
Finding vulnerabilities in code?


mattachoo


My brother works for a company as a graphic designer.  A few years ago, I helped him out with the website by doing the PHP for it so he could add new information dynamically using PHP instead of uploading a new HTML file via FTP (The site gets updated almost every day). 

He got an email today from the host that a phishing site had been installed on the server. The page looked like a legit log-in screen for a bank, but it stole your information instead. He now needs to go back through and look at the code on the site to find the vulnerability that allowed this malicious user to place this malicious code on the site in the first place.

 

Now I made this site a while ago, and didn't know much about security then and don't know too much about it now either. So my question to you guys is, what should I look for? Where might this vulnerability be? Would it be only when I submit forms, or when a form has someone upload information from their hard drive to the server? What might these people have been able to exploit?

 

Keep in mind the malicious user was able to create a whole directory and upload these scripts to that directory.  Any help pointing me in the right direction would be helpful.  What to look for, how someone might do this, etc. 

 

Thanks for the help. 


Alright, without seeing your code, I would say that if a user from the internet actually installed something of the nature that you describe, your issue extends far beyond PHP code weaknesses.

 

Personally, I would say the box has probably been rooted (i.e. a rootkit was installed) and I would not trust the box at all. I would whack the box and start over.

 

Now a PHP code weakness may have been what allowed the attacker to cause the server to download the rootkit, mind you.

 

My first recommendation is to stop outbound port 80 from the server. If your app needs outbound 80 (e.g. RSS, etc.), then use a proxy like Squid or something.

 

The second recommendation is to format the server and build the OS again from scratch.  Reinstall your PHP app.

 

As far as code weaknesses go, pay attention to any upload abilities that the script has. Are you properly validating uploads (e.g. MIME types, expected file sizes, file extensions, etc.)?

 


Assuming a Linux distro...

 

In the case of a rootkit, what typically happens is an attacker uploads 'something' to the web server that is seemingly harmless by itself. Within the file that the attacker uploaded, however, is a set of instructions to download binary files from somewhere else on the internet using something like curl or wget. Those binary files get downloaded and then escalate their user privileges to root and then start doing some really nasty stuff like messing with your SSH/FTP service, etc.


I am coding to expect attacks

Firefox has a nice addon that checks for vulnerabilities to XSS attacks (CSS)

Look up htmlspecialchars, mysql_real_escape

Take apart upload file names and analyze them

Check your page referrer

There's a lot you can do

Do a search for php security

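The upload validation the second reply asks about (MIME type, size, extension) and the file-name analysis the last reply mentions, written out as one hardened PHP upload handler. This is an added example, not code from the thread or from the poster's site; the form field name "upload" and the destination directory are assumptions.

```php
<?php
// Added example: validate a browser upload before it touches the filesystem.
// Assumes the form field is named "upload" and $destDir is a directory that
// the web server does not execute scripts from (both are assumptions).
declare(strict_types=1);

const ALLOWED = [               // extension => MIME type the bytes must match
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
    'pdf' => 'application/pdf',
];
const MAX_BYTES = 2 * 1024 * 1024;   // 2 MiB; adjust to what the site needs

// Returns the generated file name on success, throws on any rejected upload.
function validate_upload(array $file, string $destDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with code ' . $file['error']);
    }
    // Only accept files that really arrived via the HTTP upload, so a caller
    // cannot hand this function an arbitrary server path.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    if (filesize($file['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    // The client-supplied name is only a hint: "shell.php.jpg" yields "jpg",
    // which then has to agree with the real content below.
    $ext = strtolower(pathinfo(basename($file['name']), PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('Extension not allowed');
    }
    // Inspect the bytes; $file['type'] comes from the browser and is untrusted.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException("Content type $mime does not match .$ext");
    }
    // Never reuse the client name: a random name defeats "../" tricks and
    // double extensions, and keeps uploaded content from being named *.php.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($destDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0644);  // data file, never executable
    return $name;
}

// Usage: $stored = validate_upload($_FILES['upload'], '/var/www/uploads-private');
```

Serving the stored files through a script that sets Content-Type from the allowlist, rather than from a directory under the document root, removes the remaining risk of the web server executing whatever lands there.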
