Forum Moderators: coopster


inserting php trojans using JPEG in site

         

NeilsPHP

3:00 pm on Oct 29, 2008 (gmt 0)

10+ Year Member



I noticed on one of my sites, I let the public upload pictures, which will go to a folder in the public directory along with all other pics that will be used to display them on different pages as needed. I found 2 files with extension php among those pics, and when I tried to back up that folder, my local PC rejected copying those two files and displayed a message that it's a trojan virus (and that's how I came to know).
I have put in place in my script a filter that will allow only JPEG, JPG kinds of picture files and reject everything else. Can somebody help me figure out how PHP files were able to be uploaded?
Luckily, so far no damage has been done (or maybe I cannot see it) and everything is working how it's supposed to work, but I wanted to stop it from happening, if somebody is trying to upload files that may fool the script as being JPEG files but will establish themselves later (don't know how).
Any help would be appreciated.

jatar_k

6:14 pm on Oct 29, 2008 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



What checks does your upload script do?

NeilsPHP

6:30 pm on Oct 29, 2008 (gmt 0)

10+ Year Member



It will first check extension using this function:

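function getExtension($str)
{
    // Return the text after the last dot in the file name
    // ("" when there is no dot or the dot is the first character)
    $i = strrpos($str, ".");
    if (!$i) { return ""; }
    $l = strlen($str) - $i;
    $ext = substr($str, $i + 1, $l);
    return $ext;
}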

Then the following code:

$tmpName = $_FILES['userfile1']['tmp_name'];

if (file_exists($tmpName))
{
    if (is_uploaded_file($_FILES['userfile1']['tmp_name']))
    {
        $fileName1 = basename($_FILES['userfile1']['name']);
        $ext = getExtension($fileName1);

        // No braces follow this if, so as posted it governs only the next statement
        if ((in_array($ext, $valid_extensions)) && ($_FILES["userfile1"]["size"] < 2000000))
            $tmpName = $_FILES['userfile1']['tmp_name'];
        $fileSize1 = $_FILES['userfile1']['size'];
        $fileType = $_FILES['userfile1']['type'];
        // (excerpt ends here; the sanitizing, renaming and saving described below follow)
    }
}

After this I will sanitize the data using:

$data = trim($data);
$data = stripslashes($data);
$data = strip_tags($data);
$data = rtrim($data);
$data = ltrim($data);
$data = htmlspecialchars($data);
$data = mysql_real_escape_string($data);

Then I will change the name of the original file, attach the extension $ext that I stripped above, and save this file under the new name at a location in a folder in public_html.

The interesting part is, when I tried to open the file, it will open as a JPG file and a picture will display, but when I look through the folder, it will show as a php extension file.

NeilsPHP

6:36 pm on Oct 29, 2008 (gmt 0)

10+ Year Member



I forgot:

$valid_extensions = array("jpg", "jpeg","pjpeg","PJPEG", "JPG", "JPEG", "gif", "GIF", "png", "PNG");

NeilsPHP

12:29 am on Oct 30, 2008 (gmt 0)

10+ Year Member



Other info: I found a zip file hiding in another folder (tmp) that was created. It seems like it's a folder with a bunch of pictures, buttons, php files, css files, javascripts etc. that can be used to log on to a bank website (it is some bank 'lloydsstb' in Scotland, UK). I cannot figure out what is going on. Is somebody trying to attack using my webserver?

jatar_k

4:02 pm on Oct 30, 2008 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



Have you spoken to your host?

NeilsPHP

6:18 pm on Nov 3, 2008 (gmt 0)

10+ Year Member



Yes, no help from them. All they said is they will help delete it. Fortunately no harm so far. I have to keep my public_html permission 0777 due to a thumbnail-creating script, which I have changed now. Any ideas on that?

jatar_k

3:59 pm on Nov 4, 2008 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



Well, you could upload to a dir above the root; this would allow you to set 777 permissions on a folder that is not viewable.

If you recreate the image it should remove the issue.

You need to do some better checks, maybe this will help:
[webmasterworld.com...]
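
As an added example (not part of any post in this thread, and not the poster's script), here is one way to apply the advice in the last reply: decide the file type from the content, recreate the image with GD, and save it under a server-generated name in a directory outside the web root. The function names, the `MAX_BYTES` constant and the demo file names are assumptions made for illustration; the GD extension must be installed.

```php
<?php
// Added example; helper names are hypothetical. Requires the GD extension.
const MAX_BYTES = 2000000; // same size limit as the posted script

// Decode the file as an image and write a fresh copy under a server-chosen
// name. Returns the new path, or null when the content is not a usable image.
function reencode_image(string $srcPath, string $destDir): ?string
{
    if (!is_file($srcPath) || filesize($srcPath) >= MAX_BYTES) {
        return null;
    }
    $codecs = [
        IMAGETYPE_JPEG => ['imagecreatefromjpeg', 'imagejpeg', 'jpg'],
        IMAGETYPE_PNG  => ['imagecreatefrompng',  'imagepng',  'png'],
        IMAGETYPE_GIF  => ['imagecreatefromgif',  'imagegif',  'gif'],
    ];
    $info = @getimagesize($srcPath); // type comes from the bytes, not the name
    if ($info === false || !isset($codecs[$info[2]])) {
        return null;
    }
    [$load, $save, $ext] = $codecs[$info[2]];
    $img = @$load($srcPath); // full decode; fails on data that is not an image
    if ($img === false) {
        return null;
    }
    // Name and extension are chosen here, never taken from $_FILES[...]['name'].
    $dest = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    return $save($img, $dest) ? $dest : null; // writes only re-encoded pixels
}

// Upload entry point. $destDir should be outside the web root.
function store_upload(string $field, string $destDir): ?string
{
    $f = $_FILES[$field] ?? null;
    if ($f === null || $f['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($f['tmp_name'])) {
        return null;
    }
    return reencode_image($f['tmp_name'], $destDir);
}

// Constructed demo inputs for a CLI run: text named like a picture, and a real PNG.
$dir = sys_get_temp_dir();
file_put_contents("$dir/fake.jpg", "this is not image data");
imagepng(imagecreatetruecolor(8, 8), "$dir/real.png");
var_dump(reencode_image("$dir/fake.jpg", $dir));
var_dump(reencode_image("$dir/real.png", $dir));
```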