Bytes | Software Development & Data Engineering Community

PHP based web site being hacked

This is an annoying situation that we are in at the moment, and we are in need of some quick help here, please. We have a web site that uses PHP scripts in the shopping cart. There is also an installation of a blogging script (b2evolution) along with a links directory script as well. Lately we noticed that links on our web site were taking people away to a notorious web site where people could buy some crap. Upon investigation it was found that there was a PHP-based file on our web server that didn't belong to us. When we tried to download it, our anti-virus caught it as a PHP-based backdoor. OK, now what it does is insert a piece of JavaScript into a page that they want to hack. The JavaScript itself is nothing apart from a web site hosted in China.

Has somebody ever experienced this kind of situation, and what could be the solution? We have taken the security measures that you would expect someone to take, but there has been a second attempt after that as well.
Jan 22 '10 #1
Markus
6,050 Expert 4TB
It sounds like you're allowing your website to run some arbitrary code, known as XSS (cross-site scripting). You can google to find articles on the subject. Another possibility is that you're allowing visitors to upload files to your website without first sanitising the file. Without having access to your code, though, we can only provide vague answers.
Jan 22 '10 #2
dgreenhouse
250 Expert 100+
I've had a few sites that got hacked because the client had weak passwords or "heaven forbid" I didn't write the code correctly! :-)

There are a tremendous number of automated "vulnerability scans" and "password hacks" running on the Internet that insert code into sites. And yes, your problem may have started with an uploaded file.

The last hack that hit a client inserted a JavaScript script into every index.php, index.html, and index.htm that it found in the site's whole directory tree. Fortunately, this particular hack was an obscure Joomla hack that just damaged the files and didn't cause too much havoc - other than lost money and time :-(. This site wasn't even based on Joomla!

Make sure any FTP & admin panel passwords are "STRONG" so at least your site isn't susceptible to these kinds of hacks.

As far as XSS and CSRF go - see:
http://en.wikipedia.org/wiki/Cross-site_scripting
http://en.wikipedia.org/wiki/Cross-site_request_forgery

Also, review your raw log files and look for a series of requests for files that returned 404 errors from the same IP address. You'll notice that there will be a bunch of requests returning 404s all throughout your raw logs that are in close proximity. This is an indication of an automated vulnerability scan, but sometimes it's just a determined "script kiddie."
Many times these scans are trying to access files such as admin/index.php, phpMyAdmin/index.php, phpMyAdmin, etc., and as stated, they're bunched together in a group.

Also, look at the modification time of the file(s) that have been hacked to limit your log search to around that time (typically the damage doesn't start to show up until some time after the file changes). Also, look at the file time of the PHP script file that inserted the bad code. This is of course post-mortem, but it will help in protecting against the problem in the future. CHANGE YOUR PASSWORDS!

Finally, as Markus mentioned, it might just be an XSS attack based upon comments in the blog. Make sure that b2Evolution is properly cleansing any comments being posted by users and no b2evolution installation files are still on the server.
(This last one I'm just making an assumption as I've never installed or used b2evolution on a site.)
Jan 22 '10 #3
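An added example (not from the thread) of the log review dgreenhouse describes: it parses Apache combined-format lines, flags client IPs that produce a tight cluster of 404s, and narrows the log to a window around a hacked file's modification time. The log lines, the IPs and the modification time are constructed samples, and the function names are mine.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample in Apache combined-log format; these hosts and requests are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Jan/2010:03:14:05 +0000] "GET /admin/index.php HTTP/1.1" 404 312 "-" "Mozilla/4.0"
203.0.113.7 - - [20/Jan/2010:03:14:06 +0000] "GET /phpMyAdmin/index.php HTTP/1.1" 404 312 "-" "Mozilla/4.0"
203.0.113.7 - - [20/Jan/2010:03:14:07 +0000] "GET /phpMyAdmin/ HTTP/1.1" 404 312 "-" "Mozilla/4.0"
203.0.113.7 - - [20/Jan/2010:03:14:08 +0000] "GET /mysql/ HTTP/1.1" 404 312 "-" "Mozilla/4.0"
198.51.100.9 - - [20/Jan/2010:03:20:11 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.9 - - [20/Jan/2010:03:21:40 +0000] "GET /images/old.png HTTP/1.1" 404 300 "-" "Mozilla/5.0"
192.0.2.44 - - [21/Jan/2010:22:01:33 +0000] "GET /blog/index.php HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
"""
# Constructed modification time of the dropped backdoor file (what ls -l or stat would show).
SHELL_MTIME = datetime(2010, 1, 20, 4, 0, tzinfo=timezone.utc)

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None for an unparsable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def find_404_bursts(log_text, min_hits=3, window=timedelta(seconds=60)):
    # Map each client IP to the paths of its first run of >= min_hits 404s inside `window`.
    # Ordinary visitors produce isolated 404s; automated scanners produce tight clusters.
    per_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if rec[4] == 404:
            per_ip[rec[0]].append((rec[1], rec[3]))
    bursts = {}
    for ip, hits in per_ip.items():
        hits.sort()
        for i in range(len(hits)):
            run = [path for (t, path) in hits[i:] if t - hits[i][0] <= window]
            if len(run) >= min_hits:
                bursts[ip] = run
                break
    return bursts

def lines_near(log_text, mtime, before=timedelta(hours=24), after=timedelta(hours=1)):
    # Keep only the lines logged in a window around a hacked file's modification time.
    recs = [(line, parse_line(line)) for line in log_text.splitlines()]
    return [line for line, r in recs if r and mtime - before <= r[1] <= mtime + after]
```

Run it over a real access log by reading the file into `log_text`; the burst threshold and window are tunable, and the 404 paths it reports are exactly the bunched admin/phpMyAdmin probes the post mentions.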
kovik
1,044 Expert 1GB
Sanitize ALL user input before using it.

User input includes, but is not limited to:
  • The $_POST array,
  • The $_GET array,
  • The $_FILES array,
  • The $_COOKIE array,
  • The $_SERVER array in regards to client information and URL information,
  • And the non-recommended $_REQUEST array.

Sanitization is a case-by-case process. In other words, the same data can be filtered differently for MySQL queries (i.e. mysql_real_escape_string) and for display on the website (i.e. htmlspecialchars). Just note that whenever you have an occurrence of any elements from the arrays that I mentioned, you are NOT **EVER** taking the data at face value unless you want to run the risk of unwanted data.
Jan 23 '10 #4
itsloop
18
All advice is valuable, but I want to add one more piece of advice: do you have any public area from which your visitors can post some data which is not validated for <HTML> and other scripting tags? e.g.

    <script>document.location.href='whereever.com';</script>

This can also be a problem; please also check this.

If this is the problem then you can use the

    strip_tags

function for it.
Jan 23 '10 #5
kovik
1,044 Expert 1GB
htmlspecialchars is less invasive and preferred over strip_tags. This is due to the fact that strip_tags actually changes what the user inputs. So, let's say that a user is writing something like command-line arguments for an application that they use. The accepted format for doing this is "command <argument1> <...>".

See how that could be a problem?
Jan 23 '10 #6
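An added example (not from the thread) that puts kovik's two points together, that sanitization is per sink and that escaping beats stripping: a Python stand-in for PHP's strip_tags() beside an htmlspecialchars()-style escape, with the same comment text stored unchanged through a parameterised SQLite query and escaped only when rendered. The comments are constructed (the script one is the snippet itsloop posted) and the function names are mine.

```python
import html
import re
import sqlite3

# Constructed comments: one legitimate post that happens to contain angle brackets,
# and one script injection of the kind the thread describes.
USER_COMMENTS = [
    "Usage: command <argument1> <...>",
    "<script>document.location.href='whereever.com';</script>",
]

TAG_RE = re.compile(r"<[^>]*>")

def strip_tags(text):
    # Crude stand-in for PHP's strip_tags(): deletes anything that looks like a tag,
    # so it silently destroys legitimate content such as "<argument1>".
    return TAG_RE.sub("", text)

def for_html(text):
    # Stand-in for htmlspecialchars(): nothing is lost, the browser shows the text
    # literally and never treats <script> as markup.
    return html.escape(text, quote=True)

def store_comments(conn, comments):
    # The raw text goes to the database unchanged, via a parameterised query: the SQL
    # sink needs parameter binding, not HTML escaping, so the stored value stays exact.
    conn.execute("CREATE TABLE IF NOT EXISTS comments (id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany("INSERT INTO comments (body) VALUES (?)", [(c,) for c in comments])
    return [body for (body,) in conn.execute("SELECT body FROM comments ORDER BY id")]

def render_page(conn):
    # Escaping happens at output time, per sink, not once on the way in.
    rows = conn.execute("SELECT body FROM comments ORDER BY id")
    return "\n".join(f"<p>{for_html(body)}</p>" for (body,) in rows)

def demo(comments=USER_COMMENTS):
    # Store both comments in an in-memory database, then return what was stored
    # and the rendered HTML so both can be inspected.
    conn = sqlite3.connect(":memory:")
    stored = store_comments(conn, comments)
    return stored, render_page(conn)

if __name__ == "__main__":
    print(repr(strip_tags(USER_COMMENTS[0])))   # the usage text is mangled
    print(demo()[1])                            # the script is shown as text, not run
```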
alique
2
After looking into the logs, we have found some useful information on the attack and the method used. I can post the log here if that is OK. During the research, we found countless sites infected with this particular r57.php shell.
Jan 27 '10 #7
kovik
1,044 Expert 1GB
Then you need to find out where in your website you allowed this download and quarantine that section until you fix the problem.
Jan 27 '10 #8
