1. Advertising
    y u no do it?

    Advertising (learn more)

    Advertise virtually anything here, with CPM banner ads, CPM email ads and CPC contextual links. You can target relevant areas of the site and show ads based on geographical location of the user if you wish.

    Starts at just $1 per CPM or $0.10 per CPC.

Site hacked ~ Check your Google cache NOW!

Discussion in 'Site & Server Administration' started by SEbasic, Feb 8, 2006.

  1. T0PS3O

    T0PS3O Feel Good PLC

    Messages:
    13,220
    Likes Received:
    778
    Best Answers:
    0
    Trophy Points:
    0
    #61
    Don't ask, don't get :)
    SEMrush
    It does suck a lot I have to say. It's easy to say 'do this and that' but it's always that one little thing you didn't do or something not even publicly known yet that kills you. Most of us are probably guilty of eagirly getting into the money making, not giving much thought to security. Same why people only start drinking water after they pissed out some kidney bricks. Live and learn. Learning first is boring :)
     
    T0PS3O, Feb 8, 2006 IP
    SEMrush
  2. SEbasic

    SEbasic Peon

    Messages:
    6,318
    Likes Received:
    318
    Best Answers:
    0
    Trophy Points:
    0
    #62
    Trust me, it's a lesson learned...

    I'm gonna employ someone to test this sh1t from now on...

    It's had too big an impact..
     
    SEbasic, Feb 8, 2006 IP
  3. T0PS3O

    T0PS3O Feel Good PLC

    Messages:
    13,220
    Likes Received:
    778
    Best Answers:
    0
    Trophy Points:
    0
    #63
    The way I understand it, if register globals or on, you can put this in the address bar:

    www.dpforums.com?nintendo=wacko
    Code (markup):
    And then in the code:

    echo $nintendo;
    PHP:
    will output "wacko".

    With register globals off you will have to say:

    echo $_GET['nintendo'];
    PHP:
    The voulnerability being that if you know WordPress has a line of code going:

    mysql_query($query); // very silly example for illustrative purposes
    PHP:
    Without initializing $query first (I know, silly example), all the hacker has to do to fuck you up is:

    www.dpforums.com?query=DELETE * FROM known_table WHERE 1
    Code (markup):
    Bye bye known_table.

    Which reminds me to add to the list... Rename your tables. Make sure guesswork won't get lucky.

    That's why you always have to validate GET and POST data and defo validate variables yo use for SQL queries. Not initializing a variable can also cause troubles.
     
    T0PS3O, Feb 8, 2006 IP
    SEbasic and digitalpoint like this.
  4. digitalpoint

    digitalpoint Overlord of no one Staff

    Messages:
    38,297
    Likes Received:
    2,602
    Best Answers:
    461
    Trophy Points:
    710
    Digital Goods:
    29
    #64
    Turn off register_globals, and reference incoming variables with $_REQUEST, $_GET and $_POST arrays.

    And be sure to escape out any variables coming from the outside. For example:

    http://www.php.net/manual/en/function.escapeshellcmd.php
    http://www.php.net/manual/en/function.mysql-escape-string.php

    If you want to get really crazy (and you have access to vBulletin), check out the vB_Input_Cleaner class in under includes/class_core.php to get some ideas... they do an excellent job of sanitizing input.
     
    digitalpoint, Feb 8, 2006 IP
    SEbasic likes this.
  5. Dekker

    Dekker Peon

    Messages:
    4,185
    Likes Received:
    286
    Best Answers:
    0
    Trophy Points:
    0
    #65
    Dekker, Feb 8, 2006 IP
  6. T0PS3O

    T0PS3O Feel Good PLC

    Messages:
    13,220
    Likes Received:
    778
    Best Answers:
    0
    Trophy Points:
    0
    #66
    Once they get write access, it seems they automate pasting in code into every file. Overwrite half a line of PHP and you'll get a load of errors. That's how these people's site 'broke' I believe. That's also the silly part. Had it not cocked up the code, it could have gone unnoticed for months.
     
    T0PS3O, Feb 8, 2006 IP
  7. Dekker

    Dekker Peon

    Messages:
    4,185
    Likes Received:
    286
    Best Answers:
    0
    Trophy Points:
    0
    #67
    gotcha. wow this is scary shit. my site looks clean though from the looks of it

    i just used firefox, set to googlebot view source and did a find "<a href" and look through all of it.
     
    Dekker, Feb 8, 2006 IP
  8. digitalpoint

    digitalpoint Overlord of no one Staff

    Messages:
    38,297
    Likes Received:
    2,602
    Best Answers:
    461
    Trophy Points:
    710
    Digital Goods:
    29
    #68
    If you have shell access to your server, a quick way to check if anything like that might be inserted in any file would be to do something like this:

    grep -r base64_encode *
    Code (markup):
    That will scan all files (current and all sub-folders) for "base64_encode". It's used in some stuff legitimately, but you can quickly find any files that have it that way.
     
    digitalpoint, Feb 8, 2006 IP
  9. SEbasic

    SEbasic Peon

    Messages:
    6,318
    Likes Received:
    318
    Best Answers:
    0
    Trophy Points:
    0
    #69
    Shawn, T0PS... Thanks, I'm gonna try and go through all of it now.

