El_Supremo
Sergeant


Joined: May 23, 2003
Posts: 126
Posted: Mon Mar 15, 2004 5:46 pm
I have just completed, this evening, a simple pair of scripts that help safeguard against the devastating effects of script kiddies.
3 months ago, terrible irreparable damage was done to my server by a hacker who replaced all the code in every single file named index.* on my server.
I had to get the server completely reset as not only the website files were over-written, but many important files to do with the virtual hosting control panel.
So this is my solution.
For every directory on your server where there exists a file called index.*, it will be copied to a file called name_chosen_by_you.* in the same directory.
Now obviously if everybody used the same name for the copied files, the hackers would be on to it in a flash and soon write the file name into their damaging scripts. For this reason, everybody who uses the script must set a variable called $newfile to an inconspicuous name.
e.g. suppose you set the variable $newfile to old_texts
then the files
/var/www/html/index.php
/var/www/html/modules/forums/index.php
/var/www/html/bobs/index.html
/var/www/html/sue/index.shtml
would be copied to
/var/www/html/old_texts.php
/var/www/html/modules/forums/old_texts.php
/var/www/html/bobs/old_texts.html
/var/www/html/sue/old_texts.shtml
and it should preserve the appropriate permissions, ownership and group as it uses cp -p
Should a hacker break in to deface your index files, he probably wouldn't notice or bother with files named old_texts.php
So, he defaces all your index files, including some heavily modified ones.
No problem, repair your server and websites in a jiffy by running unxedni.sh
It will delete all the corrupted index.* files and restore them from your backup old_texts.* files.
I hope people find this very useful. Please don't hesitate to ask questions or comment.
The files are here:
http://www.nukecops.com/uploads/El_Supremo/xedni.zip
Please read the instructions in the script very carefully as I won't take any responsibility if you screw up. They are very simple, unbuggy shell scripts that are very easy to use ... if you follow the instructions!
The first time you run it, ignore any error messages - they are just because the program is trying to delete any old backup files before making new ones - obviously the first time it is run, there is nothing to delete. It was easier for me than testing whether they existed before deletion.
I would also recommend renaming the scripts and the directory they reside in to same name as you use for the variable $newfile.
Best of luck, I hope this helps save a few people from the heartbreaking experience I have had!
_________________ Who does number two work for?
Last edited by El_Supremo on Tue Mar 16, 2004 7:26 am; edited 1 time in total
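The backup-and-restore cycle the post describes, as an added example written for this page (it is not the xedni.sh/unxedni.sh from xedni.zip): a POSIX sh script that copies each index.* to $newfile.* in the same directory with cp -p, can report which live index files no longer match their backup, and recreates them from the backups. $newfile is the variable from the post; the web root argument, the function names and the check step are assumptions of this example.

```sh
#!/bin/sh
# Added example for this thread; it is NOT the xedni.sh/unxedni.sh from
# xedni.zip, only a POSIX sh rendering of the approach the post describes.
# Assumptions: the web root is passed as ROOT (e.g. /var/www/html), the
# function names are mine, and file names contain no newlines.
#
#   backup_index  ROOT   copy each index.EXT to $newfile.EXT beside it (cp -p)
#   check_index   ROOT   print live index.* files that differ from their backup
#   restore_index ROOT   delete each live index.* and recreate it from backup

# The inconspicuous base name from the post. Override it, e.g.
#   newfile=some_other_name sh xedni_example.sh backup /var/www/html
# so the copies do not all share one guessable name.
newfile="${newfile:-old_texts}"

# Strip "PREFIX." from a file name to get its extension(s): index.tar.gz -> tar.gz
_ext_after() {   # _ext_after PREFIX NAME
    rest=${2#"$1"}
    printf '%s' "${rest#.}"
}

backup_index() {
    find "$1" -type f -name 'index.*' | while IFS= read -r src; do
        dir=$(dirname "$src")
        ext=$(_ext_after index "${src##*/}")
        dst="$dir/$newfile.$ext"
        # rm -f is silent when no earlier backup exists, so the first run
        # does not print the errors the post tells you to ignore.
        rm -f "$dst"
        # -p keeps mode, owner, group and timestamps (owner/group need root)
        cp -p "$src" "$dst"
    done
}

check_index() {
    find "$1" -type f -name "$newfile.*" | while IFS= read -r bak; do
        dir=$(dirname "$bak")
        ext=$(_ext_after "$newfile" "${bak##*/}")
        live="$dir/index.$ext"
        # report a live file that is missing or whose bytes differ from the backup
        if [ ! -f "$live" ] || ! cmp -s "$bak" "$live"; then
            printf '%s\n' "$live"
        fi
    done
}

restore_index() {
    find "$1" -type f -name "$newfile.*" | while IFS= read -r bak; do
        dir=$(dirname "$bak")
        ext=$(_ext_after "$newfile" "${bak##*/}")
        live="$dir/index.$ext"
        rm -f "$live"          # drop the defaced copy, as unxedni.sh does
        cp -p "$bak" "$live"   # recreate it with the backup's mode and owner
    done
}

# Command-line use: sh xedni_example.sh backup|check|restore ROOT
case "${1:-}" in
    backup)  backup_index "$2" ;;
    check)   check_index "$2" ;;
    restore) restore_index "$2" ;;
esac
```

The check step is the one addition to what the post describes: run it before restoring to see which index files actually changed, instead of learning about a defacement from visitors. Like the original scripts, this keeps the copies inside the web root with the same extension, so a .php backup is served and executed by the web server exactly like the live file and is overwritten just as easily once its name is known; that is why the post insists on an unusual $newfile, and why a copy held off the host remains the stronger complement.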
Daniel-cmw
Site Admin


Joined: Mar 02, 2003
Posts: 1662
Location: The UK!
Posted: Tue Mar 16, 2004 1:35 am
Very well done and a nice idea.
_________________ Read Me
Mesum
Support Staff


Joined: Mar 11, 2003
Posts: 842
Location: Chicago
Posted: Tue Mar 16, 2004 5:49 am
El_Supremo
Sergeant


Joined: May 23, 2003
Posts: 126
Posted: Tue Mar 16, 2004 7:09 am
Thanks, I had to think long and hard over whether to release it at all if you know what I mean! People who download this script should only download it from here, and they should always check the code for themselves before executing it and make sure they understand what it will do, as there is a potential for this code to be modified and distributed as a trojan.
_________________ Who does number two work for?
Last edited by El_Supremo on Tue Mar 16, 2004 7:28 am; edited 1 time in total
DaveTomneyUK
Lieutenant


Joined: Sep 03, 2003
Posts: 162
Location: UK, England
Posted: Tue Mar 16, 2004 7:19 am
Hmmmm... Good work supremo, works fine for me. Cheers
serff
Nuke Cadet


Joined: Feb 20, 2004
Posts: 9
Location: Denver
Posted: Tue Mar 16, 2004 7:38 am
This is a good idea... but wouldn't it be a better idea to figure out how they are getting in and corrupting all your files? Is this a known exploit in apache or something? I would rather prevent this from happening than just saying "oh well, it happened for the 20th time, copy the files over again..." Just wanted to know if anyone knows the source of the problem...
Thanks for the scripts though!
El_Supremo
Sergeant


Joined: May 23, 2003
Posts: 126
Posted: Tue Mar 16, 2004 7:49 am
Oh don't worry, I agree with you absolutely and I have tightened my security considerably since I was hacked.
In my case there were two factors which contributed to my downfall.
1) I had taken my Firewall down for some routine maintenance and forgotten to switch it back on.
2) I had safe-mode disabled globally. I now only have it disabled locally for my nuke site by use of php .htaccess directives.
I still find it reassuring to have this last resort in place, just in case they find a new way in.
Security all the way!
_________________ Who does number two work for?
Jeruvy
Lieutenant


Joined: Jul 09, 2003
Posts: 293
Posted: Wed Mar 17, 2004 11:23 am
I have to wonder about this.
Most index changes are defacements used to 'sign' the work of the hacker/group.
Your infection has nothing to do with the index.* whatsoever. If the hacker can get your password hash, decrypt it, and then go to the web site like ANY user and login, voila.
I don't see how this will affect the infection.
_________________ J.
j e r u v y a t y a h o o d o t c o m
El_Supremo
Sergeant


Joined: May 23, 2003
Posts: 126
Posted: Wed Mar 17, 2004 11:48 am
My infection is history - if you read through this thread thoroughly, you will see that my breach was caused by momentarily letting my guard down. If I had had this script operational before that mass defacement took place, I could have undone the 10,000 or so index file changes made by the hacker in about two minutes and saved myself a server rebuild.
This is not a prescription or a firewall, merely a useful tool that might just help if the worst were to ever happen again. It is probably not suitable for everyone who runs a nuke site, just webhosts or those that run their own dedicated servers.
_________________ Who does number two work for?
Last edited by El_Supremo on Wed Mar 17, 2004 2:39 pm; edited 1 time in total
Jeruvy
Lieutenant


Joined: Jul 09, 2003
Posts: 293
Posted: Wed Mar 17, 2004 11:53 am
I'm not saying your method isn't worthy, I'm saying that it's not security through prevention, it's security through "oops, I screwed up, so hopefully this will work".
Sorry, I am taking this stance based on your subject line that this is some kind of protection. I think we both agree that isn't true.
That's all.
_________________ J.
j e r u v y a t y a h o o d o t c o m
El_Supremo
Sergeant


Joined: May 23, 2003
Posts: 126
Posted: Wed Mar 17, 2004 12:32 pm
Whatever dude
_________________ Who does number two work for?
MissVicky
Private


Joined: Jan 07, 2004
Posts: 45
Posted: Mon Mar 22, 2004 10:17 pm
I think it 'IS' security ...
Just like backing up your computer hard drive is data security. This is a great idea and I really appreciate your sharing it with us.
All the Best To You!
Miss Vicky
nukelover
Sergeant


Joined: Dec 28, 2003
Posts: 87
Posted: Tue Mar 23, 2004 1:56 am
Hi,
I'm very much a newbie, so sorry for my question if it's stupid. If someone hacks my site, he only hacks my files on the host server but not on my PC, right? So if they hack for example my index.php, isn't it possible I upload my clean index.php or something?
Regards
EscortCossie
Lieutenant


Joined: Feb 21, 2004
Posts: 235
Location: Stavanger, Norway
Posted: Tue Mar 23, 2004 2:21 am
Hmm.. this might seem like a stupid question..
But where do I run the script? If I try to run it on my server, a box pops up that asks if I would like to save the file... how do I run the file directly on my server?
Do I need to change the ending to something else? .sh to .**?
_________________
Visit the Ford Escort Portal >> EscortPower.net!
EscortCossie
Lieutenant


Joined: Feb 21, 2004
Posts: 235
Location: Stavanger, Norway
Posted: Tue Mar 23, 2004 4:16 pm