security compromised

Hi newsgroup,

it appears someone has broken into my site. This morning I found about 20
files (each called index.htm) suddenly featured this line:

<IFRAME SRC="url-of-bad-site" WIDTH=1 HEIGHT=1></IFRAME>

and their last modified date was set to today between midnight and 1 GMT. In
some files, this line was placed directly after the body opening tag, in
others it was just before </body>. In one file where the whole document is
written in javascript, they had even escaped their quotes!

The malicious url is www.b00gle.com/fa/?d=get
I have no access to the raw server logs and my own log script shows no
strange hits around that time.
How have they done this? And what can I do about it? I ask here because the
site uses PHP a lot but I guess there are more appropriate places to ask.
Thanks
Ivo

> How have they done this? And what can I do about it? I ask here because
the
> site uses PHP a lot but I guess there are more appropriate places to ask.
> Thanks
>

there is no way of telling if you do not provide more details. 1 thing tho
have you tried looking at the raw log files for that time period. It most
likely give you a clue.

On Fri, 4 Jun 2004 15:29:08 +0200, "Ivo" <no@thank.you> wrote:

>Hi newsgroup,
>
>it appears someone has broken into my site. This morning I found about 20
>files (each called index.htm) suddenly featured this line:
>
><IFRAME SRC="url-of-bad-site" WIDTH=1 HEIGHT=1></IFRAME>
>
>and their last modified date was set to today between midnight and 1 GMT. In
>some files, this line was placed directly after the body opening tag, in
>others it was just before </body>. In one file where the whole document is
>written in javascript, they had even escaped their quotes!
>
>The malicious url is www.b00gle.com/fa/?d=get

That document itself contains an Iframe whose document caused my
browser to start downloading stuff from a porn site. Luckily I spotted
its dodgy url before any images appeared!

I think someone was trying to hijack hits to your site for themselves!

>I have no access to the raw server logs and my own log script shows no
>strange hits around that time.

If you are on a shared server, contact the webmaster - other people on
the same server could also have been compromised.

--
David ( @priz.co.uk )

"David Mackenzie" wrote
> "Ivo" wrote:
> >it appears someone has broken into my site. This morning I found about 20
> >files (each called index.htm) suddenly featured this line:
> >
> ><IFRAME SRC="url-of-bad-site" WIDTH=1 HEIGHT=1></IFRAME>
> >
> I think someone was trying to hijack hits to your site for themselves!

Sounds plausible.

> >I have no access to the raw server logs and my own log script shows no
> >strange hits around that time.
>
> If you are on a shared server, contact the webmaster - other people on
> the same server could also have been compromised.

That is a very good idea.

I have a PHP script which allows me to do everything without FTP, and live
in constant fear someone might find the password. The freakin' pimps have
been writing to my admin/index.htm file!
What more info would a newsgroup need to help identify the leak? The server
runs PHP/4.3.1 on Apache/1.3.27 (Unix).
Thanks
Ivo

"Ivo" <no@thank.you> wrote in message
news:40c07b6d$0$842$a344fe98@news.wanadoo.nl...
> Hi newsgroup,
>
> it appears someone has broken into my site. This morning I found about 20
> files (each called index.htm) suddenly featured this line:
>
> <IFRAME SRC="url-of-bad-site" WIDTH=1 HEIGHT=1></IFRAME>
>
> and their last modified date was set to today between midnight and 1 GMT.
In
> some files, this line was placed directly after the body opening tag, in
> others it was just before </body>. In one file where the whole document is
> written in javascript, they had even escaped their quotes!
>
> The malicious url is www.b00gle.com/fa/?d=get
> I have no access to the raw server logs and my own log script shows no
> strange hits around that time.
> How have they done this? And what can I do about it? I ask here because
the
> site uses PHP a lot but I guess there are more appropriate places to ask.
> Thanks
> Ivo
>
>
did a quick google. you are not the only victim...
Here is tiny url link to google results
http://tinyurl.com/39st6

"PhilM" wrote
> "Ivo" wrote
> > it appears someone has broken into my site. This morning I found about
20
> > files (each called index.htm) suddenly featured this line:
> >
> > <IFRAME SRC="url-of-bad-site" WIDTH=1 HEIGHT=1></IFRAME>
< snip >
> did a quick google. you are not the only victim...
> Here is tiny url link to google results
> http://tinyurl.com/39st6
>

My host has taken steps and reconfigured the server. The network status
page,
<URL: http://freeola.info/networkstatus.php > sais:
"An investigation has exposed a software vulnerability which, in certain
circumstances, may allow a malicious user to insert HTML code into other
users web files. Some customers have reported that their web site now
appears to launch extra windows and software installers."

As far as PHP is concerned, some functions are no longer possible,
particularly those that call remote content.
copy(remote file, local file);
now results in 'file does not exist' where it copied just fine last week.
Strange thing is, the 'allow_url_fopen' directive is still 'On' according to
phpinfo. I think I have just traded some freedom for some security.
Ivo

"Ivo" <no@thank.you> wrote in message
news:40c3cb4e$0$1736$abc4f4c3@news.wanadoo.nl...
> "PhilM" wrote
> > "Ivo" wrote
> > > it appears someone has broken into my site. This morning I found about
> 20
> > > files (each called index.htm) suddenly featured this line:
> > >
> > > <IFRAME SRC="url-of-bad-site" WIDTH=1 HEIGHT=1></IFRAME>
> < snip >
> > did a quick google. you are not the only victim...
> > Here is tiny url link to google results
> > http://tinyurl.com/39st6
> >
>
> My host has taken steps and reconfigured the server. The network status
> page,
> <URL: http://freeola.info/networkstatus.php > sais:
> "An investigation has exposed a software vulnerability which, in certain
> circumstances, may allow a malicious user to insert HTML code into other
> users web files. Some customers have reported that their web site now
> appears to launch extra windows and software installers."
>
> As far as PHP is concerned, some functions are no longer possible,
> particularly those that call remote content.
> copy(remote file, local file);
> now results in 'file does not exist' where it copied just fine last week.
> Strange thing is, the 'allow_url_fopen' directive is still 'On' according
to
> phpinfo. I think I have just traded some freedom for some security.
> Ivo
>
I had something similar to this happen to me on a hosted site last year. My
root directory and all subdirectories had a "bad" index.php written in them.
The server administrator said it was an old, unpatched exploit on apache (I
don't know if this was the case or not). Nothing else appeared to have been
disturbed.

Ivo wrote:
>
> I have a PHP script which allows me to do everything without FTP, and
> live in constant fear someone might find the password. The freakin'
> pimps have been writing to my admin/index.htm file!

Ivo,

Given that such a script exists, and is only protected by a simple password,
and you don't have access to the logs to determine what the method of
intrusion is, I'd say you have answered your own question. I couldn't be
sure, but if your PHP scripts allow some sort of PHP code injection, or your
admin script is found, it would be trivial for someone to write to the
filesystem.

Rather than asking for speculation as to the cause of this, you should
probabely practise a little better security policy.

Get access to the logs. Get rid of this script and use FTP/SFTP for file
transfer. Spend some time reading up on writing secure code.


Nathan