7

A website of mine was recently hacked. Although the actual website remains unchanged, they were somehow able to use the domain to create a link that redirected to an eBay phishing scam.

I've taken the website down, for obvious reasons, so I can't link to the code. I'm wondering how I can go about finding out what vulnerability they used so that I can avoid this problem in the future. The page used PHP, and also some JavaScript (for form validation).

Is there a free service that will scan my code for vulnerabilities? What are my other options?

If anyone's willing to take the time to look it over, I will gladly .zip up the code and host it somewhere...

Thanks, Jeff

Jeff
  • 943
  • 1
  • 6
  • 9
  • 3
    If I'm reading your question correctly, it sounds like you left your domain unlocked and they transferred it. – Matthew Read Jan 19 '11 at 05:24
  • 2
    I suggest re-titling the question, as this has nothing to do with ebay. Perhaps a title like "How can I secure my PHP website?". – D.W. Jan 19 '11 at 07:11
  • 1
    This question is also on the main [StackOverflow](http://stackoverflow.com/questions/4731856/ebay-hack-vulnerability) site. – Jonathan Leffler Jan 19 '11 at 09:11
  • @DW good point, I've changed it. – Jeff Jan 19 '11 at 17:38
  • The code of the website is at http://dl.dropbox.com/u/2470468/captcha.zip , the SO listing has some possibly useful information, thanks all! – Jeff Jan 19 '11 at 17:39
  • Detailed comment in answers below (couldn't fit here). Thanks all, I'll consider the issue closed unless anyone has any new information. – Jeff Jan 20 '11 at 16:22

8 Answers

8

Free doesn't go far, but you can try running the following yourself:

The black box scanners listed above would likely catch the more obvious vulnerabilities (especially if you manually "crawl" your app to ensure the scanners test everything - each tool supports manual crawls, for example, https://netsparker.zendesk.com/entries/351851-manual-crawl-proxy-mode)

Also, you need to do validation on the client AND server:

OWASP: "Performing validation in client side code, generally JavaScript, provides no protection for server-side code. An attacker can simply disable JavaScript, use telnet, or use a security testing proxy such as WebScarab to bypass the client side validation."

Tate Hansen
  • 13,714
  • 3
  • 40
  • 83
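The point in the OWASP quote above is that the browser-side JavaScript validation Jeff mentions can simply be skipped. The following is an added example, not code from the answer or from the site in question: a PHP form handler that re-checks every field on the server, so a hand-crafted POST that never ran the JavaScript is rejected anyway. The field names (name, email, age, message) and the limits are assumptions chosen for the illustration.

```php
<?php
// Added example (not from the original answer): server-side re-validation of
// a form whose fields are also checked by JavaScript in the browser. The field
// names and limits below are assumptions for the demonstration.

declare(strict_types=1);

/**
 * Validate one submission. Returns an array of error messages; empty means OK.
 * Everything is checked here regardless of what client-side JS did, because an
 * attacker can POST directly (curl, a proxy, telnet) and never execute that JS.
 */
function validate_contact(array $post): array
{
    $errors = [];

    $name = trim((string)($post['name'] ?? ''));
    if ($name === '' || strlen($name) > 100) {
        $errors[] = 'name must be 1-100 characters';
    }

    $email = trim((string)($post['email'] ?? ''));
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not a valid address';
    }

    // filter_var with an explicit range rejects "25abc", "-1", "9999", and also
    // arrays (age[]=1), which PHP would otherwise happily hand to the script.
    $age = filter_var($post['age'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 120]]);
    if ($age === false) {
        $errors[] = 'age must be an integer between 1 and 120';
    }

    $message = (string)($post['message'] ?? '');
    if (strlen($message) > 2000 || preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', $message)) {
        $errors[] = 'message too long or contains control characters';
    }

    return $errors;
}

// A submission the browser-side JS would have let through (constructed sample).
$good = ['name' => 'Jeff', 'email' => 'jeff@example.com', 'age' => '34', 'message' => 'Hello'];

// A hand-crafted POST that skipped the JavaScript entirely (constructed sample).
$forged = [
    'name'    => str_repeat('A', 500),
    'email'   => 'not-an-email',
    'age'     => ['1'],
    'message' => "x\x00y",
];

print_r(validate_contact($good));
print_r(validate_contact($forged));

// Whatever passes validation must still be encoded when echoed back into HTML:
//   echo htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
```

Validation decides what is accepted; it does not replace output encoding (htmlspecialchars when rendering) or parameterised queries when the data reaches a database. The JavaScript stays useful for user feedback, but nothing it does counts as a security control.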
7

Firstly, you have what looks like PHP Shells at img/51.php and img/74.php which may have been the source(s) of your problem. These are generally uploaded by someone who has compromised a site in order to easily execute operating system commands and/or interrogate the database.

If that is the case, you may be looking at an issue with an insecure version of your control panel/management software (or an insecure password) or some other problem at the web server level as opposed to an issue in the application itself (note, I haven't had a look at the source in any detail).

Justin Clarke
  • 453
  • 2
  • 5
  • 1
    Thanks, I hadn't noticed these two files. However, there's another one called new.php in the data folder. I'm curious as to how they got there, though. The server can only be accessed from behind a VPN anyway, so I'm hesitant to believe that my password was compromised. – Jeff Jan 19 '11 at 20:00
  • 2
    There's another suspicious looking file in the funcs directory, func.php. The start of it is "Web Shell by oRB", so I'd guess that was part of the compromise as well... – Rory McCune Jan 19 '11 at 21:09
  • 2
    There are quite a few files (including some with dots in front of them so they may not show up in directory listings), which appear to be part of the phishing kit. I'm presuming the system is Internet facing? You may be better trying scanners like Skipfish/Netsparker etc to see what the original issue was - it may be something as simple as a PHP remote file include. – Justin Clarke Jan 19 '11 at 23:26
3

To me it sounds like you may be experiencing people using Open Redirects (OWASP) to send your users to malicious sites without them realizing it.

I would recommend trying to scan your application with:

I would not mind taking a look at your site as well. If you can, publish it and drop the link in the comments, or send an email to k4rrax[at]gmail[dot]com

EDIT: Tate's link to Netsparker also looks like a nice tool which could help your situation.

EDIT 2: If you are sending source-code, please remember to remove any sensitive information from it before you send.

Chris Dale
  • 16,119
  • 10
  • 56
  • 97
  • I've put a link to the code in the comments, also the SO version of this Q may have some useful info. Thanks so much! – Jeff Jan 19 '11 at 17:41
2

I had trouble installing skipfish, but NetSparker works great, thanks for the tip. However, no major security holes were found.

I've come to the conclusion that I most likely enabled the wrong permissions on the site dir in the first place (+w for others). It could be that simple, couldn't it?

I usually enable +w for the server, so that it can write data to a text file, but perhaps I was just careless when setting the flags. On the one hand, I hope this is not the case, as not only is it a stupid mistake, but I've probably wasted everyone's time. On the other hand, knowing this was the case would make me feel a lot better about deploying similar scripts in the future (as I usually re-use a lot of my code).

My one qualm is that Netsparker Community doesn't allow scanning of local files, so it doesn't look through the PHP code. But then again, an attacker wouldn't be able to see that code either...

If anyone came across any other security flaws in the code, I would be most grateful, but otherwise I'll consider the issue closed. Thanks all for being very helpful; at the very least, I've learned a few tips that will ensure my site's security in the future.

Thanks! Jeff

Jeff
  • 943
  • 1
  • 6
  • 9
  • 1
    if you have additional information, please edit the original question and add the information there. Answers should be used, well, to *answer* the question. – AviD Jan 23 '11 at 07:30
  • @AviD I tried putting it in the comments first, but it was too long. However, if you read my response, it _is_ an answer! – Jeff Jan 23 '11 at 21:10
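Justin Clarke's and Rory McCune's findings above (PHP files dropped into img/ and data/, a "Web Shell by oRB" header in funcs/func.php, dot-prefixed files that a plain directory listing hides) and Jeff's own suspicion about +w for others are all things that can be checked mechanically once the code is unzipped. The following PHP CLI script is an added example, not code from any answer on this page: it builds a throwaway directory tree that imitates that layout (constructed for the demonstration, not Jeff's real files) and then walks it reporting scripts in asset directories, hidden files, world-writable paths and a few web-shell markers. The marker list is a short illustrative one, not a complete indicator set.

```php
<?php
// Added example, not code from any answer above: a PHP CLI triage script for
// the artefacts the answers point at (scripts in asset/data directories,
// dot-prefixed files, paths writable by "others", web-shell markers). The
// sample tree is constructed for the demonstration; the marker list is a short
// illustrative one, not a complete indicator set.

declare(strict_types=1);

const ASSET_DIRS    = ['img', 'images', 'data', 'uploads', 'css', 'js'];
const SCRIPT_EXTS   = ['php', 'phtml', 'php3', 'php5', 'phar'];
const SHELL_MARKERS = ['Web Shell by', 'eval(base64_decode(', 'eval(gzinflate(',
                       'system($_', 'shell_exec($_', 'passthru($_', 'move_uploaded_file($_FILES'];

/** Walk $root and return sorted, human-readable findings. */
function scan_webroot(string $root): array
{
    $findings = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $path => $info) {
        $rel = str_replace(DIRECTORY_SEPARATOR, '/', substr($path, strlen($root) + 1));

        // Mode bit 0002: writable by "others". On a shared host that means any
        // local user, or any other compromised site, can drop files here.
        if (($info->getPerms() & 0002) !== 0) {
            $findings[] = "world-writable: $rel";
        }
        if ($info->isDir()) {
            continue;
        }
        $ext = strtolower($info->getExtension());
        $top = explode('/', $rel, 2)[0];
        if (in_array($ext, SCRIPT_EXTS, true) && in_array($top, ASSET_DIRS, true)) {
            $findings[] = "script in asset dir: $rel";
        }
        if ($info->getFilename()[0] === '.') {
            $findings[] = "hidden file: $rel";
        }
        // Only the first 64 KiB is read; shells tend to announce themselves near the top.
        $head = (string)file_get_contents($path, false, null, 0, 65536);
        foreach (SHELL_MARKERS as $marker) {
            if (strpos($head, $marker) !== false) {
                $findings[] = "shell marker \"$marker\": $rel";
                break;
            }
        }
    }
    sort($findings);
    return $findings;
}

/** Build a throwaway webroot resembling the compromised layout (constructed). */
function build_sample_tree(): string
{
    $root = sys_get_temp_dir() . '/triage-' . bin2hex(random_bytes(4));
    foreach (['img', 'funcs', 'data'] as $d) {
        mkdir("$root/$d", 0755, true);
    }
    file_put_contents("$root/index.php", "<?php echo 'hello'; ?>");
    file_put_contents("$root/img/logo.png", "\x89PNG\r\n\x1a\n");
    file_put_contents("$root/img/51.php", "<?php eval(base64_decode('Li4u')); ?>");
    file_put_contents("$root/funcs/func.php", "<?php /* Web Shell by oRB */ system(\$_GET['c']); ?>");
    file_put_contents("$root/data/.cache.php", "<?php passthru(\$_POST['cmd']); ?>");
    chmod("$root/data", 0777);   // the "+w for others" mistake
    return $root;
}

/** Remove the throwaway tree again. */
function remove_tree(string $root): void
{
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::CHILD_FIRST
    );
    foreach ($it as $path => $info) {
        $info->isDir() ? rmdir($path) : unlink($path);
    }
    rmdir($root);
}

$root = build_sample_tree();
foreach (scan_webroot($root) as $finding) {
    echo $finding, PHP_EOL;
}
remove_tree($root);
```

Run it as `php triage.php`; to use it on the real unzipped site, call scan_webroot() on that directory instead of build_sample_tree(). A hit on the marker list is a strong signal, but a clean run is not a clean bill of health: it only catches the obvious strings, and it says nothing about how the files got there. Comparing the tree against a known-good copy from version control or a backup, and checking the web server and FTP/SSH logs around each suspicious file's mtime, is what answers that.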
1

A website of mine was recently hacked

...

website remain unchanged

Hmmm, those seem to be contradictory - how do you know the website has not been compromised? And if the website wasn't compromised, what's the point in running a vulnerability scanner against it?

There are free scanners available - but they look for well known vulnerabilities or just do very basic fuzzing. There's an old list here but there's a huge gap between what these can detect and what a good investigator could find. You seem to be under the impression that there's some sort of magic fix out there.

You should be running a full OS check, looking for backdoors/rootkits - for preference reformat the disks and reinstall the OS and patches from scratch. And then carry out a proper security review of your site. As a minimum it's going to take someone who knows what they're doing at least 3 days to find any obvious problem. Even for a small site, a comprehensive security review could take months of FTE, even years.

they were somehow able to use the domain to create a link that re-directed to an ebay phishing scam

That doesn't really mean much. Do you mean they put a href link in your content pointing to the phishing site? That your DNS records were changed to point to the other site? That they added a meta redirect? A javascript redirect? Understanding what they changed is the first step to working out how they changed it.

symcbean
  • 18,278
  • 39
  • 73
1

If you want to start checking the vulnerabilities of your own website, and you have no idea what software best fits your needs, I think that some online services could help.

Generally they are not free services, but probably some of them offer a first scan for free.

I think that sites like http://www.websecurify.com/ with its plugin for the Chrome browser, http://www.gamasec.com/Gamascan.aspx or http://www.websafe.ie/ for example, can be useful to start.

Software that can help you manually check the security of your site directly from your PC includes, for example, Nessus, w3af, OWASP ZAP, etc. Some of these are listed at http://sectools.org/tag/web-scanners/ and some of them were listed by Karrax in his answer.

To start using some of these tools without the hassle of installing them, I suggest you download and boot security Linux distributions like http://www.backtrack-linux.org/ or http://spins.fedoraproject.org/security/

tombolinux
  • 222
  • 1
  • 8
0

Free? You're mostly out of luck. Most of the tools are commercial (for-pay) tools.

The best defense you can get, for free, is to learn a little bit about some of the most common attacks on web sites, so you can protect yourself. I suggest learning about:

D.W.
  • 98,420
  • 30
  • 267
  • 572
0

I have to echo karrax's comment but am not cool enough on this site to vote anything up. I doubt your site was "hacked" at all; this sounds more like an unvalidated redirect. Generally when your site performs a redirect, you know the valid destinations. Restrict your forwarding to these locations and then a spammer cannot use your site as an intermediary.

This is an incredibly common problem and just about any site that does redirects based on user-supplied data will be vulnerable. Common web scanners are only moderately good at catching this.

http://www.owasp.org/index.php/Top_10_2010-A10-Unvalidated_Redirects_and_Forwards

Generally, spammers use this to send users to malware sites.

oreoshake
  • 309
  • 1
  • 9
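To make the unvalidated-redirect scenario in the answer above concrete, here is an added example (not code from the answer, and not from Jeff's site): the PHP pattern that lets an attacker mint a link on a trusted domain that lands on a phishing page, beside a hardened version that only forwards to same-site paths or an explicit allowlist of hosts. The parameter name `next`, the hosts in the allowlist and the sample inputs are all assumptions for the demonstration.

```php
<?php
// Added example (not from the original answer): an open redirect beside a
// hardened replacement. Parameter name "next", the allowlist and the sample
// inputs below are assumptions for the illustration.

declare(strict_types=1);

// VULNERABLE: wherever ?next= points is where the user ends up, so
//   https://example.com/login.php?next=http://evil.example/ebay-signin
// looks like a link on the trusted domain but delivers the victim to the
// phishing page.
function redirect_target_unsafe(string $next): string
{
    return $next;
}

/**
 * HARDENED: return $next only if it is a same-site path or an https URL whose
 * host is on the allowlist; otherwise return $fallback.
 */
function redirect_target_safe(string $next, array $allowed_hosts, string $fallback = '/'): string
{
    // CR/LF or other control characters in a Location header mean header
    // injection, so reject them before anything else.
    if ($next === '' || preg_match('/[\x00-\x1F\x7F]/', $next)) {
        return $fallback;
    }
    $parts = parse_url($next);
    if ($parts === false) {
        return $fallback;
    }
    $scheme = isset($parts['scheme']) ? strtolower($parts['scheme']) : null;
    $host   = isset($parts['host']) ? strtolower($parts['host']) : null;

    // No scheme and no host: treat as a path on this site. It must start with
    // exactly one "/": "//evil.example" is a scheme-relative URL to another
    // host, and browsers treat "/\evil.example" the same way.
    if ($scheme === null && $host === null) {
        if ($next[0] === '/' && !preg_match('#^/[/\\\\]#', $next)) {
            return $next;
        }
        return $fallback;
    }

    // Absolute URL: https only, and the host must match an allowlist entry
    // exactly. parse_url separates "user@host", so "https://example.com@evil.example/"
    // yields host evil.example and is rejected; so is "example.com.evil.example".
    if ($scheme !== 'https' || $host === null || !in_array($host, $allowed_hosts, true)) {
        return $fallback;
    }
    return $next;
}

// In the real handler, after a successful login, it would be used as:
//   header('Location: ' . redirect_target_safe($_GET['next'] ?? '', $allow));
//   exit;

$allow = ['example.com', 'www.example.com'];
$samples = [
    '/account/settings',
    '//evil.example/ebay-signin',
    '/\\evil.example',
    'https://example.com/help',
    'https://example.com@evil.example/',
    'https://example.com.evil.example/',
    'http://example.com/help',
    'javascript:alert(1)',
    "https://example.com/\r\nSet-Cookie: x=y",
];
foreach ($samples as $s) {
    printf("%-42s unsafe=%-42s safe=%s\n",
        addcslashes($s, "\0..\37"),
        addcslashes(redirect_target_unsafe($s), "\0..\37"),
        redirect_target_safe($s, $allow));
}
```

If the site only ever needs to return users to one of its own pages, the simplest fix is stricter still: store the destination server-side (a session value or a numeric page id mapped to a path) and never accept a URL from the request at all.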