Backup of David's Google+ Posts

My sites on a shared server got hacked again yesterday. The vulnerability is still there, now probably a back-door or two in addition to the original hole. Arbitrary commands are being executed via PHP script, inserting new "require_once" scripts and "eval" calls (usually in the form eval(gzinflate(base64_decode()))) into other PHP scripts. (Sometimes into non-functional places, so that's why I don't think a human is doing the work via a compromised login password.)

Grr. It's a busy week, and I don't have time to find all the holes. I've caught malicious code in Gallery, Wordpress and Habari so far. (And one static page! An existing index.html that got renamed to index.php and had a require_once inserted at the top.)

I've written a new tool that should help out. Will have to sit and wait for the new commands to be sent by the attacker. Or wait until db-class and the holidays are over, and I can go over the sites personally.

The frustrating effect of all this? I feel violated, almost like a case of identity theft on a meticulously groomed identity. It makes me grumpy, and I'm not sharing with everybody exactly why I'm so grouchy. (Because it's not their problem, and they can't help, and some wouldn't care or understand.) But I have to let it go, and not be grouchy, or I'd have to explain why I am.

Note to self: Let it go.

Comments

Elliott Noel on Nov 15, 2011
This is part of the reason I have so little desire to host/admin anything myself.

David Blume on Nov 15, 2011
I am a hobbyist family man pitting myself against kids in Russia with free time and a profit/cred motive. Not good for me.

Elliott Noel on Nov 15, 2011
Exactly. :(

Ken Roland on Nov 16, 2011
I've been hacked so many times it's not funny. I think part of me enjoys it now that I'm a hobbyist as well. I've always been intrigued with how they get in. It's exciting to find those holes and then marvel that someone managed to find that as well. My stuff has been pretty good lately, mostly because there's no open source though, it's all mine and it's been tweaked over time to fill in the holes susceptible to those bot style attacks.

David Blume on Nov 16, 2011
If you use open source software, doing occasional sweeps of your sites with the following two commands is helpful:

find . -name \*.php -print0 | xargs -0 grep -nI "\([^_gilnt]\|^\)eval[^_'[:alnum:]\"\}<\.:-]"

find . -name \*.php -print0 | xargs -0 grep -nI "require_once('"

That latter one could be amended to include your home path to the require_once, because most of these attacking scripts spell out the full path to their new scripts. That first one should have a "-" also excluded before the eval, but if I put that in this comment, then GooglePlus would interpret that as formatting.

[Edit] That's not to say that all "eval" calls are bad. This is just a quick way to have all of them brought to your attention.
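The same sweep, rewritten as a small Python scanner (an added example, not David's tool or the commands above). It generalises the two grep patterns slightly: "eval" is ignored when it is part of a longer identifier or a `->eval()` method call, require_once is flagged only when its path is absolute (the "home path" refinement from the comment), and the eval(gzinflate(base64_decode())) chain from the post gets its own label. The PHP samples are constructed for illustration.

```python
import os
import re

# Heuristics mirroring the two grep sweeps in the comment above.
# A bare eval( call: "eval" not preceded by an identifier character, a "$"
# or the ">" of "->", so "retrieval()" and "$obj->eval()" are not reported.
BARE_EVAL = re.compile(r"(?<![\w$>])eval\s*\(")
# require_once whose path starts at "/": injected scripts usually spell out
# the full path to the file they dropped.
ABS_REQUIRE = re.compile(r"""require_once\s*\(?\s*['"]/""")
# The packed-payload chain the post describes.
PACKED_EVAL = re.compile(r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(")

# Constructed samples (not real files from the compromised server).
CLEAN_SAMPLE = """<?php
require_once('includes/config.php');
$rows = $db->retrieval();
$obj->eval($expr);
"""
INFECTED_SAMPLE = """<?php
require_once('/home/example/public_html/.cache/x.php');
$q = "retrieval";
eval(gzinflate(base64_decode('PAYLOAD')));
"""

def scan_php_source(text):
    """Return a list of (line_number, reason) findings for one PHP file's text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if PACKED_EVAL.search(line):
            findings.append((lineno, "eval(gzinflate(base64_decode())) chain"))
        elif BARE_EVAL.search(line):
            findings.append((lineno, "bare eval() call"))
        if ABS_REQUIRE.search(line):
            findings.append((lineno, "require_once with absolute path"))
    return findings

def scan_tree(root):
    """Walk root and return {relative_path: findings} for every .php file with hits."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_php_source(fh.read())
            if hits:
                report[os.path.relpath(path, root)] = hits
    return report

if __name__ == "__main__":
    print("clean:", scan_php_source(CLEAN_SAMPLE))
    print("infected:", scan_php_source(INFECTED_SAMPLE))
```

Run `scan_tree("/path/to/site")` against a document root to get the per-file hit list; like the grep sweep, it only brings eval calls to your attention, it does not decide which ones are malicious.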