Page 2 of 4
Results 11 to 20 of 34

Thread: hacked by osm@n

#11 (Join Date: May 2006; Location: San Jose, California; Posts: 294)

    Wow?!

How do you manage to have your Blue Host password affecting MySQL?

    Or did you change both passwords?

If you know how, you can go in to MySQL and use the GRANT OPTION command to change the password for MySQL access and then make sure that in your source script the MySQL connect statement uses the new password.

Are you familiar with the MySQL connect statement in PHP (I'm assuming you are using PHP)?

Perhaps you can get help from your friendly BH service tech. They are very knowledgeable and willing to be your guide. And indeed they get good reviews from everybody who has had to rely on their help.

#12: how to change this pass

I'm wary in my response since I don't know jack about PHP and MySQL. The Geeklog install was my first experience with this type of code.
That being said, I'll try to explain the best I can. When I set up the Geeklog site you have to enter your main pass for the BH account (or at least that is what I did at the install). Then when I changed my BH account pass before, my Geeklog site couldn't connect, so I changed it back. After the recent hack, I changed it because it is obviously a priority to keep my account secure.

If you can help, great. If not, I'll ask the BH guys at a later date.

So, there is a line of code in CONFIG.php that reads as follows:

    $_DB_pass = 'iHv7fKJ{YFOD'; // MySQL password

I can't change this manually since I have no clue how to decode this, and I hope others don't either (or else all sites would be hacked in seconds), so I'm guessing your comment on GRANT OPTION may be the way to go.

Could you expound on this a little?

Thanks for the TIP, either way.
    nicco

#13 (Join Date: Mar 2006; Posts: 100)

Are you sure that's not the password itself? lol. When you change your password for the cPanel login, it will change the MySQL password to the same thing, so whatever PHP scripts you are using to log in to the MySQL server, you need to update them too, and put in the new one instead of the old one.

#14 (Join Date: May 2006; Location: San Jose, California; Posts: 294)

    I understand now.

    When you give a BH password, it becomes the root password for mysql.

    You should NOT run any applications over mysql that use the ROOT PASSWORD for access. Consider this a TABOO.

Instead, yes, you should use the GRANT command in MySQL to create an application user with limited access privileges. You may want to create a different application user in MySQL for each different application you have accessing the DB.

If, for example, your web page is an application that paints certain things out of the DB, it should be created as a user. Then GeekLog would be yet another. User accounts are created in MySQL with the GRANT OPTION command. Of course you may find reason to create just one application user account and let it go at that. BUT NEVER NEVER NEVER use the ROOT account to allow application access. You give up every privilege there can possibly be on the MySQL database to the application. AGAIN, A TABOO. Don't do it. It's a serious security breach.

You should maintain ROOT ACCESS for yourself to do maintenance on the DB, and in fact for maintenance you should create an ADMIN USER instead. ROOT should only be there for extreme situations where you need total control over the DB, although in the BH setup, ROOT is unavoidably there for maintenance. This may be something BH might want to change in their setup for users, i.e. force users to create an administrator account to do maintenance on their DB instead of giving full ROOT for that.

When you create an application user, you may limit access to READING only, or to READING, WRITING and UPDATING only certain tables. AS ROOT, users of your application may potentially find ways to access the DB and do everything from creating their own tables and database to deleting records and dropping your database. Again, don't use ROOT as your application user account. If an intruder can get root access, they can read system tables as well and discover much about your account.

    Do yourself a great favor and change your application and your mysql setup to use a limited access USER ACCOUNT. Do this by using GRANT to create an application user and then by altering any setup or config files to use that account and NOT ROOT.

If your password in MySQL can be discovered by someone who has root access to MySQL through your application, it is not too difficult to understand how they obtained access to your BH account and why your original hack occurred. That's how important it is to keep ROOT for yourself and not allow applications to have root access. Someone possibly used Geeklog, queried the system tables and found your BH password and voila! You were hacked.

Now you have all the answers. Not just how to get your MySQL access back, but how the hackers got into your account in the first place.

Anyone else reading this, I cannot stress enough how important it is to keep ROOT access limited to yourself. DO NOT ALLOW any application to have root access, either to the operating system, database or any other resource. You will be begging to be hacked, with a sign out saying "Here I am. I'm not too bright and you can get away with murder if you're smart enough to know that I've given you the keys to my account."

    Nicco and Bisjea, change your setup asap. People read these posts, good people and bad people.

    BLUEHOST, you may want to consider forcing creation of an admin account for MYSQL instead of defaulting root as the login for maintenance. It appears that there are web applications that people are plugging in out there that default to using the web host account login and if you understand what I've written in this post, you understand that that is DANGEROUS!!
    Last edited by BearState; 07-15-2006 at 07:40 PM.

#15 (Join Date: Feb 2006; Posts: 238)

The passwords for MySQL are a cPanel thing.

Basically, you CAN use the main account and its password for all your databases, but it is not recommended.

If you go into cPanel and select the MySQL section, you can create user accounts for your databases in a nice graphical environment. You can then assign these users to any of your databases.

    And yes, once you have done that, you will have to edit the applications that use the DB to have the username/password that you created.

    And yes, if you have used the main account and password in a cleartext config file, it would be good to create a DB user for it, change the app, then change the main account password to something else.

    It is not enforced that way because quite frankly most of the users want complete control over their stuff, including being able to do things that I would otherwise not allow. If it isn't a blatant bug, or a security issue, it is generally allowed.
    Steve Alligood
    Principal Systems Administrator
    Bluehost.com
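Posts #12, #14 and #15 between them describe the fix: create a separate MySQL user that has only the privileges the application needs on its own database, point the application's config file at that user, and only then change the main account password. The script below is an added example of that procedure, not code from the thread, from Geeklog or from Bluehost. The database name "geeklog", the user name "gl_app", the config variable "$_DB_user" (the thread only shows "$_DB_pass") and the config path are assumptions. Note that the SQL statement is GRANT; "WITH GRANT OPTION" is an optional clause that lets the grantee hand privileges to other users, and it is deliberately left off an application account.

```shell
#!/bin/sh
# Added example (not from the thread, Geeklog or Bluehost): provision a
# least-privilege MySQL account for one web application and point that
# application's config file at it, instead of letting it log in with the
# hosting account's own root-equivalent credentials.
#
# Assumptions (hypothetical): database "geeklog", new user "gl_app", and a
# Geeklog-style config file with lines  $_DB_user = '...';  and  $_DB_pass = '...';
set -eu

# Random 20-character alphanumeric password. No quotes, braces or backslashes,
# so it drops into single-quoted PHP and SQL strings (and awk -v) untouched.
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 20
}

# Print the SQL that creates the application user with only the row-level
# privileges a web app needs on its own database: nothing global, no FILE or
# SUPER, no GRANT OPTION, and no access to the mysql.* system tables.
# Usage: make_grant_sql DB USER PASSWORD
make_grant_sql() {
    db=$1; user=$2; pass=$3
    cat <<EOF
CREATE USER '$user'@'localhost' IDENTIFIED BY '$pass';
GRANT SELECT, INSERT, UPDATE, DELETE ON \`$db\`.* TO '$user'@'localhost';
FLUSH PRIVILEGES;
SHOW GRANTS FOR '$user'@'localhost';
EOF
}

# Rewrite the $_DB_user / $_DB_pass lines of a Geeklog-style config.php so the
# application connects as the new limited user. Every other line is copied
# unchanged. A backup is kept as FILE.bak and both files are made owner-only.
# Usage: patch_config FILE USER PASSWORD
patch_config() {
    cfg=$1; user=$2; pass=$3
    cp -p "$cfg" "$cfg.bak"
    awk -v u="$user" -v p="$pass" -v q="'" '
        /^\$_DB_user *=/ { print "$_DB_user = " q u q "; // MySQL user (application account)"; next }
        /^\$_DB_pass *=/ { print "$_DB_pass = " q p q "; // MySQL password"; next }
        { print }
    ' "$cfg.bak" > "$cfg"
    chmod 600 "$cfg" "$cfg.bak"
}

# Example invocation:
#   sh provision_app_user.sh geeklog gl_app /home/acct/public_html/config.php
if [ "$#" -eq 3 ]; then
    newpass=$(gen_password)
    make_grant_sql "$1" "$2" "$newpass" > grants.sql
    patch_config "$3" "$2" "$newpass"
    echo "Wrote grants.sql; apply it as the database owner, e.g.: mysql -u <cpanel-user> -p < grants.sql"
fi
```

On a cPanel host the database user usually has to be created from the panel's MySQL Databases page (cPanel typically prefixes both database and user names with the account name), so use the GRANT line as the list of privileges to tick there; on MySQL older than 5.0.2 there is no CREATE USER and the GRANT line alone creates the account. Once the application connects as the new user, change the hosting account password: that is the step that actually invalidates whatever an attacker copied out of the old config file.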

#16 (Join Date: May 2006; Location: San Jose, California; Posts: 294)

    Obviously, these two people didn't know any better or didn't know that.

    Just one of the pitfalls of being naive about how hackers do their thing?

If bad coding and bad code generated by HTML generators can cause all the downtime fuss that Matt railed against a month ago ...

    On a shared server ... a hacker loose in one account ... hmmmm?

Security is a system administrator issue. Users should not be allowed to compromise security, no matter how naive they are ... no matter what. By way of comparative example, if you noted someone using extraordinary resources, you'd have a ceiling and prevent them from breaching it ... warning them as they approach it and halting them if they surpass it ... correct?

    If there are plug-in applications that create security holes, I'd review them and get them changed or find alternatives.

Suggestion:

BH cannot know about holes in all applications, as some may not be cPanel offerings but be imported by the account holder.

    It's not too difficult to write a script and grep through config files and *.php in server accounts comparing to the account password and then firing off an email to the user that they have a limited time to correct the problem or be disabled. That's friendly to the user and causes them no down time unless they ignore the warning ... and assures them that you are on the job and concerned for the security of their account. Such a script need not be cpu intensive if it works on only new or recently modified files.
    Last edited by BearState; 07-16-2006 at 03:25 PM.

#17: Hacked (Join Date: May 2006; Posts: 8)

    Hi,

Does anyone know how this hacker is getting in? I've got Geeklog, Drupal, and Gallery 2 running on my site, so it could be any of these. It would be great if the Bluehost support people would perhaps take 10 minutes to investigate so we don't all have to do it.

    The guy I just spoke to on the phone at bluehost support was totally clueless - he recommended that I not use open source software!!!

#18 (Join Date: Mar 2006; Location: Northern KY; Posts: 42)

    Email Bluehost support and have them do a backup on your site. I had to have it done. They have daily and weekly backups that they can restore for you. I chose the weekly backup. Within an hour after my confirmation email back to them my site was restored and running like normal again. After you do get the site restored CHANGE YOUR PASSWORD just in case.

#19

Many times these types of programs have setup pages/files so a novice can easily get something up online and running. Did your program have a setup-type page that should have been deleted after it was used?

If you don't remove these scripts, people can use them to hack parts of your site.

    You may want to double check the documentation available and look for any issues there...
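Post #16 proposes that the host sweep recently modified config files for the account password and warn the owner, and post #19 points at installer or setup pages left behind after installation. The script below is an added example of such a sweep; it is not Bluehost's tooling and not code from the thread. The scanned extensions, the installer file names (install.php, setup.php, an "install" directory) and the sample password in the comments are assumptions. It runs against any directory, prints a report, and exits non-zero when something needs attention, so a cron job can pipe its output to mail(1) to produce the warning post #16 describes.

```shell
#!/bin/sh
# Added example (not Bluehost's tooling, not from the thread): sweep a web root
# for (a) files that still carry the hosting account's password in cleartext and
# (b) leftover installer entry points. All names below are assumptions.
set -eu

# Files modified within the last DAYS days (post #16's cheap-sweep idea) whose
# contents include SECRET verbatim. Only config-like extensions are searched,
# and grep -F treats the password as a literal string, never as a pattern.
# Usage: find_leaked_secret ROOT SECRET DAYS
find_leaked_secret() {
    root=$1; secret=$2; days=$3
    find "$root" -type f \
        \( -name '*.php' -o -name '*.inc' -o -name '*.ini' -o -name '*.conf' \) \
        -mtime "-$days" -exec grep -lF -- "$secret" {} + 2>/dev/null | sort
}

# Leftover installer entry points. The names are the usual ones (install.php,
# setup.php, an "install" directory); adjust for the applications you run.
# Usage: find_install_leftovers ROOT
find_install_leftovers() {
    find "$1" \( -type f \( -name 'install.php' -o -name 'setup.php' \) \) \
              -o \( -type d -name 'install' \) 2>/dev/null | sort
}

# Full sweep: prints a report and returns 1 when anything needs fixing, so a
# cron job can decide whether to send the warning e-mail post #16 describes.
# Usage: sweep_account ROOT SECRET DAYS
sweep_account() {
    root=$1; secret=$2; days=$3
    status=0
    leaks=$(find_leaked_secret "$root" "$secret" "$days")
    if [ -n "$leaks" ]; then
        echo "WARNING: account password stored in cleartext (files modified in the last $days day(s)):"
        echo "$leaks" | sed 's/^/  /'
        status=1
    fi
    leftovers=$(find_install_leftovers "$root")
    if [ -n "$leftovers" ]; then
        echo "WARNING: installer/setup files still present; remove or protect them:"
        echo "$leftovers" | sed 's/^/  /'
        status=1
    fi
    if [ "$status" -eq 0 ]; then
        echo "OK: nothing found under $root"
    fi
    return "$status"
}

# Example invocation (exit status 1 means the report needs to go to the owner):
#   sh sweep_account.sh /home/acct/public_html 'the-account-password' 7
if [ "$#" -eq 3 ]; then
    sweep_account "$1" "$2" "$3"
fi
```

The host-side version of this would take the password (or, better, a hash-based comparison it controls) from its own tooling rather than from the command line, where it would show up in the process list; the sweep logic is the same.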

#20: Once upon a time ... (Join Date: May 2006; Location: San Jose, California; Posts: 294)

Once upon a time in a magical land called Silicon Valley, there existed a splendid palace built by a company called Televideo, and Televideo built smart terminals back in the days when text terminals were the standard connection to Unix computers.

And from Televideo, so the fable goes, two of its officers spun off a small company called OSM Computer Corporation, which built and distributed multi-user/multi-processor CP/M computers using Zilog Z80 microprocessors under the name Zeus for a while, before OSM floundered, failed and went belly-up.

Both of these companies were Korean American companies, and folks used to wonder whether OSM meant Oh, Sh.t, Mother ... because of its business decisions ...

    But not too many people ever knew what OSM stood for.

I'm curious about the osm@n posted in the title of this thread. Where did it come from?
    Last edited by BearState; 07-27-2006 at 08:22 AM.
