GiorgosK
Wed 9 April 2008, 02:04 pm GMT +0200
One of my sites was found with spam links included in the index.php
the site has no database
just a simple contact form (that uses mail())
I found "prefer.php" file in my public_html/lib/
that was actually doing the insertion/injection in index.php
but how did it get there (I can send it if anyone wants to see it)
I am sanitizing/filtering all the inputs for email headers injection
but maybe not correctly for XSS attacks or PHP remote inclusion
are there some patterns I should be scanning for ??
should I include any directives in .htaccess ??
How can someone write a file on my server with
just exploiting a contact form ??
any pointers/advice would be greatly appreciated
Nikolas
Wed 9 April 2008, 02:53 pm GMT +0200
So the prefer.php wrote to the index.php?
In any case if something wrote to any page of your site, you should check the scripts that use the fopen() and fwrite() functions.
Another thing you should check is other directory index files (index.php on www root folders) that have the same problem. If this is the case then someone hacked the server and you should contact your hosting company (or let me know if it is your own server)
Good luck :)
GiorgosK
Wed 9 April 2008, 03:47 pm GMT +0200
thanks for the reply Nikolas,
the server is not mine so I also asked the admin
they told me that I should always have my .php files as CHMOD 644
apparently I did not have them
Would that be enough for them to get access ??
I will check all my fopen, fwrite functions but I am pretty sure
the filenames for them are hardcoded
that does not cause a problem right ??
I did not understand this part though
----------
Another thing you should check is other directory index files (index.php on www root folders) that have the same problem.
----------
olaf
Wed 9 April 2008, 04:42 pm GMT +0200
sounds to me that the provider is hiding some problem, I had the same problem before with a shared hosting account.
look the hacker is not some stranger, I think it's another customer ;)
GiorgosK
Wed 9 April 2008, 05:17 pm GMT +0200
Olaf thanks for your input,
It is indeed hosted on a shared host.
2 support guys concluded that keeping the .php files as 644
will prevent other attacks
They were both definite about that !!!
But never offered to explain how such a thing could have happened !
olaf
Wed 9 April 2008, 07:00 pm GMT +0200
what permissions do you have for these files? a normal server will use 644 as default
GiorgosK
Wed 9 April 2008, 07:11 pm GMT +0200
I never knew that I should be worried about this
but now I will, everything is turned to 644
olaf
Wed 9 April 2008, 07:50 pm GMT +0200
----------
I never knew that I should be worried about this
but now I will, everything is turned to 644
----------
if you upload a file this should be 644 automatically or the server is wrongly configured
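The permission checks the thread is circling around (every .php file at 644, nothing group- or world-writable, and a look for freshly dropped files like the prefer.php that started this) can be done from inside the shared account with a small PHP script. This is an added example, not code from anyone in the thread; it assumes it is run from the top of public_html (or that $webRoot is pointed there) and reports findings instead of silently changing anything unless $apply is set.

```php
<?php
// Added example: audit a web root for PHP files whose mode is not 0644,
// for any file that is group- or world-writable, and for PHP files modified
// in the last $recentDays days (a cheap way to spot dropped scripts).
// $webRoot is an assumed path; adjust it to your own public_html.

function walkFiles(string $webRoot): Generator
{
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($webRoot, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iterator as $file) {
        if ($file->isFile()) {
            yield $file;
        }
    }
}

function auditPermissions(string $webRoot, int $expectedMode = 0644, int $recentDays = 7): array
{
    $findings = [];
    $cutoff = time() - $recentDays * 86400;
    foreach (walkFiles($webRoot) as $file) {
        $mode  = $file->getPerms() & 0777;          // drop the file-type bits
        $path  = $file->getPathname();
        $isPhp = strtolower($file->getExtension()) === 'php';

        if ($mode & 0022) {                         // group or world writable
            $findings[] = sprintf('%s: mode %04o is group/world writable', $path, $mode);
        } elseif ($isPhp && $mode !== $expectedMode) {
            $findings[] = sprintf('%s: PHP file has mode %04o, expected %04o', $path, $mode, $expectedMode);
        }
        if ($isPhp && $file->getMTime() > $cutoff) {
            $findings[] = sprintf('%s: PHP file modified on %s', $path, date('Y-m-d H:i', $file->getMTime()));
        }
    }
    return $findings;
}

// Count (and, when $apply is true, chmod) PHP files that are not 0644.
function fixPhpPermissions(string $webRoot, bool $apply = false): int
{
    $changed = 0;
    foreach (walkFiles($webRoot) as $file) {
        if (strtolower($file->getExtension()) === 'php' && ($file->getPerms() & 0777) !== 0644) {
            if ($apply) {
                chmod($file->getPathname(), 0644);
            }
            $changed++;
        }
    }
    return $changed;
}

$webRoot = __DIR__;   // assumption: this script sits at the top of public_html
foreach (auditPermissions($webRoot) as $finding) {
    echo $finding, PHP_EOL;
}
echo 'PHP files needing chmod 644: ', fixPhpPermissions($webRoot), PHP_EOL;
```

Run it once as a report, review the list (a recently modified file you did not upload is the thing to investigate, not just fix), then call fixPhpPermissions($webRoot, true) if the only findings are wrong modes. Remember that 644 keeps other customers from writing to your files only if the web server process is not running as a shared user; that part is the host's configuration, which is why the thread keeps coming back to asking them.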
YMC
Thu 10 April 2008, 07:24 am GMT +0200
I feel for you Giorgos. One of my database driven sites apparently became a target on a Vietnamese hacker forum. It seemed that they figured out I was using a vulnerable script and encouraged their members to post that forum's banners and links on my site. Don't some folks have anything better to do with their time?
Hopefully, your problem is much easier to fix and you will get your site fully secure quickly.
olaf
Thu 10 April 2008, 08:24 am GMT +0200
These 3rd party scripts are big problems, even Wordpress is a risk since there were problems in the past. These days I bought a website with some custom script, it is so badly scripted that I am thinking about moving the whole thing into the RB.
Nikolas
Fri 11 April 2008, 02:31 pm GMT +0200
These guys usually use an XSS vulnerability to include a remote script into your code. Then they use the /tmp folder to install an application that checks all the www directory index files (index.php on every site) and defaces them.
In addition there is another vulnerability which may give them the right to run their app as root, which means that your files will be defaced anyway (this is a problem with crontab)
GiorgosK
Sat 12 April 2008, 01:08 am GMT +0200
----------
I never knew that I should be worried about this
but now I will, everything is turned to 644
if you upload a file this should be 644 automatically or the server is wrongly configured
----------
I have probably changed the file permissions after uploading them.
The hosting company has been great so far, everything works as advertised and the support questions are usually answered within the hour.
----------
These guys usually use an XSS vulnerability to include a remote script into your code. Then they use the /tmp folder to install an application that checks all the www directory index files (index.php on every site) and defaces them.
In addition there is another vulnerability which may give them the right to run their app as root, which means that your files will be defaced anyway (this is a problem with crontab)
----------
Olaf and Nick
Its my own script, simple of course but it does not allow input with
content-type:
bcc:
cc:
document.cookie
onclick
onload
;
~
|
Anything else I should be checking for ??
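The list above blocks specific strings (bcc:, cc:, content-type:), but the thing that makes header injection possible at all is a line break inside a value that ends up in a mail header; without one, no attacker-supplied header can start. The handler below is an added example, not GiorgosK's own script, showing that approach: reject CR, LF (and their URL-encoded forms) in every header-bound field, validate the address with filter_var, and never put user input into From:. The sender and recipient addresses are assumed placeholders.

```php
<?php
// Added example: a contact-form handler that closes the header-injection
// class by rejecting line breaks in header fields instead of relying on a
// keyword blocklist. Addresses below are assumed placeholders.

function hasLineBreak(string $value): bool
{
    // A CR, LF or NUL (raw or URL-encoded) would let a value start a new
    // header line such as Bcc: or Content-Type: inside the message.
    return (bool) preg_match('/[\r\n\0]|%0[aAdD]/', $value);
}

function validateContactInput(array $post): array
{
    $errors  = [];
    $name    = trim($post['name'] ?? '');
    $email   = trim($post['email'] ?? '');
    $subject = trim($post['subject'] ?? '');
    $message = $post['message'] ?? '';

    // Fields that reach a mail header: bounded length and no line breaks.
    foreach (['name' => $name, 'email' => $email, 'subject' => $subject] as $field => $value) {
        if ($value === '' || strlen($value) > 200) {
            $errors[] = "$field is missing or too long";
        } elseif (hasLineBreak($value)) {
            $errors[] = "$field contains a line break";
        }
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email address is not valid';
    }
    if (trim($message) === '' || strlen($message) > 5000) {
        $errors[] = 'message is missing or too long';
    }
    return [
        'ok' => $errors === [], 'errors' => $errors,
        'name' => $name, 'email' => $email, 'subject' => $subject, 'message' => $message,
    ];
}

function sendContactMail(string $recipient, array $input): bool
{
    // From: is fixed; the validated visitor address only goes in Reply-To,
    // and the body (not a header) carries the free-form text.
    $headers = "From: contact-form@example.org\r\n"          // assumed sender
             . 'Reply-To: ' . $input['email'] . "\r\n"
             . "Content-Type: text/plain; charset=UTF-8\r\n";
    $body = "Name: {$input['name']}\n\n{$input['message']}";
    return mail($recipient, $input['subject'], $body, $headers);
}

// Constructed request of the kind the thread describes: the CR/LF in the
// email field is refused, so the smuggled Bcc: line never reaches mail().
$constructed = [
    'name'    => 'Bob',
    'email'   => "bob@example.com\r\nBcc: someone@example.net",
    'subject' => 'Hi',
    'message' => 'Hello',
];
$check = validateContactInput($constructed);
echo $check['ok'] ? 'accepted' : 'rejected: ' . implode('; ', $check['errors']), PHP_EOL;

// Real handling of a submitted form.
if (isset($_POST['email'])) {
    $result = validateContactInput($_POST);
    if ($result['ok']) {
        sendContactMail('you@example.org', $result);   // assumed recipient
    }
}
```

The shell metacharacters in the list (;, ~, |) only matter if user input is passed to mail()'s fifth parameter or to a shell; this handler never does that, so they need no special treatment. Also note that none of this stops a file from being written to the account: a contact form that only calls mail() has no file-writing path, which is why the permission and hosting questions earlier in the thread are the more likely explanation for prefer.php.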
Nikolas
Sat 12 April 2008, 11:35 am GMT +0200
You should check if you are including files from $_GET or $_POST. For example:
<?php include $_GET['action'] . '.php'; ?>
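For anyone reading this later, here is the dangerous include beside a safe replacement. This is an added example, not Nikolas's code; the page names and the pages/ directory are assumed. The unsafe function is shown only for its shape and is never called: the request value decides which file runs, locally or (with allow_url_include on) remotely. The safe version maps the request value onto a fixed allowlist, so an unknown value is refused before any file system or network access happens.

```php
<?php
// Added example: include-by-request-value (the pattern Nikolas warns about)
// beside an allowlisted version. Page paths below are assumed.

// Vulnerable shape: the request supplies the path. Kept for illustration only.
function loadPageUnsafe(string $action): void
{
    include $action . '.php';
}

// Hardened: map the request value to a known file, or to nothing.
function resolvePage(string $action, array $allowed): ?string
{
    return array_key_exists($action, $allowed) ? $allowed[$action] : null;
}

function loadPageSafe(string $action): bool
{
    $pages = [
        'home'    => __DIR__ . '/pages/home.php',     // assumed layout
        'contact' => __DIR__ . '/pages/contact.php',
        'about'   => __DIR__ . '/pages/about.php',
    ];
    $path = resolvePage($action, $pages);
    if ($path === null || !is_file($path)) {
        http_response_code(404);
        return false;
    }
    include $path;
    return true;
}

// Constructed checks: only allowlisted keys resolve; path segments and
// URLs in the value never become a path, because the value is a key.
$pages = ['home' => '/var/www/pages/home.php'];
foreach (['home', '../config', 'http://example.invalid/page'] as $value) {
    $resolved = resolvePage($value, $pages);
    echo $value, ' => ', $resolved === null ? 'refused' : $resolved, PHP_EOL;
}

loadPageSafe($_GET['action'] ?? 'home');
```

The same rule applies to anything else built from a request value (file_get_contents, fopen, require, header redirects): look the value up in a table you control rather than concatenating it into a path.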
GiorgosK
Sat 12 April 2008, 08:28 pm GMT +0200
----------
You should check if you are including files from $_GET or $_POST. For example:
<?php include $_GET['action'] . '.php'; ?>
----------
Thanks Nikolas but I was not doing anything that dangerous !!