#1 (permalink)
Registered User
Fresh Surpasser
Joined in Jul 2004
6 posts
Gave thanks: 0
Thanked 0 times
Shell Access Abused
My account was suspended because I abused shell access. The administration was kind to forward a log to me:
=====================================================
PWD=/var/tmp/.tmp/.m
HOSTNAME=serva.surpasshosting.com
MACHTYPE=i686-redhat-linux-gnu
OLDPWD=/home/xdemi08/public_html/music
SHLVL=2
SHELL=/bin/bash
HOSTTYPE=i686
OSTYPE=linux-gnu
TERM=dumb
PATH=/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin
_=./initd

This contains the environment for the process.

Maps
00110000-00125000 r-xp 00000000 03:05 12828738 /lib/ld-2.3.2.so
00125000-00126000 rw-p 00015000 03:05 12828738 /lib/ld-2.3.2.so
00126000-00127000 rw-p 00000000 00:00 0
00127000-0012b000 r-xp 00000000 03:05 12828692 /lib/libnss_dns-2.3.2.so
0012b000-0012c000 rw-p 00003000 03:05 12828692 /lib/libnss_dns-2.3.2.so
0012d000-00260000 r-xp 00000000 03:05 13975560 /lib/i686/libc-2.3.2.so
00260000-00263000 rw-p 00133000 03:05 13975560 /lib/i686/libc-2.3.2.so
00263000-00267000 rw-p 00000000 00:00 0
0026e000-00279000 r-xp 00000000 03:05 12828694 /lib/libnss_files-2.3.2.so
00279000-0027a000 rw-p 0000a000 03:05 12828694 /lib/libnss_files-2.3.2.so
0027a000-00289000 r-xp 00000000 03:05 12828704 /lib/libresolv-2.3.2.so
00289000-0028a000 rw-p 0000f000 03:05 12828704 /lib/libresolv-2.3.2.so
0028a000-0028c000 rw-p 00000000 00:00 0
08048000-0806b000 rwxp 00000000 03:05 7898120 /var/tmp/.tmp/.m/initd
0806b000-0806e000 rw-p 00023000 03:05 7898120 /var/tmp/.tmp/.m/initd
0806e000-0807b000 rwxp 00000000 00:00 0
======================================================

However, I do not understand anything in this log. I see that it has to do with the "music" section of my website. It was a section that I made as a homepage for my band. I do not see what harm I caused. If it helps to diagnose my problem, here are some details of the music section:

-Used a PHP script I made that allows band members to update/delete "news articles" through a custom control panel
-Uses a Flash .swf document as the mainframe of the site
-Has a section that allows people to download/stream our mp3/m3u files. These are original songs that we recorded at a recording studio and uploaded to my server

And the rest is made in HTML and CSS. I don't see where I violated anything. Can someone please explain so that I may correct whatever it is that I did wrong? Thank you very much.

#2 (permalink)
Registered User
Comfy Contributor
Joined in May 2004
Lives in Finland
Hosted on Centi
281 posts
Gave thanks: 0
Thanked 0 times
Ask them back for an explanation.
__________________
The secret to creativity is knowing how to hide your sources. - Albert Einstein
Centi: ykkosrasti.net
My sites on Pass38, reseller: kimslotte.net|mtb-o.net|perhekuvat.net|nettikuvat.net|tiedostotila.net

#3 (permalink)
Registered User
Fresh Surpasser
Joined in Jul 2004
6 posts
Gave thanks: 0
Thanked 0 times
It has been at least a week now, I think. There is still no response. My question has been forwarded between the billing/support/admin departments. No one is responding. There is no telephone number. I already emailed three separate times. What am I supposed to do?

#4 (permalink)
I <3 Surpass!
On a golden path...
Joined in May 2004
Lives in Netherlands
Hosted on Pass 12, Supras
417 posts
Gave thanks: 0
Thanked 0 times
Well then keep badgering them with tickets, I guess. When I say that I don't mean flood the help desk, but send 3 a day (not all at the same time) till it's resolved. Or just wait it out.
GB.
__________________
MI6Labs.co.uk - Pass 12
KGBLabs.com - supras

#5 (permalink)
Marketing Maven
Surpass Staff
Joined in May 2003
Lives in Orlando
24,749 posts
Gave thanks: 946
Thanked 806 times
The only thing wrong is,

Used a PHP script I made that allows band members to update/delete "news articles" through a custom control panel

That is probably the problem, you would need to find a new script. This script is probably a security risk.

#6 (permalink)
Registered User
Fresh Surpasser
Joined in Jul 2004
6 posts
Gave thanks: 0
Thanked 0 times
I see. Well, let me define that more clearly: when I made this script, I did not have a MySQL database (on my previous host). I used the file functions such as fwrite() to write *.txt files that stored information. When a band member writes an article and hits "update," the information, along with the date and time, is stored in a *.txt file to be retrieved by the home page. The file is created and the chmod() function is used to change its permission access so that the public cannot write to it. That is all that happens. I assume the use of file() functions and chmod() is very common among PHP programmers. I am reluctant to believe that the use of those functions became a security threat.

1) Create harmless *.txt file storing less than a kilobyte of information
2) Change *.txt file's permissions so public cannot alter

It's not like I can even change permissions on any files other than the ones I create as directed by the server... or anything outside of my own root! And if the script goes haywire (which there is no chance of it doing), it might create an overload of text files, but by the time it could fill up my quota, it will time out.

Anyway, my main concern is not arguing who is right or wrong. If I am accused of whatever, then I accept, and I will gladly change. Surpass is the best hosting plan I have ever found. I don't want to leave. But the concern right now is that I have been out of contact for a week; my site has been down for a week. No one is replying despite the sign at http://www.xdemi.com ... so I was hoping some staff member would see this post and do something about it.

#7 (permalink)
Registered User
Seasoned Poster
Joined in Aug 2003
58 posts
Gave thanks: 0
Thanked 0 times
Hi:
The problem is the below files, and the code in them. They are vulnerable. They were exploited via a Cross-Site-Scripting technique, a very popular exploit. A good thing to do would be to have an array of accepted pages in your include, I'd suggest checking: http://www.timestretch.com/site/writ...cure_php_apps/

main.php: <?php include $s.".php"; ?>
main.php: include $s.'-'.$p.'.php';
main2.php: <?php include $s.".php"; ?>
main2.php: include $s.'-'.$p.'.php';
__________________
'Keep the faith in me, I will not let you down' - Tupac
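
Added example, not part of the original thread and not the site's own code: one way to apply the "array of accepted pages" advice to the two include lines quoted in post #7. It assumes the values reach the script as $_GET['s'] and $_GET['p']; the section names, the pages/ directory and the resolve_page() helper are hypothetical.

```php
<?php
// Added example. Replaces `include $s.".php";` and
// `include $s.'-'.$p.'.php';` with a lookup against a fixed list, so a
// request value can only ever select a file the author listed in advance.

// Hypothetical layout: page files live in ./pages next to this script.
const PAGES_DIR = __DIR__ . '/pages';

// Accepted section => accepted sub-pages (empty array = no sub-pages).
// These names are constructed for illustration.
const ALLOWED_PAGES = [
    'home'  => [],
    'news'  => ['archive'],
    'music' => ['downloads', 'lyrics'],
];

/**
 * Map the request values to a file path, or return null if they are not
 * on the list. The path is assembled only from list entries, never from
 * the raw request string.
 */
function resolve_page($s, $p = null): ?string
{
    // Non-strings (e.g. ?s[]=x) and unknown sections are rejected.
    if (!is_string($s) || !array_key_exists($s, ALLOWED_PAGES)) {
        return null;
    }
    if ($p === null || $p === '') {
        return PAGES_DIR . '/' . $s . '.php';
    }
    // Strict comparison: no type juggling between request and list values.
    if (!is_string($p) || !in_array($p, ALLOWED_PAGES[$s], true)) {
        return null;
    }
    return PAGES_DIR . '/' . $s . '-' . $p . '.php';
}

// Read the values explicitly instead of relying on bare $s / $p.
$path = resolve_page($_GET['s'] ?? 'home', $_GET['p'] ?? null);

if ($path === null || !is_file($path)) {
    http_response_code(404);
    exit('Page not found');
}

include $path;
```

Anything not on the list, including URLs, paths containing `../` and unknown section names, ends in the 404 branch without reaching `include`.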

#8 (permalink)
Registered User
Fresh Surpasser
Joined in Jul 2004
6 posts
Gave thanks: 0
Thanked 0 times
Thank you very much Kris! I read the article and placed SecurePHP in my bookmarks to read up on. I have actually hacked (with approved purposes of education, at my school) using similar methods of exploiting the $_GET variables. For some reason, it never hit me that I could be a target of this in my own site. Thank you for reviving my site. You have deleted main.php which contained the errors. However, I confess that I may have used this method in other sections of the site. I will go through every section and delete the files. I might as well redesign the music section; it was getting old anyway. Once again, thanks for the quick response.