blog was hacked by danger man

Topics: ASP.NET 2.0
Oct 4, 2009 at 7:55 AM

Hi guys,

 

I've been enjoying my BlogEngine.NET, then all of a sudden my blog was hacked with the following message.

H4ck3d By

 DangerMan Security Team

Your Security is Best

LOL 

We are :

  DangerMan

DangerMan was here

From Iran

Keep out of children & lamers !!!

 


It was a very irritating experience. I got the site stopped and I recovered all my posts but I was wondering what would be the possible attack points so that I can secure my website accordingly before I put it up again.

Hopefully somebody can help me.

Note: All my passwords are complex and it seems that he just changed my index page as all the other pages are still alive.

 

Thanks in advance!

Oct 9, 2009 at 6:06 AM

Bump. Hope somebody can answer.

Coordinator
Oct 9, 2009 at 6:11 AM

There are no known vulnerabilities in BE that I can think of.

This type of thing could be accomplished if someone discovered your username/password, had FTP access, had access to the server, etc.  I've seen cases too where a trojan gets installed on a web server (at a web host) and it goes through all the sites on the server and adds code into web files.

Oct 9, 2009 at 6:39 AM

Thanks benAmada. Is there a way to see how he did it? It would be very interesting. I recovered the folder that contains my BE. Are there any logs that I can check to see which account he used to log in?

 

Coordinator
Oct 9, 2009 at 7:04 AM

BE doesn't keep track of logins into the blog through the login.aspx page.  But, I'm guessing he didn't log into the blog and add a blog post or modify existing blog posts.  That's basically all you can do when you log into the blog and interface with it via your browser.

You would first want to see what was modified. For instance, was the content in blog posts or widgets modified? I'm guessing the files on the file server themselves were modified -- e.g. site.master, default.aspx. If files like this were modified, this means it was done via either FTP access or direct access to the web server. If it were done via FTP access, you can check to see if you have any FTP logs you maintain yourself, or your web host maintains (if you're at a web host). If it was some type of trojan on the server, your web host may know if the server was infected. You could also ask the web host if any other sites on the server were defaced.

So, again the first step would be to find out 'what' was modified.  This will basically be either the files themselves, or the content in the blog posts.
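
One way to carry out the "find out what was modified" step from the reply above, as an added example that is not part of the original thread or of BlogEngine.NET: hash every file in the recovered folder and compare it against a clean copy of the same release. It assumes you have unpacked a clean copy locally; the directory layout and file contents in `build_sample` are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def index_tree(root):
    """Map each relative path (lower-cased, as IIS paths are case-insensitive) to its SHA-256."""
    index = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/").lower()
            index[rel] = sha256_of(full)
    return index

def compare_trees(clean_root, recovered_root):
    """Return files that were modified, added, or are missing versus the clean copy."""
    clean, found = index_tree(clean_root), index_tree(recovered_root)
    return {
        "modified": sorted(p for p in clean if p in found and clean[p] != found[p]),
        "added": sorted(p for p in found if p not in clean),
        "missing": sorted(p for p in clean if p not in found),
    }

def build_sample():
    """Constructed sample: a tiny clean tree and a recovered tree with a changed default.aspx."""
    base = tempfile.mkdtemp()
    clean, recovered = os.path.join(base, "clean"), os.path.join(base, "recovered")
    for root in (clean, recovered):
        os.makedirs(os.path.join(root, "themes"))
        for rel, body in (("default.aspx", "<%@ Page %>"), ("themes/site.master", "<%@ Master %>")):
            with open(os.path.join(root, rel), "w") as f:
                f.write(body)
    with open(os.path.join(recovered, "default.aspx"), "w") as f:
        f.write("constructed defaced page")
    with open(os.path.join(recovered, "themes", "x.aspx"), "w") as f:
        f.write("constructed unexpected file")
    return clean, recovered

if __name__ == "__main__":
    clean_dir, recovered_dir = build_sample()
    for kind, paths in compare_trees(clean_dir, recovered_dir).items():
        print(kind, paths)
```

Files you edited yourself (settings, themes, post content) will show up as modified or added too, so review each entry rather than treating the list as proof of tampering. The last-modified times of the flagged files give a window to look for in FTP or web server logs.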