# Hacked but can't figure out how



## aewarnick (Sep 3, 2002)

My site was hacked by some guy in Russia.
He was able to write code to the bottom of all the index.php pages on my site.

There was at least one place that I didn't parse input data to convert html code to safe code. The reason I didn't is because the data was shown only in a textbox and never seemed to be executed.

The reason I can't figure out how I was hacked is that when I do:

```
<?php
$s = "echo 'hi';";
echo $s;
?>
```

it just outputs:

```
echo 'hi';
```

The only way I can see that working is if I write the data they sent to a php file and then executed that php file. Am I right?


----------



## MMJ (Oct 15, 2006)

What is the code that receives the data in that "one place"?

The only way that would work would be:

```
<?php
$s="echo 'hi';";
eval($s);
?>
```


----------



## aewarnick (Sep 3, 2002)

I didn't know about eval, so I would have never used it in my code.

So this is completely safe then:

```
<?php $data = "anything a hacker would try to hack my site with."; ?>
<?=$data;?>
```
I shouldn't say completely safe, because they can then do anything they want client side, but at least the server will be safe. So in this case I would strip out the HTML tags and then it's perfectly safe both server side and client side.


----------



## MMJ (Oct 15, 2006)

aewarnick said:


> So this is completely safe then:
> 
> ```
> $data="anything a hacker would try to hack my site with.";
> ...


Safe from what?

What you are doing is the same as:

anything a hacker would try to hack my site with.

Only if you do something with user input does it become unsafe.

=-----=

FYI, the semicolon is unnecessary because it's at the end of the code block.



aewarnick said:


> ```
> <?=$data;?>
> ```


The same rule applies for CSS:

```
*
{
color: blue;
font-size: 50px /* no semicolon necessary here */
}
```


----------



## aewarnick (Sep 3, 2002)

I thought it would be understood that
"anything a hacker would try to hack my site with"
represents code that a user would put into the textbox attempting to hack my site.

About the semicolons, thanks, that will save the parser some time.


----------



## aewarnick (Sep 3, 2002)

This was written to the bottom of all my index.php files:

```

```
If anyone has a program to decipher what that is in plain text, it would be a big help in determining how much they know.


----------



## MMJ (Oct 15, 2006)

There is some misunderstanding between us.

There has to be some php code that deals with *user input*. Can you post that code?

It would be something like:

```
echo $_POST['userinput'];
```
The javascript you posted just makes a call to another site:

```

```


----------



## cpscdave (Feb 25, 2004)

Doh, MMJ beat me to the punch.

Just as a warning, DO NOT go to that link. I messed up when trying to decode it and executed the code. It's installed a bunch of trojans on my box now. SOB!!


----------



## MMJ (Oct 15, 2006)

cpscdave said:


> Doh, MMJ beat me to the punch.
> 
> Just as a warning, DO NOT go to that link. I messed up when trying to decode it and executed the code. It's installed a bunch of trojans on my box now. SOB!!


That's impossible. What makes you think that?

I went to all the links, and I didn't get any download prompts or anything.

What browser are you using?

EDIT:

```
127.0.0.1 www.gpt-pal.com #[Javascript.Exploit]
```
http://www.mvps.org/winhelp2002/hosts.txt


----------



## cpscdave (Feb 25, 2004)

I'm so ashamed.... but IE6.

When I ran the code and it opened the iframe, immediately my AV started popping up with infected files in my temporary files directory.

I was able to remove them all without too much difficulty. But still.


----------



## aewarnick (Sep 3, 2002)

Here is the page that allows submission of data:
Note that I never used my ToSafeStr function before, like I do now.

```
<?php
ob_start();
include($_SERVER['DOCUMENT_ROOT']."/begin.php");

// ToSafeStr(), aFileRead(), aFileApp(), MakeBrowserPath() and the
// $public_html / $curDir variables are the site's own, defined in the
// included files (not shown here).
$userName= ToSafeStr($_POST['userName']);
//textarea data always has slashes put in data
$userData= ToSafeStr(stripslashes($_POST['userData']));
$f= $public_html."/ContactData/contact.txt";
$email= aFileRead($public_html."/../email.txt");

if($userName)
{
	// tag the sender with the client address, then mail and log the message
	$userName= $userName.'@'.$_SERVER['REMOTE_ADDR'];
	$wrote= mail($email, "[".$userName."]", $userData);
	aFileApp($f, "[".$userName."]\n\n".$userData."\n\n\n");
	ob_clean();
	$httpPath= MakeBrowserPath($curDir."/contact.php");
	header("Refresh: 2; URL=$httpPath");
	ob_end_flush();
	if($wrote)
		echo "<center>Success!!
Your message has been sent.

Redirecting...</center>";
	else
		echo "<center>Error: Could not send message. Try again.</center>";
	exit();
}
else if($userData)
{
	ob_clean(); ob_end_flush();
	echo "Error:
I need an <b>Identity</b>.
<b>Push back.</b>";
	exit();
}

ob_end_flush();
?>

There are 2 ways to contact me:

  1. Trust me with your email address and send me an email:
      <a href="mailto:<?=$email?>"><?=$email?></a>

  2. For those of you who have had your trust abused:
      Use the form below.

<center>

Your Identity*

</center>

<?php
include($public_html."/end.php");
?>
```


----------



## aewarnick (Sep 3, 2002)

I was looking in my logs and I think I found his address:
87.118.110.210
It's kind of unusual how the IP address changed when data was posted, isn't it?


```
87.118.110.210 - - [16/Jul/2007:01:46:30 -0500] "GET /contact.php HTTP/1.1" 200 2431 "-" "-"
67.101.84.208 - - [16/Jul/2007:01:46:34 -0500] "POST /contact.php HTTP/1.0" 200 114 "http://foryouandi.com/contact.php" "Opera/9.0 (Windows NT 5.1; U; en)"
```


----------



## aewarnick (Sep 3, 2002)

Did more digging, they are hosted here:
ns.km23547.keymachine.de

I think they're the ones who have been spamming me like mad too with porn links.


----------



## aewarnick (Sep 3, 2002)

I found something else in my code this morning.

There was a place where the user could send a GET variable to the PHP script that wasn't parsed; my code would append it to another string that was a directory, and the directory they specified would be created.

Could they do anything like they did just by exploiting the code of creating a directory?
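As an added example (not code from this thread or from the site it discusses), here is how the two input-handling problems raised above, user text echoed into HTML and a directory name taken from a GET variable, can be handled in PHP. The function names and sample inputs are illustrative only.

```php
<?php
// Added example: escaping for HTML output and validating a directory name.
// Function names here are illustrative, not the site's own ToSafeStr().

// 1. Escape user-supplied text before echoing it into HTML. strip_tags() alone
//    is not sufficient; htmlspecialchars() makes <, >, &, and quotes inert in
//    both text and attribute context.
function toSafeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 2. Never build a filesystem path by appending a raw GET value. Allow only a
//    short alphanumeric name, then confirm the resolved path stays inside $base.
function userDirPath(string $base, string $name): ?string
{
    if (!preg_match('/^[A-Za-z0-9_-]{1,32}$/', $name)) {
        return null;                  // rejects "..", "/", dots and code in the name
    }
    $realBase = realpath($base);
    if ($realBase === false) {
        return null;
    }
    $candidate = $realBase . DIRECTORY_SEPARATOR . $name;
    // defense in depth: the parent of the candidate must be the base itself
    if (dirname($candidate) !== $realBase) {
        return null;
    }
    return $candidate;
}

// Constructed sample inputs standing in for $_POST['userData'] and $_GET['dir'].
$samples = [
    'hello <b>world</b>',
    '"><script>alert("x")</script>',
];
foreach ($samples as $s) {
    echo toSafeHtml($s), "\n";
}

$base = sys_get_temp_dir();
foreach (['album1', '../etc', 'x/y', 'evil.php'] as $name) {
    $p = userDirPath($base, $name);
    echo str_pad($name, 12), ' => ', $p === null ? 'rejected' : 'ok', "\n";
}
```

Only `album1` passes the directory check; the other three names are rejected before any path is touched, so `mkdir()` is only ever called on a name the script itself constrained.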


----------



## aewarnick (Sep 3, 2002)

*cpscdave,*

Was this:
http://www.websense.com/securitylabs/alerts/alert.php?AlertID=743
what happened when you went to that malicious link?


----------



## lotuseclat79 (Sep 12, 2003)

Hi aewarnick,

For Windows systems, you might find the tools available here useful.

For Linux, try here.

-- Tom


----------



## aewarnick (Sep 3, 2002)

I use Linux and I'm sure my distro comes with plenty of security tools. But none are of any value in this matter because my site is hosted remotely and I have no control over the server.


----------



## jrouse (Jul 23, 2007)

One of my clients had the exact same problem on 3 of his sites (identical code to what you saw, inserted into the same files). 

He thinks it may have been a former developer who was Russian who had passwords. Is there anyone who would have had your login information?


----------



## aewarnick (Sep 3, 2002)

No. If they had the password, why only hack index files? To me, that doesn't make sense. I think they exploited the fact that I wasn't filtering some of the input data.

There was also a section where I was using GET variables that weren't filtered at all. That may have been a better place to exploit my site because I did create files in that section. They might have written their own custom php file with my GET variables and run it. In that regard, their power was limitless, they didn't need my password.

Who knows if that is what really happened though. I should have kept all of my old files to research things more, but I was so scared that I didn't think to.

I knew I wasn't the only one when I read on The Register about the same kind of thing being used to steal Windows users' personal data, including financial data. I'm glad I use Linux.

The thing about these hackers is that they don't need to hack big sites to serve their purpose well. I never thought my site would be a target because it is almost useless to most people. I hadn't worked on it in a long time and that's the kind of thing they're looking for...

So those of you who have what you think are totally useless sites: buff up your security, because you're the perfect target. You don't want Websense to block your site like they did mine, labeling it as malicious.


----------

