Serious SQL Injection Scripts

Solarpitch

Whats up,

I posted a topic there a week or two ago about files on my server being compromised with links to js scripts. The same link and problem as described on http://www.dynamoo.com/blog/

Someone said that they could be inserting it via a page that accepts variables through the URL. But this seems to be a bigger problem that what I thought. Out of the 40 or so directories I have, almost 30 of them have been compromised. Meaning all these pages in this directories have these links in them :eek:

I cant understand how some files are getting compromised when they dont even take in parameters. I had a file in one of the directories called blank.html with noting in it at all... except for the js links that were inserted into it.

Any help with this would be class, because I'm loosing my patience with these guys in China or South Korea where I think the URL's are originating from. I seriously need to do something to stop these.

AARRRGH

Obvious questions, but have you checked the permissions on the directories (i.e. not world writeable), have you changed your password, and have you scanned your system for trojans?

Solarpitch

Permissions is always something that confuses me. Some of the permissions on the folders like images are world writable 777 in order to be able to take file uploads.

Some of the other directories are TinyMCE editor and PHPBB which have also been compromised. I havent made any changes to the file permissions on any of the folders in these directories, yet the files in them contain the links.

I have changed my password but if they had my password I think they would probably do more malicious things than uploading js file links.

I have scanned my system and found noting. I didnt think the files were being infected from my system anyway, because they were still getting infected even if I hadnt made any FTP connection is a while.

AARRRGH

Are the world writeable folders above or below the document root? In other words, could I upload a PHP file to http://www.dynamoo.com/images/, execute it as http://www.dynamoo.com/images/nasty.php and then delete it?

Solarpitch

There all below the document root. www/directories/folders/images.

Would I be right in assuming that this could be caused by files permissions due to the fact that there are files with links in them that do not do any form processing and are just a basic html page.

I cant see of any other way where these files could be compromised if it excepts no parameters or does no processing.

All the scripts are insert in the same place right at the bottom of the page

<script>http://thescript1/fgg.js</script><script>http://thescript2/fgg.js</script&gt; ... etc
</body>
<html>

Eoin

Solarpitch wrote: »

Some of the other directories are TinyMCE editor and PHPBB which have also been compromised.

I never considered that you may be using a 3rd party WYSIWYG editor. That could be something to look at, considering the amount of JavaScript that they normally have. I presume there's some sort of file manager module? Perhaps that's a something to look into.

Solarpitch

I was thinking the same alright but even if I had TinyMCE inside one of my 40 directories, I cant understand how they can affect other files in orther directories. It's hard to get my head around this.

I just checked...I have another site hosted on my account under a different domain and I noticed some scripts on that website also. The hosting company said that its noting to do with their server and that the problem is with the files.

TinyMCE is not used in the other domain by the way.

Eoin

Solarpitch wrote: »

I was thinking the same alright but even if I had TinyMCE inside one of my 40 directories, I cant understand how they can affect other files in orther directories. It's hard to get my head around this.

If there was an exploit in a module that had access to the filesystem, then I would think it would be possible to traverse the filesystem - but I could be way off here.

It's not an area I'm too familiar with though, so don't know if I can think of any other possible sources.

Solarpitch

Yeah I know exactly what you mean, and is definitely a possibility. I suppose I just need to figure out whether its either SQL Injection or caused due to the file permissions and thats gonna be the hard part.

I'm afraid to modify any of the permissions incase I break any of the file upload scripts I have on the site :rolleyes:

Eoin

If the affected pages are not all dynamically generated from the database, then it sounds like a filesystem vulnerability one way or the other.

Solarpitch

I agree. I'll work on that idea and see if I can get anywhere. In the meantime if anyone else has any ideas on how to go about securing this, id like to hear.

Thank eoin