Code Injection

Kudose

'ello all.

The company I work has a client who had their site attacked. I am pretty sure this happened due to template files being world writable.

I am curious to know if anyone has any links or info on how someone can inject code into your files (other than the simple include($page) no-no).

What happened here was all of his template files and even a few non-template files were subject to an eval/base64_decode attack. The code was placed at the top of each file, wrapped in PHP tags.

I am in the prevention area as opposed to the attacking area, so I am not really sure how someone would go about doing this. I should know to help secure things ... which is why I am asking.

TIA!

bradgrafelman

Kudose wrote:
I am in the prevention area as opposed to the attacking area, so I am not really sure how someone would go about doing this.

In order to be "in" one of those areas, you really should learn a lot about the opposite, don't you think? A "know thy enemy" type of approach? :p

Where is the site hosted? Is this an internal server, or some 3rd party (shared?) provider? Is there a reason that anyone other than the owner of the template/PHP files would need write access?

Kudose

This site is hosted with bluehost (thankfully not on our servers) ... the client made the error of changing the file permissions to edit them via the software package he was using. He failed to change the permissions back.

I guess my real question would be (which tends not to get an answer); how do you exploit world writable files?

I agree that I should learn how they exploit and know a bit, just not enough and I tend to get funny looks and talks from the network admins when I search for php exploit tutorials. 🙂

Any good books out there? I am aware how buffer overflows and external includes are executed. Also how you can upload a PHP file in a file upload and execute the moved file, even how to use extract($_REQUEST) against the server. I just need more info I guess and don't know where to look. Not to slam Google, but it isn't as easy to find useful stuff as it used to be. I am looking to be proactive in learning instead of reactive. 🙂

dalecosp

This help?

http://theandystratton.com/2010/shared-godaddy-hosting-wordpress-malware-hack-fix

Kudose

Thanks a lot. Got any more good links? 🙂

mrbaseball34

We had a similar incident last month, Have them double-check their FTP logs as that is how they got in and modified our files. Ours were even 644, yet the managed to modify most of our index.php and 404.php files on several of our websites.

Don't know how they got our FTP pwds but we quickly changed them. Somehow, they got in again after we changed them and that led me to believe it was a server issue but the ISP would never admit it. We have since changed them again, removed the pwds from any FTP utilities, everyone MUST type in the pwds, and we also added the IP block that the intruder came from to our exclude list on our firewall.

Funny because the FTP pwd was the same as the WHM/cPanel login pwd for all our sites and we were surprised that all they did was put an iframe at the bottom of each PHP file.

laserlight

mrbaseball34 wrote:
Don't know how they got our FTP pwds but we quickly changed them.

If you were really using FTP rather than something more secure like SFTP, your passwords would have been sent in the clear.

dalecosp

Righty-o. Can't hardly imagine anyone allowing FTP over the WAN anymore. SFTP is easy to use as it's a subset of SSH which is generally installed by default if you have a real server 😉

I'm paranoid enough my SSH doesn't even use passphrases ... keys, baby.

mrbaseball34

Yes, we recently moved to SFTP. I am the only one that uses it as no one else connects to the site using any kind of FTP.