473,385 Members | 2,243 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

home > topics > php > questions > security compromised

Join Bytes to post your question to a community of 473,385 software developers and data experts.

security compromised

Ivo
Hi newsgroup,

it appears someone has broken into my site. This morning I found about 20
files (each called index.htm) suddenly featured this line:

<IFRAME SRC="url-of-bad-site" WIDTH=1 HEIGHT=1></IFRAME>

and their last modified date was set to today between midnight and 1 GMT. In
some files, this line was placed directly after the body opening tag, in
others it was just before </body>. In one file where the whole document is
written in javascript, they had even escaped their quotes!

The malicious url is www.b00gle.com/fa/?d=get
I have no access to the raw server logs and my own log script shows no
strange hits around that time.
How have they done this? And what can I do about it? I ask here because the
site uses PHP a lot but I guess there are more appropriate places to ask.
Thanks
Ivo
Jul 17 '05 #1
7 1946
> How have they done this? And what can I do about it? I ask here because
the
site uses PHP a lot but I guess there are more appropriate places to ask.
Thanks


there is no way of telling if you do not provide more details. 1 thing tho
have you tried looking at the raw log files for that time period. It most
likely give you a clue.
Jul 17 '05 #2
On Fri, 4 Jun 2004 15:29:08 +0200, "Ivo" <no@thank.you> wrote:
Hi newsgroup,

it appears someone has broken into my site. This morning I found about 20
files (each called index.htm) suddenly featured this line:

<IFRAME SRC="url-of-bad-site" WIDTH=1 HEIGHT=1></IFRAME>

and their last modified date was set to today between midnight and 1 GMT. In
some files, this line was placed directly after the body opening tag, in
others it was just before </body>. In one file where the whole document is
written in javascript, they had even escaped their quotes!

The malicious url is www.b00gle.com/fa/?d=get
That document itself contains an Iframe whose document caused my
browser to start downloading stuff from a porn site. Luckily I spotted
its dodgy url before any images appeared!

I think someone was trying to hijack hits to your site for themselves!
I have no access to the raw server logs and my own log script shows no
strange hits around that time.


If you are on a shared server, contact the webmaster - other people on
the same server could also have been compromised.

--
David ( @priz.co.uk )
Jul 17 '05 #3
Ivo
"David Mackenzie" wrote
"Ivo" wrote:
it appears someone has broken into my site. This morning I found about 20
files (each called index.htm) suddenly featured this line:

<IFRAME SRC="url-of-bad-site" WIDTH=1 HEIGHT=1></IFRAME>

I think someone was trying to hijack hits to your site for themselves!


Sounds plausible.
I have no access to the raw server logs and my own log script shows no
strange hits around that time.


If you are on a shared server, contact the webmaster - other people on
the same server could also have been compromised.


That is a very good idea.

I have a PHP script which allows me to do everything without FTP, and live
in constant fear someone might find the password. The freakin' pimps have
been writing to my admin/index.htm file!
What more info would a newsgroup need to help identify the leak? The server
runs PHP/4.3.1 on Apache/1.3.27 (Unix).
Thanks
Ivo

Jul 17 '05 #4

"Ivo" <no@thank.you> wrote in message
news:40*********************@news.wanadoo.nl...
Hi newsgroup,

it appears someone has broken into my site. This morning I found about 20
files (each called index.htm) suddenly featured this line:

<IFRAME SRC="url-of-bad-site" WIDTH=1 HEIGHT=1></IFRAME>

and their last modified date was set to today between midnight and 1 GMT. In some files, this line was placed directly after the body opening tag, in
others it was just before </body>. In one file where the whole document is
written in javascript, they had even escaped their quotes!

The malicious url is www.b00gle.com/fa/?d=get
I have no access to the raw server logs and my own log script shows no
strange hits around that time.
How have they done this? And what can I do about it? I ask here because the site uses PHP a lot but I guess there are more appropriate places to ask.
Thanks
Ivo

did a quick google. you are not the only victim...
Here is tiny url link to google results
http://tinyurl.com/39st6
Jul 17 '05 #5
Ivo
"PhilM" wrote
"Ivo" wrote
it appears someone has broken into my site. This morning I found about 20 files (each called index.htm) suddenly featured this line:

<IFRAME SRC="url-of-bad-site" WIDTH=1 HEIGHT=1></IFRAME>
< snip > did a quick google. you are not the only victim...
Here is tiny url link to google results
http://tinyurl.com/39st6


My host has taken steps and reconfigured the server. The network status
page,
<URL: http://freeola.info/networkstatus.php > sais:
"An investigation has exposed a software vulnerability which, in certain
circumstances, may allow a malicious user to insert HTML code into other
users web files. Some customers have reported that their web site now
appears to launch extra windows and software installers."

As far as PHP is concerned, some functions are no longer possible,
particularly those that call remote content.
copy(remote file, local file);
now results in 'file does not exist' where it copied just fine last week.
Strange thing is, the 'allow_url_fopen' directive is still 'On' according to
phpinfo. I think I have just traded some freedom for some security.
Ivo

Jul 17 '05 #6
Dan

"Ivo" <no@thank.you> wrote in message
news:40**********************@news.wanadoo.nl...
"PhilM" wrote
"Ivo" wrote
it appears someone has broken into my site. This morning I found about 20 files (each called index.htm) suddenly featured this line:

<IFRAME SRC="url-of-bad-site" WIDTH=1 HEIGHT=1></IFRAME>
< snip >
did a quick google. you are not the only victim...
Here is tiny url link to google results
http://tinyurl.com/39st6


My host has taken steps and reconfigured the server. The network status
page,
<URL: http://freeola.info/networkstatus.php > sais:
"An investigation has exposed a software vulnerability which, in certain
circumstances, may allow a malicious user to insert HTML code into other
users web files. Some customers have reported that their web site now
appears to launch extra windows and software installers."

As far as PHP is concerned, some functions are no longer possible,
particularly those that call remote content.
copy(remote file, local file);
now results in 'file does not exist' where it copied just fine last week.
Strange thing is, the 'allow_url_fopen' directive is still 'On' according

to phpinfo. I think I have just traded some freedom for some security.
Ivo

I had something similar to this happen to me on a hosted site last year. My
root directory and all subdirectories had a "bad" index.php written in them.
The server administrator said it was an old, unpatched exploit on apache (I
don't know if this was the case or not). Nothing else appeared to have been
disturbed.

Jul 17 '05 #7
Ivo wrote:

I have a PHP script which allows me to do everything without FTP, and
live in constant fear someone might find the password. The freakin'
pimps have been writing to my admin/index.htm file!


Ivo,

Given that such a script exists, and is only protected by a simple password,
and you don't have access to the logs to determine what the method of
intrusion is, I'd say you have answered your own question. I couldn't be
sure, but if your PHP scripts allow some sort of PHP code injection, or your
admin script is found, it would be trivial for someone to write to the
filesystem.

Rather than asking for speculation as to the cause of this, you should
probabely practise a little better security policy.

Get access to the logs. Get rid of this script and use FTP/SFTP for file
transfer. Spend some time reading up on writing secure code.
Nathan
Jul 17 '05 #8
New Post

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

2
PHP and MySQL Security for a Newb
by: Xizor | last post by:
Ok, I'm new to PHP and MySQL. I've been going through tutorials, reading the documentation, and looking through web sites. PHP to me seems great! With MySQL it seems even better. However, I'm an...
PHP
116
Security - more complex than I thought
by: Mike MacSween | last post by:
S**t for brains strikes again! Why did I do that? When I met the clients and at some point they vaguely asked whether eventually would it be possible to have some people who could read the data...
Microsoft Access / VBA
5
about high security field
by: Suresh | last post by:
Hi All I am designing DB2 database. I have some entities each has nearly 40-60 attributes. Each of these entity (table) have password, some other information as high security attribute. So...
DB2 Database
4
Looking for general advice on security
by: tony | last post by:
I'm designing a survey form page that will be fairly complex and am becoming confident enough with PHP now to tackle most things. (Thanks to everyone here who has helped) Before I go too far...
PHP
8
Critical javascript security flaw in firefox
by: Matt Kruse | last post by:
http://news.zdnet.com/2100-1009_22-6121608.html Hackers claim zero-day flaw in Firefox 09 / 30 / 06 | By Joris Evers SAN DIEGO--The open-source Firefox Web browser is critically flawed in...
Javascript
15
Security - PHP Vs Java
by: himilecyclist | last post by:
My State government organization has written a PHP/MySQL application which has been in production for about 6 months and has been highly successful. We are now embarking on a similar database...
PHP
19
Choosing a host based on their PHP "security" measures
by: hansBKK | last post by:
Upfront disclaimer - I am a relative newbie, just starting out learning about PHP, mostly by researching, installing and playing with different scripts. I am looking for a host that will provide...
PHP
9
Javascript and security
by: Ed Jay | last post by:
Someone posted the following statement in another ng: "One significant reason for disabling JavaScript when browsing the Internet is that it is a definite security hazard to the user if they...
Javascript
2
Adding security question/answer check to ASP.NET *ChangePassword* control
by: Ken Fine | last post by:
I want to add the security question and answer security feature to the ChangePassword control. I am aware that this functionality is built into the PasswordRecovery tool. I have implemented the...
ASP.NET
0
How to turn on java script in a villaon keypad mobile phone
by: Charles Arthur | last post by:
How do i turn on java script on a villaon, callus and itel keypad mobile phone
Java
0
Basic Javascript concepts
by: aa123db | last post by:
Variable and constants Use var or let for variables and const fror constants. Var foo ='bar'; Let foo ='bar';const baz ='bar'; Functions function $name$ ($parameters$) { } ...
Javascript
0
Merging data from multiple Excel files
by: ryjfgjl | last post by:
In our work, we often receive Excel tables with data in the same format. If we want to analyze these data, it can be difficult to analyze them because the data is spread across multiple Excel files...
Data Management
0
Migrating Website to Cloud - Emmanuel Katto
by: emmanuelkatto | last post by:
Hi All, I am Emmanuel katto from Uganda. I want to ask what challenges you've faced while migrating a website to cloud. Please let me know. Thanks! Emmanuel
General
0
BarryA
Navigating the Data Structures and Algorithms (DSA)
by: BarryA | last post by:
What are the essential steps and strategies outlined in the Data Structures and Algorithms (DSA) roadmap for aspiring data scientists? How can individuals effectively utilize this roadmap to progress...
Algorithms / Advanced Math
1
Looking to do Android software development, any suggestions? Is flutter better?
by: nemocccc | last post by:
hello, everyone, I want to develop a software for my android phone for daily needs, any suggestions?
General
0
How to build RAID in BIOS?
by: Hystou | last post by:
There are some requirements for setting up RAID: 1. The motherboard and BIOS support RAID configuration. 2. The motherboard has 2 or more available SATA protocol SSD/HDD slots (including MSATA, M.2...
Computer Hardware
0
Changing the language in Windows 10
by: Hystou | last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can...
Windows Server
0
jinu1996
Maximizing Business Potential: The Nexus of Website Design and Digital Marketing
by: jinu1996 | last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven...
Online Marketing

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.

BYTES.COM © 2024
About Bytes
Terms Of Use
Privacy Policy
Sitemap
Advertise on Bytes:
Post a Job
Sponsored Posts
Platinum & Gold Sponsors
Hire Now!