Help finding reason for hacked site

4u123

Well-Known Member
PartnerNOC
Jan 2, 2006
Customer's site got hacked and the only code in his web page is as follows...


Code:
<?php $page = $_REQUEST['page']; 
if ($page == '') $page = "home.htm"; // One-liner if statement needs no brackets! 
if (file_exists($_SERVER['DOCUMENT_ROOT'] . '/' . $page)) { 
include($_SERVER['DOCUMENT_ROOT'] . '/' . $page); 
} else if (file_exists($_SERVER['DOCUMENT_ROOT'] . '/domain.org/' . $page)) { 
include($_SERVER['DOCUMENT_ROOT'] . '/domain.org/' . $page); 
} else { 
echo "<br /><br />Page Not Found!"; 
} 
?>
Doesn't appear to be anything there that could be exploited, but I'm no PHP expert. Could someone possibly confirm please?
 

cPanelDavidG

Technical Product Specialist
Nov 29, 2006
Houston, TX
cPanel Access Level
Root Administrator
Customer's site got hacked and the only code in his web page is as follows...


Code:
<?php $page = $_REQUEST['page']; 
if ($page == '') $page = "home.htm"; // One-liner if statement needs no brackets! 
if (file_exists($_SERVER['DOCUMENT_ROOT'] . '/' . $page)) { 
include($_SERVER['DOCUMENT_ROOT'] . '/' . $page); 
} else if (file_exists($_SERVER['DOCUMENT_ROOT'] . '/domain.org/' . $page)) { 
include($_SERVER['DOCUMENT_ROOT'] . '/domain.org/' . $page); 
} else { 
echo "<br /><br />Page Not Found!"; 
} 
?>
Doesn't appear to be anything there that could be exploited, but I'm no PHP expert. Could someone possibly confirm please?
The code looks very insecure. One thing that is glaring is a lack of processing done to ensure the variable passed as page does not contain ".." or anything to prevent it from accessing anything outside the userspace. The include() allows execution of PHP code, and the list can go on.

Securing PHP application code is beyond the realm of our support here at cPanel. Perhaps you may wish to instruct the user to secure their code, or hire an experienced PHP programmer to do that for them.

From the server side of things, were you running SuPHP/SuExec?
 

4u123

Well-Known Member
PartnerNOC
Jan 2, 2006
Hi David,

Thanks for your reply. As I said, I wouldn't know what is secure code and what isn't. I still find it quite shocking that just a few simple lines like that can allow someone to copy files into the user's web space and run a phishing scam.

We use suPHP and mod_security and we restrict certain functions, but it remains incredibly simple for a third party to compromise a web site because a few lines of code contain a "lack of processing". It's a shame we can't make PHP more secure without restricting it completely. I suppose one day the balance will be better.

I understand fully that securing PHP code is beyond the realm of cPanel support - that's why I posted this in a general discussion forum. It's not something I would raise a support ticket for.
 

idealso

Active Member
Mar 1, 2007
It should be possible to find out exactly what was done. If files were copied into the user's web space, then I would look at the timestamp on the files, and then check the domain's apache logs for that time. This should show the request used to exploit the site.

This assumes that it is a web exploit, and not a weak password exploit. If the user has a weak password, then they could have simply uploaded files through FTP. If that's the case, it would show up in the FTP logs (check /var/log/xferlog).
 

mctDarren

Well-Known Member
Jan 6, 2004
New Jersey
cPanel Access Level
Root Administrator
4u, I hear you. But it doesn't matter what language you use, it's the construct of the code. This could have been Perl, Ruby, ASP or whatever. When you have a piece of code that takes something a visitor enters in and uses it within an operation, without sanitizing it first, it will get compromised. This piece of code assumes that what is passed through the query string or post as "page" is completely fine and doesn't need to be checked. That's the glaring hole David spoke about. The lesson is you absolutely need to sanitize EVERYTHING that is passed from the user or else you leave yourself wide open to exploit...
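To make David's and Darren's point concrete, here is an added example (not code from the thread or from cPanel) of how the posted snippet could be rewritten: the "page" value is checked against an allowlist, the resolved path is confirmed to sit under the intended directory, and the file is served with readfile() rather than include() so it can never be executed as PHP. The pages directory and the allowlist contents are assumptions for illustration.

```php
<?php
// Added example: hardened replacement for the thread's include() snippet.
// Two independent controls: an allowlist of page names, and a realpath()
// check that the resolved file stays under the intended directory.
declare(strict_types=1);

function resolve_page(string $requested, string $baseDir, array $allowed): ?string
{
    if ($requested === '') {
        $requested = 'home.htm'; // same default as the original code
    }
    // Control 1: only names we explicitly publish. No "..", no absolute
    // paths and no stream wrappers (php://, http://) can get past this.
    if (!in_array($requested, $allowed, true)) {
        return null;
    }
    // Control 2: even for an allowlisted name, confirm the file resolves
    // inside $baseDir (guards against symlinks or a later sloppy allowlist).
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $full === false) {
        return null;
    }
    if (strpos($full, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $full;
}

// Constructed allowlist and assumed directory; the pages are static HTML
// fragments, which is why serving them needs readfile(), not include().
$allowedPages = ['home.htm', 'about.htm', 'contact.htm'];
$baseDir = $_SERVER['DOCUMENT_ROOT'] . '/pages';

// Read only from the query string; the original's $_REQUEST also accepted
// POST bodies and cookies, which widens what an attacker can influence.
$page = (isset($_GET['page']) && is_string($_GET['page'])) ? $_GET['page'] : '';
$file = resolve_page($page, $baseDir, $allowedPages);

if ($file === null) {
    http_response_code(404);
    echo "<br /><br />Page Not Found!";
} else {
    readfile($file); // content is sent verbatim, never evaluated as PHP
}
```

If a site genuinely needs include() for templating, the allowlist should map short names to fixed file paths so that no user-supplied string ever reaches the include() argument at all.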