Help finding reason for hacked site

Discussion in 'General Discussion' started by 4u123, Mar 31, 2008.

  1. 4u123

    4u123 Well-Known Member
    Customer's site got hacked and the only code in his web page is as follows...


    Code:
    <?php $page = $_REQUEST['page']; 
    if ($page == '') $page = "home.htm"; // One-liner if statement needs no brackets! 
    if (file_exists($_SERVER['DOCUMENT_ROOT'] . '/' . $page)) { 
    include($_SERVER['DOCUMENT_ROOT'] . '/' . $page); 
    } else if (file_exists($_SERVER['DOCUMENT_ROOT'] . '/domain.org/' . $page)) { 
    include($_SERVER['DOCUMENT_ROOT'] . '/domain.org/' . $page); 
    } else { 
    echo "<br /><br />Page Not Found!"; 
    } 
    ?> 
    
    Doesn't appear to be anything there that could be exploited, but I'm no PHP expert. Could someone possibly confirm please?
     
  2. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    The code looks very insecure. One thing that is glaring is a lack of processing done to ensure the variable passed as page does not contain ".." or anything to prevent it from accessing anything outside the userspace. The include() allows execution of PHP code, and the list can go on.

    Securing PHP application code is beyond the realm of our support here at cPanel. Perhaps you may wish to instruct the user to secure their code, or hire an experienced PHP programmer to do that for them.

    From the server side of things, were you running SuPHP/SuExec?
     
  3. 4u123

    4u123 Well-Known Member
    Hi David,

    Thanks for your reply. As I said, I wouldn't know what is secure code and what isn't. I still find it quite shocking that just a few simple lines like that can allow someone to copy files into the user's web space and run a phishing scam.

    We use suphp and mod security and we restrict certain functions but it remains incredibly simple for a third party to compromise a web site because a few lines of code contain a "lack of processing". It's a shame we can't make PHP more secure without restricting it completely. I suppose one day the balance will be better.

    I understand fully that securing PHP code is beyond the realm of cPanel support - that's why I posted this in a general discussion forum. It's not something I would raise a support ticket for.
     
  4. idealso

    idealso Active Member

    It should be possible to find out exactly what was done. If files were copied into the user's web space, then I would look at the timestamp on the files, and then check the domain's apache logs for that time. This should show the request used to exploit the site.

    This assumes that it is a web exploit, and not a weak password exploit. If the user has a weak password, then they could have simply uploaded files through FTP. If that's the case, it would show up in the FTP logs (check /var/log/xferlog).
     
  5. mctDarren

    mctDarren Well-Known Member

    4u, I hear you. But it doesn't matter what language you use, it's the construct of the code. This could have been Perl, Ruby, ASP or whatever. When you have a piece of code that takes something a visitor enters in and uses it within an operation, without sanitizing it first, it will get compromised. This piece of code assumes that what is passed through the query string or post as "page" is completely fine and doesn't need to be checked. That's the glaring hole David spoke about. The lesson is you absolutely need to sanitize EVERYTHING that is passed from the user or else you leave yourself wide open to exploit...
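
The missing check discussed in this thread, as an added example (not part of any poster's message and not the customer's code): the `page` value is matched against a strict file-name pattern, resolved with realpath() and confirmed to sit inside one content directory, then sent with readfile() so nothing in the file is executed. The `pages/` directory, the `.htm`-only rule and the `resolve_page()` helper are assumptions made for the illustration.

```php
<?php
// Added example, not the customer's code. Assumption: pages are static
// .htm files kept in one dedicated directory (hypothetical "pages/" folder).

/**
 * Map an untrusted "page" value to a file inside $baseDir, or return null.
 */
function resolve_page(string $baseDir, $requested): ?string
{
    // Arrays (page[]=x) and empty values fall back to the default page.
    if (!is_string($requested) || $requested === '') {
        $requested = 'home.htm';
    }

    // Allow only a plain file name: no slashes, no "..", no scheme, no NUL byte.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.htm\z/', $requested)) {
        return null;
    }

    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false) {
        return null; // directory or file does not exist
    }

    // Defence in depth: with symlinks followed, the path must stay inside $base.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$file = resolve_page(__DIR__ . '/pages', $_REQUEST['page'] ?? '');
if ($file === null) {
    http_response_code(404);
    echo '<br /><br />Page Not Found!';
} else {
    // readfile() sends the bytes as-is; unlike include(), it never runs PHP in the file.
    readfile($file);
}
```

If the pages really must contain PHP, keep the same resolution step and restrict the directory to files the site owner deployed, with uploads written somewhere else.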
     