I've got a fully custom PHP site with a lot of database calls. I just got injection hacked. This little chunk of code below showed up in dozens of my PHP pages.
<?php /**/ eval(base64_decode(big string of code....
I've been pretty careful about my SQL calls and such; they're all in this format:
$query = sprintf("UPDATE Sales SET `Shipped`='1', `Tracking_Number`='%s' WHERE ID='%s' LIMIT 1 ;",
    mysql_real_escape_string($trackNo),
    mysql_real_escape_string($id));
$result = mysql_query($query);
mysql_close();
For the record, I rarely use mysql_close() at the end though. That just happened to be the code I grabbed. I can't think of any places where I don't use mysql_real_escape_string() (although I'm sure there are probably a couple. I'll be grepping soon to find out). There are also no places where users can put in custom HTML or anything. In fact, most of the user-accessible pages, if they use SQL calls at all, are almost inevitably SELECT * FROM pages that use a GET or POST, depending.
Obviously I need to beef up my security, but I've never had an attack like this and I'm not positive what I should do. I've decided to put limits on all my inputs and go through looking to see if I missed a mysql_real_escape_string somewhere. Anybody else have any suggestions?
Also, what does this type of code do? Why is it there?
Direct SQL Command Injection is a technique where an attacker creates or alters existing SQL commands to expose hidden data, or to override valuable ones, or even to execute dangerous system level commands on the database host.
Developers can prevent SQL Injection vulnerabilities in web applications by utilizing parameterized database queries with bound, typed parameters and careful use of parameterized stored procedures in the database. This can be accomplished in a variety of programming languages including Java, .NET, PHP, and more.
SQL injection, also known as SQLI, is a common attack vector that uses malicious SQL code for backend database manipulation to access information that was not intended to be displayed. This information may include any number of items, including sensitive company data, user lists or private customer details.
SQL Injection (SQLi) is a type of injection attack that makes it possible to execute malicious SQL statements. These statements control a database server behind a web application. Attackers can use SQL Injection vulnerabilities to bypass application security measures.
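The "bound, typed parameters" advice above, applied to the UPDATE from the question and to the SELECT-by-GET-parameter page pattern it mentions. This is an added example written for this page, not the asker's code and not a library's reference implementation; it assumes PHP 7.1 or later with the PDO MySQL driver, and the DSN, database name and credentials are placeholders to replace.

```php
<?php
// Added example, not the asker's code. Assumes PHP 7.1+ with pdo_mysql.
// DSN, database name and credentials below are placeholders (assumptions).

$dsn = 'mysql:host=localhost;dbname=shop;charset=utf8mb4';
$pdo = new PDO($dsn, 'app_user', 'app_password', [
    // Throw on errors instead of silently returning false.
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    // Real server-side prepares; with emulation PDO would quote and interpolate client-side.
    PDO::ATTR_EMULATE_PREPARES => false,
]);

/**
 * Mark a sale as shipped. The SQL text never contains user data: the driver sends
 * the values separately from the statement, so quotes, backslashes or comment
 * markers in $trackNo cannot change what the statement does.
 */
function markShipped(PDO $pdo, int $id, string $trackNo): int
{
    // The "limits on all my inputs" step: a length and character-set check
    // before the value goes anywhere near the database.
    if (!preg_match('/^[A-Za-z0-9-]{1,40}$/', $trackNo)) {
        throw new InvalidArgumentException('bad tracking number');
    }
    $stmt = $pdo->prepare(
        'UPDATE Sales SET Shipped = 1, Tracking_Number = :track WHERE ID = :id LIMIT 1'
    );
    $stmt->bindValue(':track', $trackNo, PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT); // typed: no quoting decision to get wrong
    $stmt->execute();
    return $stmt->rowCount();
}

/**
 * The "SELECT * FROM ... driven by a GET parameter" page pattern, parameterized.
 * Validating as an integer first rejects anything that is not a plain number,
 * so a value like "1 OR 1=1" never reaches the query at all.
 */
function fetchSale(PDO $pdo, $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT * FROM Sales WHERE ID = ? LIMIT 1');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage from a request handler (the parameter names are assumptions):
// markShipped($pdo, (int)$_POST['id'], (string)$_POST['trackNo']);
// $sale = fetchSale($pdo, $_GET['id'] ?? '');
```

The difference from the escaping approach in the question is where the safety lives. mysql_real_escape_string() is only correct when every escaped value sits inside quotes in the final string and the connection character set is the one the function was told about; forget the quotes around a numeric value once and the escaping does nothing. With a prepared statement the query text is fixed before any user data exists, so there is no per-call quoting decision left to miss while grepping.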
As a matter of fact, SQL injection is not the only type of attack your server may suffer.
And this one doesn't look like SQL injection.
Most of the time it's just a trojan horse on your PC, stealing your FTP password.
To see the actual code, replace eval with echo. But I doubt it has anything interesting.
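A way to do the "replace eval with echo" step without ever executing the dropped stub, plus a walk over the web root to list every file that carries one. This is an added example written for this page, not the answerer's code; the sample stub is constructed inline (its payload is a harmless echo), and the web root path at the end is an assumption.

```php
<?php
// Added example, not the answerer's code. Decodes an injected
// eval(base64_decode('...')) stub as text only; nothing here is executed.

/**
 * Return the decoded payload of the first eval(base64_decode('...')) in $source,
 * or null when there is none. Handles either quote style and tolerates comment
 * noise such as the "/**/" seen in the question.
 */
function decodeEvalStub(string $source): ?string
{
    $re = '/eval\s*\(\s*(?:\/\*.*?\*\/\s*)*base64_decode\s*\(\s*([\'"])([A-Za-z0-9+\/=\s]+)\1\s*\)/s';
    if (!preg_match($re, $source, $m)) {
        return null;
    }
    // Strict mode makes base64_decode() return false on characters outside the alphabet.
    $decoded = base64_decode(preg_replace('/\s+/', '', $m[2]), true);
    return $decoded === false ? null : $decoded;
}

/**
 * Walk $root and return the paths of all .php files that contain such a stub.
 */
function findInfectedFiles(string $root): array
{
    $hits = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if (strtolower($file->getExtension()) !== 'php') {
            continue;
        }
        $src = file_get_contents($file->getPathname());
        if ($src !== false && decodeEvalStub($src) !== null) {
            $hits[] = $file->getPathname();
        }
    }
    sort($hits);
    return $hits;
}

// Constructed sample: a stub whose payload is a harmless echo, so the decoder can
// be exercised locally. Real dropped payloads are much longer.
$sample = "<?php /**/ eval(base64_decode('" . base64_encode('echo "hello";') . "')); ?>";
echo decodeEvalStub($sample), PHP_EOL;

// On the server (the path is an assumption); each listed file needs cleaning or
// restoring from a known-good copy:
// foreach (findInfectedFiles('/var/www/html') as $path) { echo $path, PHP_EOL; }
```

If the decoded text turns out to be another layer of the same shape (an eval() wrapped around gzinflate() or str_rot13() of a further base64 string), feed that text back through the decoder rather than running it. The scanner only recognises this one stub form; it is a way to find the copies the question describes, not proof that a server is otherwise clean.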
That could have been caused by any common attack that has compromised the server.
Normally it is caused by an LFI (Local File Inclusion) but it can be caused by anything.
You can read more about LFI from:
http://labs.neohapsis.com/2008/07/21/local-file-inclusion-%E2%80%93-tricks-of-the-trade/
Hope it helps (a little)
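The include-by-request-parameter pattern that the linked article is about, shown beside an allowlisted version. This is an added illustration written for this page, not code from the answer and not something found in the asker's site; the page names and the pages/ directory are assumptions.

```php
<?php
// Added example, not from the answer. Page keys and the pages/ directory are assumptions.

// Vulnerable form: whatever arrives in ?page= becomes part of an include path.
// A request such as ?page=../../../../etc/passwd (or, with allow_url_include on,
// a remote URL) makes the server include a file the developer never intended.
function renderPageVulnerable(string $page): void
{
    include __DIR__ . '/pages/' . $page . '.php';
}

// Hardened form: the request only selects a key from a fixed map. The filesystem
// path never contains request data, so traversal sequences have nothing to act on.
const PAGES = [
    'home'    => 'home.php',
    'orders'  => 'orders.php',
    'contact' => 'contact.php',
];

/**
 * Return the file to include for $page, or null when $page is not an allowed key.
 * Keeping the decision in a pure function makes it easy to check without a web server.
 */
function resolvePage(string $page): ?string
{
    if (!array_key_exists($page, PAGES)) {
        return null;
    }
    return __DIR__ . '/pages/' . PAGES[$page];
}

function renderPage(string $page): void
{
    $path = resolvePage($page);
    if ($path === null) {
        http_response_code(404);
        echo 'No such page';
        return;
    }
    include $path;
}

// Checks on constructed inputs: an allowed key resolves, a traversal string and a
// bare filename do not (only the key is ever accepted, never a path).
var_dump(resolvePage('home') !== null);
var_dump(resolvePage('../../../../etc/passwd') === null);
var_dump(resolvePage('home.php') === null);

// In the page entry point (parameter name is an assumption):
// renderPage((string)($_GET['page'] ?? 'home'));
```

The allowlist is the whole fix; trying instead to strip "../" from the parameter leaves the include path under attacker influence and is the kind of partial filter the linked article shows ways around.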