SitePoint Sponsor

User Tag List

Results 1 to 9 of 9
  1. #1
    SitePoint Enthusiast
    Join Date
    Aug 2007
    Posts
    97
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    fx29 shell script

    Somehow someone was able to upload a shell script called fx29.php to my site's root directory. Once there, this script can be run from a browser and gives complete access to my site including my database. I don't know what their goal was as all they did was get into my index file and say they hadn't done more than break in and were warning me I had security problems. They made a suggestion that I pass something between pages using session variables to protect my pages. Thanks, but I'd just as soon be left alone, though maybe the warning will lead to my understanding security better. I don't know what anyone could gain from getting into our site. It just exists to share artwork done by my partner, my friends and me.

    I can't figure out how they managed to upload it, though I suspect it may have been through some administration scripts I have written to allow the upload of images of artwork to our site. I have tried to implement various kinds of security in my scripting, though I must say, it is not a simple thing to figure out, especially since I need to feed a lot of info from page to page using gets, which seems to provide a significant point of intro. I am told there are vulnerabilities in the file upload process as well, a lot beyond my understanding.

    I have purchased a couple of ebooks on php security to see where I can tighten things up. The explanations in the books are sometimes a bit abstract and a challenge to apply as they assume a bit more facility with php than my intermediate level skill. I have been coding for a number of years and am getting pretty good at it, though i just do it casually, so there are gaps of even as much as 6 months between when I sit down with it and there are always new things I have to catch up on and old things I need to refresh on. Security is still a challenge for me, obviously.

    Can anyone recommend a good resource that provides practical information about securing a site at a level of a coder like myself? Or even any direct advice from someone with more experience than me.

    Thanks,

    --Kenoli

  2. #2
    SitePoint Zealot 2ndmouse's Avatar
    Join Date
    Jan 2007
    Location
    West London
    Posts
    196
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Just in case you haven't already done it. Change all your access details - ftp, control panel, db - everything. If that file contains all your access details, it's pretty safe to say that your site has been hacked. If your site happens to be wordpress based, install wordfence and wangguard plugins - I've found them both very useful.

    [afterthought]
    You might also take a look at this site's security forum which is where this thread probably should be.
    Detect file changes remotely. SimpleSiteAudit is an early
    warning anti-hacker system which sends an alert on detection.

    PHP Find Orphan Files - Finds all the unreferenced files on your site.

  3. #3
    SitePoint Enthusiast
    Join Date
    Aug 2007
    Posts
    97
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by 2ndmouse View Post
    Just in case you haven't already done it. Change all your access details - ftp, control panel, db - everything. If that file contains all your access details, it's pretty safe to say that your site has been hacked. If your site happens to be wordpress based, install wordfence and wangguard plugins - I've found them both very useful.

    [afterthought]
    You might also take a look at this site's security forum which is where this thread probably should be.
    Thanks. I'm not using wordpress. I built the site from scratch with just php/mysql.

    I didin't realize there was a security forum. I should have checked before posting the question. I will go there.

    --Kenoli

  4. #4
    SitePoint Enthusiast
    Join Date
    Aug 2007
    Posts
    97
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    fx29 attack

    I posted this request on the php forum not realizing there was a security forum and someone suggested I post it here.

    My site is one I programmed from scratch so it is not connected wordpress or any other cms that I am told provide some kinds of security for their sites.

    Somehow someone was able to upload a shell script called fx29.php to my site's root directory. Once there, this script can be run from a browser and gives complete access to my site including my database. I don't know what their goal was as all they did was get into my index file and say they hadn't done more than break in and were warning me I had security problems. They made a suggestion that I pass something between pages using session variables to protect my pages. Thanks, but I'd just as soon be left alone, though maybe the warning will lead to my understanding security better. I don't know what anyone could gain from getting into our site. It just exists to share artwork done by my partner, my friends and me.

    I can't figure out how they managed to upload it, though I suspect it may have been through some administration scripts I have written to allow the upload of images of artwork to our site. I have tried to implement various kinds of security in my scripting, though I must say, it is not a simple thing to figure out, especially since I need to feed a lot of info from page to page using gets, which seems to provide a significant point of intro. I am told there are vulnerabilities in the file upload process as well, a lot beyond my understanding.

    I have purchased a couple of ebooks on php security to see where I can tighten things up. The explanations in the books are sometimes a bit abstract and a challenge to apply as they assume a bit more facility with php than my intermediate level skill. I have been coding for a number of years and am getting pretty good at it, though i just do it casually, so there are gaps of even as much as 6 months between when I sit down with it and there are always new things I have to catch up on and old things I need to refresh on. Security is still a challenge for me, obviously.

