Best of RFI - Part 1

Posted in hacks/PHP/ on May 16, 2009 by Marcus.

Even a loser gets lucky sometimes

Like million other hosts in the internet, this box is attacked to exploit vulnerabilities.

I recently saw following piece of code in a Remote File Inclusion (RFI) attack. Although it might be created by a kid, it's still a nice snippet that I want to share with you. Guess what, it actually works.

Disclaimer: I'm unsure about the license.

I personally like the CamelCase approach, the sprintf() usage and the early returns. What do you think?

How not to report a security incident

Posted in hacks/ on May 14, 2009 by Marcus.

Have a look, I got hacked.

Your TYPO3 website has been hacked and you need quick help? Well, then help us too.

A report like following reached the TYPO3 Security Team:

Hi guys,
have a look at http://example.org/path/to/website/defacement/, I got hacked.

I hope you see what's wrong here. There's no additional information. This guy is only reporting the impact of a hack. There's no way to help you with this information; furthermore such report doesn't help the TYPO3 community either as our team is unable to analyze it.

The right way:

In short, collect as much information as possible!

In detail:

• What happened?
  What's the impact of the hack? Defacement; your website suddenly delivers malware; there's a new backend user "blackhat"?
• When has it happened?
  When did you recognize the hack? By analyzing the logfiles, when do you estimate did the attacker succeed with his hack?
• How have you became aware of the hack?
  You clients reported malware on your site? You were getting from google to your website and it looks different (with all those links to vi**ra pills).
• Where has it happened?
  on a dedicated server (rootserver, virtual server), on a virtual hosting shared together with other hosting provider customers; is there any other software installed that might be vulnerable
• Strange data or behaviour?
  different website output when accessing the website directly (through a bookmark) or via referrer (directed to from a search engine); new not TYPO3 related files (webshell.pl)
• What kind of software is installed?
  TYPO3 version, list of installed extensions with version numbers (are they up to date); is your server up to date with all those TYPO3 Security advisories
• Is your local client safe?
  did you check your local client with at least two different malware scanners; did you recently access your website via insecure wireless lan; how do you transfer data to your server (via insecure ftp, sftp, scp)

Data you should and we are interested in:
TYPO3 sys_log table entries, web server access logs, PHP error logs, modsecurity logs, list of unexpected files or files with a strange access/modification time, OS logs (auth, audit, messages, secure), IDS logs, AIDE/tripwire reports

Bonus:
You have already analyzed the complete hack and are now able to report the exact attacker's entry point. Great, your place in the top ten of "best vulnerability reports" is guaranteed. But we're sorry, first rank is already given away! ;-)