
So, I have a web site that has been compromised twice in two weeks. Every index.php and .js file gets a script injected into the source code of the file. The problem is that I have no idea how they're doing it. I've seen this done via SQL injection before, but I don't know how they are actually writing to the file. I've dug through the Apache logs but didn't find anything interesting. The site is built using the CakePHP framework on a GoDaddy shared server.

Anybody know what security settings or log files to check to see how they are doing this?

pinniger
  • On shared hosting the problem could also be on a different site of the same server. The whole server could be compromised. –  Jun 14 '10 at 12:26
  • how can a .js file "get" a script. Furthermore, how can whatever the .js file got inject into the source code of what. You need to rewrite the question... –  Jun 14 '10 at 14:43
  • @longpoke additional code was added to every .js file on the site. – pinniger Jun 14 '10 at 15:05
  • @pinnigger: Then they have access to the filesystem. Perhaps because there is a vulnerability in your php source, or they have compromised _your_ machine and keep getting your new passwords from that. Or perhaps because the GoDaddy server is insecure in which case there's nothing you can do to fix this. IIRC GoDaddy is retarded and lets other people with accounts access your web stuff if it's chmodded with public write access. – Longpoke Jun 14 '10 at 15:31

3 Answers


Based on the injected files, and it being hosted on GoDaddy, I would take a look at Sucuri.net's blog posts about the continuing infection of websites on GoDaddy's shared servers over the past month.

I would start here: http://blog.sucuri.net/tag/godaddy

-Josh

Josh Brower

This is not SQL injection. This is a worm, and getting this level of access with a worm on a custom site isn't realistic. I know this because I write exploits that worms use to spread, and I'm telling you it's definitely not SQL injection under MySQL (MS-SQL is a different story, the attacker has xp_cmdshell()).

Nevertheless you should scan your site for vulnerabilities using both w3af (free) and Wapiti (free), or Acunetix ($), or the best tool NTOSpider ($$$).

First of all I would make sure all of your libraries are up to date. Any machines with FTP access must be scanned with an anti-virus. I know GoDaddy only has FTP access, because they obviously don't care about security. There are worms that sniff for FTP logins and then infect the site; these are very successful worms because of idiots like GoDaddy. If you don't want to spring for the cash, running AVG on your local system is better than nothing.

Usually when you are infected Google will throw a browser warning and they will tell you the name of the worm. If you search for the name, often someone has done an analysis and that will tell you how it is spreading.

Rook
  • antivirus?? please. –  Jun 14 '10 at 14:41
  • @Longpoke yeah if his local machine has a virus that is sniffing for FTP, then yeah he needs an anti-virus. I have personally cleaned up sites that were affected by this. – Rook Jun 14 '10 at 14:42
  • I don't think it's SQL injection either, my db is clean. Anyway, the URL the script is requesting a file from is "http://kollinsoy.skyefenton.com:8080/XML.js" (don't go there). Is a sniffer the only way to get the FTP password? I've run McAfee and Malwarebytes, but they came up empty. – pinniger Jun 14 '10 at 15:12
  • 1. Any two-bit programmer can write malicious code that won't be detected by antivirus (**ESPECIALLY** for web languages, which AV is typically weaker in). 2. How do you know this is a worm... 3. The entry point of the attacker very well could have been SQL injection; there is no way for **you** to know. For instance, the attacker could have obtained the database and the admin had the same password in the db as the web host, or the SQL server could have been on the same host, and he used `load_file()` (I'm assuming this is MySQL here) to read some configs and win. – Longpoke Jun 14 '10 at 15:22
  • 4. No, Google browser won't magically know you are infected and tell you (only if you're lucky). – Longpoke Jun 14 '10 at 15:24
  • @pinniger Change your FTP password anyway, make sure only machines with AVs have it. Someone at an internet cafe could also jack your password. Another option is to look for files like FCKeditor or old versions of php-mailer; they were really common worms. You could try removing the write bit from all files (chmod 500 is usually best). However, this just addresses the symptom of the problem. – Rook Jun 14 '10 at 15:25
  • @Longpoke Yes Chrome and Firefox will throw a Google warning of an infected site; if you click on more info it will most often tell you the name of the worm. I've done this, you can't tell me otherwise. – Rook Jun 14 '10 at 15:26
  • @Longpoke Yes load_file() does work, but `into outfile "/var/www/backdoor.php"` is more easily automatable. Ubuntu is good about stopping these attacks, although I think GoDaddy uses Windows. It is a worm; no hacker is going to burn an afternoon breaking some random ass site, he is going to break into tens/hundreds of thousands of sites using an automated agent (worm). – Rook Jun 14 '10 at 15:29
  • @The Rook: Can you give me FTP access to your site and not look at what I change and expect antivirus or your browser to report it? Ubuntu can stop attacks? **how**? I never knew my O/S will stop people from injecting evil code into my PHP `eval()`s or MySQL query strings... Even if "it" is a worm, it could be exploiting a remote code execution vulnerability (or just logging into webpanel/FTP etc...) and then modifying the source, in which case you won't detect the worm; at best you'd only detect the modified source, and restore it to its previous vulnerable state. – Longpoke Jun 14 '10 at 15:35
  • I'm sorry, this is just a horrible answer, it makes me laugh that it's upvoted, more people will believe this and make my job easier I guess... – Longpoke Jun 14 '10 at 15:36
  • @Longpoke I am happy to discuss exploit development, however I do not appreciate these comments when you do not have a better answer. – Rook Jun 14 '10 at 15:47
  • @Longpoke Ubuntu's AppArmor rule sets jail MySQL from writing to the web root. SELinux under RHEL/Fedora does something very similar. I am actually working with Ubuntu to fix an AppArmor bypass issue that I have discovered. The worm *could* be doing a vulnerability scan and exploiting common RCE issues (RFI/eval()/file_put_contents()), and this is more likely than SQL injection, and I recommend running a vuln scan (w3af is pretty sick). Although I suspect these criminals are more simplistic. – Rook Jun 14 '10 at 15:52
  • @Longpoke If you look at the exploitation methods discussed in these 2 papers I think you'll agree that it would be difficult to pull this off in some kind of super worm that's able to break *any* vulnerable site. http://www.ngssoftware.com/papers/HackproofingMYSQL.pdf http://www.securereality.com.au/studyinscarlet.txt – Rook Jun 14 '10 at 15:54
  • @The Rook: Do you ever talk about anything other than Security Theater? Try coding something that's actually secure for once instead of patching it up with bandaids you found in the toilet. I already know of Mandatory Access Control and it won't really help you in this case... nor will ASLR/SSP and alike, nor will stopping MySQL from accessing the filesystem, because it still has access to the password database, unless that's on a separate privilege domain than the normal query that is exploited, but it doesn't really matter since the password query is probably vulnerable as well. – Longpoke Jun 14 '10 at 16:46
  • @The Rook: I don't care if a worm can break the site, I care if my site is secure. Even if there is a worm attacking OP's site, he should still be making the site actually secure, not just deflecting the worm........ – Longpoke Jun 14 '10 at 16:48
  • @Longpoke (AppArmor<=SELinux && ASLR/SSP!=AppArmor) – Rook Jun 14 '10 at 17:34
  • @The Rook: what's your point? I mentioned ASLR and stack smash protector since you were talking about Ubuntu (and you seem to like bandaids so much) – Longpoke Jun 14 '10 at 18:26
  • @Longpoke: If you look down your nose anymore, you're going to be looking at the back of your head. This site is for HELPING people. Please be respectful and courteous and use some of your security knowledge to answer questions instead of telling people who have the stones to answer, how wrong they are. – Scott Lundberg Jun 14 '10 at 18:58
  • @Longpoke AppArmor and SELinux are more like a chroot than a canary; it's another layer of access control that is per-process instead of per user/group. And btw I just got accepted to speak at Defcon and I'll be talking about the AppArmor bypass that I used in my exploit :) – Rook Jun 14 '10 at 19:44
  • @The Rook: I don't care about the security game. I care about _real_ security. And yes, I know what AppArmor and SELinux are, as you can read above. All you do is hijack posts with answers that have nothing to do with the question and brag about your security candy stuff. It does not help anyone, as they don't know better to not trust you. – Longpoke Jun 14 '10 at 21:34
  • @Longpoke The Register called this exploit an Apocalyptic Infection (http://www.theregister.co.uk/2010/05/11/phpnuke_infection_purged/). That's a great compliment for any security researcher but I prefer the title "masSEXploitation". I guess the Russian mob likes candy :) – Rook Jun 14 '10 at 22:57

Change the credentials for your database and FTP logins, and update the security salt etc. in your app/config/core.php.

Although, as Fabian said, if you are on a shared server you are at the mercy of everyone else's code also. Do as much as you can and let GoDaddy know about it also.

You might also code a helper which specifically looks for this code and strips it from your files when they are executed.

David Yell
  • I don't think this will help. – Rook Jun 14 '10 at 14:40
  • "if you are on a shared server you are at the mercy of everyone elses code also" No, that's not true for any _sane_ shared hoster, you shouldn't be able to access other people's sites on it. If this is the case, OP needs to move to another host. – Longpoke Jun 14 '10 at 15:50
  • Not access them, but if the host goes down due to someone's crap code, or gets DDoS'd because they are targeting a specific site, is more what I meant. – David Yell Dec 03 '12 at 09:03
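The detection side of the thread's suggestions (a baseline of known-good file hashes, plus a helper that looks for the injected external script reference), as an added example that is not part of the original question or answers. The allowlisted CDN host, the injected host and the sample files are constructed placeholders; run it from a clean local checkout of the site, not on the compromised host.

```python
import hashlib
import os
import re
import tempfile

# Flag any <script src="http(s)://host/..."> whose host is not on the allowlist;
# the allowlist entry is a placeholder for the site's own legitimate script host.
SCRIPT_SRC_RE = re.compile(r'<script[^>]*src=["\'](https?://([^/"\':]+)[^"\']*)["\']', re.I)
ALLOWED_HOSTS = {"cdn.example.com"}

def build_baseline(root, exts=(".php", ".js")):
    """Map relative path -> sha256 of content for every PHP/JS file under root."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                full = os.path.join(dirpath, name)
                with open(full, "rb") as f:
                    baseline[os.path.relpath(full, root)] = hashlib.sha256(f.read()).hexdigest()
    return baseline

def scan(root, baseline):
    """Return {relpath: [reasons]}: files changed since the baseline, plus any
    file referencing a script on a host outside ALLOWED_HOSTS."""
    findings = {}
    for rel, digest in build_baseline(root).items():
        reasons = []
        if rel not in baseline:
            reasons.append("new file")
        elif baseline[rel] != digest:
            reasons.append("hash changed")
        with open(os.path.join(root, rel), errors="replace") as f:
            for url, host in SCRIPT_SRC_RE.findall(f.read()):
                if host.lower() not in ALLOWED_HOSTS:
                    reasons.append("foreign script: " + url)
        if reasons:
            findings[rel] = reasons
    return findings

def demo():
    """Constructed site: baseline it, simulate the injection, rescan."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "index.php"), "w") as f:
        f.write('<?php echo "hi"; ?>\n<script src="https://cdn.example.com/a.js"></script>\n')
    with open(os.path.join(root, "app.js"), "w") as f:
        f.write("var x = 1;\n")
    baseline = build_baseline(root)
    with open(os.path.join(root, "index.php"), "a") as f:  # simulated injection
        f.write('<script src="http://bad.example.invalid:8080/XML.js"></script>\n')
    return scan(root, baseline)
```

Store the baseline dictionary somewhere the web server cannot write to (a local file, not the web root), otherwise whoever is modifying the files can update the baseline too.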