I have a security issue on one of my websites and I am quite unsure how to prevent this, as I never had a similar problem. I have a php driven webpage, and over night someone somehow managed to paste
<iframe src="http://<webaddress>.com/" width="1" height="1" frameborder="0"></iframe>
right after the body tag into the php (!) file.
What would make something like that possible? And how do I prevent this?
Thanks for any help!
Maenny
Many times this is the result of your FTP credentials being stolen. Change them, remove the malicious code, and try to always connect to your server over a secure connection. This is a common attack in joomla, wordpress and other popular CMSs; and it's usual to have many files (all your index.php files for example) attacked.
We've been seeing many plugins, extensions, etc. being used as the point of entry to a website.
Hackers are constantly trying to hide their "wares" so they may not infect all of your index files, just a few to try and "fly under the radar".
As far as removing that line, it's probably not going to look like what you see in the "view source" of your browser. It's going to be obfuscated (coded).
Without knowing your website or what you're running on there, ie., WordPress, Joomla, etc. it's difficult to tell you where to look for the obfuscated code, however, you might look in header.php files or whatever file is generating the code for your body tag. You might see script tags right after the body tag and you may have to scroll all the way to the end of the line with the body tag in order to see the malscript. Hackers like to do add lots of extra spaces to try and hide their malscript.
Then you'll have to see what files have been added to your site. Or, if you have a good backup, you might want to delete all the files on your site and restore them from backup. That might be the only way to find any backdoors. Backdoors are files hackers use to upload some of their other infected files. They can be PHP or Perl.
Last, you'll have to determine how it happened. Do you have access to your access logs? If so, scan them. Look for strings that don't look right. Sometimes you might search the logs for the string, "base64_decode" as hackers like to use that at times to upload their malicious code.
Keep all software: WordPress, Joomla, Drupal, Zen Cart, osCommerce, etc. updated at all times. Also keep any add-ons, etc. updated as well.
Related
I previously had someone build a website for me. It was 90% finished but then ill health got in the way.
I have all the files and I am now asking people to "put the website back together for me". The general consensus is that it's very messy and not clear what was done and some of the protocols are now out of date etc. And it would just be better to start from scratch. I have heard this from multiple people.
So now when I am asking a new guy to build it from scratch, he is asking me for the HTML files. I couldn't see any, so I contacted the previous developer and he said:
There are no HTML files, it all runs through the index.php file and
extracts pages, data etc. from the database.
I told this to the new developer, but he is saying:
But website is not possible without HTML. Ask him provide index HTML.
Pure HTML without php code.
I'm confused, because I saw the website up and running, so it seems it is possible without HTML?
I'm trying to figure out where the misunderstanding is happening.
Thanks.
What your previous developer is saying is that your site was dynamic and all requests were flowing through your index.php file, which in turn does some backend logic to produce HTML data for the browser to interpret. If you ask your previous developer to zip up the root of your old site, your new developer should be able to take it from there.
Can a website exist without HTML?
Without a .html file? Yes. Using only .php, .css and .js is possible.
Without using Hyper Text Mark-up Language? No. There ar no other mark-up language for browsers, afaik. So we're stuck with this.
Old dev used PHP for efficiency. Contents are in your database and fetched using php to show up in browser.
New dev probably only knows HTML and has no clue about php. Or, probably doesn't want to bother reading through the php codes to reverse engineer how your site works.
Suggestion: Get a different dev. A smarter one. You probably have to pay more, but it's more expensive to hire a less smarter dev.
Sadly my site is a little slow, especially its initialization calls (its another question). On a server, that (or something else) causes a little "blanking" effect, and the browser shows a blank white screen for too long. OK, its just a blink of an eye, but still disturbing.
How can I avoid avoid this?
Maybe you are calling too many (or too big) files in the head. Try calling javascript files (if any) right before closing the body tag. In fact, the browser can't render anything until it finishes dealing with the header, so it may be causing your problem. If you have a lot of css files, mergint into only one file could help too.
This tool could help you a lot with performance issues:
https://github.com/farhadi/SmartOptimizer - I really recommend you to learn it and give it a try.
Try going to this page and putting in your site's URL to see if it can identify any big issues that might be causing the slow-down.
Also, take a look at the techniques mentioned here and make sure your site is using as many of them as possible.
