Rst.R Trojan
Hello, I am a web designer with little experience and I need advice from someone more expert.
I have my own website and it has been hacked. Someone uploaded a file named text1.php that is a variant of the Rst.R trojan.
The index.php file has also been modified; it now contains at the end a JavaScript that includes an iframe.
I don't understand how someone could have uploaded/modified those files. My site has only pages that do not require input from the user. There is just a "contact me" form where the user can insert email, name and text.
I know, it is a big mistake, but I didn't validate the result before using the mail() function. But since the "to" field was not coming from the user I thought there was no need to validate...
My question is: is it possible that someone could upload or modify a file on my server using a vulnerability in the PHP mail() function? Or does this mean that someone can hack any website anyway!!!
Thank you for your help
PS: Other pages contain just plain text or pictures.
Re: Rst.R Trojan
Change your FTP password to something with upper case, lower case, numbers and symbols.
Your password was probably too weak.
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: Rst.R Trojan
The mail() function is not the problem. The FTP password, as suggested, might be the problem. It's funny that people often build web applications with strong passwords while leaving FTP passwords insecure.
Re: Rst.R Trojan
I believe it is not a problem of the FTP password. It is almost a random password with numbers and upper case.
Moreover, I am the only one who knows the password, and it is not saved anywhere.
There is another reason why I think it is the mail() function. I found out that the files were uploaded or modified by a Russian hacker between the 20th and the 23rd of January. In that period I received a couple of weird emails through the system. I thought they were just spam with some links to porn sites, but probably there was more...
- flying_circus
- Forum Regular
- Posts: 732
- Joined: Wed Mar 05, 2008 10:23 pm
- Location: Sunriver, OR
Re: Rst.R Trojan
ailati wrote: My site has only pages that do not require input from the user. There is just a "contact me" form where the user can insert email, name and text.
Sounds like your pages require input from the user.
ailati wrote: I believe it is not a problem of the FTP password. It is almost a random password with numbers and upper case. Moreover, I am the only one who knows the password, and it is not saved anywhere.
Are you using a secure FTP connection like SFTP? If not, you're throwing your login credentials over a public network in plain text.
ailati wrote: There is another reason why I think it is the mail() function. I found out that the files were uploaded or modified by a Russian hacker between the 20th and the 23rd of January. In that period I received a couple of weird emails through the system. I thought they were just spam with some links to porn sites, but probably there was more...
If the Russian hacker can upload files to your webserver, he can call his own mail() function to send out links to porn sites.
The mail function does not process file uploads.
I would take the advice of others and change your FTP password. I would also look into validating all input data and encoding it before output. Finally, I would look into SFTP if you aren't already using it.
Re: Rst.R Trojan
I have now added some filters for the mail function.
From the log file I can see that the only accesses with FTP are from my IP.
The mails received from the Russian were sent by the mail() function in my script. Otherwise why would he send them to my email, disclosing his attack on my site in this way?
I think he used the mail() function to show the PHP code. In this way he could have added a JavaScript to upload a file.
Let me put it this way: if I know that in the PHP code there is at some point in the body an
echo $message
could I post that variable through a cookie or another way to show on the client browser whatever I like?
In this case I should change all the variable names. Is this correct?
- flying_circus
- Forum Regular
- Posts: 732
- Joined: Wed Mar 05, 2008 10:23 pm
- Location: Sunriver, OR
Re: Rst.R Trojan
I don't claim to have all the answers, so all I can do is speculate.
A server misconfiguration may lead to users accessing your files. You could always try contacting your service provider to bring this to their attention. They will likely tell you to change your passwords, but it never hurts to ask. Also, don't rule out the possibility of an attacker editing the log file to cover their tracks.
ailati wrote: The mails received from the Russian were sent by the mail() function in my script. Otherwise why would he send them to my email, disclosing his attack on my site in this way?
A spammer's goal is to get emails to a human. Sounds like a success.
ailati wrote: I think he used the mail() function to show the PHP code. In this way he could have added a JavaScript to upload a file.
JavaScript is client side and cannot manipulate uploaded files on your server.
ailati wrote: Let me put it this way: if I know that in the PHP code there is at some point in the body an
echo $message
could I post that variable through a cookie or another way to show on the client browser whatever I like?
It depends where $message came from, but it doesn't usually lead to disclosure of source code, at least not as a whole.
ailati wrote: In this case I should change all the variable names. Is this correct?
No. That is a poor idea and it doesn't fix the root problem. Hypothetically, if an attacker gained access to your source code and read that you are using the variable $message, why wouldn't he just read it again to find that you've renamed it to $message_renamed?
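Applying flying_circus's advice above (validate all input before calling mail(), encode it before output, including the "echo $message" case) to the contact form described in this thread, as an added example that is not code from the thread or from any poster; the field names, the fixed recipient address and the size limits are assumptions.

```php
<?php
// Added example (not code from this thread): a contact-form handler for the
// email / name / text form described above. Field names and RECIPIENT are
// assumptions; input is validated before mail() and encoded before output.
const RECIPIENT = 'owner@example.com'; // fixed "to" address, never from the user
// Returns a list of problems; an empty list means the input is acceptable.
function validate_contact(array $input): array
{
    $errors = [];
    $email = trim((string) ($input['email'] ?? ''));
    $name  = trim((string) ($input['name'] ?? ''));
    $text  = trim((string) ($input['text'] ?? ''));
    // email and name go into a mail header (Reply-To); headers are
    // line-delimited, so any value containing CR or LF is rejected outright.
    foreach (['email' => $email, 'name' => $name] as $field => $value) {
        if (preg_match('/[\r\n]/', $value)) {
            $errors[] = "$field must not contain line breaks";
        }
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not a valid address';
    }
    // Restrict the display name to letters, digits, spaces and a few marks.
    if (!preg_match('/^[\p{L}\p{N} .\'-]{1,80}$/u', $name)) {
        $errors[] = 'name is missing, too long or contains invalid characters';
    }
    if ($text === '' || strlen($text) > 4000) {
        $errors[] = 'text is missing or too long';
    }
    return $errors;
}
// Sends the message only when validation passed; returns mail()'s result.
function send_contact(array $input): bool
{
    if (validate_contact($input) !== []) {
        return false;
    }
    $email = trim((string) $input['email']);
    $name  = trim((string) $input['name']);
    $body  = wordwrap(trim((string) $input['text']), 70, "\r\n");
    $headers = "From: " . RECIPIENT . "\r\nReply-To: \"$name\" <$email>\r\n";
    return mail(RECIPIENT, 'Contact form message', $body, $headers);
}
// For the "echo $message" case: encode before output so the browser shows
// the text instead of interpreting it as markup.
function render_message(string $message): string
{
    return htmlspecialchars($message, ENT_QUOTES, 'UTF-8');
}
```

Calling send_contact($_POST) from the form handler and render_message() wherever a submitted value is echoed back covers both halves of that advice.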
Re: Rst.R Trojan
flying_circus wrote: A spammer's goal is to get emails to a human. Sounds like a success.
To me it doesn't sound like a success. All this work just to send to one person, when they can easily send the same mail to a thousand people in other ways.
flying_circus wrote: JavaScript is client side and cannot manipulate uploaded files on your server.
Good to know. But it is also true that JavaScript can modify a div with innerHTML, including an iframe with their file.
I think (but I'm not sure) at this point they can upload or modify a file on the server.
flying_circus wrote: Hypothetically, if an attacker gained access to your source code and read that you are using the variable $message, why wouldn't he just read it again to find that you've renamed it to $message_renamed?
I believe no one gained access to the source code using the password. The trojan uploaded on my server would be useless if they had access...
I also have other subdomains on the server that were not modified.
I have now put some filters on the $_POST, so I think it is less likely that someone can make a mess again.
flying_circus wrote: A server misconfiguration may lead to users accessing your files. You could always try contacting your service provider to bring this to their attention. They will likely tell you to change your passwords, but it never hurts to ask. Also, don't rule out the possibility of an attacker editing the log file to cover their tracks.
I am using HostGator; I thought it was reliable. Has anyone had a bad experience with them?
Re: Rst.R Trojan
ailati wrote: To me it doesn't sound like a success. All this work just to send to one person, when they can easily send the same mail to a thousand people in other ways.
He could have easily BCC'd it to many other users.
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: Rst.R Trojan
The intruder(s) had write access to your server. There are plenty of things that could lead to it, such as vulnerabilities like LFI (local file inclusion), RFI (remote file inclusion), RCE (remote code execution), insufficient file upload checks, shell injection, etc., but nothing to do with the mail() function or JavaScript.
Re: Rst.R Trojan
kaisellgren wrote: The intruder(s) had write access to your server. There are plenty of things that could lead to it, such as vulnerabilities like LFI (local file inclusion), RFI (remote file inclusion), RCE (remote code execution), insufficient file upload checks, shell injection, etc., but nothing to do with the mail() function or JavaScript.
Ok, I trust people more expert than me.
Is there anything I can do to remove these vulnerabilities?
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: Rst.R Trojan
ailati wrote: Is there anything I can do to remove these vulnerabilities?
If you are talking about vulnerabilities such as the ones I listed above, then you need to understand them if you are the one who writes the software; otherwise, you need to use software that is well written in terms of security and keep it updated. Unfortunately, keeping things secure is never easy, so make sure you have backups.