I recently had the no so pleasurable task of dissecting an 0wn3d host to determine what happened. The attacker did the system owner a favor and tagged the site with a defacement image making detection pretty easy. The image appeared in small title frame on the top of the page. My initial guess was they had a directory traversal vulnerability in the image upload engine and some weak permissions on a folder structure. We took a look at the date/time of the defaced pic and it showed the image had change the previous evening. "find / -mtime 0" showed a few other files that had changed around the same time. One of them was a new PHP file. vi revealed it was a variant of the c99 PHP Shell. So we go to the apache logs and find the attackers IP and try to figure out how he got in. There are two interesting entries: [14/Aug/2008:22:18:42 189.50.144.24 - - [14/Aug/2008:22:18:42 -0400] "POST /index.php?option=com_user&task=completereset HTTP/1.1" 301 -
This is a collection of Articles, Tools, Conference talks, interviews, etc by Mark Baggett