Thread: Hacker Test

  1. #1
    SitePoint Enthusiast
    Join Date
    Jul 2005
    Posts
    36

    Hacker Test

    I have a client web site that has been dealing with a hacker/spammer for many months now. The sphacker was using injection techniques to wreak havoc on the site, and (I believe) send out spam emails through the site.

    I have been able to stop the sphacker from affecting the site functions, but I know that the sphacker is still trying. My fear is that the sphacker is somehow still sending out spam through the site. So I created a little snippet of code:

    Code:
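    $vars = '';       // collects every request key/value for the alert email
    $sendit = false;  // becomes true when a key outside the list is seen

    foreach ($_REQUEST as $key => $value) {

    	$found = false;
    	$vars .= "$key=$value<br>";

    	foreach ($keynames as $test) {

    		// strict comparison, so a numeric key such as 0 cannot match a name through type juggling
    		if ((string) $key === $test) {

    			$found = true;
    			break;

    		}
    	}

    	if ($found == false) {

    		$sendit = true;

    	}
    }
    where $keynames is a list of variables that are actually supposed to be posted. (The code is at the beginning of the document, btw)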

    The point is to catch any requests that are not part of the list, and if even one is found, it emails an alert message to me that lists all of the $_REQUESTs $keys and $values.

    The problem is that I periodically get the alert emails, but I have yet to see any $key/$values that are out of line.

    So my questions are:
    Is there a way that a sphacker could be injecting $REQUESTs that somehow do not make it to my $vars list?

    Why would I get an email if everything that shows up on the list is valid?

    Is there an error in my code?

    Any thoughts?

    Thanks for listening!
    Last edited by lusus; Feb 15, 2007 at 19:28.

  2. #2
    SitePoint Evangelist superuser2's Avatar
    Join Date
    Aug 2006
    Posts
    598
    I can't really read your code. Would you mind posting the whole thing? You are referencing variables which you are not showing the definition of.

    I'm not a security expert, but one thing you could do is to initialize all variables that should not receive user input.
    Ex:
    PHP Code:
    $msg = '';
    $loggedin = '';
    Of course, really what you should do is just disable register_globals.

  3. #3
    SitePoint Addict
    Join Date
    Sep 2006
    Posts
    219
    Quote Originally Posted by superuser2 View Post
    but one thing you could do is to initialize all variables that should not receive user input.
    How can someone initialize variables that should not be sent - if a non expected variable is sent you never know what var name to expect.

    If you really want to know what variables are being sent to a request and filter the ones that get through, try defining an array of 'allowed' variables and do an in_array(check) - if it's in the array, allow your processing to continue, if it's not in your allowed array, then alert you.

    However, if your code is allowing variables that you don't expect to be used and actioned, you really need to look at your design again.

    HTH

    Dan

  4. #4
    SitePoint Enthusiast
    Join Date
    Jul 2005
    Posts
    36
    Thanks for your input. Here is the code again, but commented. Hope this helps. The only things left out are the actual list of "acceptable" variables, the part of the code that actually emails me, and the HTML for the rest of the page.

    Code:
    $vars = '';       // string that collects every request key/value
    $sendit = false;  // "send it" flag, true when an unexpected key is seen

    foreach ($_REQUEST as $key => $value) { // iterate through all requests

    	$found = false; // initialize alert variable
    	$vars .= "$key=$value<br>"; // compile every request into one string

    	foreach ($keynames as $test) { // $keynames is a list of the variables that are actually supposed to be posted

    		if ((string) $key === $test) { // strict test to see if request variable is in the list

    			$found = true; // if it is, move on
    			break;

    		}
    	}

    	if ($found == false) { // if the variable is NOT found in the list then set the "send it" flag to true... which later emails me with the string of $REQUEST keys and values

    		$sendit = true;

    	}
    }

    AND...

    If you really want to know what variables are being sent to a request and filter the ones that get through, try defining an array of 'allowed' variables and do an in_array(check) - if it's in the array, allow your processing to continue, if it's not in your allowed array, then alert you.
    That is basically what this code does...

    I guess the most important question is if there is any way that the sphacker can be injecting $REQUESTs that somehow do NOT show up in the list?

    Thanks again.

  5. #5
    SitePoint Addict
    Join Date
    Sep 2006
    Posts
    219
    Quote Originally Posted by lusus View Post
    I guess the most important question is if there is any way that the sphacker can be injecting $REQUESTs that somehow do NOT show up in the list?
    Thanks again.
    No, you'll be fine if you are filtering the $_REQUEST method... personally, I like to be a bit more specific though and deal explicitly with $_GET or $_POST - get is for sending vars to get data, $_POST is for sending vars that update data.

    There will be very few instances where you need to leave the request method open (unless you accept posts from external sites and don't want to limit the request type).
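
The allow-list check suggested in this thread, applied to GET and POST separately, as an added example that is not code from any of the posters. The field names in `$allowed` and the sample input are assumptions; values are JSON-encoded in the report so arrays and control characters stay visible.

```php
<?php
// Added example, not from the thread. $allowed and the sample input are assumptions.

/** Encode a value for an HTML alert mail so arrays, CR/LF and markup stay visible. */
function show($value): string
{
    $json = json_encode($value, JSON_PARTIAL_OUTPUT_ON_ERROR | JSON_UNESCAPED_SLASHES);
    return htmlspecialchars((string) $json, ENT_QUOTES, 'UTF-8');
}

/** Check one input array against the allow-list and return the findings. */
function audit_input(string $source, array $input, array $allowed): array
{
    $findings = [];
    foreach ($input as $key => $value) {
        // Keys such as "0" arrive as integers; cast so the strict check
        // compares string with string and cannot match by type juggling.
        $key = (string) $key;
        if (!in_array($key, $allowed, true)) {
            $findings[] = "$source: unexpected key " . show($key) . ' = ' . show($value);
        } elseif (!is_string($value)) {
            // name[]=x turns an expected scalar into an array.
            $findings[] = "$source: " . show($key) . ' is not a string: ' . show($value);
        }
    }
    return $findings;
}

$allowed = ['name', 'email', 'title', 'message'];   // hypothetical form fields

// Constructed input standing in for $_GET and $_POST. $_REQUEST is not used:
// depending on request_order / variables_order it can also contain cookies.
$get  = ['title' => 'test', 'debug' => '1'];
$post = ['email' => 'ann@example.com', 'name' => ['x'], 0 => "a\r\nb"];

$findings = array_merge(
    audit_input('GET', $get, $allowed),
    audit_input('POST', $post, $allowed)
);
$sendit = $findings !== [];                 // alert only when something was found
$vars   = implode("<br>\n", $findings);     // body of the HTML alert mail
echo $sendit ? $vars . "\n" : "nothing unexpected\n";
```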

  6. #6
    <!-- Insert thoughts here --> pitcher17's Avatar
    Join Date
    Apr 2004
    Location
    The great white north
    Posts
    293
    One other thing to watch for that I had to contend with in the past was the hijacking of a webform to send out spam. They were using the existing fields to add in additional headers and fool the mail function into thinking that the email was going to be a multipart message. This allowed them to append whatever they wanted.

    To avoid this problem I took all the data arriving from the form, concatenated it together and did a search on the string for "Content-Type: multipart/"

    Just something to think about.
    The more time I save by not planning and documenting,
    the more time I have left to debug.


  7. #7
    SitePoint Zealot ninjayong's Avatar
    Join Date
    May 2006
    Location
    Holland
    Posts
    135
    I use a great piece of software for penetration testing of web applications, it's called AppScan. You get a report after the scan which points out vulnerabilities in your code with explanations as to how to fix. You can also produce ISO reports to say your code is standards compliant. It's a bit on the pricey side though.

  8. #8
    SitePoint Wizard silver trophy kyberfabrikken's Avatar
    Join Date
    Jun 2004
    Location
    Copenhagen, Denmark
    Posts
    6,157
    Be sure to test for header injection attacks as well.
    http://www.securephpwiki.com/index.php/Email_Injection
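
A screening function for the two checks raised in posts #6 and #8, as an added example that is not code from the thread: line breaks in any field that ends up in a mail header, and the "Content-Type: multipart/" marker anywhere in the submission. The field names, `HEADER_FIELDS` and both sample submissions are constructed.

```php
<?php
// Added example, not from the thread. Field names and samples are constructed.

/** Form fields whose values are copied into mail headers (From, Subject, ...). */
const HEADER_FIELDS = ['name', 'email', 'subject'];

/** Return the reasons to reject a submission; an empty array means it passed. */
function screen_mail_fields(array $fields): array
{
    $reasons = [];
    foreach ($fields as $key => $value) {
        if (!is_string($value)) {
            $reasons[] = "$key: not a string";
            continue;
        }
        $isHeader = in_array($key, HEADER_FIELDS, true);
        // A header value must stay on one line; CR or LF would start a new header.
        if ($isHeader && preg_match('/[\r\n]/', $value)) {
            $reasons[] = "$key: line break in a header field";
        }
        if ($key === 'email' && filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
            $reasons[] = "$key: not a single valid address";
        }
        // The marker from post #6, matched without regard to case or spacing.
        if (preg_match('/content-type\s*:\s*multipart\//i', $value)) {
            $reasons[] = "$key: multipart Content-Type marker";
        }
    }
    return $reasons;
}

// Constructed submissions: one ordinary, one carrying both patterns.
$clean = ['name' => 'Ann', 'email' => 'ann@example.com',
          'subject' => 'Hello', 'message' => "Line one\nLine two"];
$bad   = ['name' => 'Ann', 'email' => "ann@example.com\r\nX-Extra: constructed",
          'subject' => 'Hi', 'message' => 'content-type: multipart/mixed'];

foreach (['clean' => $clean, 'bad' => $bad] as $label => $fields) {
    $reasons = screen_mail_fields($fields);
    echo $label, ': ', $reasons ? implode('; ', $reasons) : 'accepted', "\n";
}
```

Rejecting the whole submission, rather than emptying the one field that matched, keeps a partly filtered message from being mailed at all.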

  9. #9
    SitePoint Enthusiast
    Join Date
    Jul 2005
    Posts
    36
    Thanks for all the input everyone.

    This code is simply what I am using to try and get a glimpse at what sphacker is doing. I also have a separate bit of code that filters the $_GET and $_POST vars individually, looks for "content-type", and empties the variable if it finds it. So it would seem that I have done what I need to do.

    Still this sphacker keeps trying. Every day I get email alerts. I don't know why it would continue, if it wasn't accomplishing something. I guess what I am looking for is a way to "see" any code that the sphacker is injecting, and that does not seem to be working. Any ideas?

    I was realizing that MY code is listing the $keys and $values, but if sphacker \escaped out of variable (i.e. $title=test'&some extra code) then the code would not show up in my generated list of $REQUESTs - right?

    So how can I grab that extra code if it is not in $key/$value form?
    Does that question make sense?

    Thanks again, again
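
One way to see what arrives before PHP splits it into keys and values, as an added example that is not code from the thread: log the raw query string and request body next to PHP's parsed view of them. The log path, the size cap and the sample request are assumptions; text after an `&` that has no `=` shows up in the parsed view as a key of its own with an empty value.

```php
<?php
// Added example, not from the thread. Path, cap and sample request are assumptions.

const MAX_BODY_BYTES = 8192;   // upper bound on stored body bytes per request

/** Build one JSON log line from the server variables and the raw request body. */
function capture_request(array $server, string $rawBody): string
{
    $query = $server['QUERY_STRING'] ?? '';
    parse_str($query, $parsed);            // how PHP turns the query into keys
    $record = [
        'time'         => gmdate('c'),
        'remote_addr'  => $server['REMOTE_ADDR'] ?? '',
        'method'       => $server['REQUEST_METHOD'] ?? '',
        'uri'          => $server['REQUEST_URI'] ?? '',
        'query_raw'    => $query,          // still percent-encoded, as sent
        'query_parsed' => $parsed,
        'content_type' => $server['CONTENT_TYPE'] ?? '',
        'user_agent'   => $server['HTTP_USER_AGENT'] ?? '',
        'body_length'  => strlen($rawBody),
        'body'         => substr($rawBody, 0, MAX_BODY_BYTES),
    ];
    // JSON escapes CR, LF and other control characters, so each request stays
    // on one log line; strings that are not valid UTF-8 are stored as null.
    $flags = JSON_UNESCAPED_SLASHES | JSON_PARTIAL_OUTPUT_ON_ERROR;
    return json_encode($record, $flags) . "\n";
}

// On the live page (the body is empty for multipart/form-data posts):
//   $line = capture_request($_SERVER, file_get_contents('php://input'));
//   file_put_contents('/path/outside/webroot/requests.log', $line, FILE_APPEND | LOCK_EX);

// Constructed request, modelled on the "$title=test'&some extra code" case.
$server = [
    'REMOTE_ADDR'    => '192.0.2.10',
    'REQUEST_METHOD' => 'POST',
    'REQUEST_URI'    => '/contact.php?title=test%27&some%20extra%20code',
    'QUERY_STRING'   => 'title=test%27&some%20extra%20code',
    'CONTENT_TYPE'   => 'application/x-www-form-urlencoded',
];
echo capture_request($server, "name=Ann&message=line1%0D%0Aline2");
```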

  10. #10
    SitePoint Evangelist superuser2's Avatar
    Join Date
    Aug 2006
    Posts
    598
    Quote Originally Posted by danh2000
    How can someone initialize variables that should not be sent - if a non expected variable is sent you never know what var name to expect.
    If they are variables that are never going to be used in your script, there's no need to initialize them, but if they're variables used later in the script that shouldn't be receiving direct user input, you should clear them out. Of course, this only applies if REGISTER_GLOBALS is on.

