Just in case any of you are infected...

We wrote this post to describe how to remove some nasty htaccess exploits from your server.

http://irishninjasdesign.com/content/how-find-and-remove-goodsuperhack-htaccess-exploit-your-server

6 Replies

The "findinfections.php" script you posted has some problems. You should escape the argument to cat, otherwise you are open to an injection attack. What if filenames have spaces? Or what if attackers create a file somewhere in your www root called '; rm -rf *; '? Also, why not fread() the file, or better yet, just a recursive grep instead?

Also, if you're distributing a PHP script of this nature, you can get the command line arguments with $argv so users don't have to edit the script.

Any indication of how the server was exploited in the first place?

@funkytastic:

> The "findinfections.php" script you posted has some problems. You should escape the argument to cat, otherwise you are open to an injection attack. What if filenames have spaces? Or what if attackers create a file somewhere in your www root called '; rm -rf *; '? Also, why not fread() the file, or better yet, just a recursive grep instead?
>
> Also, if you're distributing a PHP script of this nature, you can get the command line arguments with $argv so users don't have to edit the script.
>
> Any indication of how the server was exploited in the first place?

We have no idea how the server was exploited. We think it was most likely an injection attack though.

@funkytastic:

> The "findinfections.php" script you posted has some problems.

I don't mean to sound rude, but if that script is representative of the quality of PHP scripts on OP's server, no wonder it got infected. Seriously, using shell_exec to cat a file? What happened to good old file_get_contents?

Here's a shell version:

grep -lir "htaccess" *
grep -lir "unlink" *
grep -lir "fwrite" *

Whatever file appears in the output of all three commands is the one you're looking for. If you have a lot of files, save the output of each command to a file or variable, and use the "comm" command or some PHP function to find out which file appears in all three.

@hybinet:

> @funkytastic:
>
> > The "findinfections.php" script you posted has some problems.
>
> I don't mean to sound rude, but if that script is representative of the quality of PHP scripts on OP's server, no wonder it got infected. Seriously, using shell_exec to cat a file? What happened to good old file_get_contents?
>
> Here's a shell version:
>
> grep -lir "htaccess" *
> grep -lir "unlink" *
> grep -lir "fwrite" *
>
> Whatever file appears in the output of all three commands is the one you're looking for. If you have a lot of files, save the output of each command to a file or variable, and use the "comm" command to find out which file appears in all three.

I don't take any offense to what you are saying, but at the time, we were about to quit, and on top of that, it was late. Our other code isn't this bad. This was just an attempt to solve the problem one last time before we went home and gave up. I knew there were many more secure ways to do this, but in our situation, it wasn't required. This is not public, so for us, it doesn't affect security. I appreciate your concerns, and the file is being updated to respect the fact that it is exploitable.

@clayfreeman:

> I don't take any offense to what you are saying, but at the time, we were about to quit, and on top of that, it was late. Our other code isn't this bad. This was just an attempt to solve the problem one last time before we went home and gave up. I knew there were many more secure ways to do this, but in our situation, it wasn't required. This is not public, so for us, it doesn't affect security. I appreciate your concerns, and the file is being updated to respect the fact that it is exploitable.

I understand. You've gotta do whatever works if you're getting attacked and you don't have time. But when you post a script on a public web site, please remember that other people will download it and run it in the most stupid manner possible. The world would be a better place without all those insecure PHP code snippets littering the blogosphere.

Just for fun, here's a one-liner (in bash) that improves upon the code I posted above:

grep -li "htaccess" $(grep -li "unlink" $(grep -lir "fwrite" *))

Just go to /var/www and run it in a bash shell!
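A NUL-safe version of the same three-way intersection, added here as an example and not code from the thread or from the irishninjasdesign post. The one-liner above word-splits the unquoted $(...) output, so a filename containing a space arrives at the outer grep as two arguments, and when the inner grep matches nothing the outer grep has no file operands and waits on stdin. Passing paths as NUL-terminated records (grep -Z, xargs -0) also covers funkytastic's earlier point about a file in the web root named '; rm -rf *; ', since such a name is only ever data to grep and never parsed by the shell, and it does the "comm"-style intersection from the earlier post inside the pipeline itself. The sample tree, its file names and contents are constructed for the demonstration; the three markers are the thread's own, and GNU grep and xargs are assumed.

```shell
#!/bin/sh
# Added example, not the thread's code: report every file under a web root that
# matches all three markers used in the thread (fwrite, unlink, htaccess).
# Each stage hands the next a NUL-terminated list of paths, so spaces or shell
# metacharacters in a filename cannot break the pipeline or be interpreted.

find_infections() {
    root="$1"
    # grep -Z terminates each matched path with NUL; xargs -0 consumes that list
    # and -r skips running grep at all when the list is empty (no stdin hang).
    # grep exits 1 when nothing matches, which is a normal result here, not an error.
    grep -rliZ -- 'fwrite' "$root" \
      | xargs -0 -r grep -liZ -- 'unlink' \
      | xargs -0 -r grep -li -- 'htaccess' \
      || true
}

# Build a constructed sample tree (synthetic stand-ins, not real malware):
#   sub/infected.php        carries all three markers
#   "sub/; rm -rf *; .php"  carries all three, and has a hostile-looking name
#   logger.php              fwrite only
#   clean.php               unlink and htaccess, but no fwrite
# Prints the path of the new directory so the caller can clean it up.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir "$dir/sub"
    printf '<?php $h=fopen(".htaccess","w"); fwrite($h,"x"); unlink("tmp");\n' \
        > "$dir/sub/infected.php"
    printf '<?php fwrite($h, "x"); unlink("tmp"); // .htaccess\n' \
        > "$dir/sub/; rm -rf *; .php"
    printf '<?php fwrite($h, "log line"); // writes a log, nothing else\n' \
        > "$dir/logger.php"
    printf '<?php unlink("cache"); // .htaccess rules live elsewhere\n' \
        > "$dir/clean.php"
    printf '%s\n' "$dir"
}

# Usage against a real document root: find_infections /var/www
```

On a real server run find_infections against the document root and review each reported file by hand; matching three generic PHP function names is a starting filter, not proof of infection, so expect to tighten the patterns for your own code base.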

@hybinet:

> @clayfreeman:
>
> > I don't take any offense to what you are saying, but at the time, we were about to quit, and on top of that, it was late. Our other code isn't this bad. This was just an attempt to solve the problem one last time before we went home and gave up. I knew there were many more secure ways to do this, but in our situation, it wasn't required. This is not public, so for us, it doesn't affect security. I appreciate your concerns, and the file is being updated to respect the fact that it is exploitable.
>
> I understand. You've gotta do whatever works if you're getting attacked and you don't have time. But when you post a script on a public web site, please remember that other people will download it and run it in the most stupid manner possible. The world would be a better place without all those insecure PHP code snippets littering the blogosphere.
>
> Just for fun, here's a one-liner (in bash) that improves upon the code I posted above:
>
> grep -li "htaccess" $(grep -li "unlink" $(grep -lir "fwrite" *))
>
> Just go to /var/www and run it in a bash shell!

Thanks for the shell command! I will post that to the site instead. I appreciate your help and concerns!
