CodeCharge Studio


YesSoftware Forums -> CodeCharge Studio -> PHP

 Potential Security Issue With CodeCharge File Uploads


Author Message
bannedone


Posts: 273
Posted: 11/09/2012, 10:51 PM

Hi Group

The other day one of my sites was attacked / hacked by some jerks in Yemen.

What they did was upload malicious php code on this site with php scripts disguised as JPG images.

These files were the r57shell and the WOS 2.4 (along with many others). These malicious scripts were disguised as JPG images just by adding
the JPG extension to them. By doing this they were able to upload them with my CCS FileUpload control, as this particular control allowed the upload of JPG images.

The bad news is if you call them in a URL even with the JPG extension they still run as PHP scripts thus getting control of your server.

So here are a few things you should do.

1. Set up open_basedir to just the site's location only. This prevents the culprits from being able to hack your entire server.

2. Install this code in your file upload control AfterProcessFile event as Custom Code.

  
$image = $Container->Your_Upload_Control_Name->GetValue();  
$db = new clsDBConnection1();   // Your Database Connection Name  
$uploadDir = "uploads/";        // Set this to your target upload directory  
$path = $uploadDir . $image;  
  
// Read the whole uploaded file. file_get_contents() replaces the fopen/fread pair,  
// which fails on an empty file because fread() rejects a length of 0.  
$fileContents = ($image != "" && is_file($path)) ? file_get_contents($path) : "";  
  
// Signature check: a PHP open tag or a call to eval() has no business inside an image  
if ($fileContents !== "" && (stristr($fileContents, "<?php") || stristr($fileContents, "eval"))) {  
    $Component->Errors->addError("<font color='#FF0000'><b>Uploaded File " . CCGetOriginalFileName($image) . " Contains Potentially Malicious Code! FILE DELETED!</b></font>");  
    $Container->Your_Upload_Control_Name->SetValue("");  
    unlink($path);  
    // Clear the stored file name so the record no longer points at the deleted file  
    $SQL = "UPDATE your_table_where_image_name_is SET Your_Image_Field='' WHERE Your_Image_Field=" . $db->ToSQL($image, ccsText);  
    $db->query($SQL);  
}  

I have tested this with all the flavors of the hacking code uploaded to this site. (They actually uploaded about 1/2 dozen malicious scripts). It seems to catch all of them.

Doing this might help save you some pain!!

I Live and learn every day.

Having Fun
8-)

BTW. To ensure I got rid of any damage they might have done with the hacking code,
I completely scrubbed the domain and am rebuilding it in CCS5 using my new CMS System.

You can keep track of it here: http://realtest.biz LOL
_________________
John Real
CodeCharge Studio Support, Training, Consulting, Development, Web based solutions
http://realsites.biz
http://ccselite.com
Other Banned IDs on this Forum. jjrjr1, jjrjr2
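The post's check only looks for the strings "<?php" and "eval". As an added example (not CodeCharge Studio's own code and not the poster's), the block below layers the checks a practitioner would want on an image upload: a single-extension allow-list (so a name like "shell.php.jpg" is refused), a magic-byte MIME sniff with fileinfo, a decode check, a tag scan that does not trip on the "<?xpacket" XMP header found in many legitimate JPEGs, and finally a GD re-encode that keeps only pixel data. It assumes the fileinfo and GD extensions are loaded, and reuses the post's placeholder control name and upload directory; the last lines are meant for the same AfterProcessFile event.

```php
<?php
// Added example, not CodeCharge Studio code. Assumes the fileinfo and GD extensions.
// $Container, $Component and Your_Upload_Control_Name are the post's CCS placeholders.

function checkUploadedImage(string $path): array
{
    // Expected magic-byte MIME type for each permitted extension
    $allowed = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                'png' => 'image/png', 'gif' => 'image/gif'];

    // 1. Only the final extension counts, and the base name may not carry another one:
    //    "shell.php.jpg" is still handed to PHP by an Apache AddHandler rule for ".php".
    $ext  = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    $base = pathinfo($path, PATHINFO_FILENAME);
    if (!isset($allowed[$ext]) || strpos($base, '.') !== false) {
        return [false, "file name not allowed"];
    }

    // 2. Sniff the bytes; never trust the client's Content-Type or the extension
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    if ($mime !== $allowed[$ext]) {
        return [false, "content is $mime, expected {$allowed[$ext]}"];
    }

    // 3. The header must parse as an image. getimagesize() reads only the header, so a
    //    script with a JPEG header pasted in front passes here; the re-encode below is
    //    what actually removes such a payload.
    if (@getimagesize($path) === false) {
        return [false, "no valid image header"];
    }

    // 4. Look for a PHP open tag anywhere in the file. Bare "<?" is too loose because
    //    XMP metadata in real JPEGs begins with "<?xpacket", so require "<?php", "<?="
    //    or "<?" followed by whitespace.
    $data = file_get_contents($path);
    if ($data === false || preg_match('/<\?(php\b|=|\s)/i', $data)) {
        return [false, "PHP open tag inside image data"];
    }
    return [true, "ok"];
}

// Re-draw the picture through GD into a fresh file: only pixel data survives, so
// EXIF/comment segments or trailing bytes carrying a script are dropped.
function reencodeImage(string $src, string $dst): bool
{
    $info = @getimagesize($src);
    if ($info === false) {
        return false;
    }
    switch ($info[2]) {
        case IMAGETYPE_JPEG:
            $im = @imagecreatefromjpeg($src);
            return $im !== false && imagejpeg($im, $dst, 90);
        case IMAGETYPE_PNG:
            $im = @imagecreatefrompng($src);
            return $im !== false && imagepng($im, $dst);
        case IMAGETYPE_GIF:
            $im = @imagecreatefromgif($src);
            return $im !== false && imagegif($im, $dst);
        default:
            return false;
    }
}

// In the CCS AfterProcessFile event, with the post's placeholder names:
$uploadDir = "uploads/";
$image     = $Container->Your_Upload_Control_Name->GetValue();
$path      = $uploadDir . $image;

list($ok, $why) = checkUploadedImage($path);
// Replace the upload with its re-encoded copy; a failed re-encode is treated as hostile
if ($ok && !(reencodeImage($path, $path . ".tmp") && rename($path . ".tmp", $path))) {
    $ok  = false;
    $why = "image could not be re-encoded";
}
if (!$ok) {
    @unlink($path);
    @unlink($path . ".tmp");
    $Container->Your_Upload_Control_Name->SetValue("");
    $Component->Errors->addError("Upload rejected: " . htmlspecialchars($why));
}
```

Each check closes a different hole, which is why none of them is enough alone: the allow-list stops double extensions, the sniff stops a renamed script, the re-encode strips payloads hidden in metadata. Re-encoding is still not absolute (payloads crafted to survive GD's pixel output exist), so the web server must also be configured never to execute anything from the upload directory.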
Lucius

Posts: 220
Posted: 11/10/2012, 1:32 AM

Ouch, this is bad.

I hope you send it also to support, it should be secured in the designer.

A PHP script may also start with the short version of the PHP tag "<?" instead of "<?php", so this also should be protected against.
bannedone


Posts: 273
Posted: 11/10/2012, 1:44 AM

Lucius

I am aware of this. But in my testing I found that scanning for just the "<?" would be found in legitimate image files.
That is why I also scanned for "eval", a common signature for these type of exploits.

In the bad code uploaded as images to my site, this was the best so-called "Virus Database" I could develop at this time.

I do know this stops r57shell and WOS 2.4, which are insidious...
(Several of the files uploaded to my site, in fact, only had "<?" as the start tag)

Another possibility to solve the <? short tag issue would be to set the php.ini setting short_open_tag=Off.

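The two settings raised in the thread (open_basedir and short_open_tag) limit what an executed script can do; neither stops the upload directory from being executed in the first place, which is the root of the incident. The configuration below is an added example, not from the post or from YesSoftware, that combines both settings with a per-directory rule that removes the execution path. It assumes Apache httpd 2.4 with mod_php, a document root of /var/www/site and uploads under /var/www/site/uploads (all assumed paths); with php-fpm the php_admin_flag line is ignored and the FilesMatch deny has to be placed so that it wins over the vhost's proxy handler.

```apache
# Added example, not from the post. Assumed paths: /var/www/site, /var/www/site/uploads.

# php.ini (or php_admin_value in the vhost), as suggested in the thread:
#   open_basedir   = /var/www/site/:/tmp/
#   short_open_tag = Off    ; "<?" is no longer an open tag; "<?=" always is on PHP >= 5.4

<Directory "/var/www/site/uploads">
    # mod_php: never run the interpreter on anything in here, whatever the file is named
    php_admin_flag engine off

    # Serve every file as a plain static file, overriding any AddHandler for .php
    SetHandler default-handler

    # Refuse to serve names that contain a PHP extension anywhere, e.g. shell.php.jpg
    <FilesMatch "\.(php|phtml|phar|php[0-9])(\.|$)">
        Require all denied
    </FilesMatch>

    # No CGI or server-side includes from this directory either
    Options -ExecCGI -Includes

    # mod_headers: stop browsers from sniffing a different type out of the bytes
    Header set X-Content-Type-Options "nosniff"
</Directory>
```

After applying it, the check is to request an uploaded file that contains PHP code and confirm the server returns the raw bytes (or a 403 for a double-extension name) rather than the script's output.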
MichaelMcDonald

Posts: 640
Posted: 12/24/2012, 3:48 AM

mmm... fopen stops a file with <?php, but what if the string contains another language, for example a script which CHMODs the server and overwrites index.php with a POST that sends a SELECT to retrieve user table contents and streams the results into a string which is then emailed to hacker@crazymuthereffers.com?

Just asking....

8-)
_________________
Central Coast, NSW, Australia.

bannedone


Posts: 273
Posted: 12/24/2012, 11:31 AM

I do not think your scenario is possible.

The uploaded faked image must be a PHP file since it is accessed by an http request to the server.

Do not think you can execute a script through an http request.

I have no clue how to implement something like this for ASP or any other besides PHP.

fopen will open files with <?php in it.

The code above does catch all the exploits I have come across. If you know of any others, let me know and I will check it out.

Have fun
8-)

