Security Hole


n8w

ahhahhhh I thought I solved the problem .. but my site is still getting hacked.

turned off register globals

changed my password

changed my permissions to 400 but there is still some problem

 

The problem is with my caching script .. but I can't figure out where .. do you see any security holes?

 

top include file

  <?php

  // Settings
  $cachedir = '../cache/'; // Directory to cache files in (keep outside web root)
  $cachetime = 3600; // Seconds to cache files for
  $cacheext = 'cache'; // Extension to give cached files (usually cache, htm, txt)

  // Ignore List
  $ignore_list = array(
    'ilovejackdaniels.com/rss.php',
    'ilovejackdaniels.com/search/'
  );

  // Script
  $page = 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']; // Requested page
  $cachefile = $cachedir . md5($page) . '.' . $cacheext; // Cache file to either load or create

  $ignore_page = false;
  for ($i = 0; $i < count($ignore_list); $i++) {
    $ignore_page = (strpos($page, $ignore_list[$i]) !== false) ? true : $ignore_page;
  }

  $cachefile_created = ((@file_exists($cachefile)) and ($ignore_page === false)) ? @filemtime($cachefile) : 0;
  @clearstatcache();

  // Show file from cache if still valid
  if (time() - $cachetime < $cachefile_created) {

    //ob_start('ob_gzhandler');
    @readfile($cachefile);
    //ob_end_flush();
    exit();

  }

  // If we're still here, we need to generate a cache file

  ob_start();

?>

 

bottom include file

 

  <?php

  // Settings
  $cachedir = '../cache/'; // Directory to cache files in (keep outside web root)
  $filesdeleted = 0; // Integer counter, so += 1 is plain arithmetic

  // Delete every file in the cache directory and report each one
  if ($handle = @opendir($cachedir)) {
    while (false !== ($file = @readdir($handle))) {
      if ($file != '.' and $file != '..') {
        $filesdeleted += 1;
        echo $filesdeleted . ' - ' . $file . ' deleted.<br>';
        @unlink($cachedir . '/' . $file);
      }
    }
    @closedir($handle);
  }

Link to comment
Share on other sites

ps .... here are the errors I usually get

 

 

[05-Jun-2008 08:07:29] PHP Warning: session_start() [<a href='function.session-start'>function.session-start</a>]: Cannot send session cookie - headers already sent by (output started at /home/illustra/public_html/index.php:2) in /home/illustration/public_html/inc_session.php on line 1

[05-Jun-2008 08:07:29] PHP Warning: session_start() [<a href='function.session-start'>function.session-start</a>]: Cannot send session cache limiter - headers already sent (output started at /home/illustra/public_html/index.php:2) in /home/illustration/public_html/inc_session.php on line 1

[05-Jun-2008 08:13:58] PHP Warning: session_start() [<a href='function.session-start'>function.session-start</a>]: Cannot send session cookie - headers already sent by (output started at /home/illustra/public_html/index.php:2) in /home/illustration/public_html/inc_session.php on line 1

Link to comment
Share on other sites

Is your site actually getting hacked, and if so, what exactly is occurring or are you just getting that error message?

 

The error messages just mean that your code is sending output on line 2 in index.php that is preventing the session_start() statement in inc_session.php from working. You would need to post index.php to get specific help with what it is doing wrong.

 

 

Link to comment
Share on other sites

yes it's getting hacked.

 

a page typically looks like this

 

<?php
require_once('begin_caching.php');
require_once('inc_session.php');
require_once('inc_header.php');
?>
The page content .. usually database calls .. that is why I am caching it.
<?php
require_once('inc_footer.php');
require_once('end_caching.php');
?>

 

The end user sees this

session_start() [<a href='function.session-start'>function.session-start</a>]: Cannot send session cache limiter - headers already sent (output started at /home/illustration/public_html/index.php:2)

 

but when I view the html source I see this at the top of the page

 

<noscript><a href="http://www.msndesex.com" title="porno">porno</a> <a href="http://www.wikipediatr.com" title="vikipedia">vikipedia</a> <a href="http://www.r57shell.in" title="r57 shell">r57 shell</a> <a href="http://www.galatasarayhaber.org" title="galatasaray haber">galatasaray haber</a></noscript>
<br />
<b>Warning</b>:  session_start() [<a href='function.session-start'>function.session-start</a>]: Cannot send session cache limiter - headers already sent (output started at /home/illustration/public_html/index.php:2) in <b>/home/illustra/public_html/inc_session.php</b> on line <b>4</b><br />

 

I delete the cache files on the server and it still shows .. so then I comment out the //require_once('begin_caching.php'); refresh it .. and then put it back in and the problem is solved temporarily

 

I have register globals turned off

I have changed the permissions to my scripts to 400

 

... but then it happens a day later ..

Link to comment
Share on other sites

Was the bad content present in the cache file(s)?

 

It would be possible due to the buffering and caching that operating systems, web servers, and browsers do for the content to appear to be present even after you deleted the cache files.

 

The code posted so far only reads and outputs the cache file(s). If the bad content is present in the cache files, the place to be looking would be the code that creates the pages that are written to the cached files (such as a form that echoes $_SERVER['PHP_SELF'] which allows code on the end of the URL to be output on a page, which in your case, you are caching in a file to be output later) or other code on your site (such as an upload or a guest book...) that allows writing to folders/locations besides the intended one.

Link to comment
Share on other sites
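The PHP_SELF case from the reply above, as an added example that is not part of the original thread: the key derivation from the posted caching script, with a form action written raw and then escaped. The function names, the in-memory `$cache` array and the request values are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Function names, the $cache array
// and the request values below are constructed for illustration.

// Same key derivation as the posted caching script.
function cache_key(string $host, string $uri): string
{
    return md5('http://' . $host . $uri) . '.cache';
}

// Pattern the reply warns about: PHP_SELF copied into the markup unescaped.
function form_raw(string $phpSelf): string
{
    return '<form method="post" action="' . $phpSelf . '">';
}

// Hardened form: escape the value for an HTML attribute context.
function form_escaped(string $phpSelf): string
{
    return '<form method="post" action="'
        . htmlspecialchars($phpSelf, ENT_QUOTES, 'UTF-8') . '">';
}

// Constructed request: text after the script name ends up in PHP_SELF,
// which carries the URL-decoded path.
$host    = 'www.example.com';
$uri     = '/index.php/%22%3E%3Cb%3Eextra%3C/b%3E';
$phpSelf = rawurldecode($uri);

// Stand-in for the output buffer being written to the cache directory.
$cache = [];
$cache[cache_key($host, $uri)] = form_raw($phpSelf);

// The raw page is stored with a <b> element that came from the URL.
var_dump(strpos($cache[cache_key($host, $uri)], '<b>extra</b>') !== false);
// The escaped page keeps the same text inert inside the attribute.
var_dump(strpos(form_escaped($phpSelf), '<b>') === false);
// The key covers host + URI, so this entry is separate from /index.php's.
var_dump(cache_key($host, $uri) !== cache_key($host, '/index.php'));
```

Where the page does not need path info, `$_SERVER['SCRIPT_NAME']` avoids the trailing text altogether; escaping is still the right habit for anything written into markup.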

right before it gets hacked I get a post error ... saying it exceeded the file size

 

here is the cache file

  <?php

  // Settings
  $cachedir = '../cache/'; // Directory to cache files in (keep outside web root)
  $cachetime = 3600; // Seconds to cache files for
  $cacheext = 'cache'; // Extension to give cached files (usually cache, htm, txt)

  // Ignore List
  $ignore_list = array(
    'ilovejackdaniels.com/rss.php',
    'ilovejackdaniels.com/search/'
  );

  // Script
  $page = 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']; // Requested page
  $cachefile = $cachedir . md5($page) . '.' . $cacheext; // Cache file to either load or create

  $ignore_page = false;
  for ($i = 0; $i < count($ignore_list); $i++) {
    $ignore_page = (strpos($page, $ignore_list[$i]) !== false) ? true : $ignore_page;
  }

  $cachefile_created = ((@file_exists($cachefile)) and ($ignore_page === false)) ? @filemtime($cachefile) : 0;
  @clearstatcache();

  // Show file from cache if still valid
  if (time() - $cachetime < $cachefile_created) {

    //ob_start('ob_gzhandler');
    @readfile($cachefile);
    //ob_end_flush();
    exit();

  }

  // If we're still here, we need to generate a cache file

  ob_start();

?>

 

Link to comment
Share on other sites

Are you allowing file uploads somewhere?

 

Check for any images that you didn't personally upload. This happened with our photo gallery; someone had embedded code into an image and it was run, changing files with poor permission settings.

Link to comment
Share on other sites
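One way to run the two checks suggested in this thread (bad content inside the cache files, and images carrying embedded PHP), as an added example that is not part of the original posts. The directory layout, file names and sample contents are constructed; the markers are a `<noscript><a href` block like the one quoted earlier in the thread and the PHP open tag.

```php
<?php
// Added example, not code from the thread. Paths and sample files are constructed.

// Return the names of files under $dir with one of the given extensions
// whose contents match $pattern.
function scan_dir(string $dir, array $extensions, string $pattern): array
{
    $hits = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if (!$file->isFile()
            || !in_array(strtolower($file->getExtension()), $extensions, true)) {
            continue;
        }
        $data = file_get_contents($file->getPathname());
        if ($data !== false && preg_match($pattern, $data) === 1) {
            $hits[] = $file->getFilename();
        }
    }
    sort($hits);
    return $hits;
}

// Cached pages: a hidden link block like the one quoted in the thread.
const HIDDEN_LINKS = '~<noscript>\s*<a\s+href=~i';
// Uploaded images: a PHP open tag has no business inside image data.
const PHP_TAG = '~<\?php~i';

// Constructed sample tree so the example runs anywhere.
$root = sys_get_temp_dir() . '/scan_demo_' . uniqid();
mkdir("$root/cache", 0700, true);
mkdir("$root/uploads", 0700, true);
file_put_contents("$root/cache/aaa.cache", '<html><body>clean page</body></html>');
file_put_contents("$root/cache/bbb.cache",
    '<noscript><a href="http://spam.example">x</a></noscript><html>');
file_put_contents("$root/uploads/ok.gif", "GIF89a\x01\x00\x01\x00");
file_put_contents("$root/uploads/odd.jpg", "\xFF\xD8\xFF\xE0JFIF<?php echo 1;");

print_r(scan_dir("$root/cache", ['cache'], HIDDEN_LINKS));
print_r(scan_dir("$root/uploads", ['jpg', 'jpeg', 'gif', 'png'], PHP_TAG));
```

A hit is a reason to inspect the file by hand, not proof of compromise: a legitimate page can contain a `<noscript>` link.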
