Website hacked. LOL

Forums › Off topic › Website hacked. LOL

Tel69

Tel69
261 posts

Ultimate Geek

Trusted

Lifetime subscriber

#129056 2-Sep-2013 16:28

Sorry if there is a convo on this already, but I thought this the best place to post.
So I was reading stuff and came across some business website in Timaru got hacked.
I'm sure we have all seen it, but here it is if you have not.

So I decide to take a look at this website when I get home (out of curisitory).
Looks OK for a small business website, but some obvious avenues of infultration.
The HOME has an edit drop down that takes you to a login page. LOL
Perfect chance for SQL injection there and they are not even hiding the edit function.
There are other possibilites, but that one was funny.

Small company yes, but they learnt the hard way.
I'd say they got pinged because with the US threatening to hit Syria and their company name being Washingtons.

Tel

sidefx

3711 posts

Uber Geek

Trusted

#888386 2-Sep-2013 16:40

The HOME has an edit drop down that takes you to a login page. LOL
Perfect chance for SQL injection there and they are not even hiding the edit function.

While it's odd having that on the menu, just showing that and having a login page doesn't open you up to sql injection... sql injection is where you're running un-santized\un-escaped input from the user directly against the database. I can't see any indication of this there.

"I was born not knowing and have had only a little time to change that here and there." | Octopus Energy | Sharesies
- Richard Feynman

Tel69

Tel69
261 posts

Ultimate Geek

Trusted

Lifetime subscriber

#888387 2-Sep-2013 16:42

Yes, but opens up another possibility to inject into the username and password inputs on the form to see if it's possible.
I was just saying it's an attack vector you'd not normally see that easily.

Ragnor

8218 posts

Uber Geek

Trusted

#888390 2-Sep-2013 16:50

So a Joomla install where they didn't keep up with security patches.

Probably paid a one off fee for a website development with no ongoing support/maintenance for updates.

Tel69

Tel69
261 posts

Ultimate Geek

Trusted

Lifetime subscriber

#888429 2-Sep-2013 17:50

LOL, a reply from the company concerned to my pointing out about the edit button.

"Terry
Thanks for your help
I have been unable to get hold of my IT guy all day (wondered if he had been hijacked along with website!)
OMG I had never noticed the edit button
Don't think there's anything that can do any harm but if you can see how they get in would be interested

Thanks
Debbie"

Oblivian

7296 posts

Uber Geek

ID Verified

#888435 2-Sep-2013 18:07

I've seen a few smalltown business around the country advertising fully usable websites. They DL a Joomla or similar template, customise it for you, set up a domain, slap it on a VM with a quick CMS edit how-to and then charge monthly basic maintenance for it and any support..

Most people are none the wiser that you can do that sort of thing themselves without too much trouble.

Then again, at least they usually keep the versions up to date if they are on their own VM and not just handing off to a US server

sidefx

3711 posts

Uber Geek

Trusted

#888436 2-Sep-2013 18:08

I'm really not seeing what the issue is with that edit button other than it looking a bit sloppy.... perhaps you should point out that adding /administrator to their url opens up another "attack vector"?

http://www.washingtons.co.nz/administrator/

Really though, most CMSs will have something like that and if you can guess what the CMS is you can guess the URL even without a link. Most will have options for brute force mitigation and always try to educate users to pick decent passwords. And yeah, keep up on the patches.

"I was born not knowing and have had only a little time to change that here and there." | Octopus Energy | Sharesies
- Richard Feynman

Tel69

Tel69
261 posts

Ultimate Geek

Trusted

Lifetime subscriber

#888461 2-Sep-2013 18:38

Yeah, as I said a few things interested me for attack vectors.
That was another one, (although default, still not on their main page).
I spose I just don't like buttons saying edit from an internet facing front end.

Equinox IT

Cloud spending continues to surge globally, but most organisations haven’t made the changes necessary to maximise the value and cost-efficiency benefits of their cloud investments. Download the whitepaper From Overspend to Advantage now.

Ragnor

8218 posts

Uber Geek

Trusted

#889254 3-Sep-2013 21:10

The site is now returning an internal error (http status 500), oh dear.

nickb800

2715 posts

Uber Geek

Trusted

#889283 3-Sep-2013 21:48

Ragnor: The site is now returning an internal error (http status 500), oh dear.

Geekzone hug of death?

mattwnz

20141 posts

Uber Geek

#889298 3-Sep-2013 22:18

Oblivian: I've seen a few smalltown business around the country advertising fully usable websites. They DL a Joomla or similar template, customise it for you, set up a domain, slap it on a VM with a quick CMS edit how-to and then charge monthly basic maintenance for it and any support..

Most people are none the wiser that you can do that sort of thing themselves without too much trouble.

Then again, at least they usually keep the versions up to date if they are on their own VM and not just handing off to a US server

Actually unless you know how to do it, it isn't that easy to do, and it is a learning curve. You have to have a fair bit of knowledge to do it, and to sort out any techncial issues. One of the problems is that people expect web design for next to nothing these days, and one of the ways is to use a CMS like joomla, buy a template, customise it, and then insert content etc, to do it as quickly as possible. The thing is they need to keep it all up to date, so these companies should regularly contact their web designers to regularly update the CMS and the template for them, which all takes time and costs money to do. As many companies websites hardly change, I do sometime wonder why some companies bother having a CMS, and don't just stick to a static website.

clanmouse

9 posts

Wannabe Geek

#889329 3-Sep-2013 22:44

mattwnz: As many companies websites hardly change, I do sometime wonder why some companies bother having a CMS, and don't just stick to a static website.

The most common feature request I receive is: I'd like to update the site content myself.
In reality, once live the client never bothers.

mattwnz

20141 posts

Uber Geek

#889334 3-Sep-2013 22:51

clanmouse:
mattwnz: As many companies websites hardly change, I do sometime wonder why some companies bother having a CMS, and don't just stick to a static website.

The most common feature request I receive is: I'd like to update the site content myself.
In reality, once live the client never bothers.

Not only that, but they then want the web designer to update the content anyway, because they then don't want to be bothered using the CMS, or adding images to the website with it is too hard.

Tel69

Tel69
261 posts

Ultimate Geek

Trusted

Lifetime subscriber

#889823 4-Sep-2013 17:20

mattwnz:
clanmouse:
mattwnz: As many companies websites hardly change, I do sometime wonder why some companies bother having a CMS, and don't just stick to a static website.

The most common feature request I receive is: I'd like to update the site content myself.
In reality, once live the client never bothers.

Not only that, but they then want the web designer to update the content anyway, because they then don't want to be bothered using the CMS, or adding images to the website with it is too hard.

Yup. Seen that a few times. (Or the infamous show this temp, she/he knows computers) then you get called about images or pages not working.