The Gambling Times - Powered by vBulletin
Thread: Topbetter - what is it and how do i get access?

  1. 10/07/2009 13:04 #251
    Stickleback
    Please be aware the topbetter service appears to have been hijacked by a Russian source.
    I've let the chap who runs/maintains the service know so that he can take further action.

  2. 10/07/2009 14:05 #252
    smk77
    Cheers for posting on here and sending the email. I've taken the site down.

    Any security experts out there able to advise?

  3. 10/07/2009 15:46 #253
    munk
    What exactly happened? Are you saying the site got defaced or anything more malicious? How many other sites have you got on the server? What kind of access have you got to it (ssh/ftp/etc?)? Do you update the server regularly? There's a zillion questions really

    If it's been defaced it's probably a vulnerability in some CGI script that's been exploited by a bot - a service has probably been started to allow access to the server so they can see what's around and upload things. In turn any domains hosted on the server will be used to serve up more 'botkits' which will be used to compromise other webservers.

    Hopefully you have all your logs if you wanted to do forensic analysis of what happened - there are various strings you can search for in the webserver logs that indicate a bot intrusion which is probably what happened.

    Hopefully they've only managed to gain access as the user the webserver runs as - unless the webserver runs as root in which case... doesn't bear thinking really... well I don't think anyone does that anymore anyway!

    For a start I would unplug it from the net if possible - if that's not possible then shut down all services.

    Have a look for any strange looking services that are running. If you're curious you could try and watch any odd service you find (ktrace or lsof or whatever)... double check to see what user they're running as. I wouldn't just go around deleting those things personally, I'd keep them around in 'quarantine' just to look at them more closely and research what impact they might have had.

    Check the init/rc scripts to see if anything unusual is set to start on boot, remove those if necessary.

    Check the passwd database to see if any unusual users have been added (though to be honest I imagine it's just a CGI attack in which case they wouldn't have had the privs to add new users to the system). Look at 'last' on the command line to see who last logged in and from where.

    Other than that... well I'd probably rebuild my server I think but that's just me. End of day did you keep on top of server updates? Is usually #1 cause of compromise.

    Change all important system user passwords. If your web based services include user based systems (well... as with topbetter) then notify all users if possible and recommend they change their passwords (if they're going to continue using the services... although even so if they use the same passwords on other sites then they could be vulnerable).

    I will be happy to help if you want it looking at.
    ~ Jez


  4. 10/07/2009 18:21 #254
    smk77
    There was a line of code at the bottom on the index.php with a .ru extension in an iFrame. Apart from that nothing has changed.

    The site was developed in Joomla and is hosted externally with 1and1 so I can't check the server. From the research I have done I think that there is a vulnerability with Joomla that has allowed this to happen so there isn't much that I can investigate server side... Just work out what it was that caused the Joomla attack.

    I've changed the Joomla admin password (from another machine). I'll get a non-Joomla page running shortly.

    And I thought being first out of the Trading challenge was annoying!!
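Added example, not part of any post in this thread: one way to check a site for the kind of change reported here (an iframe appended to index.php, an unexpected in.cgi) is to compare a copy of the live files against a known-good backup and list every added or modified page together with any iframe that points off-site. The function names, the directory layout and the hosts `www.site.example` and `injected.example` are assumptions made up for the illustration, and the sample files are constructed.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

PAGE_SUFFIXES = {".php", ".html", ".htm", ".cgi"}  # assumption: file types the site serves
IFRAME_SRC = re.compile(r"<iframe\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)


def foreign_iframes(text, own_hosts):
    """Return iframe src values that point at a host the site does not own."""
    allowed = {h.lower() for h in own_hosts} | {""}  # "" = relative URL, same site
    return [src for src in IFRAME_SRC.findall(text)
            if (urlparse(src).hostname or "").lower() not in allowed]


def audit(live_root, backup_root, own_hosts):
    """Map each added or modified page file to (status, foreign iframe sources)."""
    live_root, backup_root = Path(live_root), Path(backup_root)
    findings = {}
    for path in sorted(live_root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in PAGE_SUFFIXES:
            continue
        rel = path.relative_to(live_root)
        good, data = backup_root / rel, path.read_bytes()
        if good.is_file() and good.read_bytes() == data:
            continue  # identical to the known-good copy
        status = "modified" if good.is_file() else "added"
        findings[rel.as_posix()] = (status, foreign_iframes(data.decode("utf-8", "replace"), own_hosts))
    return findings


def demo():
    """Constructed sample: clean backup, live copy with an appended iframe."""
    clean = "<?php echo 'odds'; ?>\n</body></html>\n"
    injected = clean + '<iframe src="http://injected.example/in.cgi?2" width=1 height=1></iframe>\n'
    with tempfile.TemporaryDirectory() as tmp:
        live, backup = Path(tmp, "live"), Path(tmp, "backup")
        for root in (live, backup):
            root.mkdir()
            (root / "about.php").write_text(clean)  # unchanged file, not reported
        (backup / "index.php").write_text(clean)
        (live / "index.php").write_text(injected)
        (live / "in.cgi").write_text("#!/bin/sh\n")  # present only in the live tree
        return audit(live, backup, {"www.site.example"})


if __name__ == "__main__":
    print(demo())
```

On shared hosting with no shell access, the live tree can be downloaded over FTP or SFTP and audited locally against the backup.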

  5. 10/07/2009 18:31 #255
    Stickleback
    smk, unfortunately I'm not a security expert but if it's any help I started to become suspicious having just accessed the site using Firefox (v3.0.11). Currently if you go to the site you'll receive a "reported attack site" page. The page stipulates that your domain has been reported as an attack site. The log I sent you seems to indicate that your "in.cgi" and "index.php" files have been compromised but unfortunately I'm no CGI/PHP expert so that doesn't really mean much to me. Hope that helps?

    EDIT smk, apologies I've just read your last post and can see you appear to be on top of things. Pesky hackers.

    EDIT Have you reported the compromise to 1&1? I've never published my own site so I'm not sure how it generally works but seeing as you're probably paying them to host the site for you they should be able to offer advice on how to mitigate the risk of this happening?

  6. 10/07/2009 19:32 #256
    smk77
    Thanks for the response.

    I'm going to restore the site from a backup although that might take a while. I'll then see if I can work out how it was attacked. I might upgrade to the latest release of Joomla too.

    In the meantime anyone who wants to see the odds on a different URL with no Joomla just send me a PM and I'll give you the link.

  7. 11/07/2009 20:44 #257
    smk77
    UPDATE: I've spent most of the day installing the latest version of Joomla. Hopefully there is no vulnerability in it! The site has been completely cleaned so all traces of the hijack have been removed.

    There are a few bits to sort still but the matches are there.

  8. 24/07/2009 08:47 #258
    bioboybill
    The site has been down again for over 24 hours.

  9. 24/07/2009 14:00 #259
    bioboybill
    By the way, I got charged my £5 subscription today. Hint, hint.

  10. 24/07/2009 16:30 #260
    smk77
    Thanks for letting me know. It looks like the site was hacked again! I've restored some files and it should be ok now. I'll be getting in touch with the host and asking a few questions....

All times are GMT.