This isn't necessarily Silverlight, but it's important to bloggers, so I'm using that tag. If you're not using Graffiti and don't care to read my rant, just delete!
I was using the free version of Graffiti for our Phoenix Silverlight User Group. I really didn't feel I had the time or inclination to write yet another site, and nobody was jumping up and down asking to do it for me :)
Notice I said 'was'. During the Silverlight FireStarter yesterday, I wanted to Twitter that we also have a User Group in Phoenix, and for drill went to the site, and whoa... here is a big logo saying "Your box is ours, yadda, yadda"... sigh
So I ftp'd up and replaced the extension on the Default.aspx that had that info in it and put up a default.htm that told everyone that some A-hole had hacked the site.
Then I went to all my domains and changed passwords although in retrospect that was unnecessary, but to be honest, in my anger at the mental midgets that did this, I created some righteous passwords :)
Then I sent email to my host and told them we'd been hacked and what I'd touched. They came back eventually and told me that "oh, it wasn't hacked, somebody simply used your file named 'DangerMan.aspx' that was sitting way out in some Graffiti folder and uploaded the file"... My response was less than courteous... I looked at DangerMan and it was a dual-pane webform to allow you to upload files from your HD to anywhere you want on the server. Would anyone in their right mind have such a file on the server and not have it protected six ways to Sunday??
Besides, this was Graffiti out of the box with some text and image changes, and I'm pretty well positive DangerMan doesn't ship with Graffiti.
I'll skip a bunch of back and forth with my host, but I eventually found another file in a Graffiti image folder named Sex.aspx that had absolutely nothing to do with what it seems... it was a very sophisticated password/login sniffer.
So I ftp'd everything down, and started nuking aspx files and bin folders so that nothing could run.
I had the IP address of the bad boy and chased it down to Ripe.net in Amsterdam. I wrote the admin there and got a bounce back from their 'bit-bucket' address. So... if you have anything to do with Ripe.net, good luck... maybe they're the hackers for all I know. And if you're reading this and not the hackers, thanks for nothing anyway!
The database at phoenixsilverlight.net was fine, and the only thing I found with a deep search on the files I ftp'd down was those three: DangerMan.aspx, Sex.aspx, and the Default.aspx. I'm guessing they tried to get in, didn't get anything useful, so left me a note letting me know they were there. That is the height of stupidity, because had they not done that, I may not have known they were there!
Bottom Line:
There was only one login ... me... because nobody had stepped up to help. I had modified the Admin password, so that was of no use to them. My database had a strong password on it, obviously since they didn't get into it. But how did they get in?
Well... that is the 'Watch out' part... file upload was NOT part of what was exposed to browsers of the site. I don't remember, but I'm not sure it was even available to me when I logged in as Admin since I was using an alternate theme that hosed the default menu.
But... and this is the part that really sucks, the file upload code was out there where it would be on any default installation, and hey... I'm guessing it didn't check for someone being logged in. So... just going to that location and executing the upload, they uploaded their file, then using it, placed the other two.
I don't remember any cautions about having to rewrite the file upload module or anything, and I just ASSUMED it was protecting me out of the box ... and you know what assumptions get you. I don't care enough about Grafitti at this point to investigate this because one way or another they got into that file system without logging in.
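As an added illustration (this is not Graffiti's code, and not the DangerMan.aspx the host found), here is the failure described above in a generic ASP.NET `IHttpHandler`, next to a hardened version. The class names, the `~/App_Data/uploads/` folder and the "Admin" role name are assumptions for the example; the `System.Web` calls are the standard ones.

```csharp
// Added example, not code from Graffiti CMS: an upload handler in the
// unsafe shape the post describes, next to a hardened version.
using System;
using System.IO;
using System.Web;

// UNSAFE: answers any request, writes wherever the client asks. Anyone who
// knows the URL owns the web root; no login is ever checked.
public class UnsafeUploadHandler : IHttpHandler
{
    public bool IsReusable { get { return false; } }

    public void ProcessRequest(HttpContext context)
    {
        HttpPostedFile file = context.Request.Files["file"];
        string target = context.Request.Form["path"];   // attacker-controlled
        if (file == null || string.IsNullOrEmpty(target)) return;
        file.SaveAs(context.Server.MapPath(target));    // no auth, no path check
    }
}

// HARDENED: require an authenticated admin, pin the destination folder,
// whitelist extensions, and never trust the client-supplied file name.
public class SafeUploadHandler : IHttpHandler
{
    // Assumed layout: App_Data is never served by ASP.NET, so even a file
    // named something.aspx that landed here could not be executed.
    const string UploadRoot = "~/App_Data/uploads/";
    static readonly string[] AllowedExt = { ".png", ".jpg", ".gif" };

    public bool IsReusable { get { return false; } }

    public void ProcessRequest(HttpContext context)
    {
        // 1. Authentication and authorization, server side, on every request.
        //    "Admin" is an assumed role name.
        if (!context.Request.IsAuthenticated || !context.User.IsInRole("Admin"))
        {
            context.Response.StatusCode = 403;
            return;
        }
        // 2. Only POST; a GET to this URL must do nothing.
        if (context.Request.HttpMethod != "POST")
        {
            context.Response.StatusCode = 405;
            return;
        }
        HttpPostedFile file = context.Request.Files["file"];
        if (file == null || file.ContentLength == 0)
        {
            context.Response.StatusCode = 400;
            return;
        }
        // 3. Strip any directory component and check the extension.
        string name = Path.GetFileName(file.FileName);
        string ext = Path.GetExtension(name).ToLowerInvariant();
        if (Array.IndexOf(AllowedExt, ext) < 0)
        {
            context.Response.StatusCode = 400;
            return;
        }
        // 4. Generate our own file name so "Sex.aspx" can never land on disk,
        //    then confirm the resolved path is still inside UploadRoot.
        string root = Path.GetFullPath(context.Server.MapPath(UploadRoot));
        string dest = Path.GetFullPath(
            Path.Combine(root, Guid.NewGuid().ToString("N") + ext));
        if (!dest.StartsWith(root, StringComparison.OrdinalIgnoreCase))
        {
            context.Response.StatusCode = 400;
            return;
        }
        Directory.CreateDirectory(root);
        file.SaveAs(dest);
        context.Response.StatusCode = 201;
    }
}
```

The check in step 1 is the one that was missing: a file-upload page that lives at a predictable path on every default install and does not verify the caller is logged in is an anonymous remote write to the web root, whatever the admin menu shows. As belt and braces, ASP.NET also lets you deny anonymous access to the handler's URL in web.config with a `<location path="...">` element containing `<authorization><deny users="?" /></authorization>`, so the page is unreachable even if the code check is ever removed.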
Fore-armed and all that...
Now to figure out WTF to do for the UserGroup site, because if I have to go to that much effort to protect my site, I may as well write it myself.