Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
Author Message
djmaze
Subject Matter Expert


Joined: May 15, 2004
Posts: 719
Location: http://tinyurl.com/5z8dmv

PostPosted: Sat Feb 04, 2006 4:17 pm Reply with quote

Good i did draw your attention Laughing

This topic will explain to you why you did get hacked and how you can prevent this from happening again.

Database

So you've created a database thru cPanel, Plesk or whateffa and then modified your config.php to access the database with you login details...
bad mistake
If someone ever gains access to your config.php he receives access to your account and can change everything... YES EVERYTHING!!!!
Why? well that's easy. Due to your lack of knowledge it never popped into your mind that you should have added a database user with a new password.
not the same user and password as your account
Then modify config.php to use that new login account for your database.
Because the default login account is used for FTP, cPanel, email and who knows what else

I could go in further detail, but you should be smart enough to understand what i just wrote. If not then stop reading from now on cos you won't able to manage your website anyway.

I just said stop reading. If you didn't read that go out and have a beer now, else continue.

Write access

Most people are on shared hosting. PHP is setup in one of the two ways on Apache: MODULE or SUEXEC.
When PHP is setup as module it is fast but also vulnerable since it runs as the UID for webservices (mostly 'nobody' on linux). This UID has no write access to anything that is not owned by this UID and has no write permission for anyone (CHMOD 0744)
But when a directory or file has 0777/0666 access then the UID can write to it anyway it wants.
This hole allows virusses, trojans or a bad customer to gain access on your account and modify to their liking.

When run as SUEXEC php/apache runs as the UID of yourself (like 'raven' or whateffa your login name is). It is slower then as module since it needs to load PHP into memory on every webpage request.
Aside of the slower execution it does add more security since no-one can access anything unless it is you, this because you don't need 0777 or 0666 to have write access for your scripts, they have access to 0700 and 0600 anyway.

If you understand all of this then i don't need to explain more about security since you are already smarter then most hosting providers anyway.

For more information you could contact me but an consult costs $35 an hour just as for anyone else (including providers)

I'm not in anyway related with php-nuke so this doesn't explain anything about nuke issues. Afterall if i did mention nuke's security issues then you would have created a complete new portal and that is not my intention anyway.

_________________
$ mount /dev/spoon /eat/fun auto,overclock 0 1
ERROR: there is no spoon Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
hitwalker
Sells PC To Pay For Divorce


Joined:
Posts: 5661

PostPosted: Sat Feb 04, 2006 5:42 pm Reply with quote

no...no....no...i knew you were joking maze... killing me
But you know how it goes...from the 10 that fall for this story 1 or 2 actualy read this,from those 2 maybe....i say maybe 1 follows the advice...
 
View user's profile Send private message
djmaze
PostPosted: Sat Feb 04, 2006 5:45 pm Reply with quote

if only one reads this you should lock forums about security cos they get hacked anyway ROTFL
 
hitwalker
PostPosted: Sat Feb 04, 2006 5:51 pm Reply with quote

got a point there...
i just got mail from my 404 saying some idiot was trying to link into a mod i dont even have..
like...../pnadodb/cmd.txt....etc...etc...
linked to my site...
the site that was hacked says......community building with open software..
big laugh...
 
Guardian2003
Site Admin


Joined: Aug 28, 2003
Posts: 6792
Location: Ha Noi, Viet Nam

PostPosted: Sat Feb 04, 2006 6:15 pm Reply with quote

I just redirect everything to your site hit Wink
 
View user's profile Send private message Send e-mail
sixonetonoffun
Spouse Contemplates Divorce


Joined: Jan 02, 2003
Posts: 2496

PostPosted: Sat Feb 04, 2006 6:15 pm Reply with quote

:::Puts head back into the sands:::