    I just added this to my .htaccess file too...

    php_flag display_errors off
    php_flag register_globals off

    This should give them less info right?

    Like T0PS says, it could be pretty widespread ~ how many sites out there *didn't* show that error?

    Mine didn't...

    For the time being I'm scraping most of the sites and uploading a hard copy...

    I think it's time I got the sites moved onto a server I have that much control over...
     
    SEbasic, Feb 8, 2006 IP
  10. digitalpoint

    digitalpoint Overlord of no one Staff

    Messages:
    38,297
    Likes Received:
    2,602
    Best Answers:
    461
    Trophy Points:
    710
    Digital Goods:
    29
    #70
    digitalpoint, Feb 8, 2006 IP
    subseo likes this.
  11. Dekker

    Dekker Peon

    Messages:
    4,185
    Likes Received:
    286
    Best Answers:
    0
    Trophy Points:
    0
    #71
    all i got eturned was

    ZenOptimzer-2.6.2-linux-glibc21-1386/zui_files/util.inc: chunk_split(base64_encode($data))."\n"
    Binary File Zendoptimizer-2.6.2-linux-glibc21-i386.zui_files/php matches

    guess not?
     
    Dekker, Feb 8, 2006 IP
  12. SEbasic

    SEbasic Peon

    Messages:
    6,318
    Likes Received:
    318
    Best Answers:
    0
    Trophy Points:
    0
    #72
    I've been thinking about that more and more recently...

    I've always been worried that I couldn't maintain it, but I think I'll take the plunge...

    There have been too many times recently where I've had problems to fix and wasn't able to without shell access...

    It would make life easier think.
     
    SEbasic, Feb 8, 2006 IP
  13. Dekker

    Dekker Peon

    Messages:
    4,185
    Likes Received:
    286
    Best Answers:
    0
    Trophy Points:
    0
    #73
    i'll be your best friend if you manage my server SEbasic :p

    i got alot of unused space and bandwidth :p
     
    Dekker, Feb 8, 2006 IP
  14. SEbasic

    SEbasic Peon

    Messages:
    6,318
    Likes Received:
    318
    Best Answers:
    0
    Trophy Points:
    0
    #74
    Ha!

    No way man - I wish I could help out, but I couldn't take the responsibility until I learned a bit ; )
     
    SEbasic, Feb 8, 2006 IP
  15. T0PS3O

    T0PS3O Feel Good PLC

    Messages:
    13,220
    Likes Received:
    778
    Best Answers:
    0
    Trophy Points:
    0
    #75
    Here's a tip: Every new command you learn and apply to your server, write it down and document it. It's very slow at first but the learning curve is steep that way. Soon you'll feel the joy of a silently killed apache restart. PuTTy is your friend in need.
     
    T0PS3O, Feb 8, 2006 IP
  16. Dekker

    Dekker Peon

    Messages:
    4,185
    Likes Received:
    286
    Best Answers:
    0
    Trophy Points:
    0
    #76
    you should turn off register_globals as well unless you really need it.

    advice from a friend :D
     
    Dekker, Feb 8, 2006 IP
  17. T0PS3O

    T0PS3O Feel Good PLC

    Messages:
    13,220
    Likes Received:
    778
    Best Answers:
    0
    Trophy Points:
    0
    #77
    We'll add that to the list, strange it wasn't mentioned before, such an obvious one :rolleyes:
     
    T0PS3O, Feb 8, 2006 IP
    subseo likes this.
  18. subseo

    subseo Guest

    Messages:
    652
    Likes Received:
    38
    Best Answers:
    0
    Trophy Points:
    0
    #78
    Thank you guys. I reported this about 4 days ago on another forum, but didn't pay much attention, as it didn't show in the browser. Silly me! Now with User Agent Switcher, all is present.

    Temporary fix was by deleting common.php and finfo.php (though I realize might be named differently elsewhere) from folders like tmp and backup. Also deleted the cached files (the script that I had it on, uses Smarty templating). Now off to implement safeguards so that it doesn't happen in the future. All the info in this thread was a BIG help! Thanks once again.
     
    subseo, Feb 8, 2006 IP
  19. frankm

    frankm Active Member

    Messages:
    915
    Likes Received:
    63
    Best Answers:
    0
    Trophy Points:
    83
    #79
    Thanks SEBasic for the warning - none of my sites seem to be infected with this shit, but as a precaution i did this
    
    # route add 208.185.80.113 reject
    
    Code (markup):
    where 208.185.80.133 is user7.phpinclude.ru

    There seems to be some communication with your webserver and user7.phpinclude.ru, so why not just deny all traffic from and to that ip address?
    (you need to have root access to your server to do this btw)
     
    frankm, Feb 8, 2006 IP
  20. SEbasic

    SEbasic Peon

    Messages:
    6,318
    Likes Received:
    318
    Best Answers:
    0
    Trophy Points:
    0
    #80
    I know the relationship (It looks like they are sending visitor data to their own servers, and pulliing the links to be displayed on your pages from the URL I posted previously (It's in the first post)), but unfortunatley I don't have root access. :(

    I wonder how many people have been infected with this?
     
    SEbasic, Feb 8, 2006 IP