Rst.R Trojan

Posted: Wed Feb 10, 2010 5:57 am
by ailati
Hello, I am a web designer with little experience and I need advice from someone more expert.
I have my own website and it has been hacked. Someone uploaded a file named text1.php that is a variant of the Rst.R trojan.
The index.php file has also been modified; it now contains at the end a JavaScript that includes an iframe.

I don't understand how someone could have uploaded/modified those files. My site has only pages that do not require input from the user. There is just a "contact me" form where the user can insert email, name and text.
I know, it is a big mistake, but I didn't validate the result before using the mail() function. But since the "to" field was not coming from the user I thought there was no need to validate...
My question is: is it possible that someone could upload or modify a file on my server using a vulnerability in the PHP mail() function? Or does this mean that someone can hack any website anyway!!!
Thank you for your help

PS: Other pages contain just plain text or pictures.

Re: Rst.R Trojan

Posted: Wed Feb 10, 2010 9:23 am
by timWebUK
Change your FTP password to something with upper case, lower case, numbers and symbols.

Your password was probably too weak.

Re: Rst.R Trojan

Posted: Thu Feb 11, 2010 6:20 am
by kaisellgren
The mail() function is not the problem. The FTP password, as suggested, might be the problem. It's funny that people often build web applications with strong passwords while leaving FTP passwords insecure.

Re: Rst.R Trojan

Posted: Thu Feb 11, 2010 10:47 am
by ailati
I believe it is not a problem of the FTP password. It is an almost random password with numbers and upper case.
Moreover, I am the only one who knows the password and it is not saved anywhere.

There is another reason why I think it is the mail() function. I found out that the files were uploaded or modified by a Russian hacker between the 20th and the 23rd of January. In that period I received a couple of weird emails through the system. I thought they were just spam with some links to porn sites, but probably there was more...

Re: Rst.R Trojan

Posted: Thu Feb 11, 2010 12:45 pm
by flying_circus
ailati wrote:My site has only pages that do not require input from the user. There is just a "contact me" form where the user can insert email, name and text.
Sounds like your pages require input from the user.

ailati wrote:I believe it is not a problem of the FTP password. It is an almost random password with numbers and upper case.
Moreover, I am the only one who knows the password and it is not saved anywhere.
Are you using a secure FTP connection like SFTP? If not, you're throwing your login credentials over a public network in plain text.

ailati wrote:There is another reason why I think it is the mail() function. I found out that the files were uploaded or modified by a Russian hacker between the 20th and the 23rd of January. In that period I received a couple of weird emails through the system. I thought they were just spam with some links to porn sites, but probably there was more...
If the Russian hacker can upload files to your webserver, he can call his own mail() function to send out links to porn sites.

The mail function does not process file uploads.

I would take the advice of others and change your FTP password. I would also look into validating all input data and encoding it before output. Finally, I would look into SFTP if you aren't already using it.
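The two pieces of advice in that reply (validate input before it reaches mail(), encode it before output) can be shown on a contact form like the one the thread describes. The following handler is an added example written for this thread, not code from any poster; the recipient address, the From: address and the field names are assumptions. It rejects CR/LF in the name and e-mail fields (a newline in a value that lands in a mail header would let the sender add headers of their own), keeps user text out of the From: header entirely, and HTML-encodes the message before echoing it back so it can never become an <iframe> or <script> in a visitor's browser.

```php
<?php
// Added example for this thread (not code from the original posts):
// a "contact me" handler that validates before mail() and encodes before output.
declare(strict_types=1);

// A CR or LF inside a value that ends up in a mail header starts a new header
// line, so any such value is rejected outright.
function hasHeaderInjection(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

// Returns [list of error strings, cleaned data]. Field names are assumed.
function validateContact(array $post): array
{
    $errors  = [];
    $name    = trim((string) ($post['name'] ?? ''));
    $email   = trim((string) ($post['email'] ?? ''));
    $message = trim((string) ($post['message'] ?? ''));

    if ($name === '' || mb_strlen($name) > 100 || hasHeaderInjection($name)) {
        $errors[] = 'Invalid name.';
    }
    // FILTER_VALIDATE_EMAIL also rejects whitespace, but the explicit check
    // documents the intent.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false || hasHeaderInjection($email)) {
        $errors[] = 'Invalid e-mail address.';
    }
    if ($message === '' || mb_strlen($message) > 5000) {
        $errors[] = 'Message is empty or too long.';
    }
    return [$errors, ['name' => $name, 'email' => $email, 'message' => $message]];
}

// $to is fixed by the site owner, never taken from the request.
function sendContact(array $data, string $to): bool
{
    // The From: header is the site's own address (assumed); the visitor's
    // address goes in Reply-To, where it has already been validated.
    $headers = "From: webmaster@example.com\r\n"
             . "Reply-To: {$data['email']}\r\n"
             . "Content-Type: text/plain; charset=UTF-8\r\n";
    $subject = 'Contact form: ' . $data['name'];
    $body    = "Name: {$data['name']}\nE-mail: {$data['email']}\n\n{$data['message']}\n";
    return mail($to, $subject, $body, $headers);
}

// Encode at the point of output, so the text is shown literally and never
// interpreted as markup.
function renderMessage(string $message): string
{
    return '<p>' . htmlspecialchars($message, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    [$errors, $data] = validateContact($_POST);
    if ($errors !== []) {
        http_response_code(400);
        foreach ($errors as $e) {
            echo '<p>' . htmlspecialchars($e, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
        }
        exit;
    }
    if (sendContact($data, 'me@example.com')) {   // recipient address assumed
        echo '<p>Thank you, your message was sent:</p>';
        echo renderMessage($data['message']);
    } else {
        http_response_code(500);
        echo '<p>Sorry, the message could not be sent.</p>';
    }
}
```

The point worth keeping from this is that validation and encoding are two separate steps done in two separate places: the check on the way in protects the mail headers, and htmlspecialchars() on the way out protects the browser. Renaming variables, as the thread later discusses, does neither.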

Re: Rst.R Trojan

Posted: Thu Feb 11, 2010 1:27 pm
by ailati
I have now added some filters for the mail function.
From the log file I can see that the only FTP accesses are from my IP.

The mails received from the Russian were sent by the mail() function in my script. Otherwise why would he send them to my email, disclosing his attack on my site in this way?

I think he used the mail() function to show the PHP code. In this way he could have added a JavaScript to upload a file.

Let me put it this way: if I know that in the PHP code there is at some point in the body an

echo $message

could I post that variable through a cookie or another way to show on the client browser whatever I like?
In this case I should change all the variable names. Is this correct?

Re: Rst.R Trojan

Posted: Fri Feb 12, 2010 12:26 am
by flying_circus
I don't claim to have all the answers, so all I can do is speculate.
ailati wrote:The mails received from the Russian were sent by the mail() function in my script. Otherwise why would he send them to my email, disclosing his attack on my site in this way?
A spammer's goal is to get emails to a human. Sounds like a success.

ailati wrote:I think he used the mail() function to show the PHP code. In this way he could have added a JavaScript to upload a file.
JavaScript is client side and cannot manipulate uploaded files on your server.

ailati wrote:Let me put it this way: if I know that in the PHP code there is at some point in the body an

echo $message

could I post that variable through a cookie or another way to show on the client browser whatever I like
It depends where $message came from, but it doesn't usually lead to disclosure of source code, at least not as a whole.

ailati wrote:In this case I should change all the variable names. Is this correct?
No. That is a poor idea and it doesn't fix the root problem. Hypothetically, if an attacker gained access to your source code and read that you are using the variable $message, why wouldn't he just read it again to find that you've renamed it to $message_renamed?

A server misconfiguration may lead to users accessing your files. You could always try contacting your service provider to bring this to their attention. They will likely tell you to change your passwords, but it never hurts to ask. Also, don't rule out the possibility of an attacker editing the log file to cover their tracks.
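Since the logs on a compromised host cannot be trusted, a file-integrity baseline is the practical way to notice the kind of change described in this thread (a new text1.php, a script appended to index.php). The script below is an added example written for this thread, not code from any poster or from the hosting provider; the web-root path and the baseline file name are assumptions. On first run it records a SHA-256 hash of every file under the web root; on later runs it reports files that were added, modified or removed. Keep the baseline file (and a copy of the script) outside the web root, ideally off the server, for the same reason the log file cannot be trusted: anything the intruder can write to, they can also edit.

```php
<?php
// Added example for this thread (not code from the original posts):
// record a SHA-256 baseline of the web root and diff it on later runs.
declare(strict_types=1);

// Map of relative path => sha256 for every regular file under $root.
function hashTree(string $root): array
{
    $hashes = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        if ($file->isFile()) {
            $relative = substr($file->getPathname(), strlen($root) + 1);
            $hashes[$relative] = hash_file('sha256', $file->getPathname());
        }
    }
    ksort($hashes);
    return $hashes;
}

// Compare a stored baseline against the current tree.
function diffBaseline(array $baseline, array $current): array
{
    $report = ['added' => [], 'modified' => [], 'removed' => []];
    foreach ($current as $path => $hash) {
        if (!isset($baseline[$path])) {
            $report['added'][] = $path;
        } elseif ($baseline[$path] !== $hash) {
            $report['modified'][] = $path;
        }
    }
    foreach (array_keys($baseline) as $path) {
        if (!isset($current[$path])) {
            $report['removed'][] = $path;
        }
    }
    return $report;
}

// Usage: php integrity.php /path/to/webroot /path/outside/webroot/baseline.json
$root         = rtrim($argv[1] ?? '/var/www/html', '/');          // assumed default
$baselineFile = $argv[2] ?? dirname(__DIR__) . '/baseline.json';  // assumed default

$current = hashTree($root);

if (!file_exists($baselineFile)) {
    file_put_contents($baselineFile, json_encode($current, JSON_PRETTY_PRINT));
    echo 'Baseline written for ' . count($current) . " files to $baselineFile\n";
    exit(0);
}

$baseline = json_decode((string) file_get_contents($baselineFile), true);
if (!is_array($baseline)) {
    fwrite(STDERR, "Baseline file is unreadable or has been altered\n");
    exit(2);
}

$report  = diffBaseline($baseline, $current);
$changed = false;
foreach ($report as $kind => $paths) {
    foreach ($paths as $path) {
        $changed = true;
        echo strtoupper($kind) . "  $path\n";   // e.g. "ADDED  text1.php"
    }
}
exit($changed ? 1 : 0);
```

Run it from cron (or by hand after every deliberate change, re-creating the baseline afterwards); a non-zero exit means something changed that you did not upload yourself, and the listed paths are where to look first.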

Re: Rst.R Trojan

Posted: Fri Feb 12, 2010 4:24 am
by ailati
flying_circus wrote:A spammer's goal is to get emails to a human. Sounds like a success.
To me it doesn't sound like a success. All this work just to send to one person when they can easily send the same mail to thousands of people in other ways.
flying_circus wrote:JavaScript is client side and cannot manipulate uploaded files on your server.
Good to know. But it is also true that JavaScript can modify a div with innerHTML, including an iframe with their file.
I think (but I'm not sure) at this point they can upload or modify a file on the server.
flying_circus wrote:Hypothetically, if an attacker gained access to your source code and read that you are using the variable $message, why wouldn't he just read it again to find that you've renamed it to $message_renamed?
I believe no one gained access to the source code using the password. The trojan uploaded on my server would be useless if they had access...
I also have other subdomains on the server that were not modified.
I have now put some filters on the $_POST so I think it is less likely that someone can make a mess again.
flying_circus wrote:A server misconfiguration may lead to users accessing your files. You could always try contacting your service provider to bring this to their attention. They will likely tell you to change your passwords, but it never hurts to ask. Also, don't rule out the possibility of an attacker editing the log file to cover their tracks.
I am using HostGator, I thought it was reliable. Has anyone had a bad experience with them?

Re: Rst.R Trojan

Posted: Fri Feb 12, 2010 4:59 am
by timWebUK
ailati wrote:To me it doesn't sound like a success. All this work just to send to one person when they can easily send the same mail to thousands of people in other ways.
He could have easily BCC'd it to many other users.

Re: Rst.R Trojan

Posted: Fri Feb 12, 2010 12:14 pm
by kaisellgren
The intruder(s) had write access to your server. There are plenty of things that could lead to it, such as vulnerabilities like LFI (local file inclusion), RFI (remote file inclusion), RCE (remote code execution), insufficient file upload checks, shell injection, etc., but nothing to do with the mail() function or JavaScript.

Re: Rst.R Trojan

Posted: Sat Feb 13, 2010 1:05 pm
by ailati
kaisellgren wrote:The intruder(s) had write access to your server. There are plenty of things that could lead to it, such as vulnerabilities like LFI (local file inclusion), RFI (remote file inclusion), RCE (remote code execution), insufficient file upload checks, shell injection, etc., but nothing to do with the mail() function or JavaScript.
Ok, I trust people more expert than me.
Is there anything I can do to remove these vulnerabilities?

Re: Rst.R Trojan

Posted: Tue Feb 16, 2010 4:39 am
by kaisellgren
ailati wrote:Is there anything I can do to remove these vulnerabilities?
If you are talking about vulnerabilities such as the ones I listed above, then you need to understand them if you are the one who writes the software; otherwise, you need to use software that is well written in terms of security and keep it updated. Unfortunately, keeping things secure is never easy, so make sure you have backups.