Server "Hacked by Buster"

[mohsho]

A university server that I work on quite a bit has been attacked. I am wondering if anyone can give me more information on this kind of attack. A number of PHP pages seem to be replaced with a page that has the following text on it:

Anti - France

We don't need AB(D) to make something.

Make Sure : Your system is secure

The nasty image on the page says:

Hacked by Buster

Here is the URL of a page that has been replaced by the page I've described above:

-- link removed by admin --

I provided the description above as I hope that the SysAdmin will get rid of the hacked page very soon, making this URL not quite as interesting.

Thank you.

[dharrison]

Link removed as requested.

[mohsho]

I was finally able to connect to the server in question with my SSH client and I see that all of my PHP files are in their usual places, but still, the hacker's page was appearing instead of any file I would try to load from certain directories.

[Mustaf]

If there is config.php, configuration.php, config.inc etc. or other important files on server, you must check them. For security you must change the files CHMOD.

You can change CHMOD 744 for all files. So Hackers or lamers don't change your files.

Can you send me hacked site? (PM)

[mohsho]

No, sorry, can't send along the URL. My SysAdmin would have a heart attack if I did. Thanks for the tip on the config files, though. I know exactly how the hackers got into the server now. It was through a PHP include statement where they could set the path to whatever they wanted.

[Mustaf]

You can check your scripts to exploit or include statement.
Example: Your script is Php-Nuke.
"Phpnuke include" etc...