Connecting Tech Pros Worldwide Forums | Help | Site Map
bytes > topic > php > answers

security compromised

Ivo
Guest
  
Posts: n/a
#1: Jul 17 '05
Hi newsgroup,

it appears someone has broken into my site. This morning I found about 20
files (each called index.htm) suddenly featured this line:

<IFRAME SRC="url-of-bad-site" WIDTH=1 HEIGHT=1></IFRAME>

and their last modified date was set to today between midnight and 1 GMT. In
some files, this line was placed directly after the body opening tag, in
others it was just before </body>. In one file where the whole document is
written in javascript, they had even escaped their quotes!

The malicious url is www.b00gle.com/fa/?d=get
I have no access to the raw server logs and my own log script shows no
strange hits around that time.
How have they done this? And what can I do about it? I ask here because the
site uses PHP a lot but I guess there are more appropriate places to ask.
Thanks
Ivo

Filth
Guest
  
Posts: n/a
#2: Jul 17 '05

re: security compromised

> How have they done this? And what can I do about it? I ask here because
the[color=blue]
> site uses PHP a lot but I guess there are more appropriate places to ask.
> Thanks
>[/color]

there is no way of telling if you do not provide more details. 1 thing tho
have you tried looking at the raw log files for that time period. It most
likely give you a clue.
David Mackenzie
Guest
  
Posts: n/a
#3: Jul 17 '05

re: security compromised

On Fri, 4 Jun 2004 15:29:08 +0200, "Ivo" <no@thank.you> wrote:
[color=blue]
>Hi newsgroup,
>
>it appears someone has broken into my site. This morning I found about 20
>files (each called index.htm) suddenly featured this line:
>
><IFRAME SRC="url-of-bad-site" WIDTH=1 HEIGHT=1></IFRAME>
>
>and their last modified date was set to today between midnight and 1 GMT. In
>some files, this line was placed directly after the body opening tag, in
>others it was just before </body>. In one file where the whole document is
>written in javascript, they had even escaped their quotes!
>
>The malicious url is www.b00gle.com/fa/?d=get[/color]

That document itself contains an Iframe whose document caused my
browser to start downloading stuff from a porn site. Luckily I spotted
its dodgy url before any images appeared!

I think someone was trying to hijack hits to your site for themselves!
[color=blue]
>I have no access to the raw server logs and my own log script shows no
>strange hits around that time.[/color]

If you are on a shared server, contact the webmaster - other people on
the same server could also have been compromised.

--
David ( @priz.co.uk )
Ivo
Guest
  
Posts: n/a
#4: Jul 17 '05

re: security compromised

"David Mackenzie" wrote[color=blue]
> "Ivo" wrote:[color=green]
> >it appears someone has broken into my site. This morning I found about 20
> >files (each called index.htm) suddenly featured this line:
> >
> ><IFRAME SRC="url-of-bad-site" WIDTH=1 HEIGHT=1></IFRAME>
> >[/color]
> I think someone was trying to hijack hits to your site for themselves![/color]

Sounds plausible.
[color=blue][color=green]
> >I have no access to the raw server logs and my own log script shows no
> >strange hits around that time.[/color]
>
> If you are on a shared server, contact the webmaster - other people on
> the same server could also have been compromised.[/color]

That is a very good idea.

I have a PHP script which allows me to do everything without FTP, and live
in constant fear someone might find the password. The freakin' pimps have
been writing to my admin/index.htm file!
What more info would a newsgroup need to help identify the leak? The server
runs PHP/4.3.1 on Apache/1.3.27 (Unix).
Thanks
Ivo
PhilM
Guest
  
Posts: n/a
#5: Jul 17 '05

re: security compromised


"Ivo" <no@thank.you> wrote in message
news:40c07b6d$0$842$a344fe98@news.wanadoo.nl...[color=blue]
> Hi newsgroup,
>
> it appears someone has broken into my site. This morning I found about 20
> files (each called index.htm) suddenly featured this line:
>
> <IFRAME SRC="url-of-bad-site" WIDTH=1 HEIGHT=1></IFRAME>
>
> and their last modified date was set to today between midnight and 1 GMT.[/color]
In[color=blue]
> some files, this line was placed directly after the body opening tag, in
> others it was just before </body>. In one file where the whole document is
> written in javascript, they had even escaped their quotes!
>
> The malicious url is www.b00gle.com/fa/?d=get
> I have no access to the raw server logs and my own log script shows no
> strange hits around that time.
> How have they done this? And what can I do about it? I ask here because[/color]
the[color=blue]
> site uses PHP a lot but I guess there are more appropriate places to ask.
> Thanks
> Ivo
>
>[/color]
did a quick google. you are not the only victim...
Here is tiny url link to google results
http://tinyurl.com/39st6
Ivo
Guest
  
