PHP Vulnerabilities

Hi,
I have received a number of emails from my hosting company saying there have been a number of possible viruses within my website. This is the latest message:


This is still occurring, please address the vulnerabilities on your site as soon as possible to avoid any further attempts to exploit it.

You must ensure that your PHP code on the site is sanitized adequately to prevent upload exploits and other potential form submission hacks etc.


TimeStamp: Wed May 27 21:01:55 2015
Scanning /home/laneend/public_html/tj.php:

'/home/laneend/public_html/tj.php'
# Suspicious image file (hidden script file)
# (quarantined to /home/cxs-safe/cxsuser/laneend/tj.php.1432756915_1) ClamAV detected virus = [PHP.Hide]

They also said to sanitize the site, but I don’t have a clue what to do. Can someone please point me in the right direction?

Hi there!

Well, you didn’t provide tj.php so we could see what it is and you didn’t give us a URL or describe what CMS/application you’re running on your site so any answers provided will be vague and just general knowledge stuff.

What they’re telling you is that someone used an exploit in a script on your site to upload tj.php. This can be done in a myriad of ways, but the way the script kiddies work is by looking for an easy way in and that’s almost always unpatched (old) versions of known scripts on your site. For instance a Wordpress site that’s not been upgraded in a while, a richtext editor you’re using somewhere on the site with the upload feature not locked down, etc.

They want you to basically upgrade all scripts on your site, either by downloading a newer version from the author or by editing the script yourself.

Hi Schwim, thanks for your reply.
Sorry about the lack of information. The site is a PHP system which is no longer in production called Cmsfromscratch. It does not use a database, instead it uses HTML includes. The URL is www.laneendsurgery.co.uk

I know this isn’t what you want to hear, but I think it’s time to update the site and change the CMS.

A quick search for “Cmsfromscratch vulnerabilities” produced a number of results: for example http://www.juniper.net/security/auto/vulnerabilities/vuln29434.html


Hi TechnoBear,
Thanks for the info. You’re correct… that’s not what I want to hear. Is there nothing I can do to save the site?

This isn’t my area of expertise, I’m afraid, but as @schwim says, your hosting company is asking you to secure the site vulnerabilities. Since you obviously can’t do this by updating the CMS, your only other option, as far as I can see, is to find and fix the vulnerabilities in the script yourself. Hopefully somebody else will be able to advise on how feasible that approach is.

I’ll give my two cents, but you probably won’t want to hear it. I’d look at moving to a different CMS. If you are wanting a non-database CMS, there are many out there that are still active and provide good support.

It may be wiser to look at what it would take to get on a more active CMS.


Hi there Graisbeck and sorry about all the bad news since we talked last :smile:

As a departure from the other guys above me, I’d ask if your site even needs a CMS. Does your site offer something or does it change so often that it requires dynamic content? The reason I ask this is because any CMS on the face of the earth will require regular updates to remain secure. If your site is static, then maybe you just want to transfer the content to html files and change them as needed. If there’s content in some of the pages that need changing more often, a script can be written to allow you to use a WYSIWYG editor to make changes to any of the pages you need it on. The third option that has been mentioned above is to install a full-fledged CMS that is under active development, transfer the content over and keep up with the updates. Patching your current system could be a very tedious option if the code was written poorly, but it is an option nonetheless.

If you have an idea of which direction you’d like to go, more information could be provided on how to make it happen. I feel your pain as anyone that’s been around websites for any period of time has been in your position and none of the options are pleasant when all you want to do is just have a working website.

Hi Schwim,
The site content is updated regularly by the staff at the surgery. It looks like I’m going to have to transfer the content to html files as you mentioned, while I set up another CMS as the staff do not have any html skills and so require a WYSIWYG editor.

You’re somewhat limited in your options unless you know PHP or can hire someone out. If you desire an all-in-one solution with little programming involved, then you will need to change platforms.

If only textual content needs to change in the body of any of the pages, you might consider a home-grown solution. Installing any CMS for something so small would be in my opinion smashing an ant with a hammer. It can be done, but it’s much more than is needed.

The way it works is the PHP file loads the template and then pulls the body either from a flat file or from the database. On the backend, the person making the changes chooses which page to edit and then makes the necessary changes in a rich-text editor, like CKEditor or a similar open-source (free) editor.

There’s a couple reasons I suggest this:

First, security through obscurity is very successful, no matter what anyone will tell you. The majority of exploit attempts are done by people that don’t have a firm grasp on what they’re doing and use prebuilt scripts that run and look for known scripts that are unpatched. To give you an idea of what I mean, here’s a screenie from one of my projects. The URLs you’re seeing are a script looking for an unpatched WYSIWYG editor in a couple hundred popular directory locations. I see this 10 to 20 times a day for different applications and my site has almost zero legitimate traffic. Imagine how many malicious bots are crawling well known and more popular sites.

I’m confident that if you checked your server logs, you would find the same type of traffic right before your script was used to upload that file.

In my case, everything is homegrown and when I see stuff like this, I will add the filename to an autoban list. The next time a script starts looking for that file, the IP gets dropped to a banlist so the server won’t waste any more resources on them loading a dynamic page each time. I’m not in any hurry to do it because I know that the bot will never find a match, since everything was written by myself and the bots have never been written to handle this system.

The second reason I suggest this approach is that your site doesn’t seem to require one of the mammoth frameworks that exist. It will do what you want, but you’ll forever be tied to updating the system to stay secure as opposed to a very small editing script that has hundreds of thousands fewer lines of code to find exploits in and that nobody has ever seen the source code to.

Oddz has already mentioned that you would either need to learn to write php, or find someone to hire to do it. I’ve seen websites devoted to matching clients and scripters, like classifieds for scripts. That might be an option for you or you could find someone local to you. I think the up front cost would be worth not having to worry about when Joomla or similar issues a security update.
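
Added example (not part of the original thread and not any poster's code): a sketch of the log check and autoban idea described in the post above, run over constructed access-log lines. It assumes the Apache combined log format; the function name `find_probers`, the `min_dirs` threshold and the sample filename `upload.php` are hypothetical, and the actual blocking of the returned IPs is left to the server or firewall.

```python
import re
from collections import defaultdict

# Constructed sample in Apache combined log format (documentation-range IPs).
# "upload.php" is a made-up editor filename; "tj.php" is the file named in
# the scan report quoted at the top of the thread.
SAMPLE_LOG = """\
198.51.100.4 - - [01/Jan/2024:10:00:10 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [01/Jan/2024:10:00:11 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2024:10:03:01 +0000] "GET /editor/upload.php HTTP/1.1" 404 209 "-" "bot"
203.0.113.7 - - [01/Jan/2024:10:03:01 +0000] "GET /admin/editor/upload.php HTTP/1.1" 404 209 "-" "bot"
203.0.113.7 - - [01/Jan/2024:10:03:02 +0000] "GET /js/editor/upload.php?x=1 HTTP/1.1" 404 209 "-" "bot"
192.0.2.9 - - [01/Jan/2024:10:15:44 +0000] "POST /tj.php HTTP/1.1" 404 209 "-" "-"
"""

LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3}) '
)

def find_probers(log_text, watch_names=frozenset(), min_dirs=3):
    """Return {ip: reason} for clients worth adding to a ban list.

    watchlist:<name>  the client asked for a filename on the autoban list
    dir-sweep:<name>  the client got 404s for one filename in at least
                      min_dirs different directories
    """
    watch = {n.lower() for n in watch_names}
    misses = defaultdict(set)          # (ip, filename) -> directories tried
    banned = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                   # skip lines that are not requests
        ip, target, status = m.groups()
        path = target.split("?", 1)[0]             # drop the query string
        directory, _, name = path.rpartition("/")
        name = name.lower()
        if not name:
            continue                   # directory index request, no filename
        if name in watch:
            banned.setdefault(ip, f"watchlist:{name}")
        elif status == "404":
            misses[(ip, name)].add(directory)
            if len(misses[(ip, name)]) >= min_dirs:
                banned.setdefault(ip, f"dir-sweep:{name}")
    return banned

if __name__ == "__main__":
    for ip, reason in find_probers(SAMPLE_LOG, watch_names={"tj.php"}).items():
        print(ip, reason)
```

An ordinary visitor with a single 404 (the `favicon.ico` request) is not flagged; only the repeated sweep and the request for the quarantined filename are.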

Sorry for the delay in answering your posts. We decided to transfer the html into a static site with me doing any content updates that are needed for the time being. I would like to build a basic cms but I don’t know any php. I know there is an abundance of tutorials and scripts etc. But could you point me in the right direction for starting from scratch? I am proficient in html, css and using photoshop, but it stops there I’m afraid.
By the way a big thanks to everyone who gave their help with this issue. :grinning:

If you are going a static file route, you really don’t need a CMS. If you want a CMS, don’t build it from scratch, use any of the already existing ones out there!

Perch, Bolt, Wordpress, Concrete, Pelican, Jekyll, Ghost, InstantUpdate, etc.

Thanks cpradio, the reason for a cms is because the staff don’t have the knowledge to change the content without a text editor.

In which case, I highly recommend not rolling your own (unless you want to get back into the vulnerability issues again). I’d strongly recommend using an already proven product.


I imagine you have time restraints then. I would seriously recommend hiring someone to do the PHP. Learning it from scratch (particularly if you don’t know any other programming languages) and implementing a solid, secure solution is an overly ambitious goal. Save yourself a whole world of hurt and hire someone to implement a secure CMS that meets your needs.
