I am looking for some advice - I hope someone can help
My php site got hacked and I just found this code 'Script Encoded by Devil-Shell':
eval(gzinflate(base64_decode($encoded)))
And all these random letters/numbers...
I have a few questions:
What will happen if I delete this code? Will it have a knock on effect?
Is my site ruined?
Is there anything that can be done?
Thanks for your help.
It pretty much looks like a backdoor - I'd suggest to comment this out.
As long as $encoded is a variable that can be set externally (through HTTP GET or POST for example), anyone can execute any code on your server.
Unzip it to see what it does. Ensure it cannot be executed. Understand the damage it has done
Find your flaw in security
If that is PHP code, that is pretty serious, as they were able to append to a PHP file or to add their PHP malicious file. They basically own the server. Apart from general advices (fix your security, that can be a year of work :)) some real-life tips:
Don't erase logs, application logs or web server or db logs; keep them, it is very unlikely someone injected anything bad (apart from strings) there. Collect and keep all the logs, trust me they will be useful in the future if something bad happens.
They could have compromised the whole server with an attack like that. You need to be careful with your hosting company: they could consider you responsible for data breaches in other people's data, config, etc... It depends on their configuration and the agreement you signed with them.
Do not consider anything safe: the DB could be compromised as well, all keys and passwords and passphrases and sessionIDs you have stored since now are insecure and are in the hands of them now. So replace them ALL, as their aim could be not you but your user, and they are totally in control of their browsers too now (if they want).
You can comment that out, it seems safe enough; but they will add it again, in more subtle forms. Consider that.
Check (if you can) the traffic FROM your website. Usually they build simple webshells like that to be part of a bigger botnet. Usually they are used for Distribuited Denial of Service (DDOS), bitcoin mining or traffic exchange. So you could be considered legally responsible for such attacks/illegal behaviours as they are connected to your account and it is yours the contract for hosting.
In the internet this topic is called 'Intrustion Response' or 'Attack Response'. It is usually tailored only for big enterprises so I doubt you can find anything useful, but at least for theoretical topics it may help to google for it http://www.certiguide.com/secplus/cg_sp_SixStepIncidentResponseProcess.htm
Excuse me if this seems too vague to be posted on Stackoverflow.
My company hired three developers to implement a classified ads system, using PHP and MySQL. They’ve been working for little more than a month, without using a framework (they argued against using one) and basic functionality has been implemented (user registration and authentication, ads listing and filtering, etc). However, a cursory testing shows that the system is vulnerable to common malicious exploits (CSRF, XSS, local file inclusion).
After examining the code, I realized they didn’t implement data validation procedures on the server side (they merely use a regex for validating a mail address and mysqli_real_escape_string() to sanitize strings against SQL injections). They implemented some validation routines but on the client side, with JavaScript. Obviously, that’s part of the UI and doesn’t offer any kind of security against malicious users.
They argue that since three developers are insufficient for developing a full webapp from scratch (I agree), they’re going to implement features first and then securing them properly, in order to meet certain deadlines. I’m not an experienced programmer by any measure, but I believe is going to take longer to implement security a posteriori. Moreover, if they manage to do it somehow, it’s going to be subpar compared to data sanitization routines implemented from the beginning.
So, my questions are: (i) it is reasonable to implement security (ie, implement at least proper sanitization routines) after implementing features? (ii) If the answer for (i) is “no”, what bibliography, security frameworks (but I guess they’re embedded in web frameworks as such), etc. would you recommend for managing projects where security was poorly handled?
No it's not acceptable to implement security after the project is done for multiple reasons. First, as has already been mentioned, whoever is footing this bill is unlikely to continue paying to implement the security features when they already have the product they want. The second reason is because it will take them much longer to go through and try to find the all the security vulnerabilities than it would be to code it correctly the first time and implement any security measures as you're writing that code. Doing it this way would also be easier to do because you can write security libraries which will do things like escape data for you so that it just becomes fluid to write the code by doing a simple call to the escape function/method. The third reason is because there is absolutely no way that they will be able to find all of the vulnerabilities by looking back through the code. It's hard enough (see near impossible) to write the code without security bugs, let alone to go back through it and find all of those security vulnerabilities.