Posts: n/a
#6: Jul 17 '05

re: security compromised

"PhilM" wrote[color=blue]
> "Ivo" wrote[color=green]
> > it appears someone has broken into my site. This morning I found about[/color][/color]
20[color=blue][color=green]
> > files (each called index.htm) suddenly featured this line:
> >
> > <IFRAME SRC="url-of-bad-site" WIDTH=1 HEIGHT=1></IFRAME>[/color][/color]
< snip >[color=blue]
> did a quick google. you are not the only victim...
> Here is tiny url link to google results
> http://tinyurl.com/39st6
>[/color]

My host has taken steps and reconfigured the server. The network status
page,
<URL: http://freeola.info/networkstatus.php > sais:
"An investigation has exposed a software vulnerability which, in certain
circumstances, may allow a malicious user to insert HTML code into other
users web files. Some customers have reported that their web site now
appears to launch extra windows and software installers."

As far as PHP is concerned, some functions are no longer possible,
particularly those that call remote content.
copy(remote file, local file);
now results in 'file does not exist' where it copied just fine last week.
Strange thing is, the 'allow_url_fopen' directive is still 'On' according to
phpinfo. I think I have just traded some freedom for some security.
Ivo
Dan
Guest
  
Posts: n/a
#7: Jul 17 '05

re: security compromised


"Ivo" <no@thank.you> wrote in message
news:40c3cb4e$0$1736$abc4f4c3@news.wanadoo.nl...[color=blue]
> "PhilM" wrote[color=green]
> > "Ivo" wrote[color=darkred]
> > > it appears someone has broken into my site. This morning I found about[/color][/color]
> 20[color=green][color=darkred]
> > > files (each called index.htm) suddenly featured this line:
> > >
> > > <IFRAME SRC="url-of-bad-site" WIDTH=1 HEIGHT=1></IFRAME>[/color][/color]
> < snip >[color=green]
> > did a quick google. you are not the only victim...
> > Here is tiny url link to google results
> > http://tinyurl.com/39st6
> >[/color]
>
> My host has taken steps and reconfigured the server. The network status
> page,
> <URL: http://freeola.info/networkstatus.php > sais:
> "An investigation has exposed a software vulnerability which, in certain
> circumstances, may allow a malicious user to insert HTML code into other
> users web files. Some customers have reported that their web site now
> appears to launch extra windows and software installers."
>
> As far as PHP is concerned, some functions are no longer possible,
> particularly those that call remote content.
> copy(remote file, local file);
> now results in 'file does not exist' where it copied just fine last week.
> Strange thing is, the 'allow_url_fopen' directive is still 'On' according[/color]
to[color=blue]
> phpinfo. I think I have just traded some freedom for some security.
> Ivo
>[/color]
I had something similar to this happen to me on a hosted site last year. My
root directory and all subdirectories had a "bad" index.php written in them.
The server administrator said it was an old, unpatched exploit on apache (I
don't know if this was the case or not). Nothing else appeared to have been
disturbed.
Nathan Gardiner
Guest
  
Posts: n/a
#8: Jul 17 '05

re: security compromised

Ivo wrote:[color=blue]
>
> I have a PHP script which allows me to do everything without FTP, and
> live in constant fear someone might find the password. The freakin'
> pimps have been writing to my admin/index.htm file![/color]

Ivo,

Given that such a script exists, and is only protected by a simple password,
and you don't have access to the logs to determine what the method of
intrusion is, I'd say you have answered your own question. I couldn't be
sure, but if your PHP scripts allow some sort of PHP code injection, or your
admin script is found, it would be trivial for someone to write to the
filesystem.

Rather than asking for speculation as to the cause of this, you should
probabely practise a little better security policy.

Get access to the logs. Get rid of this script and use FTP/SFTP for file
transfer. Spend some time reading up on writing secure code.


Nathan
Closed Thread

« previous question | next question »

Similar PHP bytes

/bytes/development

/bytes/it

Forums
Visit our community forums for general discussions and latest on Bytes

Our staff and community areas have moved to bytes.com/forums/

/bytes/about

We are a network of experts and professionals in IT and software development that help one another with answers to tough questions and share insights. Get the best answers to your questions from over 226,439 network members.

dev questions:
algorithms | asp | asp.net | c/c++ | coldfusion | c# | flash | html/css | java | javascript |
mobile dev | .net | perl | php | python | ruby | software dev | vb.net | visual basic | xml
it questions:
access | apache | careers | db2 | iis | macosx | mysql | networking | oracle | postgresql | sql server | unix | windows

About Bytes | Copyright 1995-2009 BYTES. All rights Reserved