_________________
[b][size=5]openSUSE 11.4-x86 | Linux 2.6.37.1-1.2desktop i686 | KDE: 4.6.41>=4.7 | XFCE 4.8 | AMD Athlon(tm) XP 3000+ | MSI K7N2 Delta-L | 3GB Black Diamond DDR
| GeForce 6200@433Mhz 512MB | Xorg 1.9.3 | NVIDIA 270.30[/size:2b8 
View user's profile Send private message
hitwalker
PostPosted: Sat Feb 04, 2006 6:16 pm Reply with quote

oh thats ok guardian...i have a big shoebox.....there's enough space for more ip's......lol
 
kguske
Site Admin


Joined: Jun 04, 2004
Posts: 6383

PostPosted: Sun Feb 05, 2006 10:20 am Reply with quote

Thanks, as always for your many contributions, djmaze. I would be interested in your thoughts on how config.php might be compromised.

Offtopic: Six! You're back! Have you seen any of the latest posts on CNB YA?

_________________
I google, therefore I exist...
Only registered users can see links on this board! Get registered or login!
 
View user's profile Send private message
djmaze
PostPosted: Sun Feb 05, 2006 1:07 pm Reply with quote

kguske wrote:
Thanks, as always for your many contributions, djmaze. I would be interested in your thoughts on how config.php might be compromised.


1. Create account on server
2. echo get_file_content('/home/TARGET_USER/public_html/config.php');
3. good luck

Tougher:
1. Hack into php-nuke and echo login details

Much Tougher (needs website that allows uploading):

1. upload php file
2. execute uploaded php file
 
hitwalker
PostPosted: Sun Feb 05, 2006 1:11 pm Reply with quote

now thats why i dont have a config.php anymore,atleast not where it should be... killing me
 
kguske
PostPosted: Sun Feb 05, 2006 1:16 pm Reply with quote

Thanks for quick followup, djmaze!

Just to clarify, the first (easy? tough?) approach assumes you can get an account on the same server and that you know that root path of the target, right?

That's another good reason not to post your unedited PHP error messages that include the base path here or on other supports sites!
 
djmaze
PostPosted: Sun Feb 05, 2006 3:39 pm Reply with quote

hitwalker wrote:
now thats why i dont have a config.php anymore,atleast not where it should be... killing me

Useless since i use echo get_file_content() so if you move the file i can get it anyway.

chmod to 0400 works on suexec Very Happy
 
hitwalker
PostPosted: Sun Feb 05, 2006 3:44 pm Reply with quote

well im confident the servers im on are safe,and my config is way out of reach...
if that all was possible,raven ...you....burzi ,everybody would be hacked by now..
 
djmaze
PostPosted: Sun Feb 05, 2006 5:53 pm Reply with quote

incorrect hitwalker, i'm on dedicated hosting and that's a big difference here.
 
hitwalker
PostPosted: Sun Feb 05, 2006 6:02 pm Reply with quote

well im not a bit concerned with my stuff.
 
VinDSL
Life Cycles Becoming CPU Cycles


Joined: Jul 11, 2004
Posts: 614
Location: Arizona (USA) Admin: NukeCops.com Admin: Disipal Designs Admin: Lenon.com

PostPosted: Sun Feb 05, 2006 7:03 pm Reply with quote

djmaze wrote:
1. Create account on server
2. echo get_file_content('/home/TARGET_USER/public_html/config.php');
3. good luck

Where are you putting that, cowboy?

_________________
.:: "The further in you go, the bigger it gets!" ::.
.:: Only registered users can see links on this board! Get registered or login! | Only registered users can see links on this board! Get registered or login! ::. 
View user's profile Send private message Visit poster's website ICQ Number
evaders99
Former Moderator in Good Standing


Joined: Apr 30, 2004
Posts: 3221

PostPosted: Sun Feb 05, 2006 8:54 pm Reply with quote

Well if they can get an account on your server, they don't need your config.php file Wink

_________________
- Only registered users can see links on this board! Get registered or login! -

Need help? Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©