As for a suggested framework, I really don't have one as I never used frameworks either, only the libraries I've written in the past to use. This however comes down to just finding good developers and not ones who say they can get it done for a super low price. The PHP developer pool is filled with these half-assed developers, and I'd say a fair number of them prefer pre-made frameworks. The trick is to just find some good ones from the start. The only option you really have for securing an application written poorly like this is to get a WAF (web application firewall) and have it filter any malicious content being sent to the server. This isn't a silver bullet though for poorly written code. I wouldn't even call it a band-aid, more of a hail-mary.
One final thing is that I very much disagree that they are understaffed with 3 people writing this. I wrote something similar 4 years ago by myself (well ok there was an html guy) in under 3 months. Two of those 3 months were completely rewriting sections because the client would change his mind once it was complete plus writing in side features that turned it into more of a social network than a classified site. If I could do most of that myself in that amount of time, they should easily be able to get it done (and secure) in a month and a half with 3 people.
It's really not reasonable to implement security later.
It may not take any longer or be sub par, it might be faster and better. The problem is that it to probably won't be done at all as the project will be late and over budget.
I'm surprised at th decision to not use a framework, that looks like a 1 person-week job using Rails, Symfony or Django and the security would have been baked in.
Security should be taken into account all the time in development phases, if it is over seen/neglected then improvements to the API in development should be constructed on the first availabe instance.
The last thing you want to do is release a script to the public with many security/malicious holes within the code structure its' self.
So I would recommend informing these developers to take a look over their work and make appropriate changes to the already made API to increase security.
The project might be finished late and over budget if the security aspect is overlooked and not modified.. It's best to approach this head on before it's too late (when you've released to the public traffic and face longer down time than expected)
overall point.. Nail it in the butt before it becomes a serious problem.
It's not unreasonable to deal with security matters at the later stage of development, as long as it's merely an issue of implementation and not a fundamental deficiency in design. There is no such thing as "more secured" or "less secured." Either a system is secured or it's not. One has to consider the behavior of an application as a whole. As such, it's not all that profitable to handle security while the codebase is still in flux. While it's fashionable to say that security should be integral to the entire development process, in a world where resources are finite, such an approach is more academic than practical. Having sufficient time for quality assurance prior to delivery will in all likelihood yield better returns.
just to add what everyone else suggested, you must embrace security from day one.
not doing this will only be prone to errors and bugs in the code.
have a look at the Microsoft Secure Development Lifecycle:
http://www.microsoft.com/security/sdl/default.aspx
Also, I would recommend you to review the code / pentest it to identify any potential issues.
Thanks
Fabio
#fcerullo
Disclaimer: Similar questions has been asked a number of times on SO, however this question is much more specific, and has not been adequately addressed so far.
We're developing a new packaged software, which, for business security reasons, must run on our customer's server, in PHP. The software is sold with a per-user end-license; price range is within $20-80 per user, target market is small (and web-savy) consultancies, and IT agencies.
To discourage piracy (eg. removing the user-license enforcement), we'd like to maximize the protection of the PHP code in any means technologically available, which does not inconvenience the user.
Let's break this down:
does not inconvenience the user: no additional server-side installs (no zend decoder, or other binaries). Has to run on a plain-vanilla shared PHP host out-of-the-box.
Maximize the protection: breaking the protection has to outweigh the cost of buying an additional license. That is, it has to take at least 3-5 working days for a professional hacker to remove the user license protection.
Any means technologically available: might call home, might use high-end crypto, might implement a c64 emulator.
To pro-actively address the so far highest-voted non-solutions:
NOT looking for perfect obfuscation, just extremely hard ones (defined as: have to take at least 3-5 working days to decrypt), OR other anti-piracy methods
NOT looking for "black-box" software packages, which I don't know how they work, and can't determine whether it fits our purpose; looking for algorithmic ,and out-of-the-box ideas.
NOT looking for license/law-side protection, we already have that covered.
We DO know, that given enough time, and focus, all obfuscation will be hacked sooner or later; we merely want this not to be the economical solution.
