Help me I'm sinking!

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


JoeLucky39
Forum Newbie
Posts: 8
Joined: Fri Feb 17, 2006 8:28 am
Location: Florida

Help me I'm sinking!

Post by JoeLucky39 »


My site was hacked! (http://www.hydracomics.com) The hacker defaced my index page and placed a bunch of files on my server.

Two of which appear to be back doors named r57shell.php and c99shell.php

I contacted my site host and they believe it to be a leak in my code.
But, in order to place files on my server wouldn't they need some sort of FTP access code?

I'm stumped at how they could find the code.

How I build my sites is with includes. For instance I have an include which contains my database connection snippet. So instead of writing that into each script I just call the file up with an include statement.

Is it possible to grab that file from my server? Even though I'm behind a firewall?

Also, I build my regular pages with includes. EX:

Code: Select all

$HTTP_GET_VARS["cont"];

IF( isset($cont) )
	{
		$cont=$cont;
	}
ELSE
	{
		$cont="content/index_content.php";
	}
	include("template.php");
This is my index page. Template.php has my HTML template with an include <? include($cont); ?> in the section where my content would go. And you can see that $cont is set on the page that calls the template (in this case the index page is calling index_content.php).

Is there a security flaw with this type of site structure?

My host says, "It's the developer"..... that's me! But, I have no idea how this is happening.

Can anyone give me some advice?

Thanks,
Joe


Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

You need to read up on PHP security practices. See the sticky topic at the top of this forum for a list of resources users have posted. There are a lot of ways an external user could access your site and overwrite/read files. Includes are generally okay - it's a common practice. The problem may lie in your directory/file permissions (do you have any directories set to 777?), any upload scripts (have any?), use of unfiltered variables (how do you make sure the user is not passing incorrect/harmful values?), and so on.

One example from your post is using $cont.

What should this normally contain, and how is it used in your templates? I could pass anything into that variable without you knowing because all you're doing is checking it is set - not making its contents safe. Another small thing to bear in mind is that you are using an older superglobal - $HTTP_GET_VARS. More modern PHP versions use $_GET instead.

If this is a sign your PHP code is aging (written a few years ago) it may need a long overdue overhaul to have current security practices integrated to prevent exploits.

For specific reasons for the hacking, however, everyone here would need to see the code - that's the only way to pinpoint the exploit that was used (keeping in mind a clear idea that your script may not have been the weakness - any PHP app that has not been regularly updated may be a suspect).

Summary: Read up on PHP security practices, examine your code (or post samples here) for exploits, check any other applications you are hosting, and check for 777 permissions that are accessible to anyone. You could also check if anonymous ftp users can access your directories - it happens and could be a sign your host isn't so blameless as they'd lead you to believe.
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

Hi, there may be a hole somewhere else in your code, but on a side note.. all but a few lines of your index page is redundant.. the below would achieve the same result:

Code: Select all

<?php

$cont = (isset($_GET['cont']) ? $_GET['cont'] : 'content/index_content.php');

include('template.php');

?>
However, some validation of $_GET['cont'] should occur, i.e. is the value of $_GET['cont'] what you want it to be? The attacker could put any path they like in the url and that would then be assigned to $cont.
JoeLucky39
Forum Newbie
Posts: 8
Joined: Fri Feb 17, 2006 8:28 am
Location: Florida

Thanks

Post by JoeLucky39 »

Thanks for the replies. You guys gave me some good information.

I'm going to "seal" up that $cont variable.

The reason I left it open was so that I could run my whole site off of the index.php page if I wanted to by changing the content of the page through a url variable. But, I can see how someone could maybe place foreign elements into the body of my webpage through that functionality.

Obviously the risk outweighs the benefit.

Thanks for the help.

Joe
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

Do you mind if I ask if you're on a shared server environment or a dedicated server? I used to get my scripts vandalised a bit with a particular shared host in the UK. If your host hasn't taken security precautions it's possible someone else on the server is using the Apache user to browse other users' home directories and make changes.
JoeLucky39
Forum Newbie
Posts: 8
Joined: Fri Feb 17, 2006 8:28 am
Location: Florida

Shared

Post by JoeLucky39 »

It is in fact a shared hosting solution. I'm using fatcow.com as my host.

I brought this up to my host, but they say I'm the only one of their clients with this problem.
Whether they are lying or not is beyond my control. They say it must be a hole in my site's code.

I'm hoping that closing the open variable talked about above will fix this. If not, I'll try to look for more areas where I may be open.

Thanks for the info guys. I really appreciate this.

Joe
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

Jenk wrote:Hi, there may be a hole somewhere else in your code, but on a side note.. all but a few lines of your index page is redundant.. the below would achieve the same result:

Code: Select all

<?php

$cont = (isset($_GET['cont']) ? $_GET['cont'] : 'content/index_content.php');

include('template.php');

?>
However, some validation of $_GET['cont'] should occur, i.e. is the value of $_GET['cont'] what you want it to be? The attacker could put any path they like in the url and that would then be assigned to $cont.
FYI.. use !empty() instead in case the user simply inputted ?cont=
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Re: Shared

Post by Chris Corbyn »

JoeLucky39 wrote:It is in fact a shared hosting solution. I'm using fatcow.com as my host.

I brought this up to my host, but they say I'm the only one of their clients with this problem.
Whether they are lying or not is beyond my control. They say it must be a hole in my site's code.

I'm hoping that closing the open variable talked about above will fix this. If not, I'll try to look for more areas where I may be open.

Thanks for the info guys. I really appreciate this.

Joe
Did they tell you how much checking they did? Make sure they've checked the logs for unusual activity, check modification times on the files etc....
JoeLucky39
Forum Newbie
Posts: 8
Joined: Fri Feb 17, 2006 8:28 am
Location: Florida

Maugrim_The_Reaper

Post by JoeLucky39 »


As a reply to Maugrim_The_Reaper's question about upload scripts.

I do have an admin section with an upload script. Interaction on this page happens over a https encrypted page though.

The code looks like this

Code: Select all

<?
$file_dir = "https://hydracomics.com/product";
$showcase = $_FILES['showcaseupload']['name'];

if (is_uploaded_file( $_FILES['showcaseupload']['tmp_name'])) {
	IF($_FILES['showcaseupload']['size'] < 16270){
		move_uploaded_file($_FILES['showcaseupload']['tmp_name'], "$file_dir/$showcase") or die ("Couldn't copy");
 	}
 	ELSE {
 		$showcase = "detail_000.jpg";
 	}
}
ELSE {
	$showcase = "detail_000.jpg";
}
?>

matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Post by matthijs »

About the includes. What about using a whitelist approach:

Code: Select all

// Define our array of allowed $_GET values
$pass = array('intro', 'bluetruck', 'redhouse', 'brownbear');

// If there is no $_GET['id'] defined, then serve the homepage.
// (Checked first so in_array() never reads an undefined index.)
if (!isset($_GET['id'])) {
	include ($_SERVER['DOCUMENT_ROOT'] . '/inc/intro.php');
}

// If the page is allowed, include it (strict comparison: exact strings only):
elseif (in_array($_GET['id'], $pass, true)) {
	include ($_SERVER['DOCUMENT_ROOT'] . '/inc/' . $_GET['id'] . '.php');
}

// If the page is not allowed, send them to an error page:
else {
	// This sends the 404 header
	header("HTTP/1.0 404 Not Found");
	// This includes the error page
	include ($_SERVER['DOCUMENT_ROOT'] . '/inc/error.php');
}
This is from http://www.digital-web.com/articles/easypeasy_php_2/
JoeLucky39
Forum Newbie
Posts: 8
Joined: Fri Feb 17, 2006 8:28 am
Location: Florida

Official response

Post by JoeLucky39 »

Here is what my host said about the hack:

"There are two types of hacks/unauthorized access. One is security hack, another is script hacks. Security hacks are done on a system/platform due to its loopholes and can cause considerable damage on whole system. Script hacks are done due to user's script bugs/exploits which should be patched against such. While we ensure that our platform is secure due to our network & security policies we can not guarantee any unauthorized attempt to user's script due to its age, bugs and loopholes.

In this instance, it appears that this is your own cart program rather than some known third party popular script.

We're not sure what loophole of your program would have caused this. You can find this in two places. You can go through the CGI error log and look for suspicious errors. Another place is to download the stats raw log file where you can try to find several GET requests made for a script from remote IP's which are trying to pass strange queries."
JoeLucky39
Forum Newbie
Posts: 8
Joined: Fri Feb 17, 2006 8:28 am
Location: Florida

matthijs

Post by JoeLucky39 »

reply to matthijs.

Very nice solution. That is exactly what I'm going to implement.

Thanks for the suggestion and help. I'm in need.

Joe
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

Loopholes? I guess the rep isn't a programmer...;)

Make sure any other applications you host are updated to their most recent versions. Since apparently you do have access to the apache logs you should do as suggested and search for any calls to your applications that may look suspicious. Try around the time of the last modified date of those shell scripts - might narrow down the time window in which any exploits were being manipulated.
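
The log review suggested above and in the host's response, as an added example that is not part of the original thread: it scans Apache access log lines within a window around a dropped file's modification time and flags requests for the two file names Joe found, plus any `cont` value that is not an expected content page. The log format, the `content/*.php` pattern, the sample lines and the modification time are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

# Apache common/combined log prefix: client, timestamp, method, URL, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
# Assumption: legitimate cont values are .php files directly under content/.
EXPECTED_CONT = re.compile(r'content/[A-Za-z0-9_-]+\.php')
# File names the original poster found on the server.
DROPPED = {"r57shell.php", "c99shell.php"}

def triage(lines, mtime, hours=24):
    """Return sorted (timestamp, client, reason, url) tuples for suspicious
    requests logged within `hours` of `mtime` (a dropped file's mtime)."""
    lo, hi = mtime - timedelta(hours=hours), mtime + timedelta(hours=hours)
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the review
        client, stamp, _method, url, _status = m.groups()
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        if not lo <= when <= hi:
            continue
        parts = urlsplit(url)
        if parts.path.rsplit("/", 1)[-1] in DROPPED:
            hits.append((when, client, "request to dropped file", url))
        for value in parse_qs(parts.query, keep_blank_values=True).get("cont", []):
            if not EXPECTED_CONT.fullmatch(value):
                hits.append((when, client, "unexpected cont value", url))
    return sorted(hits)

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [16/Feb/2006:09:12:01 +0000] "GET /index.php?cont=content/about.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [16/Feb/2006:22:40:13 +0000] "GET /index.php?cont=/some/other/path.txt HTTP/1.1" 200 812',
    '198.51.100.7 - - [16/Feb/2006:22:41:55 +0000] "GET /c99shell.php HTTP/1.1" 200 30411',
    '203.0.113.5 - - [01/Jan/2006:10:00:00 +0000] "GET /index.php?cont=/some/other/path.txt HTTP/1.1" 200 812',
]
# Constructed modification time of a dropped file (taken from a file listing).
MTIME = datetime(2006, 2, 16, 22, 41, tzinfo=timezone.utc)

if __name__ == "__main__":
    for when, client, reason, url in triage(SAMPLE, MTIME):
        print(when.isoformat(), client, reason, url)
```

Clients that appear in the output are worth following through the rest of the log, since the same address may have touched other scripts outside the window.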
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Post by matthijs »

JoeLucky39, I think you're busy enough with the advice so far. But if you do find the time it might be of interest to check out these very good resources on php security (besides the many threads on this forum):
http://shiflett.org/ Chris Shiflett's site, with many articles,
http://phpsecurity.org/ PHP security, Chris' book. Short but sweet, essential reading in my opinion,
You could also start with the security guide http://phpsec.org/projects/

And whenever in doubt, ask your questions here. I've always found a lot of help here.
JoeLucky39
Forum Newbie
Posts: 8
Joined: Fri Feb 17, 2006 8:28 am
Location: Florida

Thanks

Post by JoeLucky39 »

After this... absolutely I'll check'em out.

Thanks for all the help guys.

Joe