Bytes IT Community

Tracking down a hacker (my site has been compromised)

Tarantulus
100+
P: 114
Hi guys,

I've been hacked. My homepage has had <script> tags inserted into it pointing to a Russian site with a trojan...

The only problem is I don't know how, and I don't know where to start looking.

The page in question is static HTML, no PHP at all, but I'm assuming the attack vector is somewhere in the PHP or SQL. Am I barking up the wrong tree?

Any pointers will be much appreciated, as I'm completely lost.

Thanks in advance
Aug 21 '08 #1
4 Replies


FLEB
P: 30
- Is the server space managed by someone else? Is it a shared host? If it's a shared host or a server managed by someone else, the attacker may have come in by exploiting some software or services on the server that you have no control over. If it's a shared host, they might have gotten in through someone else's insecure script, and been able to get at your files through inadequate user separation.

- Is that HTML directory set to be world-writable? If so, you may want to look at any scripts that have the ability to write to the server.

As for tracking down the attacker, you might have a look at your access and error logs. IIRC, there are tools you can use to scan and analyze your logs, although I don't know them offhand. Also, if you're running on managed space, talk to the people who run the servers; they might have more access and insight into what happened.
Aug 21 '08 #2
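The three things FLEB suggests checking (the files themselves, directory permissions, and the access logs) can be scripted. The following is an added example, not code from FLEB or from anyone in this thread: three small PHP triage helpers plus a demo run on constructed data. It assumes the web server writes Apache/nginx "combined" access-log lines, and that on a site meant to be static HTML any POST to a PHP script, and any <script src> pointing at a host outside an allowlist, deserves a look. Hostnames, IPs and log lines in the demo are made up.

```php
<?php
// Added example (not from the thread): triage helpers for a static site whose
// HTML has had a <script> tag injected. Assumes "combined" access-log format.

// 1. List external <script src="..."> references in an HTML document.
//    A static page should only load scripts from hosts you recognise.
function findExternalScripts(string $html, array $allowedHosts): array
{
    $found = [];
    if (preg_match_all('/<script[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']/i', $html, $m)) {
        foreach ($m[1] as $src) {
            $host = parse_url($src, PHP_URL_HOST);   // null for relative URLs
            if (!empty($host) && !in_array(strtolower($host), $allowedHosts, true)) {
                $found[] = $src;
            }
        }
    }
    return $found;
}

// 2. POST requests to PHP scripts, one record per matching log line, so you
//    can pivot on the client IP or the script afterwards. (Assumption: on a
//    mostly static site these are the first requests worth inspecting.)
function postsToPhp(array $logLines): array
{
    $hits = [];
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "POST (\S+\.php\S*) [^"]*" (\d{3})/';
    foreach ($logLines as $line) {
        if (preg_match($re, $line, $m)) {
            $hits[] = ['ip' => $m[1], 'time' => $m[2], 'path' => $m[3], 'status' => (int) $m[4]];
        }
    }
    return $hits;
}

// 3. World-writable files or directories under a document root: on a shared
//    host anything listed here can be rewritten by another user's script.
function worldWritable(string $dir): array
{
    $bad = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($iter as $path => $info) {
        if ((fileperms($path) & 0002) !== 0) {   // "other" write bit set
            $bad[] = $path;
        }
    }
    return $bad;
}

// --- constructed demo input (made-up hosts, addresses and log lines) --------
$allowedHosts = ['www.example.com', 'ajax.googleapis.com'];
$html = '<html><head><script src="/js/site.js"></script>'
      . '<script type="text/javascript" src="http://unknown-host.example/t.js"></script>'
      . '</head><body>hello</body></html>';
echo "External scripts:\n";
print_r(findExternalScripts($html, $allowedHosts));

$log = [
    '203.0.113.5 - - [21/Aug/2008:03:12:44 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [21/Aug/2008:03:13:01 +0000] "POST /admin/upload.php HTTP/1.1" 200 311 "-" "curl/7.18"',
    '198.51.100.7 - - [21/Aug/2008:03:13:09 +0000] "GET /index.html HTTP/1.1" 200 5210 "-" "curl/7.18"',
];
echo "POSTs to PHP scripts:\n";
print_r(postsToPhp($log));

echo "World-writable entries under this directory:\n";
print_r(worldWritable(__DIR__));
```

Run the first helper over every .html file under the document root (for example with a glob and file_get_contents()), not just the page you noticed. The constructed log also shows the kind of correlation to look for when reading real logs: index.html is served at 5120 bytes, a POST hits a PHP script, and the same client then fetches index.html at a larger size. That sequence brackets the time of the modification and names the script to inspect first.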

pbmods
Expert 5K+
P: 5,821
Heya, Tarantulus.

If a file has been overwritten, you might have suffered from a file path injection attack.

Quick example:
    // client-supplied filename is used verbatim in the destination path
    move_uploaded_file($_FILES['upload']['tmp_name'], $_SERVER['DOCUMENT_ROOT'] . '/uploads/' . $_FILES['upload']['name']);

If the value of $_FILES['upload']['name'] is "../index.html" for example, your file might get overwritten.

To protect against file path injection, use realpath() (http://php.net/realpath) and do a strpos() against a known good directory.

Also, any script that include()'s or eval()'s User input can be compromised.

For example (and a very crude one, but bear with me):
    // client-supplied value decides which file gets included
    include $_GET['script_name'] . '.php';

If the value of $_GET['script_name'] is 'http://some-evil-domain.com/evil/script', then you'd be lucky if all that happened was your static index got rewritten!

To protect yourself against PHP code injection, you should get in the following habits:
  • Never ever ever trust input, no matter where it comes from. If it's supposed to be an int, cast it (http://php.net/manual/en/language.ty...e-juggling.php). If it's supposed to be a string, run it through a switch or in_array() to ensure that only "safe" values make it through.
  • Don't trust data from your database, either. If an attacker manages to inject any malicious code into your database, you have to be able to detect it. If you can, trigger some kind of alert when you encounter an attack that originates from database data, as you will have a much easier time tracing an attack if you know what script probably put it there.
  • Always escape output. If it's going to the database, run it through mysql_real_escape_string() (http://php.net/mysql_real_escape_string). If it's going to be sent to the browser, use htmlentities() (http://php.net/htmlentities).
  • Never send ID numbers to the browser. The User's ID might be e.g., 428, but you should never send the browser to profile.php?user=428. Use his (unique) username instead and send the browser to profile.php?user=mickeyc. Best Buy got in trouble for this.

I bring up that last point because a crafty hacker might not be able to crack your login page, but if you rely on a User ID coming from the browser somewhere, then he might be able to use that to execute a script as, say, an Admin User.
Aug 22 '08 #3
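To make the two fixes pbmods describes concrete, here is an added example that is not pbmods' code: each vulnerable one-liner from the reply above is placed next to a hardened version, using realpath() plus strpos() against a known-good directory for the upload case and an in_array() whitelist for the include() case. It assumes an uploads directory and a pages directory that already exist, and that the request has already been authenticated; the function names and the demo filenames are made up for the illustration.

```php
<?php
// Added example (not pbmods' code): vulnerable handlers beside hardened ones.

// --- File path injection ----------------------------------------------------
// VULNERABLE (shown for contrast, never call it): the client-supplied name is
// used verbatim, so a name of "../index.html" overwrites the home page.
function saveUploadUnsafe(array $file, string $docRoot): bool
{
    return move_uploaded_file($file['tmp_name'], $docRoot . '/uploads/' . $file['name']);
}

// Work out where the upload would land and refuse anything outside $uploadDir.
// Returns the full target path, or null if the name is rejected.
function safeUploadTarget(string $uploadDir, string $clientName): ?string
{
    $base = realpath($uploadDir);            // known-good directory, canonical form
    if ($base === false) {
        return null;                         // upload directory is missing
    }
    // Reject, rather than silently strip, a name with a path component or odd
    // characters: an attempt like "../index.html" should fail loudly and be logged.
    if ($clientName !== basename($clientName)
        || !preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$/', $clientName)) {
        return null;
    }
    $target = $base . DIRECTORY_SEPARATOR . $clientName;
    // The realpath() + strpos() check pbmods describes: the canonical parent of
    // the target must begin with the known-good directory. realpath() is applied
    // to the parent because the target file does not exist yet.
    $parent = realpath(dirname($target));
    if ($parent === false
        || strpos($parent . DIRECTORY_SEPARATOR, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $target;
}

function saveUploadSafe(array $file, string $docRoot): bool
{
    $target = safeUploadTarget($docRoot . '/uploads', $file['name']);
    return $target !== null && move_uploaded_file($file['tmp_name'], $target);
}

// --- include() of user input ------------------------------------------------
// VULNERABLE (shown for contrast, never call it): the value names the file,
// and with allow_url_include enabled it can even name a remote one.
function loadPageUnsafe(): void
{
    include $_GET['script_name'] . '.php';
}

// Whitelist the values that are allowed, as pbmods' first habit suggests:
// the request selects from known-good names, it never supplies a path.
function resolvePage(string $requested, array $allowed): ?string
{
    return in_array($requested, $allowed, true) ? $requested . '.php' : null;
}

function loadPageSafe(): void
{
    $page = resolvePage($_GET['script_name'] ?? '', ['home', 'about', 'contact']);
    if ($page === null) {
        http_response_code(404);
        return;
    }
    include __DIR__ . '/pages/' . $page;
}

// --- demo with constructed names (no real upload or include happens) --------
$demoDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'uploads_demo';
if (!is_dir($demoDir)) {
    mkdir($demoDir);
}
foreach (['photo.jpg', '../index.html', '.htaccess', 'report.pdf'] as $name) {
    $t = safeUploadTarget($demoDir, $name);
    printf("%-36s => %s\n", $name, $t === null ? 'rejected' : $t);
}
foreach (['about', 'http://some-evil-domain.com/evil/script', '../../etc/passwd'] as $req) {
    $p = resolvePage($req, ['home', 'about', 'contact']);
    printf("%-36s => %s\n", $req, $p === null ? 'rejected' : $p);
}
```

Two design notes. The filename check rejects names with any directory part instead of trimming them with basename() alone, so a traversal attempt produces a failed request you can see in the logs rather than a quietly renamed file. And the check is only about where the file lands; deciding which file types may be uploaded, and keeping the uploads directory somewhere PHP is not executed, are separate controls that this example does not cover.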

P: 22
Hi. The attack on your machine probably came from somebody else's hacked zombie machine.
Aug 22 '08 #4

Tarantulus
100+
P: 114
Thanks for the detailed responses.
I'm not doing any file manipulation in my scripts, and for all of my SQL input I'm using mysql_real_escape_string(), so I'm assuming from what you've all said that the attack vector is out of my control (it's a shared host).

thanks a lot
Aug 22 '08 #5