Given the above constraints, what methods, or ideas would you use to maximize anti-piracy measures?
Bounty-hunt: point goes for the hardest algorithmic method to reverse-engineer the code, given the constraints above.
Update / Bounty-hunt: I've accepted Ira Baxter's answer, mostly because the rest failed to answer the core question, and attempted to question the underlying assumptions (business, closed source, yadda yadda). Thanks all!
I think what you want to do is to transform the code algorithmically, to obfuscate not only what is executed, but also to obfuscate the data structures. We assume we start with a clean version of the program, produced by the developer. He always works wih the clean version. Obfuscation produces the to-ship version. Good obfuscation will produce a to-ship version with exactly the same functionality as the original, so no further testing is (arguably) needed.
For control flow scrambling, the idea is to take the nicely written code you have at the start, and push it through transformations that make static (and human) analysis of the decisions that control the flow difficult by multiplying the set of assumptions that have to analyzed. For instance, if you have two pointers, and store a value through one, can it affect the value seen by the other? Depending on whether the pointers are aliased on not, you can get two different answers. Now take N pointers, each of which may be aliased; you get 2^N possible aliasing relations. If the reader doesn't know the exact combination, he won't be able to determine if a decision might be true, false or conditional. Of course, the tool that generates this produces conditionals whose outcome it knows, because it designs (generates) the pointer rat's nest to produce a specific outcome.
See Code Obfuscation Literature Survey (not my paper), which discusses a variety of control flow and data flow obfuscation. This is likely not the most recent summary of what is possible, but its pretty instructive. You should note doing this kind of obfuscation has some impact on execution time.
What the papers on this topic make clear is that control and data flow obfuscated programs are extremely hard for static analyzers to "understand"; the papers provide/reference demonstrations of the algorithmic complexity of processing such obfuscated programs.
Now, you might argue that people aren't static analyzers and therefore don't suffer the same limitations. You might be right; Roger Penrose famously argues that people do not have the same constraints as Turing machines; the argument isn't settled by a long shot. But the entire foundation of encryption/hashing technology is built on essentially the same kind of computational complexity arguments. And to date, nobody has proven smart enough to crack these technologies in ways
that can be used in daily life by theives (good thing, or your bank accounts would be empty).
To do this to a PHP program, you need tools that can parse the PHP code, and carry out such transformations. Our DMS Software Reengineering Toolkit has robust PHP parsers, and can apply very complex transformations to code. To do this really well, you want to apply the transformations globally across all your code, not just on a file-by-file basis. We don't have this kind of obfuscation transformation implemented on PHP, but if you really wanted to do it, this would be the way. We have applied complex transformations to PHP programs for other commercial products that we sell.
When you are all done, ideally you'd compile this result to machine code, say using the HipHop compiler. (Just compiling would defeat some folks, but not the serious software engineers).
EDIT: Obfuscation != AntiPiracy is a theme in other answers. So how does obfuscation help?
First you need to deal with the anti-piracy issue. The obvious things to do are:
Add copyright comments to each file. These serve as warnings to theives. Not good ones.
Add copyright strings in various places and print them out occasionally;
these will end up in memory and play a roleif a pirate steals the code; he stole this string, too.
Add a string to your application saying, "licensed to ". This makes
your customer unenthusiastic about letting it be stolen.
Add a check to your application that it is running on the intended customer's machine.
(Since your app is intended to be very cheap, you'll probably need to automate
a registration process)
Have the application phone home with its machine ID occasionally.
Now, these steps prevent someone (legally and technically) from stealing your code.
If this is all you have, an unfazed pirate will simply remove the technical checks and its stolen.
It is very hard to prevent somebody from copying the bit stream that makes up
your product; computers are far too good at copying.
So your goal is to arrange for it to be hard for him to derive
value if he does, and that's where obfuscation comes in.
If the code is sufficiently obfuscated, he will have a difficult time locating the license check
and phone home mechansisms to disable them. (I suggest several checks, none of them always called, to make it hard for the theif to tell when he is successful.).
