dont get mad | you have been hacked | your security=0 y3v.h4x
was the message I found today after deleting a pornographic banner from the header of my site (sorry for that) and another fishy PHP file I found on my server.
How can I not get mad when I see a pornographic banner on top of my site? I AM mad. I am VERY mad, but I'm going to focus my energy on getting an even more secure system, learning about security and promoting it to others.
But here is the thing: I've already been quite security aware, and my home system is quite secure, if I may say so - definitely more secure than most of them out there. But it seems it wasn't my system that was breached - it was a vulnerability in the CMS I use, sNews.
I'm thankful to Luka and Mika, the main developers of the sNews CMS, for supplying us all with a patch in less than 24 hours, and to everybody else who helped solve this. Bravo!
I was actually among the fortunate ones, as my site didn't go down like it did for a friend of mine, Patric, for whom I feel very sorry, and for everybody else who had somebody crack into their site. That's right, my site wasn't hacked into - hacking is not about breaking into other people's sites and posting inappropriate content or doing any other harm. These are crackers who just know how to click "OK" and run some exploit somebody else made. Ha! Hackers - you wish!
The first thing you should do now, after applying the patch from the sNews forum, and which I recommend to everybody using the sNews CMS, is to remove that little notice that says your site was barbecued by this CMS. It's the most obvious one, and it won't solve your problem, but it's probably the easiest way these crackers find most of the sNews sites. Everything indicates that the crackers used it to find sNews sites in this particular case: my logs say that the person who did this came from Google searching for this phrase, and the exploit Luka points to on the sNews forum looks like it's made to search for just that. I'll soon put a little picture there instead.
As far as I know for now, the cracker left one suspicious PHP file that my hosting provider says could be some kind of shell script used to manipulate my files, but nothing like that happened because my server has the phpsuexec option turned on in PHP, whatever that means.
Now I've got some questions that are bothering me: