close ad
 
Important WebAssist Announcement
open ad
View Menu

Technical Support Forums

Free, outstanding support from WebAssist and your colleagues

rating

Malware - Mobile version - we have been hacked twice

Thread began 7/19/2014 1:28 pm by rgolab68503 | Last modified 7/30/2014 8:48 am by Jason Byrnes | 2757 views | 16 replies |

rgolab68503

Malware - Mobile version - we have been hacked twice

Hi Jason,
Hoping you can shed a little light on if I have set up the site open to malware. They have managed to get into the site twice now and plant an htaccess file into the root of the site. I could give you this file if it would help. This is just a site in development but it's getting frustrating. FYI the passwords are complex, with upper and lower case and numbers. we have changed them. We have now moved the site to a new folder etc. but we could not determine how they got in. My service provider is questioning some of the read write permissions settings that webassist is using. Do you have any experience and dealing with this? And if so what are a few steps we could take to make sure it doesn't happen.

Sign in to reply to this post

Jason ByrnesWebAssist

I would need more information on how the site is set up, what web assist processes are being used on the site.

The first place I would look is for using the HTML Editor File manager and not using a security assist login to protect it.

When you add HTML editor to a page, and enable the file manager, make sure you are also using a security assist access rule to protect the file manager. if not, it can be accessed directly.

It is also possible that they are accessing the FTP directly and not using a security hole in the site.

Change the sites FTP access credentials.

Sign in to reply to this post

rgolab68503

Hi Jason,

Thanks for getting back to me so quickly.

I do use HTML editor however it is only available at an administrative level. Within the admin level I am also using file upload to upload pictures. Now there are 3 levels of admin access. 2 are in use at this time. The customer had me also add in a 2nd party iframe into the site. I'm not sure if it's possible to access the site through it or not. My fear is that it could be a wordpress or drupal site. I am having him check. I know this is a long shot. Link to that page is listed in the private message.

Also, on the site is an ecart application and I have created several admin pages with data assist. The search function is also used on several product pages.

One issue i had contacted you in the past was one of two locations where pictures are being uploaded. For some reason we ended up with two folders where the product pictures are uploaded needing to be set to permissions 777, or the pictures would not be uploaded. however in a section where the page information pictures are being uploaded the permissions are 755. The 777 make me nervous. However these folders are at a 2nd level. and are behind security assist. The files they are hacking into is the index.php file and loading a .htaccess file in the route of the site.

Just so you know the first time we were hacked we changed the username and password for the FTP as well as the MySQL password. Both complicated. This time the service provider also changed the place where the site resides on the server to see if they are in fact coming in some back door however this one test site is the only one they have attacked on the server.

Not sure if this means anything however they were able to change some of the ownership to be Apache driven. I can ask for more info on what they found there.

Overall it's just a frustrating experience, especially since we were hoping to go live in a week or so after proofing the content. But now should we wait a few weeks to see if they come back?

Not sure if I covered everything here or not. Let me know if you need more information or files. Thanks in advance for your help.

Sign in to reply to this post

Jason ByrnesWebAssist

Please provide a Skype username or a US phone number and a good time to contact you when you will be in front of your computer and we will have an engineer contact you to resolve this issue over the phone.

We are available Monday - Friday from 9am - 4pm EST (except major U.S. holidays).

Sign in to reply to this post

rgolab68503

Hi Jason Skype info in PM

Sign in to reply to this post

Jason ByrnesWebAssist

We talked about a few possibilities over the phone, most promising is the iframe content being the source of the vulnerability, I also suggested contacting the host to have them run a Cross site scripting check

Sign in to reply to this post

rgolab68503

Thanks again for the quick response to this Jason. If I get some solid information from the service provider I'll be sure to pass it along.

Sign in to reply to this post

rgolab68503

Cross site scripting results

Hi Jason,

From the cross site scripting we encountered one high risk script in a product search page. This page is not behind security assist. The line in question is:

<select class="formMenufield_Medium" name="ProductCategories" id="ProductCategories" rel=""><script>alert(1);</script>"undefined title="Please enter a value.">

With a highlight on <script>alert(1);</script>

Further to that the warning given is:

Cross-site Scripting (XSS) is an attack technique that involves echoing attacker-supplied code into a user's browser instance. A browser instance can be a standard web browser client, or a browser object embedded in a software product such as the browser within WinAmp, an RSS reader, or an email client. The code itself is usually written in HTML/JavaScript, but may also extend to VBScript, ActiveX, Java, Flash, or any other browser-supported technology.
When an attacker gets a user's browser to execute his/her code, the code will run within the security context (or zone) of the hosting web site. With this level of privilege, the code has the ability to read, modify and transmit any sensitive data accessible by the browser. A Cross-site Scripted user could have his/her account hijacked (cookie theft), their browser redirected to another location, or possibly shown fraudulent content delivered by the web site they are visiting. Cross-site Scripting attacks essentially compromise the trust relationship between a user and the web site. Applications utilizing browser object instances which load content from the file system may execute code under the local machine zone allowing for system compromise.

There are three types of Cross-site Scripting attacks: non-persistent, persistent and DOM-based.
Non-persistent attacks and DOM-based attacks require a user to either visit a specially crafted link laced with malicious code, or visit a malicious web page containing a web form, which when posted to the vulnerable site, will mount the attack. Using a malicious form will oftentimes take place when the vulnerable resource only accepts HTTP POST requests. In such a case, the form can be submitted automatically, without the victim's knowledge (e.g. by using JavaScript). Upon clicking on the malicious link or submitting the malicious form, the XSS payload will get echoed back and will get interpreted by the user's browser and execute. Another technique to send almost arbitrary requests (GET and POST) is by using an embedded client, such as Adobe Flash.
Persistent attacks occur when the malicious code is submitted to a web site where it's stored for a period of time. Examples of an attacker's favorite targets often include message board posts, web mail messages, and web chat software. The unsuspecting user is not required to interact with any additional site/link (e.g. an attacker site or a malicious link sent via email), just simply view the web page containing the code.

Script Scan was done by OWSAP ZAP

Could you let me know if this script is originated by Webassist or if it was altered by the initial hack?

There are some other "medium" warnings.

Any direction or opinions on these results would be appreciated.

Sign in to reply to this post

Jason ByrnesWebAssist

some of the form elements are using get variables for the values, for example:


value="<?php echo((isset($_GET["ProductSKU"])?$_GET["ProductSKU"]:"")); ?>"

change that to:
value="<?php echo((isset($_GET["ProductSKU"])?htmlentities($_GET["ProductSKU"]):"")); ?>"


you will need to make that change for each form element that uses a get variable.

I Have logged a bug in our system that the search form elements are using unscrubbed get variables, this will be corrected in the next update.

Sign in to reply to this post

rgolab68503

Thanks Jason,

I'm on it. There are quite a few. I had the brilliant idea to add a search option to several pages.

Just to be clear even statements like:
<?php echo(isset($_GET["pageNum_WADAphon
es"])?"&pageNum_WADAphones=".intval($_GET["pageNum_WADAphones"]):""); ?>
Would be changed to ...
<?php echo(isset($_GET["pageNum_WADAphon
es"])?htmlentities("&pageNum_WADAphones=".intval($_GET["pageNum_WADAphones"])):""); ?>

And validation statements like:
<?php echo((isset($_GET["invalid"])?ValidatedField("contactus","Address_1"):"")); ?>
Would end up as ...
<?php echo((isset($_GET["invalid"])?htmlentities(ValidatedField("contactus","Address_1")):"")); ?>

AND these changes should be made for pages outside of "and" inside of security assist? I have a little work ahead of me.

On another note Jason for anyone who may also use a cross site scripting program careful with how you have your email links set.ZAP just sent out over 10000 emails to my client. Somehow it looped the links to the "contact us" page. If you have any tips on avoiding that happening I would appreciate it. ince the emails came from the "contact us" page any idea how it got past the security code?

Sign in to reply to this post
loading

Build websites with a little help from your friends

Your friends over here at WebAssist! These Dreamweaver extensions will assist you in building unlimited, custom websites.

Build websites from already-built web applications

These out-of-the-box solutions provide you proven, tested applications that can be up and running now.  Build a store, a gallery, or a web-based email solution.

Want your website pre-built and hosted?

Close Windowclose

Rate your experience or provide feedback on this page

Account or customer service questions?
Please user our contact form.

Need technical support?
Please visit support to ask a question

Content

rating

Layout

rating

Ease of use

rating

security code refresh image

We do not respond to comments submitted from this page directly, but we do read and analyze any feedback and will use it to help make your experience better in the future.

Close Windowclose

We were unable to retrieve the attached file

Close Windowclose

Attach and remove files

add attachmentAdd attachment
Close Windowclose

Enter the URL you would like to link to in your post

Close Windowclose

This is how you use right click RTF editing

Enable right click RTF editing option allows you to add html markup into your tutorial such as images, bulleted lists, files and more...

-- click to close --

Uploading file...