The obfuscation, well done, should protect the printing of the original
owner's name, which means the original owner will have some interest in prevent it from being
stolen as you'll name him along with pirate in any lawsuit.
If they defeat the licenses, copyright printing, and phone-home mechanisms,
and simply want to run it in the back room without telling you, you might be stuck.
(For $80.00, I can't imagine why they'd go to all this trouble just for this effect).
But many thieves want to modify the software to "improve" it, especially if they want your market. Serious obfuscation will prevent them for doing this; it will even
make it hard for them to add thier own license controls.
That limits the value pretty severely.
They may simply steal it and release it to world for free; your hope here is
the applicaton is hard to crack. If they succeed, your only good defense
is a continuing stream of upgrades that licensed owners get.
Obfuscation is a key to successful piracy defense, IMHO.
Obfuscation != Anti-piracy For instance you could have a heavily obfuscated class, but I can use reflection to see all methods that this class implements. I can then extend this class and override any methods that I don't like. Are you storing a secret? Because any secret value can be pulled from memory using a debugger.
3-5 days? Even with Zend-Guard it takes 3-5 seconds to break using some open source tool. Most obfuscation tools are very primitive and easy to break.
I'm sorry but I don't think there is a good solution for this.
The best anti piracy method is no method.
If you don't want to use tools such as zend, then you are better off doing absolutely nothing.
Take it from me you can waste more time and lose sales trying to stop pirates. you will only hurt yourself. Hey they don't care and its good fun, the harder you make it the more satisfaction they get in doing it. and once its done it will be available for all via a torrent. so no-one needs to repeat the effort.
Make a good application. make it work well. give Fantastic service and the customers you want will gladly pay. those customers you don't want will NEVER pay so don't waste time on them. And guess what, they actually become good advertising. people see your software on more sites they come looking for it.
So in effect you are getting free advertising.
So don't stress, don't waste your time and don't blame pirates if your software fails. blame yourself because you got too distracted trying to do the impossible
I wanted to add a little bit of my personal experience.
Back in the 90's I spent many months creating encryption techniques to reduce/prevent pirating of a heavily pirated piece of software, in the end I 'mostly' succeeded.
I used custom encryption, junk insertion, random number generators, cross module CRC checking, blah blah blah.
I used to hang out in the news group devoted to hacking my software and others like it and even struck up conversations. one polite fellow said "why are you wasting your time we do this for fun". but I was hooked. it was a competition.
If I had spent the time and effort on improving the software instead, I would have earned 10x the amount I thought I had lost to piracy.
It was a fools victory.
I thought about this a lot, and what you are asking is essentially impossible. You can obfuscate to no end and people will still steal your software. There is little you can do about it. If you write in code to call home, someone will strip it out and just put true in instead. Your best bet is to write quality software so people want to buy it. It's either that or use a commercial solution like ionCube or Zend.
Only a few things can really work. The most basic logic I can think of that would be effective (since this market sounds like it's fairly controlled, and finite) would be to use something similar to a licensing server, but with a two-way communication channel (that you can encrypt etc.. etc..).
Now, of course you can have someone disable that communication channel, but between the coding you will add to disable the software, and the fact that your company will be able to follow up with the client since you will know exactly who it is that is "down" that will help.
The third part of the logic, is for each license that is given out to play a role in generating the "checks" that will occur between the software and your licensing server. This means you generate, on-premise, unique hash codes that are used as part of the answer your software send back to the server. That pretty much rules out the hacking, because the hacker would have to know what algorith you are using to generate the licensing (since it is pre-generated, there is no logic to use to decipher it) and the hacker would have to feed you a licensing key.
The fourth step, optionally, would be to push updates to clients to refresh the security mechanisms you have in place and run "tamper" checks on your code, possibly periodically feed some sort of hash to be used in the logic your software uses to connect to the licensing server.
This still isn't perfect, someone "will" be able to clone a production machine, circumvent/redirect the licensing (and you won't know since it will be a copy) and try to work away at the check that you have in your code which require a license (as someone above mentioned, set all the logic to "True")... but you could definitly spend the time putting checks and encryption on your licensing system and make it a time-consuming and "risky" process. Unlesss.. as a final touch... you can have some deliverable from your product generated by your server (none of the code is in what the client has) and pushed to the software that has this licensing mechanism in place.. but i don't know how possible that is.