If you have any specific question on how to implement the suggestions from the above links, try searching google, and if you can't find a good answer or still have some questions, ask another question here. :D
It's somewhat extreme for your use case, but you could conceivably have a "loader" page which would be a shell with the header/footer which would only be a few kb; and then in that page use ajax to load the slow page into a div with placeholder text like "The page will be loaded in a moment. Please hold."
yesterday i noticed that sometimes on my webpage shows up javascript errors.
when i went to source code, i found that one of .js files was totaly replaced with a ton of porn links.
i checked the ftp for this file, but there was just old javascript file without any changes.
yet i go back to check source code via browser and indeed there was again original .js
today i visited my webpage again and the problem repeated.
first visit showed me ton of porn pages
cached .js file was hacked
but after clearing browser cache js go back to oryginal
i checked all files on my ftp against my offilne version, but all files are without any change.
in last few years i was attacked by xss few times but in every case it was easy to diagnose and fix. but now i spend 12h and didnt find infection.
do you have any idea how to find it?
Most likely they've found an exploit inserting XSS data in your DB and / or CMS files, which then is displayed when you go to a specific page.
You seem to be using Quick CMS and it might contain some flaw somewhere, however if you've developed any custom functions yourself this might be where the problem is.
When you insert data into a DB always use the mysql escape function, and when you output the data from the DB on to the page use the php htmlentities() function, this will protect you from XSS attacks.
XSS attack does not need to change files at server side, it uses specially formatted query link which your code then renders to the webpage due to not checking inputs correctly.
You just need to escape or check your inputs. Search for "how to prevent xss".
Preventing Cross Site Scripting Attacks
my site is automatically getting download from other site when ever i try to open my site after opening my site it trys to download any thing from this address....
google-sk.pch.com.tagged-com.superore.ru
please help me what's going on....
Sounds like your site has been hacked. The site the address is pointing at is blocked in FIrefox as containing malicious code.
If this is it, you should take the site down, analyze what happened and change all your access passwords.
Maybe this helps a bit: Google Webmaster Central: My Site's been hacked: Now what?
Your site may have been compromised. Check .htaccess files, and crucial template or index files. For any unexpected code. You may also find a solution in restoring an archived version of your site.
You should immediately change passwords, and usernames. Use difficult usernames and passwords, consisting of many letters (varying case) and numbers.
My first guess is that you are the victim of a Cross-Site Scripting hack. Someone has added content to your site that contains HTML or Javascript tags, and when the content is displayed in a browser, it activates the browser to load more content from that site in Russia.
You should use htmlentities() when you echo any content that may have been contributed by users. This translates any characters that might be dangerous to output verbatim, such as < or >, into their HTML entity equivalents (e.g. < and >) so that they can't affect browsers and are safely output as literal characters.
I would also search the database for any content that may have been contributed, that contains HTML or Javascript tags, and delete it.
Don't forget to check your database too!
It sounds like your site has been hacked.
First change the password on your ftp access and review the security of your site, including database access.
Then go in and download what's on the site to a different area of your hard drive.
Compare this code against what you think should be there and remove any code you didn't create.
Also - as BlueRaja points out - check your database for corruption. If it has been compromised you'll probably have to restore it from backups.
Upload the corrected version (or just upload your backup).
Is there any way to disable or encrypt "View Source" for my site so that I can secure my code?
Fero,
Your question doesn't make much sense. The "View Source" is showing the HTML source—if you encrypt that, the user (and the browser) won't be able to read your content anymore.
If you want to protect your PHP source, then there are tools like Zend Guard. It would encrypt your source code and make it hard to reverse engineer.
If you want to protect your JavaScript, you can minify it with, for example, YUI Compressor. It won't prevent the user from using your code since, like the user, the browser needs to be able to read the code somehow, but at least it would make the task more difficult.
If you are more worried about user privacy, you should use SSL to make sure the sensitive information is encrypted when on the wire.
Finally, it is technically possible to encrypt the content of a page and use JavaScript to decrypt it, but since this relies on JavaScript, an experienced user could defeat this in a couple of minutes. Plus all these problems would appear:
Search engines won't be able to index your pages...
Users with JavaScript disabled would see the encrypted page
It could perform really poorly depending the amount of content you have
So I don't advise you to use this solution.
You can't really disable that because eventually the browser will still need to read and parse the source in order to output.
If there is something SO important in your source code, I recommend you hide it on server side.
Even if you encrypt or obfuscate your HTML source, eventually we still can eval and view it. Using Firebug for instance, we can see source code no matter what.
