Current time: 04-20-2014, 02:39 PM
PHP code injection; how to prevent it?
11-10-2011, 07:37 PM (This post was last modified: 11-10-2011 07:48 PM by ozort.)
Post: #1
PHP code injection; how to prevent it?
I've had an ongoing issue with my PHP files on one of my websites being edited to include a line at the top that starts with <?php /**/ eval(("aWYoZnVuY3Rpb25fZXhpc3R or base64_decode( functions. My images folder contained 2 .php files with weird names (randy_mcqueen.php and tommy_confidence.php) that were similar gibberish and certainly were not put there by me.

I've had issues with my entire MYSQL database being dropped more than once, and right now google has my website flagged as malicious. I've cleaned up the problem on 2 prior occasions and appealed to google, but within a few months it happens again.

Nobody has my password and it's fairly secure, and I don't have anything that allows users to upload files of their choosing. I have my CHMOD settings on 755 for all files (php, html, core, folders, images).

Any suggestions would be great, I suppose I can keep cleaning it up by hand every 3 months but I'd rather figure out why it keeps getting reinfected and how to truly clean it up.

(edit)
As a side note, the problems started immediately after I blocked registration on my PHPBB forum. The first year I had PHPBB, bots were registering accounts to put porn on the site. After a year of deleting posts and having literally thousands of junk accounts created, I disabled registration and within a month all of the posts and tables and user accounts were dropped. Since the SQL wouldn't allow me to log in as localhost I had to set chmod so the PHPBB folders could be written by group, which I suppose would allow any dreamhost user (or infected dreamhost website) to write files into my folders. Given the ability to stick files into the /forum folder, they should be able to put files into ../ as well. The issue didn't happen with any of my other websites. Since then I've completely gotten rid of PHPBB and turned off group write, but the problem is still occurring.

----------------------------------
What do you mean by "RL"? Hang on, lemme check wikipedia...
11-13-2011, 04:32 AM
Post: #2
RE: PHP code injection; how to prevent it?
Just to clarify, you have multiple sites under the same user, but only one is affected? If that's the case, then the most likely cause would be a security flaw in the web app you are using.

I'm not sure what you mean about logging in as localhost. You should connect to your DB through a subdomain set up in the panel.

As I understand it, other users won't be able to read / write to your files because a) they don't belong to the same group as you and b) your home folder has pretty restrictive settings.
11-13-2011, 09:48 PM (This post was last modified: 11-13-2011 09:48 PM by ozort.)
Post: #3
RE: PHP code injection; how to prevent it?
(11-13-2011 04:32 AM)bobocat Wrote:  Just to clarify, you have multiple sites under the same user, but only one is affected? If that's the case, then the most likely cause would be a security flaw in the web app you are using.

I'm not sure what you mean about logging in as localhost. You should connect to your DB through a subdomain set up in the panel.

As I understand it, other users won't be able to read / write to your files because a) they don't belong to the same group as you and b) your home folder has pretty restrictive settings.

Thanks for the reply. As for the SQL, disabling group read/write causes my board to throw MYSQL errors. If that's not the cause then I have no idea how someone is rewriting my files and forcing uploads into my images folder. All I know is that my users are being redirected to sweepstakesandcontestsnow.com and Google has me flagged as a virus distributor, and every time I clean it up it's infected again in a matter of days.

Maybe I can ask a few more direct questions: If I allow users to upload images, is there a problem if they're marked as guest executable? What kind of PHP functions do I need to be careful of? What CHMOD settings should I use for PHP/html/htaccess/folders? Should a folder with executable content also be executable?

11-13-2011, 10:38 PM
Post: #4
RE: PHP code injection; how to prevent it?
In general you should not change any permissions, especially to be more lax than what the application comes with or recommends. Are you using something such as phpBB? Your MySQL errors are not related to folder permissions. The app might be trying to modify a file based on a result from a MySQL query, but MySQL doesn't care one bit about any folders or permissions in your account. They are simply not related at all. It might be that the config file used to connect to the MySQL server has the wrong permissions so the webapp can't read it, or something else that makes it look like the problem is MySQL, but I can't think of any way it could happen.

Change all of your permissions back to the standard settings and look for the real problem.

Nothing that users upload should be executable. No, no, no, and no. By the way, nothing that your users upload should be executable. Nothing. Nada....

Do a search for that sweepstakes thing. There have been other reports on these forums with the same address. I can't tell you exactly what caused it, but in general, most of these things are exploits of insecure plugins, addons, or apps themselves, usually written in PHP. Upgrade to the latest version, disable any sketchy plugins and addons, reset all permissions, and look long and hard for any backdoors. You might even try wiping everything that ends in php and reinstalling. Backup first, just in case.
11-15-2011, 12:55 PM
Post: #5
RE: PHP code injection; how to prevent it?
I was recently hacked and found a bunch of php files with similar code to what you describe and weird names a la: someword_anotherword.php

The hacker also

- added <script>s to a bunch of html pages, mostly just before </body>
- added some redirect code to the .htaccess files

FYI.

I have *not* figured out how they got in yet.

Cheers,
Colin
11-15-2011, 04:06 PM
Post: #6
RE: PHP code injection; how to prevent it?
We're actually about to send out a mass notice to a number of customers that were affected by the "sweepstakes and contests info" injection. You should be getting the email in a few hours.

There'll be details on your specific situation in the message you get, but in general it looks like a lot of these injections resulted from attackers placing PHP scripts in world-writable (e.g., chmod 777) web directories.
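The three symptoms the thread describes (the obfuscated eval prefix in post #1, the .htaccess redirects in post #5, the world-writable directories in post #6) can be checked for with a read-only triage scan. This is an added example, not code from the thread or from DreamHost; it assumes POSIX sh with find and grep, and the fixture it scans is constructed inline.

```shell
#!/bin/sh
# Added example: read-only triage scan of a web root for the symptoms in the
# thread. Assumes POSIX sh, find and grep; sample files are constructed below.

# PHP files containing an obfuscated-eval prefix such as
# "<?php /**/ eval(base64_decode(...))" (post #1).
find_injected_php() {
  find "$1" -type f -name '*.php' -exec grep -lE \
    'eval[[:space:]]*\([[:space:]]*\(?[[:space:]]*(base64_decode|gzinflate|str_rot13)|/\*\*/[[:space:]]*eval[[:space:]]*\(' {} + 2>/dev/null | sort
}

# Directories any local user could write into (o+w, e.g. chmod 777), the
# vector named in post #6.
find_world_writable() {
  find "$1" -type d -perm -002 2>/dev/null | sort
}

# .htaccess files carrying a rewrite or redirect to an external URL (post #5).
find_htaccess_redirects() {
  find "$1" -type f -name '.htaccess' -exec grep -lE \
    '^[[:space:]]*(RewriteRule|Redirect(Match)?)[[:space:]].*https?://' {} + 2>/dev/null | sort
}

# Constructed fixture: one clean file, one injected file inside images/,
# a world-writable images/ directory and a tampered .htaccess.
# The base64 string is a placeholder ("constructed"), not real payload.
make_fixture() {
  root=$(mktemp -d)
  mkdir -p "$root/images"
  printf '<?php echo "hello";\n' > "$root/index.php"
  printf '<?php /**/ eval(base64_decode("Y29uc3RydWN0ZWQ="));\n' > "$root/images/randy_mcqueen.php"
  chmod 777 "$root/images"
  printf 'RewriteEngine On\nRewriteRule .* http://redirect.invalid/ [R,L]\n' > "$root/.htaccess"
  printf '%s\n' "$root"
}

# Run all three checks over a web root and print a labelled report.
scan_webroot() {
  echo "== PHP files with obfuscated eval =="; find_injected_php "$1"
  echo "== world-writable directories =="; find_world_writable "$1"
  echo "== .htaccess files with external redirects =="; find_htaccess_redirects "$1"
}

demo_root=$(make_fixture)
scan_webroot "$demo_root"
rm -rf "$demo_root"
```

Point `scan_webroot` at a real site directory (for example `scan_webroot ~/example.com`) to get the same three lists for that site; every hit should then be compared against a known-good backup rather than deleted blindly.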
11-15-2011, 05:14 PM
Post: #7
RE: PHP code injection; how to prevent it?
(11-15-2011 04:06 PM)andrewf Wrote:  There'll be details on your specific situation in the message you get, but in general it looks like a lot of these injections resulted from attackers placing PHP scripts in world-writable (e.g., chmod 777) web directories.

It would be great if you could add info to the wiki as well for those who weren't caught up in it but wish to avoid similar exploits in future...
11-15-2011, 08:09 PM
Post: #8
RE: PHP code injection; how to prevent it?
It might have been this (or something similar):

http://markmaunder.com/2011/08/01/zero-d...ss-themes/

Customer since 2000 openvein.org | Please don't feed the trolls.
11-16-2011, 06:02 AM
Post: #9
RE: PHP code injection; how to prevent it?
@andrewf - yes, I should have mentioned this was the sweepstakesandcontestsinfo.net injection

that's great - looking forward to getting that email.
12-15-2011, 03:25 PM (This post was last modified: 12-15-2011 03:26 PM by nataliepants.)
Post: #10
RE: PHP code injection; how to prevent it?
I am having this exact same problem with all my Dreamhost sites. I have edited the htaccess file, but it is rewritten with the offending site redirect, AFTER changing my FTP password. I have also discovered over 8 separate php files with the naming convention detailed above across all my domains.