Artificial code bloat
By using post processors to automatically bloat the code and insert logic multipliers you make the code hard to modify
I use tags in the original source to indicate the type of code in each method and which code multiplier to use. Randomisers can help too, as each release looks very different
The code bloat is achieved by a variety of processes. e.g. repeating and random fiddling of variables before and after they are officially in scope. Lots of extra logic steps that will never get followed. Breaking single statements into many random small steps. Interlace these with as many other statements as possible as long as the final step is in the correct order. etc etc
The final and most important part of this process is to interlace key generation and call home processes through this mess, and to be part of this mess (remember the "random fiddling of variables before and after they are officially in scope") so that the time taken to remove the key generation and call home become unwieldy
The call home server has to act like a rolling code remote control so while the attacker might discover the call home functions, taking them out will result in incorrect initialisation values for general variables in general methods, and in as many cases as you can work with
Over time you can build the general purpose code re-parser, and a library of functions to mess the code up. Keep adding the code mess library to improve the obfuscation level
You need to have a well covering unit and integration test library to validate the code after being messed up
I have not done this with PHP, but with other languages with similar constraints as PHP
Note: This technique works fine for complex scientific software where there is large amounts of cryptic logic and maths anyway. It may not work so well for typical web sites like CMS's unless your code multipliers are very convincing
If I get this right, why not invest in a server to be delivered within the cost of the application, a server which can be placed at the customer, with only one port opened for http access, I mean with a $1000 you can get a machine that can work as a safe for your software. If anyone attempts to hack into it you will know.
Another solution might be:
Currently I am working for a huge company that has aprox 350 selling points(shops) all over the country. As we can not rely on internet connection 100% we have a server at each shop. This server handles the business required for actual selling and it is linked to a local database. The rest of the stuff sits at the head-office server. Now, the clerks have computers in front of them, and all these computers work with the application hosted on the local server, the catch on the local server is that a registry which knows if a certain service is placed locally (on the same machine) or remote (at the head office) and executes the call as required (over http from remote location or direct call from local service). Services can be placed anywhere (local or remote) and all one needs to do is to configure their location in the registry by simply entering one of the keywords : local,remote,application (application keyword means that the service is first called from remote and if it fails it is called locally). This way you can make an acceptable compromise. Highly necessary stuff can sit locally and the rest of the business logic can reside on your server where nobody can touch it.
The short answer is no, there is no way to obfuscate code in such a complex manner that it takes days to crack. The simple explanation: obfuscation is a two way process. It can be done and undone. If a computer can do it, a determined person can do it too.
Instead of wasting so much time on protecting your code, why not take the hint from the popular TV show 24 (side note: Should have never been canceled!). To ensure scripts weren't stolen or revealed to the public, they watermarked each with a number specific to cast member, director, producer, etc. You can do something similar with you scripts by "watermarking" each PHP file. This can be something as simple as changing the name of the variable to reflect a client ID or something as complex as spreading identifying characters over multiple variable and function values/names. Try working this identifier and/or parts of it into as many inconspicuous places in your scripts as possible. Only you can know the exact combination that creates the identifying information. This way if code is leaked you can sue the responsible party.
Just a suggestion, you might just want to add needed lines of code that don't really do anything, except it looks like it.
How would one go about getting his or her code 'validated' to ensure it is comfortably secure enough to make public?
In other words if I have written a PHP app and I have made efforts to sanitize all inputs - is there a commonly used/accepted way or service where one or more experts can check that it really is secure enough to go public?
Well, I'll be blunt here. No. There is no known method that you can put code through that will tell you if it's "secure enough"... That's a very difficult problem (After all, even the big software companies get things massively wrong from time to time).
There are a number of automated testing tools available. I don't really have anything positive to say about any of them. Some are better than others I'm sure. But the bunch (about 5) that I've tried personally were horribly inaccurate (one found over 20,000 vulnerabilities. Each and every one was a false positive). And the problem is that you need to know what you're doing to accurately determine if it's a false positive, or how to fix it if it is not.
