Mumbai-Central.com: Where Mumbaikars meet
Sometime early Sunday IST, the front page of the Mumbai-Central.com
website was modified and replaced with this
http://www.mumbai-central.com/hack.html
This was the front page - no links, no colors, nothing else.
I came to know of this via a phone call around midnight my time.
It is always disconcerting to get a phone call in the middle of
the night. It is especially unnerving when it's from your family.
So it was almost a relief when Ninad told me that the reason for
the call was the webpage modification.
Rather than going online and trying to figure out what was going
on, I asked him to save the hacked page and create a temporary
webpage for the site. It is always fun dictating Unix commands
over the phone while you are still groggy and trying to figure out
how to salvage the situation.
He created a temporary page and I let it stay till I got a chance
to figure out how the page was changed.
My first fear was that somehow the password to this account had
been captured and used to change the page. However, everything
else on the site looked fine. Only the main page was changed.
So either I had a benevolent hacker who could have done much worse
or he found a way to modify the front page and little else.
I got a chance today to look through the log files and figure out
the exact steps he/she took to update the main webpage. He (I will
just use 'he' from now on) exploited a bug in one specific script
on the website. He was searching the web for sites that use that
particular script (it is a popular free download) and found the
mumbai-central.com website. I bet he modified dozens of sites
within a couple of hours.
One of the arguments to the script was a file-name. The script
did not check if the value of the variable was a real file. It
naively assumed that the user would never enter malicious data
and opened the chosen file without any checks. The hacker exploited
this trusting script and passed it some Unix commands where a
file-name was expected. Perl, the language in which this script
is written, treats connections to Unix commands (called 'pipes')
and files in an identical manner. So when presented with a pipe
and a command, the script went merrily ahead and opened the pipe
which resulted in the command being executed. He first checked if
this bug was present by using some benign commands (system information,
file listings etc.). Once he confirmed that his approach worked,
he went ahead and crafted a command to overwrite the main page
with the text you see on the page. I am sure he then moved
on to modify other sites.
I went ahead and added a check to the script that verifies if the
variable contains a valid file-name. If the format of the data is
not what is expected, the script aborts with an error message.
I probably should have fixed this script a long time back (it
has been running for over 5 years now) but never got around to
it. In hindsight, I am surprised it took someone so long to do this.
Seeing how he modified the page, I am very glad that he didn't
cause more damage. He could have used the same bug to modify other
files or, worse, delete all the files on the website. Now, that would
have been a sleep depriver!
I wish he could have just sent me an email alerting me to the bug
but I guess he wanted to make an impact. At least I am now aware
of this bug and will have to look at other scripts that may have
the same problem.
If none of you saw the hacked page or the stop-gap one-line page
that replaced it, this may not have been of much interest. But if
you saw either of those two and were wondering about what was going
on, this was it.
- 'shal
--
http://www.mumbai-central.com : Where Mumbaikars meet
------------------------------------------------------------------------------
To Subscribe [Unsubscribe] send a blank message to
nukkad-list-request@mumbai-central.com
with the word 'subscribe' ['unsubscribe'] (without quotes) in the Subject
of your message.
The list is archived at http://www.mumbai-central.com/nukkad/archive.html
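
The bug and the fix described in the message above, as an added example (not the script that ran on the site and not the author's code). The function names, the file-name pattern and the temporary directory are assumptions made for illustration; the sample inputs are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);

# Constructed sandbox: one legitimate data file in a temporary directory.
my $dir = tempdir(CLEANUP => 1);
open(my $seed, '>', "$dir/news.txt") or die "seed: $!";
print {$seed} "hello from news.txt\n";
close($seed);

# BEFORE: the pattern the post describes. With two-argument open, a leading
# or trailing '|' in $name makes Perl open a pipe to a command instead of a
# file. Shown for comparison only; it is never called below.
sub read_unchecked {
    my ($name) = @_;
    open(FH, $name) or return;      # the open mode is taken from the data
    my @lines = <FH>;
    close(FH);
    return join '', @lines;
}

# AFTER: allow-list the name format, then use three-argument open so the
# mode is fixed to "read" and the name is only ever treated as a path.
sub read_checked {
    my ($name) = @_;
    # Plain base name only: no '/', no '|', no leading dot, no whitespace.
    return (undef, 'rejected: bad file-name format')
        unless defined $name && $name =~ /\A[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}\z/;
    my $path = "$dir/$name";
    return (undef, 'rejected: not a regular file') unless -f $path;
    open(my $fh, '<', $path) or return (undef, "open failed: $!");
    local $/;                        # slurp the whole file
    my $data = <$fh>;
    close($fh);
    return ($data, 'ok');
}

# Constructed inputs: one valid name and the shapes the check must refuse.
for my $name ('news.txt', 'uname -a|', '|ls', '../etc/passwd', 'missing.txt') {
    my ($data, $status) = read_checked($name);
    printf "%-16s => %s\n", "'$name'", $status;
}
```

Only 'news.txt' is read; the pipe-shaped and path-shaped names fail the format check, and 'missing.txt' fails the regular-file check. To find other scripts with the same problem, look for two-argument open calls whose second argument comes from request data.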