My site’s database was getting hacked into through the GET variable of a URL that I didn’t properly sanitize. I think it’s fixed now. But I checked out the remote folder where I stored some images on that page and there were .php files uploaded into it along with other pictures that I never uploaded.

How does someone upload files through the GET variables of a URL???

And the .php file that was in this folder was about 7,000 lines long and looked like it was sending out mail at the very end.

Any idea on what was happening with this website for the past few days??

PHP

3 Comment(s)

@dch3Feb 03.2011 — Not that familiar with security, but from what I've read, I'd guess that the permissions on the folder need to be looked at. I'd search around and google terms like 'web server security' for best practices.
@DasherFeb 03.2011 — If the $_GET variable is used to get a file, it can also get an external file which can then obtain access to your server. I had a problem like that once, and my solution was to only allow file names that were listed in an array.
@Jarrod1937Feb 03.2011 — It's probably too late now, but the best thing you can do when this sort of thing happens is download all of the raw access logs you can get your hands on for a post-mortem analysis.

The best thing to do though is to develop filtering functions for $_GET, $_POST and $_COOKIE values. You can walk through each as an array and filter each item with a general filter function (will any of your variables need - or _ or `...etc), and can even then use the array's associative index key as an identification for specific variables that require specific filtering (is the field alphanumeric only), though this method depends on your code style preference.

Then you should go to each variable individually and apply the filtering at their level too (if $_GET['page'] is passed to $page, then $page=myFilterFunction($_GET['page']); ). This is a multi-layered approach and helps make sure no user vars are unfiltered.

The filtering should be a whitelist approach if at all possible. This means that instead of saying "This character is bad... and so is this one... and this one...etc", you're actually saying "only this set of characters is good, and all others are bad". This is a far more robust methodology. The more restrictive you make your whitelist filters the better. You can also cast the variable values to specific datatypes before use:

$_GET['page']='999';

$page=(int)$_GET['page'];

Which forces the variable to be an int.

If the variable is for a file of some sort, make sure you limit what it can grab. Again, a whitelist method is best. Create an array or a switch statement with the allowed files, and if the variable matches none, have it select a default file.

And lastly, use mysql_real_escape_string(); which will properly escape variables before they're used in a database query.

As mentioned, you may also need to check your directory and file permissions, make sure they only have the permissions they need to operate and no more.

I could give information on how they were able to upload files... but considering you (probably) don't have raw access logs, and have not shown any code, I would be completely guessing. Without the logs, it is possible they utilized more than one attack vector, but we wouldn't know it (like a server vulnerability for example).
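The layered approach Jarrod1937 describes (a general whitelist filter over the request array, per-key rules, a type cast, and a whitelisted page include with a default), written out as an added PHP example that is not from the thread. Function and array names such as filterValue(), filterRequest(), $allowedPages and the page file paths are assumptions; the escaping helper uses mysqli's real_escape_string() as the modern equivalent of the mysql_real_escape_string() call mentioned above.

```php
<?php
// General whitelist filter: keep only characters in the allowed set, drop everything else.
function filterValue(string $value, string $allowedChars = 'A-Za-z0-9_-'): string
{
    return preg_replace('/[^' . $allowedChars . ']/', '', $value);
}

// Per-field rules keyed by the request array's index (stricter than the default set).
$rules = [
    'page' => 'A-Za-z0-9_',   // page names: letters, digits and underscore only
    'sort' => 'a-z',          // sort keyword: lowercase letters only
];

// Walk the whole request array and filter every item; unexpected types are dropped.
function filterRequest(array $input, array $rules): array
{
    $clean = [];
    foreach ($input as $key => $value) {
        if (!is_string($value)) {
            continue; // $_GET can carry nested arrays (?page[]=x); never pass those through
        }
        $clean[$key] = filterValue($value, $rules[$key] ?? 'A-Za-z0-9_-');
    }
    return $clean;
}

$get = filterRequest($_GET, $rules);

// Cast to the expected type before use, as in the (int) example above.
$id = isset($get['id']) ? (int) $get['id'] : 0;

// Whitelist of includable pages (assumed paths); anything else falls back to the default.
$allowedPages = [
    'home'    => 'pages/home.php',
    'gallery' => 'pages/gallery.php',
    'contact' => 'pages/contact.php',
];
$page = $get['page'] ?? 'home';
if (!array_key_exists($page, $allowedPages)) {
    $page = 'home'; // unknown value: select the default file, never the user-supplied name
}

// The included path is always one of our own constants, never a user string or a URL.
require __DIR__ . '/' . $allowedPages[$page];

// Escape an already-filtered value before it is embedded in a query ($db is an assumed mysqli handle).
function pageLookupSql(mysqli $db, string $slug): string
{
    return "SELECT title FROM pages WHERE slug = '" . $db->real_escape_string($slug) . "'";
}
```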
Help @Ntrimgs spread the word by sharing this article on Twitter...