The best method if you can afford it is to hire a professional PHP security expert to review the code base. Note, I'm talking about an actual expert, not just some company that claims to do the service (since -again in my experience- more often than not they are just trying to capitalize on the market).
With that said, if you really want someone to take a look, hire any reputable security company. It's better than nothing if you feel that strongly that you need the help...
Try reading up on some security resources so that you can try to check for yourself (or at least start writing more secure code)... In no particular order:
PHP Security at PHPFreaks.com
The security section of PHP.net's documentation
The PHP Security Consortium
Chris Shiflett's book on PHP Security
OWASP
There are tons more, just look...
Maybe this isn't really feasible. But basically, I've been developing a snippet-sharing website and I would like it to have a 'live demo area'.
For example, you're browsing some snippets and click the Demo button. A new window pops up which executes the web code.
I understand there are a gazillion security risks involved in doing this - XSS, tags, nasty malware/drive by downloads, pr0n, etc. etc. etc.
The community would be able to flag submissions that are blatantly naughty but obviously some would go undetected (and, in many cases, someone would have to fall victim to discover whatever nasty thing was submitted).
So I need to know:
What should I do - security wise - to make sure that users can submit code, but that nothing malicious can be run - or executed offsite, etc?
For your information my site is powered by PHP using CodeIgniter.
Jack
As Frank pointed out, if you want to maintain a high level of security use a whitelist technique. This of course comes with a price (might be too restrictive, hard to implement).
The alternative route is to develop a blacklist technique. i.e. only allow code that hasn't triggered any bells. This is easier, because you have to specify less things, but it will not catch new exploits.
There is plenty information available on the web on both techniques.
Relying on CodeIgniters security functions (XSS filtering etc.) will not get you very far as most of the snippets will not be allowed through.
Whatever you do you have to remember this:
Do not think malicious code will aim to just harm your website's visitors. It may as well aim to compromise your server via your parser/code inspector. For example, lets say Alice uploads snippet foo. Alice intentionally crafts the snippet so that your parser will flag it as malicious due to an XSS exploit. Lets say your parser also updates a database with the malicious snippet for further investigation. Alice knows this. Along with the XSS exploit Alice has injected some SQL code in the snippet, so that when you INSERT the snippet to the database it will do all sorts of bad stuff.
If you are really paranoid, you could have an isolated server which its solely responsibility would be to inspect code snippets. So in the WCS only that low-risk server would be compromised, and you would have (hopefully) enough time to fix/audit the situation.
Hope this helps.
You cannot whitelist or blacklist PHP, it just doesn't work. If you write up a list of commands that I can use, or stop me from using malicious functions, what is to stop me from writing:
$a = 'mai';
{$a .'l'}('somebody#important.com', 'You suck', 'A dodgy message sent from your server');
You cannot whitelist or blacklist PHP.
For your information my site is powered by PHP using CodeIgniter
Sorry Jack, if you think that is in the least bit relevant you're a very long way from understanding any valid answer to the question - let alone being able to distinguish the invalid ones.
Any sandbox you create which will prevent someone from attacking your machine or your customers will be so restrictive that your clients will not be able to do much more than 'print'.
You'd need to run a CLI version of suhosin on a custom chroot jail - and maintianing seperate environments for every script would be totally impractical.
C.
Assuming you are only allowing javascript code, then you should do the following -
Purchase a throw-away domain name that is not identifiable with your domain
Serve the user-entered code in an iframe that is hosted from the throw-away domain
This is essentially what iGoogle does. It prevents XSS because you are using a different domain. The only loophole I am aware of is that evil code can change the location of the webpage.
If you intend to share snippets of server side code, then it is a different ballgame. For java/jsp snippets, you could use JVMs internal Security classes to run the code in a sandbox. You should find a lot of information on this if you google. I would like to think this is what google uses in App Engine (I am not sure though).
Anything other than Java, I am not sure how to protect. Dot Net perhaps has a similar concept, but I doubt you could sandbox PHP code snippets in a similar manner.