If you are selling PHP software, you can consider Software as a Service (SaaS).
So you want to encrypt your HTML source. You can encrypt it using some javascript tool, but beware that if the user is smart enough, he will always be able to decrypt it doing the same thing that the browser should do: run the javascript and see the generated HTML.
EDIT: See this HTML scrambler as an example on how to encrypt it:
http://www.voormedia.com/en/tools/html-obfuscate-scrambler.php
EDIT2: And .. see this one for how to decrypt it :)
http://www.gooby.ca/decrypt/
Short answer is not, html is an open text format what ever you do if the page renders people will be able to see your source code. You can use javascript to disable the right click which will work on some browsers but any one wanting to use your code will know how to avoid this. You can also have javascrpit emit the html after storing this encoded, this will have bad impacts on development, accessibility, and speed of load. After all that any one with firebug installed will still be able to see you html code.
There is also very really a lot of value in your html, your real ip is in your server code which stays safe and sound on your server.
This is fundamentally impossible. As (almost) everybody has said, the web browser of your user needs to be able to read your html and Javascript, and browsers exist to serve their users -- not you.
What this means is that no matter what you do there is eventually going to be something on a user's machine that looks like:
<html>
<body>
<div id="my secret page layout trick"> ...
</div>
</body>
</html>
because otherwise there is nothing to show the user. If that exists on the client-side, then you have lost control of it. Even if you managed to convince every browser-maker on the planet to not make that available through a "view source" option -- which is, you know, unlikely -- the text will still exist on that user's machine, and somebody will figure out how to get to it. And that will never happen, browsers will always exist to serve their users before all others. (Hopefully)
The same thing is true for all of your Javascript. Let me say it again: nothing that you send to a user is secure or secret from that user. The encryption via Javascript hack is stupid and cannot work in any meaningful sense.
(Well, actually, Flash and Silverlight ship binaries, but I don't think that they're encrypted. So they are at the least irritating to get data out of.)
As others have said, the only way to keep something secret from your users is to not give it to them: put the logic in your server and make sure that it is never sent. For example, all of the code that you write in PHP (or Python/Ruby/Perl/Java/C...) should never be seen by your users. This is e.g. why Google still has a business. What they give you is fundamentally uninteresting compared to what they never send to you. And, because they realize this, they try to make most things that they send you as open as useful as possible. Because it's the infrastructure -- the Terrabyte-huge maps database and pathfinding software, as opposed to the snazzy map that you can click and drag -- that you are trading your privacy for.
Another example: I'm not sure if you remember how many tricks people employed in the early days of the web to try and keep people from saving images to disk. When was the last time you ran across one of those? Know why? Because once data is on your user's machine, she controls it. Not you.
So, in short: if you want to keep something secret from your user, don't give it to her.
You cant. The browser needs the source to render the page. If the user user wishes the user may have the browser show the source. Firefox can also show you the DOM of the page. You can obfuscate the source but not encrypt or lock the user out.
Also why would you want this, it seem like a lame ass thing to do :P
I don't think there is a way to do this. Because if you encrypt how the browser will understand the HTML?
No. The browsers offer no ability for the HTML/javascript to disable that feature (thankfully). Plus even if you could the HTML is still transmitted in plain text ready for a HTTP sniffer to read.
Best you could do would be to somehow obscure the HTML/javascript to make it hard to read. But then debuggers like Firebug and IE 8's debugger will reconstruct it from the DOM making it easy to read,
You can, in fact, disable the right click function. It is useless to do so, however, as most browsers now have built in inspector tools which show the source anyway. Not to mention that other workarounds (such as saving the page, then opening the source, or simply using hotkeys) exist for viewing the html source. Tutorials for disabling the right click function abound across the web, so a quick google search will point you in the right direction if you fell an overwhelming urge to waste your time.
There is no full proof way.
But You can fool many people using simple Hack using below methods:
"window.history.pushState()" and
adding oncontextmenu="return false" in body tag as attribute
Detail here - http://freelancer.usercv.com/blog/28/hide-website-source-code-in-view-source-using-stupid-one-line-chinese-hack-code
You can also use “javascript obfuscation” to further complicate things, but it won’t hide it completely.
“Inspect Element” can reveal everything beyond view-source.
Yes, you can have your whole website being rendered dynamically via javascript which would be encrypted/packed/obfuscated like there is no tomorrow.