How do you prevent this?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


Billy2007
Forum Newbie
Posts: 8
Joined: Fri Aug 31, 2007 4:00 pm

How do you prevent this?

Post by Billy2007 »

feyd | Please use [code] and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171) to learn how to do it too.


There's an exploit out there and if your site gets hacked chances are you won't even know it.

The hack inserts code into php and html files. In my case two apps were hacked on my site yesterday - one was the WordPress Blog, the other was a php image gallery, Coppermine.

What code was inserted?:
<html><iframe width=0 height=0 frameborder=0 src=http://www.free20.com/portal/index.php?aff=razec marginwidth=0 marginheight=0 vspace=0 hspace=0 allowtransparency=true scrolling=no></iframe></html>
The fix?
Very simple. Get yourself a nice search-and-replace utility that does batch replaces and replace the code, leaving the replace field blank. Or write a script to do it on the server.

The problem? They'll be back.

So can any experts out there (I'm just a photographer) shed some light on how a client-sider like me can secure his shared server (Apache) from these cybertrash kiddies and their sick bots?

Any suggestions would be greatly appreciated. I run many PHP applications including PixelPost and phpBB, but only Coppermine and WordPress were infected. It seems that the CMS community is very hush-hush on these exploits (bad publicity for them) and, as I said before, most users (probably thousands of them) don't know the code is there unless it breaks an application by busting up the code.

Thanks in advance.

edit: I should have added that the code doesn't try to break the site; it just redirects traffic in the background to generate ad revenue, I guess. If you watch the status bar you will see all kinds of transfers going on while the page loads. In some cases it does break it unwittingly; for example, it caused IE to read my CSS wrong and send my WP sidebar to the bottom. That was the tipoff for me.

Forum Rules Section 1.1 (http://forums.devnetwork.net/viewtopic.php?t=30037) wrote: 2. Use descriptive subjects when you start a new thread. Vague titles such as "Help!", "Why?" are misleading and keep you from receiving an answer to your question.
Kieran Huggins
DevNet Master
Posts: 3635
Joined: Wed Dec 06, 2006 4:14 pm
Location: Toronto, Canada
Contact:

Post by Kieran Huggins »

There's no magic security bullet code out there. Each instance is an example of a different security hole being found and exploited in each package. The authors of those apps do release security and bug fixes regularly to fix these vulnerabilities.

Your best defense is to try and keep your app installs up-to-date at all times. Many "one click install" hosts have a "one click upgrade" button that makes it dead simple to stay up-to-date with the latest security releases. It's sometimes a bit of a pain to do manually, but it's a chore that needs to be done, none the less.
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Re: How do you prevent this?

Post by superdezign »

Billy2007 wrote:What code was inserted?:
<html><iframe width=0 height=0 frameborder=0 src=http://www.free20.com/portal/index.php?aff=razec marginwidth=0 marginheight=0 vspace=0 hspace=0 allowtransparency=true scrolling=no></iframe></html>
Inserted where?
Billy2007
Forum Newbie
Posts: 8
Joined: Fri Aug 31, 2007 4:00 pm

Re: How do you prevent code insertion attack?

Post by Billy2007 »

superdezign wrote:
Billy2007 wrote:What code was inserted?:
<html><iframe width=0 height=0 frameborder=0 src=http://www.free20.com/portal/index.php?aff=razec marginwidth=0 marginheight=0 vspace=0 hspace=0 allowtransparency=true scrolling=no></iframe></html>
Inserted where?
The code was inserted somewhere in the body of index.php in WordPress. In the case of Coppermine, the code was inserted (often multiple times) at the top of most (if not all) of the php files that are in the include folder.

Updating is part of the solution. I do that, and most importantly all my files and the MySQL tables are religiously backed up weekly.

My question is how does this happen, so I can customize my open-source PHP to minimize it happening again. Customized code is very unlikely to be hacked; mainstream code is very likely to be hacked.

If anyone has the expertise of a hacker, i.e. to understand how the attack happens (where is the point of entry, is it related to the server configuration (global settings), is it related to the login, etc.), that's where it would be helpful, and hopefully this prevention information could be spread to other CMS communities.

Fact: the average PHP-based CMS user (forums, Mambo, Joomla, WordPress, etc.) is not a techie. These people create content, not code. It's a shame to see a site defaced or trashed when it could have been stopped with some simple-to-implement measures.

I don't know how this attack works, and unless I can find an expert to explain it to me, I won't be in any position to stop one in the future, upgrades or not. BTW, upgrades are a complex process because plugins and customizations rarely work afterwards.

So again, any help from the experts in this community would be greatly appreciated.
Thanks
:D
P.S. sorry for the vague subject and not using the code tags...
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Re: How do you prevent code insertion attack?

Post by superdezign »

Billy2007 wrote:My question is how does this happen so I can customize my opensource php to minimize it happening again.
It was actually IN the files? That doesn't sound like a client-side hack. Most likely, someone actually gained access to your server via FTP. Maybe you should consider a more secure password.
Billy2007 wrote:Customized code is very unlikely to be hacked, mainstream code is very likely to be hacked.
I don't agree with that statement at all. Mainstream just means more people actually know what the code looks like. That doesn't make the code less secure.
Billy2007
Forum Newbie
Posts: 8
Joined: Fri Aug 31, 2007 4:00 pm

Re: How do you prevent code insertion attack?

Post by Billy2007 »

superdezign wrote:It was actually IN the files? That doesn't sound like a client-side hack. Most likely, someone actually gained access to your server via FTP. Maybe you should consider a more secure password.
Client side? No, that never came into question. This is server side, like SQL injection. The fact that the same line of code was repeated several times, and the fact that only certain apps were compromised, all point to a bot attack (I also checked the access logs on the server; nobody hacked the passwords).
superdezign wrote:I don't agree with that statement at all. Mainstream just means more people actually know what the code looks like. That doesn't make the code less secure.
Agreed. What I meant is that bots look for code they can recognize. This is why captcha with questions works: bots are too stupid to answer simple questions unless they know what questions will be asked. Simply removing a website URL field on a comment form can end a spammer's attempt to spam your site; changing the order or names of fields on a registration form will once more send a bot into fits. That's what I meant.

Obviously if we are talking humans, well, that's another story, but to think some hacker actually looked for my tiny little site out of the billions of sites out there, just to insert a few lines of code that would help him generate some ad revenue before being reported and shut down, doesn't make sense.

So my initial question remains: by what mechanism was the hack perpetrated? Knowing that will help prevent it.

edit: when I said I'm a client-sider, I meant I photograph, I Photoshop, I write Flash ActionScript, I write JavaScript, as well as CSS etc. In other words, I can develop my own website. I also access my site through FTP and its control panel, the basics of Unix etc., but I'm not a security expert on PHP nor on servers. That's why I'm asking for help in this community. None of my HTML or Flash components were touched, only the PHP ones.
califdon
Jack of Zircons
Posts: 4484
Joined: Thu Nov 09, 2006 8:30 pm
Location: California, USA

Post by califdon »

I'm certainly not a security expert either, but I totally agree with Superdezign that what you described sounds like it had to be done on the server side by someone who gained access to your hosting password. I know of no exploit from a client program that could change code in your scripts. That's what he meant by client-side.
Billy2007
Forum Newbie
Posts: 8
Joined: Fri Aug 31, 2007 4:00 pm

Post by Billy2007 »

califdon wrote:I'm certainly not a security expert either, but I totally agree with Superdezign that what you described sounds like it had to be done on the server side by someone who gained access to your hosting password. I know of no exploit from a client program that could change code in your scripts. That's what he meant by client-side.
Then the person who hacked my account must have been severely mentally retarded. Why? Because aside from the fact that no real damage was done to my site, the same line of code was inserted repeatedly. A bot will do that, but a human realizes when he has inserted it once versus a dozen times in the same file. Other files infected aren't even used by my site; they just happened to be in the same folder. Files in image folders were infected although they aren't even executed. Only a bot could make that "mistake".

Also, doing a Google search on "free20.com hack" will reveal a handful of people who have reported this. There is no relationship between myself and these people; we all got hacked by bots. In fact these bots were likely unleashed in the past, because the website of the hacker has been closed down. Again, he would have to be incredibly stupid to add code to generate ad revenue for his website when his site is no longer up.

Surely a bot must have infected thousands of users, not just me. Why so few reports on the web? Because the hack doesn't do much damage, if any. You will only notice you are infected if you look at the status bar on your browser; there you will see transfers from ad sites as the page loads, so people don't even know they are infected.

Regarding your point about client or server, again yes it is server side, and yes these attacks happen all the time: spam bots, SQL injection, etc. Even Microsoft's site has been defaced by bots.

Final point: I use strong passwords. My site is not even advertised; it is just for family and friends. This wasn't the work of Kevin Mitnick.

:D
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

Are your files writable by everyone? 0777?
Set Search Time - A google chrome extension. When you search only results from the past year (or set time period) are displayed. Helps tremendously when using new technologies to avoid outdated results.
Billy2007
Forum Newbie
Posts: 8
Joined: Fri Aug 31, 2007 4:00 pm

Post by Billy2007 »

Hey Scott
The index.php file from the WordPress blog had one line of code (the iframe) inserted - it is the only line of code that actually worked (i.e. that redirected to ad sites).
The properties are set to only allow the owner to write: 644

The compromised files in the Coppermine gallery include folder actually broke one of the files and did not allow the iframe hack to do its thing. Once more, these files are set to 644. These had the same line of code repeatedly inserted for some reason - as if the bot did not realize it had inserted the file and kept repeating.

None of the other components of the site (Flash, HTML) were compromised. Same for the other PHP components: PixelPost (3 photo galleries in different folders) and the phpBB forum were all clean.


Any insight into how this attack was carried out would be greatly appreciated - there is very little on the internet on this issue. People can only offer "someone must know your password" - which reminds me of the typical tech support response when your printer doesn't work - "must be a virus, reformat your hard drive and reinstall windows and all your applications".
Z3RO21
Forum Contributor
Posts: 130
Joined: Thu Aug 17, 2006 8:59 am

Post by Z3RO21 »

Sounds to me like a bot exploiting poorly written code that is not properly validating data.
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Post by VladSun »

Have you emailed your hosting support about this? Maybe it would come out that you are not the only one with this problem ;)
There are 10 types of people in this world, those who understand binary and those who don't
Billy2007
Forum Newbie
Posts: 8
Joined: Fri Aug 31, 2007 4:00 pm

Post by Billy2007 »

Z3RO21 wrote:Sounds to me like a bot exploiting poorly written code that is not properly validating data.
Agreed. I have updated both php apps - but I still want to understand where the door was, so I can shut it down.
Billy2007
Forum Newbie
Posts: 8
Joined: Fri Aug 31, 2007 4:00 pm

Post by Billy2007 »

VladSun wrote:Have you emailed your hosting support about this? Maybe it would come out that you are not the only one with this problem ;)
I spoke to them on the phone as well; they were totally useless. Their attitude was it's not our problem, it's your problem.
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Post by VladSun »

Billy2007 wrote:
Z3RO21 wrote:Sounds to me like a bot exploiting poorly written code that is not properly validating data.
Agreed. I have updated both php apps - but I still want to understand where the door was, so I can shut it down.
Most probably that is not the case. Usually only your FTP user has write access to your files, unless they are chmoded to 0777 permissions. That's why a poor coding problem wouldn't result in file modifications. You said that your modified files had 0644 permissions, so it should have been done by your FTP user or by another user with write access (e.g. root ;) ).
So, there are two ways it could have been done:
1) somebody has access via your FTP user/password (e.g. by using a trojan on your PC);
2) your hosting server has been totally hacked.

I would vote for the second one :)
There are 10 types of people in this world, those who understand binary and those who don't
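A server-side cleanup of the kind Billy2007 mentions ("write a script to do it on the server"), which also answers the 0777-versus-0644 question raised by s.dot and VladSun by flagging world-writable scripts. This is an added example, not code from the thread or from WordPress or Coppermine; the file tree that demo() builds and its paths are constructed, and the script keys on the exact injected string quoted in the thread, so a variant with a different URL would not be matched.

```python
import os, stat, tempfile

# Marker: the injected string exactly as quoted in the thread (constructed copy).
INJECTED = ('<html><iframe width=0 height=0 frameborder=0 '
            'src=http://www.free20.com/portal/index.php?aff=razec '
            'marginwidth=0 marginheight=0 vspace=0 hspace=0 '
            'allowtransparency=true scrolling=no></iframe></html>')

def count_injections(text):
    """Copies of the marker in a file (the bot inserted it repeatedly)."""
    return text.count(INJECTED)

def clean_text(text):
    """Strip every copy of the marker; returns (cleaned_text, copies_removed)."""
    return text.replace(INJECTED, ''), count_injections(text)

def audit_tree(root, fix=False):
    """Return {path: (copies, world_writable)} for every script under root that is
    infected or world-writable; with fix=True, rewrite the infected files in place."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(('.php', '.html', '.htm', '.inc')):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding='utf-8', errors='replace') as fh:
                text = fh.read()
            copies = count_injections(text)
            # 0644 lets only the owner write; 0777 lets any local user inject.
            writable = bool(os.stat(path).st_mode & stat.S_IWOTH)
            if copies or writable:
                findings[os.path.relpath(path, root).replace(os.sep, '/')] = (copies, writable)
            if copies and fix:
                with open(path, 'w', encoding='utf-8') as fh:
                    fh.write(clean_text(text)[0])
    return findings

def demo():
    """Constructed tree mirroring the thread: WordPress index.php with one copy,
    a Coppermine include with three, a clean phpBB file and one 0777 file."""
    root = tempfile.mkdtemp()
    files = {'wordpress/index.php': '<?php\n' + INJECTED + '\nrequire("wp-blog-header.php");\n',
             'coppermine/include/init.inc.php': INJECTED * 3 + '<?php // init\n',
             'phpbb/index.php': '<?php // clean\n', 'albums/userpics/x.php': '<?php\n'}
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, 'w') as fh:
            fh.write(body)
        os.chmod(path, 0o777 if 'userpics' in rel else 0o644)
    return audit_tree(root, fix=True), audit_tree(root)
```

Run audit_tree on a backup copy first with fix=False; a marker count of zero on every file together with an empty world-writable list is what a clean tree looks like.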