid zero sales) or like you say... sales can still squeeze through once in a while.

I don't know... people that work on the site have (actually had) FTP access.
Old 04-16-2010, 10:31 AM   #6
VGeorgie
Confirmed User
 
Join Date: Nov 2008
Posts: 359
I left the host several years ago and there's no reason to go muckraking. Needless to say, they have a spotty record here, so if you use them, you'll know by their rep if you should be staying around.

When this happened to me the sale went through, but I caught it early enough to manually fix the problem and I got credited. Don't know if they've changed things since then.

You can look at your CCBill error log (it's in a directory under your CCBill posting script, in your CGI directory) to see if there were problems with other transactions. And, go into your CCBill admin and make sure you are set to get e-mails for posting errors.

(I just checked, and the one place to put in an e-mail for these warnings says it only works with STORED user names. I do use those now, but didn't when I got the error message way back when. You may want to ask Client Support for help here.)

As for a hack changing the permissions to (apparently) make it unwritable, why would they do that? Generally they just try to snag it so they can hack it offline. They don't do anything to make you suspicious that there was a break in. More likely the file was inadvertently changed by someone with authorized access.
Old 04-16-2010, 01:55 PM   #7
mmcfadden
So Fucking Banned
 
Join Date: Oct 2008
Location: philly
Posts: 5,099
My error log stopped working on 3-30-10. It had permission settings changed so nothing could be written to it.

Found this code in htaccess within /members. any ideas?? It's not ccbill's code

AddType application/x-httpd-php .html .htm
Old 04-16-2010, 02:10 PM   #8
mmcfadden
So Fucking Banned
 
Join Date: Oct 2008
Location: philly
Posts: 5,099
Quote:
Originally Posted by VGeorgie View Post
I left the host several years ago and there's no reason to go muckraking. Needless to say, they have a spotty record here, so if you use them, you'll know by their rep if you should be staying around.
How about you just ICQ me the name (and let me know it was you)? I just want to know what is happening but too many things wrong for just permission settings inadvertently changed
Old 04-16-2010, 02:43 PM   #9
sortie
Confirmed User
 
Join Date: Mar 2007
Posts: 7,771
Quote:
Originally Posted by mmcfadden View Post
My error log stopped working on 3-30-10. It had permission settings changed so nothing could be written to it.

Found this code in htaccess within /members. any ideas?? It's not ccbill's code

AddType application/x-httpd-php .html .htm
That code is making all your html pages execute as php. (I believe )

So, you either needed that and did it yourself for the most dumb reason or
you don't really have many php pages so the hacker has to put his php inside
your html pages for them to execute or the hacker just wanted to infect all files.

If you didn't "secure" the ccbill member script then you could
get a hacker doing sign ups.
Old 04-16-2010, 02:49 PM   #10
sortie
Confirmed User
 
Join Date: Mar 2007
Posts: 7,771
Quote:
Originally Posted by sortie View Post
That code is making all your html pages execute as php. (I believe )

So, you either needed that and did it yourself for the most dumb reason or
you don't really have many php pages so the hacker has to put his php inside
your html pages for them to execute or the hacker just wanted to infect all files.

If you didn't "secure" the ccbill member script then you could
get a hacker doing sign ups.
I take back the part about doing that for "the most dumb reason"; there are
good reasons to actually do that. Just not the way I do things.
Old 04-16-2010, 02:52 PM   #11
TheDoc
Too lazy to set a custom title
 
Join Date: Jul 2001
Location: Currently Incognito
Posts: 13,827
It sounds like your hard drive / temp areas are full. When my log files quit working, .htpasswd files stop logging, anything like that - it's always something is full.
__________________
~TheDoc - ICQ7765825
It's all disambiguation
Old 04-16-2010, 02:52 PM   #12
mmcfadden
So Fucking Banned
 
Join Date: Oct 2008
Location: philly
Posts: 5,099
Quote:
Originally Posted by sortie View Post
That code is making all your html pages execute as php. (I believe )

So, you either needed that and did it yourself for the most dumb reason or
you don't really have many php pages so the hacker has to put his php inside
your html pages for them to execute or the hacker just wanted to infect all files.

If you didn't "secure" the ccbill member script then you could
get a hacker doing sign ups.
Ok so let's say he dumped code into my html files... thousands of files actually that he could have dumped code into actually.

Besides just fucking up my site how would he be scraping the sales?
Old 04-16-2010, 02:53 PM   #13
TheDoc
Too lazy to set a custom title
 
Join Date: Jul 2001
Location: Currently Incognito
Posts: 13,827
Quote:
Originally Posted by mmcfadden View Post
AddType application/x-httpd-php .html .htm

Quote:
Originally Posted by sortie View Post
That code is making all your html pages execute as php. (I believe )
Correct.... it's nothing bad, just makes html pages execute php within them rather than having to name everything .php - lots of scripts require this.
__________________
~TheDoc - ICQ7765825
It's all disambiguation
Old 04-16-2010, 02:55 PM   #14
ProG
Confirmed User
 
Join Date: Apr 2009
Posts: 1,319
I hope you are storing the htpasswd file outside of the DocumentRoot? What reason would someone have to make the file unwritable? Does ccbill validate the usernames in the file?

Perhaps your server ran out of space? Do you have rotating logs?
__________________
History will be kind to me for I intend to write it.
Old 04-16-2010, 02:59 PM   #15
ProG
Confirmed User
 
Join Date: Apr 2009
Posts: 1,319
Quote:
Originally Posted by mmcfadden View Post
Ok so let's say he dumped code into my html files... thousands of files actually that he could have dumped code into actually.

Besides just fucking up my site how would he be scraping the sales?
Typically they put an iframe into every page that loads something with spyware, virus, etc. If a surfer hits your page and his anti-virus goes off, I doubt he is going to sign up.
__________________
History will be kind to me for I intend to write it.
Old 04-16-2010, 03:01 PM   #16
mmcfadden
So Fucking Banned
 
Join Date: Oct 2008
Location: philly
Posts: 5,099
Quote:
Originally Posted by TheDoc View Post
Correct.... it's nothing bad, just makes html pages execute php within them rather than having to name everything .php - lots of scripts require this.
Ok... so would a java popup require this? But even so an htaccess ccbill code is required in /members. That's how the members log in. That code replaced the ccbill code and users were still able to log-in because I have not received any complaints over the past couple weeks.

It is not a server or space issue... have a dedicated server with tons of space available.
Old 04-16-2010, 03:11 PM   #17
TheDoc
Too lazy to set a custom title
 
Join Date: Jul 2001
Location: Currently Incognito
Posts: 13,827
Quote:
Originally Posted by mmcfadden View Post
Ok... so would a java popup require this? But even so an htaccess ccbill code is required in /members. That's how the members log in. That code replaced the ccbill code and users were still able to log-in because I have not received any complaints over the past couple weeks.

It is not a server or space issue... have a dedicated server with tons of space available.
js wouldn't require that, only php would..

When your temp areas fill up, your hd space can look fine... Every server has some /dev/, /logs or /etc/temp or some crap folders that sometimes screws up and doesn't empty - and aren't on the main drive space. It can mess with your .htpasswd files, locking and unlocking them longer than it should - screwing with permissions, missing record inserts, yet still seem like it works to you and most users.
__________________
~TheDoc - ICQ7765825
It's all disambiguation

Last edited by TheDoc; 04-16-2010 at 03:13 PM..
Old 04-16-2010, 03:15 PM   #18
sortie
Confirmed User
 
Join Date: Mar 2007
Posts: 7,771
Quote:
Originally Posted by mmcfadden View Post
Ok so let's say he dumped code into my html files... thousands of files actually that he could have dumped code into actually.

Besides just fucking up my site how would he be scraping the sales?
If he planted a php script onto your site then members logging in will go thru his
php hack. Every member has to enter the "members directory" and that's when
the code in your htaccess will parse the html page as php and execute his hack
and let surfers in for free or what ever the hack script wants; like chmod errorlog.txt
to "444".
Old 04-16-2010, 03:18 PM   #19
mmcfadden
So Fucking Banned
 
Join Date: Oct 2008
Location: philly
Posts: 5,099
Quote:
Originally Posted by TheDoc View Post
js wouldn't require that, only php would..

When your temp areas fill up, your hd space can look fine... Every server has some /dev/ or /etc/temp or some crap folder that sometimes screws up and doesn't empty. It can mess with your .htpasswd files, locking and unlocking them longer than it should - screwing with permissions, missing record inserts, yet still seem like it works to you and most users.
I just got a new server last month with way more capacity than required. How could individual files within my cgi-bin folder just randomly change permission settings... that's huge. Like I said the htaccess within /members was also changed... last update was 4-9-10. Everything points to a hack... or should I say direct intent to fuck my site up, but I do not understand how this person is making any money off it. One thing for sure is sales are outlandishly slow, but when I contacted CCBill yesterday they said there is no way for a sale to even go through with permission settings not matching theirs.

It's like files for the past 3 weeks have been uploaded, deleted, re-uploaded to take the sales but cannot understand how they could get a processor to take the sales.

There was a 30 member discrepancy in my password file with the changed permission settings.
Old 04-16-2010, 03:25 PM   #20
EDepth
Confirmed User
 
Join Date: Nov 2005
Location: Seattle, WA
Posts: 510
Quote:
Originally Posted by mmcfadden View Post
I just got a new server last month with way more capacity than required. How could individual files within my cgi-bin folder just randomly change permission settings... that's huge. Like I said the htaccess within /members was also changed... last update was 4-9-10. Everything points to a hack... or should I say direct intent to fuck my site up, but I do not understand how this person is making any money off it. One thing for sure is sales are outlandishly slow, but when I contacted CCBill yesterday they said there is no way for a sale to even go through with permission settings not matching theirs.

It's like files for the past 3 weeks have been uploaded, deleted, re-uploaded to take the sales but cannot understand how they could get a processor to take the sales.

There was a 30 member discrepancy in my password file with the changed permission settings.
That addtype line was added to hide exploits within html. Could be to install viruses, add passwords remotely, or whatever. But guaranteed you have exploits on your server hidden.
__________________
ICQ: 275335837
Old 04-16-2010, 03:25 PM   #21
TheDoc
Too lazy to set a custom title
 
Join Date: Jul 2001
Location: Currently Incognito
Posts: 13,827
Quote:
Originally Posted by mmcfadden View Post
I just got a new server last month with way more capacity than required. How could individual files within my cgi-bin folder just randomly change permission settings... that's huge. Like I said the htaccess within /members was also changed... last update was 4-9-10. Everything points to a hack... or should I say direct intent to fuck my site up, but I do not understand how this person is making any money off it. One thing for sure is sales are outlandishly slow, but when I contacted CCBill yesterday they said there is no way for a sale to even go through with permission settings not matching theirs.

It's like files for the past 3 weeks have been uploaded, deleted, re-uploaded to take the sales but cannot understand how they could get a processor to take the sales.

There was a 30 member discrepancy in my password file with the changed permission settings.
Some people are straight up douche bags.... they aren't in it for the money, they get off knowing they fucked shit up.


Knowing you moved to a new server, it could be a hack - but it's not like new servers don't screw up at times either. May want to start over to make sure you clear out any issues, hacks, bad setups, etc.
__________________
~TheDoc - ICQ7765825
It's all disambiguation

Last edited by TheDoc; 04-16-2010 at 03:26 PM..
Old 04-16-2010, 03:26 PM   #22
sortie
Confirmed User
 
Join Date: Mar 2007
Posts: 7,771
Quote:
Originally Posted by mmcfadden View Post
I just got a new server last month with way more capacity than required. How could individual files within my cgi-bin folder just randomly change permission settings... that's huge. Like I said the htaccess within /members was also changed... last update was 4-9-10. Everything points to a hack... or should I say direct intent to fuck my site up, but I do not understand how this person is making any money off it. One thing for sure is sales are outlandishly slow, but when I contacted CCBill yesterday they said there is no way for a sale to even go through with permission settings not matching theirs.

It's like files for the past 3 weeks have been uploaded, deleted, re-uploaded to take the sales but cannot understand how they could get a processor to take the sales.

There was a 30 member discrepancy in my password file with the changed permission settings.
The hack doesn't stop you from making normal sales.

Why do this? Password trading!!!!

The hack will load passwords into your file but it will not show up as a sale
from ccbill. Sales from ccbill will still go thru; but if your site is all over the
password trading sites then the surfers are using that instead of signing up.
Therefore signups are down.

I'm not claiming 100% this is happening; just saying from knowledge of working
with the system and my programming background that this is a very strong possibility.
Old 04-16-2010, 03:30 PM   #23
sortie
Confirmed User
 
Join Date: Mar 2007
Posts: 7,771
Did the .htpasswd file have a change of permissions also?
Old 04-16-2010, 03:36 PM   #24
mmcfadden
So Fucking Banned
 
Join Date: Oct 2008
Location: philly
Posts: 5,099
Quote:
Originally Posted by sortie View Post
Did the .htpasswd file have a change of permissions also?
yes... it was changed to 775.. should have been 666
Old 04-16-2010, 03:47 PM   #25
sortie
Confirmed User
 
Join Date: Mar 2007
Posts: 7,771
Quote:
Originally Posted by mmcfadden View Post
yes... it was changed to 775.. should have been 666
Ok, then that explains how your sales are still going thru.

755 on some servers will allow the ccbill script to record sign ups.
Old 04-16-2010, 03:50 PM   #26
mmcfadden
So Fucking Banned
 
Join Date: Oct 2008
Location: philly
Posts: 5,099
Quote:
Originally Posted by sortie View Post
Ok, then that explains how your sales are still going thru.

755 on some servers will allow the ccbill script to record sign ups.
It was 775 though... not 755 (this was actually told to me and not verified)... another story which I was really clear I did not want anything changed until I had an archived copy of everything

Last edited by mmcfadden; 04-16-2010 at 03:51 PM..
Old 04-16-2010, 04:02 PM   #27
sortie
Confirmed User
 
Join Date: Mar 2007
Posts: 7,771
Quote:
Originally Posted by mmcfadden View Post
It was 775 though... not 755 (this was actually told to me and not verified)... another story which I was really clear I did not want anything changed until I had an archived copy of everything
Email me the name of your host please : tube at econfirmpro dot com.
Old 04-16-2010, 04:05 PM   #28
VGeorgie
Confirmed User
 
Join Date: Nov 2008
Posts: 359
666 is less secure than 755 (or 775 for that matter), and there's no real reason for a hacker to have modified your files so. It still looks like a crummy tar and restore job. Or just some sloppy admining. You said people had FTP access. Maybe one of them did it, especially if you didn't change the password when they were done moving your site.

I don't bother with ICQ. If you trust your host, then you trust them. If not...

To be fair, when this happened to me I was on a virtual plan. I switched to a dedicated plan for a few months, and fewer really bad mistakes happened.
Old 04-16-2010, 04:12 PM   #29
VGeorgie
Confirmed User
 
Join Date: Nov 2008
Posts: 359
I'll add that sales to my site have been really slow the bulk of this week, and particularly bad today, even though it's a Friday, near the 15th, and a payday for many people. My site hasn't been hacked, my file permissions are correct, and I haven't moved my site.

I have nothing to blame my poor sales on other than tubes, too much free porn, the week after Easter and Passover, volcanic ash in Europe, the Democrats, the Republicans, the Tea Party, Sarah Palin, Michael Palin,...

(I'm not really making light of your situation, and it's a PITA to have to double check a host's work. I'm just saying there could be other reasons for the bad sales days.)
Old 04-16-2010, 04:15 PM   #30
sortie
Confirmed User
 
Join Date: Mar 2007
Posts: 7,771
Quote:
Originally Posted by VGeorgie View Post
666 is less secure than 755 (or 775 for that matter)

That is old/bad information and actually is an indicator that your host is complete fucking
shit. If you fear setting a file to 777 then you're already fucked.

If you are on a secure server with no holes in your scripts then there is no way
I can hack your site just because you set every file to 777.

I wish people would quit repeating this bullshit.

If your host says "you were hacked because you had files set to 777" then you are
crazy to keep hosting there.
Old 04-16-2010, 04:29 PM   #31
VGeorgie
Confirmed User
 
Join Date: Nov 2008
Posts: 359
Well I wouldn't want to tempt fate. At least 7?5 is not writable by the web server.

Besides, I still don't think he was hacked, and only a dim hacker would change file permission from 666 to 7?5, because he'd get more mileage keeping it at 666. That's the point I was trying to make.

Last edited by VGeorgie; 04-16-2010 at 04:43 PM..
Old 04-16-2010, 05:04 PM   #32
mmcfadden
So Fucking Banned
 
Join Date: Oct 2008
Location: philly
Posts: 5,099
Quote:
Originally Posted by sortie View Post
Email me the name of your host please : tube at econfirmpro dot com.
sent it... i don't think it was the host... the programmer I gave ftp access to is my suspicion. But I want to know how he made money from it... then i'll pursue that
Old 04-16-2010, 05:08 PM   #33
sortie
Confirmed User
 
Join Date: Mar 2007
Posts: 7,771
Quote:
Originally Posted by VGeorgie View Post
Well I wouldn't want to tempt fate. At least 7?5 is not writable by the web server.

Besides, I still don't think he was hacked, and only a dim hacker would change file permission from 666 to 7?5, because he'd get more mileage keeping it at 666. That's the point I was trying to make.

No, wrong again!!!!!!!!!!!!!!!


That's why you should stop repeating this bullshit.

If I get on your server thru a script then I can chmod any file to whatever I want
so what difference does it make what you set it to???

I already said that 755 will let the ccbill script work the same and clearly the
permissions were changed. He already said that.

So telling him to set permission to 666 means bullshit since the hacker changed it to 755
anyway.


This debate is so old and so stupid to any decent programmer but
no way can we ever stop this information from spreading.

If your host told you to change your 777 files to 755/744/766/etc because of security
issues then your host is shit!! OK!!!!


Look at it this way : I am telling you that there are no 777's of Mass Destruction!

Stop looking for them!


Look for a decent hosting company instead.
Old 04-16-2010, 06:09 PM   #34
VGeorgie
Confirmed User
 
Join Date: Nov 2008
Posts: 359
I never told him to change it to 666. That's the standard setting CCBill does when they install their scripts. That's what the permissions WERE. Whether or not other permissions work is not the point. No hacker is going to bother changing them to 775 or 755 because as you say it wouldn't matter if they've already hacked the site. Just keep at 666 then no one would have known the difference.

I don't think it's too much to ask to not read things into something I didn't write.

My other point is that there is no need to have more permissive settings than what's needed to get the job done. That's just common sense, for everything, not just servers.
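The permission question argued in the posts above (666 vs 775 vs 755 vs 444, and the host's statement in post #1 that a permission change cannot be tracked), worked through as an added example that is not part of the thread. It applies the POSIX owner/group/other rule and reads the inode change time, which chmod updates; the uid/gid values and file contents are constructed assumptions.

```python
import os
import stat
import tempfile
import time


def can_write(mode, file_uid, file_gid, proc_uid, proc_gids):
    """POSIX write check. Exactly one class (owner, group, other) applies."""
    if proc_uid == 0:
        return True  # root ignores the mode bits
    if proc_uid == file_uid:
        return bool(mode & stat.S_IWUSR)
    if file_gid in proc_gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def who_can_write(mode, owner_uid=1000, owner_gid=1000, web_uid=33, web_gid=33):
    """Same file, two ways a biller script may run (all ids are hypothetical)."""
    return {
        "as web-server user": can_write(mode, owner_uid, owner_gid, web_uid, [web_gid]),
        "as site owner (suexec-style)": can_write(mode, owner_uid, owner_gid,
                                                  owner_uid, [owner_gid]),
    }


def inspect_file(path, expected_mode, slack=2.0):
    """Compare a file's mode with its baseline and date the last inode change."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    return {
        "path": path,
        "mode": format(mode, "03o"),
        "expected": format(expected_mode, "03o"),
        "drifted": mode != expected_mode,
        "executable_bits": bool(mode & 0o111),
        # ctime moves on chmod, chown, rename and content writes; mtime only on
        # content writes (or an explicit utime, as a tar restore does). A ctime
        # later than mtime therefore dates a metadata change or a restore; it
        # does not say which of those happened.
        "metadata_changed_after_content": st.st_ctime - st.st_mtime > slack,
        "last_inode_change": time.strftime("%Y-%m-%d %H:%M:%S",
                                           time.localtime(st.st_ctime)),
    }


def demo():
    """Constructed stand-ins for the password file and the biller error log."""
    rows = []
    with tempfile.TemporaryDirectory() as tmp:
        for name, baseline, current in ((".htpasswd", 0o666, 0o775),
                                        ("errorlog.txt", 0o666, 0o444)):
            path = os.path.join(tmp, name)
            with open(path, "w") as fh:
                fh.write("constructed\n")
            three_days_ago = time.time() - 3 * 86400
            os.utime(path, (three_days_ago, three_days_ago))  # content looks old
            os.chmod(path, current)                           # metadata changes now
            rows.append(inspect_file(path, baseline))
    return rows


if __name__ == "__main__":
    for mode in (0o666, 0o775, 0o755, 0o444):
        print(format(mode, "03o"), who_can_write(mode))
    for row in demo():
        print(row)
```
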
Old 04-16-2010, 06:14 PM   #35
mmcfadden
So Fucking Banned
 
Join Date: Oct 2008
Location: philly
Posts: 5,099
Quote:
Originally Posted by VGeorgie View Post
I never told him to change it to 666. That's the standard setting CCBill does when they install their scripts. That's what the permissions WERE. Whether or not other permissions work is not the point. No hacker is going to bother changing them to 775 or 755 because as you say it wouldn't matter if they've already hacked the site. Just keep at 666 then no one would have known the difference.

I don't think it's too much to ask to not read things into something I didn't write.

My other point is that there is no need to have more permissive settings than what's needed to get the job done. That's just common sense, for everything, not just servers.
it's not a hacker... it would be the programmer I gave full FTP access to.

My question remains are there any processors out there that would write to htpasswd file set at 775 and collect the money?

I have no idea but not a sale today either... never, never has happened since I opened the site.

Maybe check it out and see if anything comes up? I have accessed so many times and I see nothing out of the ordinary by going to the site.

www.vstrippoker.com
Old 04-16-2010, 06:24 PM   #36
mmcfadden
So Fucking Banned
 
Join Date: Oct 2008
Location: philly
Posts: 5,099
Quote:
Originally Posted by EDepth
That addtype line was added to hide exploits within html. Could be to install viruses, add passwords remotely, or whatever. But guaranteed you have exploits on your server hidden.
So what would I look for written into html... that code in htaccess is obviously gone but now what do I need to try and find?
Old 04-16-2010, 06:37 PM   #37
VGeorgie
Confirmed User
 
Join Date: Nov 2008
Posts: 359
This is all I'm going to say on the matter because there are people who seem to itch at misreading what others write.

You can do your own transaction tests through CCBill. Assuming you haven't done this before:

Go to your admin panel, find the Test Transactions tab, and enter your e-mail and IP information. Note the dummy MC and Visa card numbers to use for the test.

Go to your site, fill out your subscription form, and provide the dummy card number. Be sure you give the right e-mail address, and you are connected from the IP you said you would.

If the transaction is successful you'll be shown your usual welcome page. If not, you'll see that, too. If successful, check your htpasswd file for the just-added username and password. (It will be deleted automatically in a day, so just leave it if it's there.)

Use this method any time to see if the CCBill setup is working. No guess work needed.
Old 04-16-2010, 06:40 PM   #38
EDepth
Confirmed User
 
Join Date: Nov 2005
Location: Seattle, WA
Posts: 510
Quote:
Originally Posted by mmcfadden
So what would I look for written into html... that code in htaccess is obviously gone but now what do I need to try and find?
Your host most likely has a script they can run on your server to find exploits.
__________________
ICQ: 275335837
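What a read-only check for the remapping EDepth describes could look like, as an added example that is not part of the thread and not any host's actual tool: it flags `AddType`/`AddHandler` lines that attach a script handler to static extensions, and static files containing PHP open tags. The function names, the extension list and the sample `.htaccess` text are assumptions constructed for illustration; the line removed from the poster's site is not reproduced here.

```python
import os
import re

# Extensions that normally hold static markup; a script handler on them deserves review.
STATIC_EXTS = {".html", ".htm", ".shtml", ".txt"}
DIRECTIVE = re.compile(r"^\s*(AddType|AddHandler)\s+(\S+)\s+(.+)$", re.IGNORECASE)
SCRIPT_HINT = re.compile(r"php|cgi|perl", re.IGNORECASE)
CODE_MARKER = re.compile(rb"<\?(php|=)", re.IGNORECASE)  # does not match <?xml


def suspicious_directives(htaccess_text):
    """Return (line_no, directive, handler, ext) for every script handler
    that is mapped onto a static extension."""
    hits = []
    for n, line in enumerate(htaccess_text.splitlines(), 1):
        m = DIRECTIVE.match(line)  # commented-out lines start with '#', so no match
        if not m or not SCRIPT_HINT.search(m.group(2)):
            continue
        for raw in m.group(3).split():
            ext = "." + raw.lstrip(".").lower()  # Apache accepts "html" and ".html"
            if ext in STATIC_EXTS:
                hits.append((n, m.group(1), m.group(2), ext))
    return hits


def scan_docroot(root):
    """Read-only walk: flag remapping directives in every .htaccess and
    static files that contain PHP open tags."""
    found = {"directives": [], "files": []}
    for dirpath, _dirs, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            if name == ".htaccess":
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for hit in suspicious_directives(fh.read()):
                        found["directives"].append((path,) + hit)
            elif os.path.splitext(name)[1].lower() in STATIC_EXTS:
                with open(path, "rb") as fh:
                    if CODE_MARKER.search(fh.read()):
                        found["files"].append(path)
    return found


# Constructed sample, not the line that was removed from the poster's site.
SAMPLE = "# members area\nAddType application/x-httpd-php .html .htm\nAddType text/html .shtml\n"

if __name__ == "__main__":
    for hit in suspicious_directives(SAMPLE):
        print(hit)
```

A hit is a lead for review rather than proof, since some sites deliberately parse `.html` as PHP.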
Old 04-16-2010, 06:41 PM   #39
VGeorgie
Confirmed User
 
Join Date: Nov 2008
Posts: 359
Okay, next to the last thing. Here's the last:

You can also test the user management function of CCBill just by doing a Manual Add. That's in the (as I recall) Member's tab. Select the specific account, then click Manual Add. Provide a username/password. You're told if the add was successful or not. Verify the username and password has been added to your site.

You should do a Manual Remove after the test.

You can perform these steps whenever you make a change to your site that you think might impact the user management aspects.
Old 04-16-2010, 06:42 PM   #40
mmcfadden
So Fucking Banned
 
Join Date: Oct 2008
Location: philly
Posts: 5,099
I know that... that's how I found the problem last night doing a test transaction.

Now the files have been replaced that were fucked but I don't think the site is ok... I think there is still code jammed all over the place and likely need to replace the whole fucking thing from a month ago.

But... someone has screwed with my site, that is certain, all I want to know is if they made money from it. So that is why I keep asking if a processor that anybody may know of will post to htpasswd file with the code 775 in it??

Then I do what I need to do.
Old 04-16-2010, 07:56 PM   #41
sortie
Confirmed User
 
Join Date: Mar 2007
Posts: 7,771
Quote:
Originally Posted by VGeorgie
I never told him to change it to 666. That's the standard setting CCBill does when they install their scripts. That's what the permissions WERE. Whether or not other permissions work is not the point. No hacker is going to bother changing them to 775 or 755 because as you say it wouldn't matter if they've already hacked the site. Just keep at 666 then no one wouldn't have known the difference.

I don't think it's too much to ask to not read things into something I didn't write.

My other point is that there is no need to have more permissive settings than what's needed to get the job done. That's just common sense, for everything, not just servers.

You are assuming that you know exactly what the hacker is trying to do.

Scenario :

If the hacker chown/chgrp the file in addition to chmod 755 then this can make the
file unchangeable by the website owner when he logs into FTP. (at least some servers)
The webmaster is no longer the owner of the file and needs 666, but can't
change it to 666 himself because he is not the file owner anymore.
So now we have a file full of hacked passwords that we can't change thru FTP.

This can be fixed, but is just one more way to slow the fix down.

There are other things possible too.
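The ownership situation sortie describes can be checked without changing anything, as in this added example (not part of the original post): it reports the file's owner, mode, and whether a given uid could chmod it back, and compares ctime with mtime, because chmod and chown update ctime but not mtime. The function name and the 666 baseline (the mode VGeorgie says CCBill's installer sets) are assumptions.

```python
import os
import pwd
import stat


def audit_password_file(path, uid=None, baseline_mode=0o666):
    """Report owner, mode and whether `uid` could chmod `path` back.
    baseline_mode is whatever was recorded when the site was known good;
    0o666 is only the value quoted in this thread."""
    st = os.stat(path)
    uid = os.getuid() if uid is None else uid
    mode = stat.S_IMODE(st.st_mode)
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        owner = str(st.st_uid)  # uid with no passwd entry on this host
    notes = []
    if mode != baseline_mode:
        notes.append("mode %03o differs from recorded baseline %03o" % (mode, baseline_mode))
    if mode & 0o111:
        notes.append("execute bits set on a data file")
    # Only the owner (or root) may chmod a file; an FTP login is normally not root.
    can_chmod = uid == 0 or uid == st.st_uid
    if not can_chmod:
        notes.append("uid %d is not the owner (%s) and cannot chmod this file" % (uid, owner))
    return {
        "mode": "%03o" % mode,
        "owner": owner,
        "owner_uid": st.st_uid,
        "group_gid": st.st_gid,
        "can_chmod": can_chmod,
        # ctime later than mtime: permissions, ownership or name changed
        # after the last time the contents were written.
        "metadata_changed_after_write": st.st_ctime > st.st_mtime,
        "notes": notes,
    }
```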
Old 04-16-2010, 08:16 PM   #42
mmcfadden
So Fucking Banned
 
Join Date: Oct 2008
Location: philly
Posts: 5,099
It's great... the programmer I suspect but never accused personally has vanished as soon as I mentioned my password files were fucked with.

I don't know, maybe just me, but somebody who was paid to make sure the site was up to snuff just decides to log off ICQ and not answer after I mention I have a security problem (10 am this morning is when I said it) is gone? hmmm

So crazy... I just can't understand how he would have benefited from this.
Old 04-16-2010, 08:26 PM   #43
sortie
Confirmed User
 
Join Date: Mar 2007
Posts: 7,771
Quote:
Originally Posted by mmcfadden
It's great... the programmer I suspect but never accused personally has vanished as soon as I mentioned my password files were fucked with.

I don't know, maybe just me, but somebody who was paid to make sure the site was up to snuff just decides to log off ICQ and not answer after I mention I have a security problem (10 am this morning is when I said it) is gone? hmmm

So crazy... I just can't understand how he would have benefited from this.
If it's the programmer then this is the first time on GFY I saw that happen.

Maybe the only benefit is exploits to download on surfers.
Old 04-16-2010, 08:34 PM   #44
mmcfadden
So Fucking Banned
 
Join Date: Oct 2008
Location: philly
Posts: 5,099
Quote:
Originally Posted by sortie
If it's the programmer then this is the first time on GFY I saw that happen.

Maybe the only benefit is exploits to download on surfers.
3 FTP passwords were given out and active over the past 3 weeks. Programmer, CCBill, my host.

I don't think my site was hacked...
Old 04-17-2010, 03:51 AM   #45
LoveSandra
So Fucking Banned
 
Join Date: Aug 2008
Location: Just Blow Me
Posts: 10,551
see my sig