n8w Posted June 5, 2008

ahhahhhh I thought I solved the problem .. but my site is still getting hacked. I turned off register globals, changed my password, and changed my permissions to 400, but there is still some problem.

The problem is with my caching script .. but I can't figure out where .. do you see any security holes?

top include file

```php
<?php
// Settings
$cachedir  = '../cache/'; // Directory to cache files in (keep outside web root)
$cachetime = 3600;        // Seconds to cache files for
$cacheext  = 'cache';     // Extension to give cached files (usually cache, htm, txt)

// Ignore List
$ignore_list = array(
    'ilovejackdaniels.com/rss.php',
    'ilovejackdaniels.com/search/'
);

// Script
$page      = 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']; // Requested page
$cachefile = $cachedir . md5($page) . '.' . $cacheext; // Cache file to either load or create

$ignore_page = false;
for ($i = 0; $i < count($ignore_list); $i++) {
    $ignore_page = (strpos($page, $ignore_list[$i]) !== false) ? true : $ignore_page;
}

$cachefile_created = ((@file_exists($cachefile)) and ($ignore_page === false)) ? @filemtime($cachefile) : 0;
@clearstatcache();

// Show file from cache if still valid
if (time() - $cachetime < $cachefile_created) {
    //ob_start('ob_gzhandler');
    @readfile($cachefile);
    //ob_end_flush();
    exit();
}

// If we're still here, we need to generate a cache file
ob_start();
?>
```

bottom include file

```php
<?php
// Settings
$cachedir = '../cache/'; // Directory to cache files in (keep outside web root)

$filesdeleted = 0; // Running count of deleted cache files
if ($handle = @opendir($cachedir)) {
    while (false !== ($file = @readdir($handle))) {
        if ($file != '.' and $file != '..') {
            $filesdeleted += 1;
            echo $filesdeleted . ' - ' . $file . ' deleted.<br>';
            @unlink($cachedir . '/' . $file);
        }
    }
    @closedir($handle);
}
```

n8w Posted June 5, 2008

PS: here are the errors I usually get

```
[05-Jun-2008 08:07:29] PHP Warning: session_start() [<a href='function.session-start'>function.session-start</a>]: Cannot send session cookie - headers already sent by (output started at /home/illustra/public_html/index.php:2) in /home/illustration/public_html/inc_session.php on line 1
[05-Jun-2008 08:07:29] PHP Warning: session_start() [<a href='function.session-start'>function.session-start</a>]: Cannot send session cache limiter - headers already sent (output started at /home/illustra/public_html/index.php:2) in /home/illustration/public_html/inc_session.php on line 1
[05-Jun-2008 08:13:58] PHP Warning: session_start() [<a href='function.session-start'>function.session-start</a>]: Cannot send session cookie - headers already sent by (output started at /home/illustra/public_html/index.php:2) in /home/illustration/public_html/inc_session.php on line 1
```

PFMaBiSmAd Posted June 5, 2008

Is your site actually getting hacked, and if so, what exactly is occurring or are you just getting that error message?

The error messages just mean that your code is sending output on line 2 in index.php that is preventing the session_start() statement in inc_session.php from working. You would need to post index.php to get specific help with what it is doing wrong.

n8w Posted June 5, 2008

yes it's getting hacked.

a page typically looks like this

```php
<?php
require_once('begin_caching.php');
require_once('inc_session.php');
require_once('inc_header.php');
?>
The page content .. usually database calls .. that is why I am caching it.
<?php
require_once('inc_footer.php');
require_once('end_caching.php');
?>
```

The end user sees this

```
session_start() [<a href='function.session-start'>function.session-start</a>]: Cannot send session cache limiter - headers already sent (output started at /home/illustration/public_html/index.php:2)
```

but when I view the html source I see this at the top of the page

```html
<noscript><a href="http://www.msndesex.com" title="porno">porno</a> <a href="http://www.wikipediatr.com" title="vikipedia">vikipedia</a> <a href="http://www.r57shell.in" title="r57 shell">r57 shell</a> <a href="http://www.galatasarayhaber.org" title="galatasaray haber">galatasaray haber</a></noscript>
<br />
<b>Warning</b>: session_start() [<a href='function.session-start'>function.session-start</a>]: Cannot send session cache limiter - headers already sent (output started at /home/illustration/public_html/index.php:2) in <b>/home/illustra/public_html/inc_session.php</b> on line <b>4</b><br />
```

I delete the cache files on the server and it still shows .. so then I comment out the //require_once('begin_caching.php'); refresh it .. and then put it back in and the problem is solved temporarily.

I have register globals turned off. I have changed the permissions to my scripts to 400 ... but then it happens a day later ..

PFMaBiSmAd Posted June 5, 2008

Was the bad content present in the cache file(s)? It would be possible due to the buffering and caching that operating systems, web servers, and browsers do for the content to appear to be present even after you deleted the cache files.

The code posted so far only reads and outputs the cache file(s). If the bad content is present in the cache files, the place to be looking would be the code that creates the pages that are written to the cached files (such as a form that echoes $_SERVER['PHP_SELF'] which allows code on the end of the url to be output on a page, which in your case, you are caching in a file to be output later) or other code on your site (such as an upload or a guest book...) that allows writing to folders/locations beside the intended one.

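
The `$_SERVER['PHP_SELF']` case described in the post above, as an added example that is not part of the thread: it shows an unescaped form action being stored under the posted script's cache key and replayed, next to the encoded form. The host, URI, function names and the in-memory array are constructed for illustration, and it assumes the unseen end_caching.php writes the output buffer to the cache file unchanged.

```php
<?php
// Added example; not code from the thread. All request values are constructed.

// The pattern named in the post: PHP_SELF echoed into the page unescaped.
function render_form_unsafe(string $phpSelf): string {
    return '<form method="post" action="' . $phpSelf . '"></form>';
}

// Hardened: encode for an HTML attribute context before output.
function render_form_safe(string $phpSelf): string {
    return '<form method="post" action="'
        . htmlspecialchars($phpSelf, ENT_QUOTES, 'UTF-8') . '"></form>';
}

// Same key scheme as the posted cache script: md5 of host + request URI.
function cache_key(string $host, string $uri): string {
    return md5('http://' . $host . $uri);
}

// Constructed request: text after the script name is URL-decoded into PHP_SELF.
$host    = 'example.test';
$uri     = '/index.php/%22%3E%3Cb%3Einjected%3C/b%3E';
$phpSelf = rawurldecode($uri);

// An array stands in for the ../cache/ directory so nothing touches disk.
$cache = [];
$key   = cache_key($host, $uri);

// First request: the page is rendered and the buffer is stored as-is
// (assumption about end_caching.php, which the thread does not show).
$cache[$key] = render_form_unsafe($phpSelf);

// Later requests for the same URL get the stored markup replayed verbatim.
echo "cached, unsafe: ", $cache[$key], "\n";

// With encoding at output time, the stored copy carries only inert text.
$cache[$key] = render_form_safe($phpSelf);
echo "cached, safe:   ", $cache[$key], "\n";

// Does the request-supplied <b> tag survive as live markup in each version?
var_dump(strpos(render_form_unsafe($phpSelf), '<b>') !== false);
var_dump(strpos(render_form_safe($phpSelf), '<b>') !== false);
```
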
discomatt Posted June 5, 2008

Yes, show us how you generate cache files. There's an XSS attack somewhere in here.

n8w Posted June 11, 2008

right before it gets hacked I get a post error ... saying it exceeds the file size

here is the cache file

```php
<?php
// Settings
$cachedir  = '../cache/'; // Directory to cache files in (keep outside web root)
$cachetime = 3600;        // Seconds to cache files for
$cacheext  = 'cache';     // Extension to give cached files (usually cache, htm, txt)

// Ignore List
$ignore_list = array(
    'ilovejackdaniels.com/rss.php',
    'ilovejackdaniels.com/search/'
);

// Script
$page      = 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']; // Requested page
$cachefile = $cachedir . md5($page) . '.' . $cacheext; // Cache file to either load or create

$ignore_page = false;
for ($i = 0; $i < count($ignore_list); $i++) {
    $ignore_page = (strpos($page, $ignore_list[$i]) !== false) ? true : $ignore_page;
}

$cachefile_created = ((@file_exists($cachefile)) and ($ignore_page === false)) ? @filemtime($cachefile) : 0;
@clearstatcache();

// Show file from cache if still valid
if (time() - $cachetime < $cachefile_created) {
    //ob_start('ob_gzhandler');
    @readfile($cachefile);
    //ob_end_flush();
    exit();
}

// If we're still here, we need to generate a cache file
ob_start();
?>
```

Crusader Posted June 11, 2008

Are you allowing file uploads somewhere? Check for any images that you didn't personally upload.

This happened with our photo gallery, someone had embedded code into an image and it was run, changing files with poor permission settings.

cocoras Posted June 11, 2008

yes, that's the case .. i can see no other security hole

n8w Posted June 11, 2008

yes I allow .jpg image uploads only .. how did you fix it for your gallery?

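
One common way to harden the JPEG-only upload discussed above, as an added example that is not part of the thread and not the fix Crusader's gallery used: decode the upload and write a fresh JPEG under a server-chosen name, so appended data and metadata are not carried into the stored file. The function name, temp directory and sample file are constructed for illustration, and the GD extension is assumed to be loaded.

```php
<?php
// Added example; not code from the thread. Requires the GD extension.

// Re-encode an uploaded file as a fresh JPEG under a server-chosen name.
// Returns the stored path, or null if the file is not a decodable JPEG.
function store_jpeg_upload(string $tmpPath, string $destDir): ?string {
    $info = @getimagesize($tmpPath);           // inspects the image header
    if ($info === false || $info[2] !== IMAGETYPE_JPEG) {
        return null;
    }
    $img = @imagecreatefromjpeg($tmpPath);     // full decode of the pixel data
    if ($img === false) {
        return null;
    }
    // Never reuse the client's filename or extension.
    $dest = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.jpg';
    if (!imagejpeg($img, $dest, 85)) {         // writes pixels only
        return null;
    }
    chmod($dest, 0644);                        // readable, never executable
    return $dest;
}

// Constructed sample: a valid JPEG with a harmless PHP marker appended.
$dir = sys_get_temp_dir() . '/upload_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$tmp = $dir . '/incoming.tmp';
imagejpeg(imagecreatetruecolor(8, 8), $tmp);
file_put_contents($tmp, '<?php echo "MARKER"; ?>', FILE_APPEND);

// The raw upload still passes a header check while carrying the marker.
var_dump(getimagesize($tmp) !== false);
var_dump(strpos(file_get_contents($tmp), '<?php') !== false);

// After re-encoding, the stored file no longer contains the marker.
$stored = store_jpeg_upload($tmp, $dir);
var_dump($stored !== null && strpos(file_get_contents($stored), '<?php') === false);

// A non-image (this script itself) is rejected outright.
var_dump(store_jpeg_upload(__FILE__, $dir));
```

Re-encoding is one layer only: the upload directory should also be configured so the web server never runs PHP from it, and scripts and cache files should not be writable by the web server user.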