[nycphp-talk] I've been hit with an eval(base64_decode("....")) injection attack
David Mintz
david at davidmintz.org
Tue Mar 27 10:47:16 EDT 2012
On Sun, Mar 25, 2012 at 4:07 PM, Daniel Convissor <
danielc at analysisandsolutions.com> wrote:
> 'd love to hear the thoughts of
> the people here on it from a code level and user interface level.
>
> http://wordpress.org/extend/plugins/login-security-solution/
>
>
Dan, I haven't tried it yet but from reading about the features, OMG! It's
great. I will install it.
>
> > egrep -lr '<\?php.+eval\(base64_decode\("[^"]+"\)\);\?>' *| xargs
>
> I'd have just grep'ed for "eval", since that should never be in any code
> I want to use. Your regex would miss code that doesn't have double
> quotes, doesn't use base64_decode, has spacing in it, etc.
>
Yeah, I assembled the regex based specifically on the malicious code that I
was looking at in all my files. I suppose the trick is to fashion a regex
that catches an actual eval call inside php tags -- there's always a
chance that the string "eval" is is somehow legitimately contained inside
some php tags.
> Oh, and lock down your file permissions. The web server shouldn't be
> allowed to write to any files or directories.
>
>
Except when it really needs to, like for writing data to a file-based
cache, or accepting file uploads. How do you recommend handling those cases?
I have been wondering, why not chmod ALL your php files to 400? Indeed I
did this with one site after my infection, but not the several others. Then
I got hit again, but the site whose php files were 400 was not affected --
probably not a coincidence. It's perhaps a bit of an inconvenience when you
need to update/overwrite, but I see no reason we can't relax permissions
temporarily for code deployments and reset them back when we're done.
--
David Mintz
http://davidmintz.org/
It ain't over:
http://www.healthcare-now.org/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20120327/5e39595d/attachment.html>
More information about the talk
mailing list