Security of pdf and image files on server
Posted: Wed Oct 17, 2012 3:01 pm
by matthijs
Someone asked me to help clean up a website he built which was hacked. It was an outdated wordpress install with a bunch of plugins (some also outdated) and a theme he bought (also not up to date). So enough weak spots. I backed up everything, deleted all files from the server and uploaded fresh wordpress and plugin files. And changed all passwords. Everything seemed clean again.
But a week later the site was hacked again. So apparently the vulnerability is still there. I will go through the routine of cleaning up everything again. But I was wondering about one thing: there are a couple of folders on the server with some images (.jpg) and .pdf files the owner put there. Can those contain the vulnerability as well?
Re: Security of pdf and image files on server
Posted: Wed Oct 17, 2012 4:09 pm
by Benjamin
Have you reviewed the logs? Is this shared hosting? What are the hackers doing?
Re: Security of pdf and image files on server
Posted: Wed Oct 17, 2012 4:16 pm
by matthijs
Yes it's shared hosting. What happened is that some hidden scripts (eval(obfuscated code)) had been added to the code. Those added hidden iframes to the site which again loaded malicious downloads from some china domain or something.
I couldn't go back in time enough in the logs to see what happened. Most often with these wordpress sites it's a weak spot in a third party plugin or theme (or outdated wordpress install).
But those things I can check myself. I am not sure about the PDFs and .jpgs on the server. How can I make sure those are safe?
Re: Security of pdf and image files on server
Posted: Wed Oct 17, 2012 4:21 pm
by twinedev
As far as I know, unless the server is specifically set to handle .jpg and .pdf extensions to run as something like PHP or another server side processor, they should be fine (I could be wrong, there is always something new to learn when it comes to hacking).
When you say you deleted all files, did you delete everything under the root web directory (usually public_html)? I ask as if wordpress was somewhere else (say ~/public_html/blog) and you only cleared the blog directory, the hack could be somewhere else and requires everything to be checked.
If they have more than one domain for the same user (ie, I normally set up dev.domain.com to feed from ~/dev_html/) then you need to check all the web accessible files as they could write to each other.
Is the server set up so one user cannot access another user's directory? (usually any more this is not a problem, especially if you are using cPanel).
Depending on how the account was compromised, there could possibly be a cron job set to do something like once a week go get a copy of a hack script and stick it in the root of the site, so a hacker knows "hey, 9pm every Sunday I can get in".
Just some things off of the top of my head.
Also make sure the client is not using insecure ways to log into things like cPanel, FTP and mail (if they are using the main account login for them) if they ever use open Wifi. Open Wifi is becoming so available now that many people don't think twice about connecting and going to town sending their login unencrypted. (should be using secure mail connections and SFTP when possible). Best method for open Wifi is to use something like OpenVPN if you have your own server, or a service such as http://www.privatetunnel.com to secure your data once connected (make the VPN connection before doing anything else after establishing the open wifi connection).
-Greg
Re: Security of pdf and image files on server
Posted: Wed Oct 17, 2012 4:29 pm
by Benjamin
Did you change the FTP/cPanel passwords? Also further up the user/pass for the hosting account itself.
Re: Security of pdf and image files on server
Posted: Wed Oct 17, 2012 4:43 pm
by Christopher
Remember that PHP can include any file like include("images/some.jpg") and if that file contains PHP code it will run. I have seen hacked sites that were including files that appeared to be cache, data and image files. You might want to grep them for "<?php" or other terms.
Re: Security of pdf and image files on server
Posted: Wed Oct 17, 2012 11:42 pm
by matthijs
@greg: I deleted all files inside the doc root (public_html), except those pdfs and jpgs, since I thought those were no threat. But after the second attack I started wondering whether they could contain the backdoor. However, as you say, I also understand that pdf and jpg should be fine as long as the server doesn't execute them as something else (php). I have to look into that possibility.
As far as the server set up: I don't have any control on that. It's a shared hosting at bluehost. It is possible on shared servers for hackers to come through other compromised sites isn't it?
Good point about the cron jobs: I will check that.
As far as the security at the client is concerned: I'm not sure about that. Don't count on it being very secure. Most people/clients I know have very little security awareness. I have seen too many people choose passwords like 'abc2012' even if their company name is ABC and domain name is abc.com ...
@Benjamin: I changed all passwords but what I will do now is change all passwords to something very difficult and send to them by SMS instead of email, insisting they don't change them.
@christopher: how would that work exactly?
Re: Security of pdf and image files on server
Posted: Thu Oct 18, 2012 12:30 am
by Benjamin
Ok, keep in mind that the client could have a virus on his own machine (or possibly you!). I know there is one that captures FTP credentials and uploads them to a server that automatically downloads data searching for certain tags and replaces them with malicious code.
Re: Security of pdf and image files on server
Posted: Thu Oct 18, 2012 1:26 am
by matthijs
@Benjamin: yes, a virus infection is also possible. Don't think I'm infected (I am pretty careful, work on a Mac, and even if it were possible to get a virus it doesn't make sense that only this site is hacked and not any of the other 50 I maintain).
Re: Security of pdf and image files on server
Posted: Thu Oct 18, 2012 1:39 am
by Benjamin
Yeah it could be the client then because the virus I am speaking of will hit every site.
Re: Security of pdf and image files on server
Posted: Thu Oct 18, 2012 11:14 am
by Christopher
matthijs wrote: @christopher: how would that work exactly?
Usually CMSs have some directory permissions to allow uploads via the admin pages. This is typically for images, PDFs, etc. An injection exploit is used to put files into these directories and run them.
Re: Security of pdf and image files on server
Posted: Thu Oct 18, 2012 11:36 am
by matthijs
Christopher wrote: matthijs wrote: @christopher: how would that work exactly?
Usually CMSs have some directory permissions to allow uploads via the admin pages. This is typically for images, PDFs, etc. An injection exploit is used to put files into these directories and run them.
Sorry, what I meant is, how do you search inside the images and PDFs for executable code? Text files (html, php, js) I can open in my code editor. But how can I look for hidden code inside images and pdfs?
Re: Security of pdf and image files on server
Posted: Thu Oct 18, 2012 3:51 pm
by Christopher
If it is Unix then something like:
grep '[\<]?php' *
Re: Security of pdf and image files on server
Posted: Thu Oct 18, 2012 4:06 pm
by Benjamin
grep -r '<?php' *
Re: Security of pdf and image files on server
Posted: Thu Oct 18, 2012 6:15 pm
by Christopher
touche !
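As an added example (not posted by anyone in this thread), the grep idea above can be extended into a small POSIX sh scanner for an upload directory: it reports files with image or PDF extensions that contain PHP open tags, and separately flags files whose first bytes do not match what the extension claims (a script renamed to .jpg). It assumes only standard find, grep and od.

```shell
#!/bin/sh
# Added example, not from the thread. Scans "image"/"PDF" files under a
# directory for embedded PHP tags and for magic bytes that contradict the
# extension. Assumes POSIX sh with find, grep and od available.

# First four bytes of a file as lowercase hex, e.g. ffd8ffe0 for JPEG.
magic_hex() {
    od -An -tx1 -N4 "$1" | tr -d ' \n'
}

# Return 0 if the file's magic bytes agree with its extension, 1 otherwise.
magic_matches_ext() {
    ext=$(printf '%s' "${1##*.}" | tr 'A-Z' 'a-z')
    m=$(magic_hex "$1")
    case "$ext:$m" in
        jpg:ffd8ff*|jpeg:ffd8ff*)                  return 0 ;;  # JPEG SOI marker
        png:89504e47*|gif:47494638*|pdf:25504446*) return 0 ;;  # PNG, GIF8, %PDF
    esac
    return 1
}

# Check one file; print "REASON path" per finding, print nothing if clean.
# grep -a treats binary files as text so a tag buried in image data is found.
scan_file() {
    if grep -q -a -e '<?php' -e '<?=' -e 'eval(' "$1"; then
        printf 'PHP_TAG %s\n' "$1"
    fi
    if ! magic_matches_ext "$1"; then
        printf 'BAD_MAGIC %s\n' "$1"
    fi
}

# Walk a directory; only files whose extension claims image/PDF are checked,
# since that is the set the thread is asking about.
scan_uploads() {
    find "$1" -type f \( -iname '*.jpg' -o -iname '*.jpeg' -o -iname '*.png' \
        -o -iname '*.gif' -o -iname '*.pdf' \) | while read -r f; do
        scan_file "$f"
    done
}
```

Run it as `scan_uploads /path/to/public_html/wp-content/uploads` and review every reported path by hand; a PDF with embedded JavaScript can legitimately contain `eval(`, so the PHP_TAG line is a prompt to inspect, not a verdict.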