    Can anyone recommend a good resource that provides practical information about securing a site at a level of a coder like myself? Or even any direct advice from someone with more experience than me.

    Thanks,

    --Kenoli

  5. #5
    Foozle Reducer ServerStorm's Avatar
    Join Date
    Feb 2005
    Location
    Burlington, Canada
    Posts
    2,699
    Mentioned
    89 Post(s)
    Tagged
    6 Thread(s)
    Hi Kenoli,

    If you ever post in the wrong forum you can ask an advisor to move a thread, just click on the red flag (bottom left) and request a move. I've moved your thread to this security forum.

    Depending on the scope of your site this could be a lot of work, but here are list of suggestions to tighten up the security:

    1. If you manage the server then harden PHP Security Tips For Hardening PHP & MySQL
    2. If you have access to the firewall then make sure you have only the minimum ports that you need to have access to the website. There should not be any NAT(ed) public ports for you database if it runs in the same private network or server where the site runs.
    3. Review each area with data can be inputted into your application. This includes $POST, $GET, file uploads, AJAX, executed Shell Scripts. To learn more about this you may review www.owasp.org cheat sheet or read Chris Shiflett's blog (it may be older but is still very relevant). Chris has well written and easier to understand methods of presenting these security ideas.
    4. If it is shared server then you need to talk to your host as an attack can come from any busted site on the shared host. Ask if they are aware of any other sites being hacked on this server and ask to review the web logs or for them to take a look.


    One positive sign is that you are not using a CMS and it is your-own-rolled solution as plugins and modules in these environments can often add security bugs.

    Hope this helps
    Steve
    ictus==""

  6. #6
    SitePoint Enthusiast
    Join Date
    Aug 2007
    Posts
    97
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Steve -- These are great ideas. I look forward to digging into the resources. I will check with my web host. I think they are shared servers, though when I spoke to them about the situation, they didn't raise that issue, simply assumed it was a breach in my security and not their responsibility.

    I'll let you know how things turn out.

    --Kenoli

  7. #7
    Community Advisor silver trophy

    Join Date
    Nov 2006
    Location
    UK
    Posts
    2,559
    Mentioned
    40 Post(s)
    Tagged
    1 Thread(s)
    Quote Originally Posted by kenoli View Post
    I don't know what anyone could gain from getting into our site. It just exists to share artwork done by my partner, my friends and me.
    They can gain hosting for any number of illegal or immoral uses in which they would want to remain anonymous. Phishing sites, spamming, pirated software and media, anonymous proxies for other scams..

    Quote Originally Posted by kenoli View Post
    I suspect it may have been through some administration scripts I have written to allow the upload of images of artwork to our site.
    This would be a likely attack location. Any time I have a look through the php forum at people's file upload issues, the majority of code I see isn't fully insecure. If you want you can post up a section of the code relating to processing uploads and we can take a look to see if there's anything obviously amiss.

  8. #8
    SitePoint Enthusiast
    Join Date
    Aug 2007
    Posts
    97
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by EastCoast View Post
    Any time I have a look through the php forum at people's file upload issues, the majority of code I see isn't fully insecure. If you want you can post up a section of the code relating to processing uploads and we can take a look to see if there's anything obviously amiss.
    Great! I will do that after I take a look at it. I have been thinking about this and realize that this is one of the reasons uploaded files are first loaded into a temporary directory. It should give me a couple of places to check to see where they are being uploaded to. My script does currently check to see if the uploaded file is an image file, though I am not sure if it does this by simply checking the extension or by some more secure method.

    --Kenoli

  9. #9
    SitePoint Enthusiast
    Join Date
    Nov 2009
    Posts
    37
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by kenoli View Post
    Great! I will do that after I take a look at it. I have been thinking about this and realize that this is one of the reasons uploaded files are first loaded into a temporary directory. It should give me a couple of places to check to see where they are being uploaded to. My script does currently check to see if the uploaded file is an image file, though I am not sure if it does this by simply checking the extension or by some more secure method.

    --Kenoli
    It could also be from a remote file inclusion vulnerability (RFI). If you are sending Params like file=filename.jpg. Make sure you can't load files from urls.
    phpSiteMinder - website backup and file integrity monitoring.
    Been hacked? phpSiteScanner can help you clean your site up.


Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •