Tagged: security

  • admin 6:08 pm on May 23, 2010
    Tags: security

    Advanced MySQL Privileges

    MySQL privilege assignment is a complex process which allows you to set different privileges for a user on different tables and databases. However, it is very often neglected, and users are granted all privileges on a whole database.

    If privileges are applied improperly, a website can be compromised through MySQL: an attacker who manages to execute a query of his own can retrieve, update or insert information he should never have been able to touch.

    So when you assign privileges manually, make sure to grant only the needed privileges on the corresponding tables. This is not always possible though, since many popular web applications use just one user for everything.
    So here is the usual way privileges are granted:

    GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,DROP,ALTER,INDEX ON database.* TO user@localhost IDENTIFIED BY 'password';

    This grants user@localhost essentially all privileges on the whole database. However, imagine that you can divide your script into parts with different functionality. For example, user_logs would be used only to read the 'logs' table. Then its privileges should be:

    GRANT SELECT ON database.logs TO user_logs@localhost IDENTIFIED BY 'password';

    This makes sure that even a compromised user_logs account cannot mess with the rest of the database. (On MySQL 8.0 and later, IDENTIFIED BY is no longer accepted inside GRANT; create the account first with CREATE USER ... IDENTIFIED BY and then run the GRANT against it.)
  • admin 1:23 pm on April 12, 2008
    Tags: hacking, security, viruses, worms

    Deleting malicious code from many files 

    When a hacker / cracker compromises a website there is usually some malicious code inserted into HTML, PHP and other files. Usually cleaning it up is a 5-minute job :)

    In our case, we will assume the attacker has inserted the string "<script> bla$%333%blablalalala </script>" inline at random lines of the PHP files. Here is an example:

    <?php
    echo 'Supa site blabla'; <script> bla$%333%blablalalala </script>
    include('hackme.php');
    ?>

    This is easy to clean with sed and a simple regular expression:

    find -name "*.php" -print0 | xargs -0 sed -i 's/<script>.*blabla.*<\/script>//g'

    First we find every PHP file and pass it to sed with xargs (-print0 and -0 keep file names that contain spaces intact). Then sed looks for anything that begins with <script>, has anything inside (.*), has blabla somewhere in the middle, again has anything and ends with </script>. The "/" is escaped with "\", while .* means anything. Note that .* is greedy: if a line contains more than one <script>...</script> pair, everything from the first opening tag to the last closing tag is removed, legitimate script included, so check the result on a copy before running this against the live site.

    The above will work as long as you customize it for your case: replace the script opening and closing tags with whatever the attacker used to begin and end his code.

    In my experience I have come upon one problem with such cases. The attacker's script left a blank line between or after its malicious code. When the malicious code is inserted at the end of a PHP file, this means that the PHP files will have an empty line at the end after cleaning up the malicious code. Then you will get warnings such as "Headers already sent". In this case we will have to delete the last empty line from all PHP files using this sed string:

    find -name "*.php" -print0 | xargs -0 sed -i '${/^$/d}'

    However, sometimes hackers / crackers play it hard and insert the malicious code over several lines. A plain sed substitution would not help here, because sed processes the file line by line. The easiest solution is this Perl script:

    $ cat multiline-replace.pl

    #!/usr/bin/perl
    # Read the whole file named on the command line into one string,
    # so that the substitution below can match across line breaks.
    open(INPUT,"<$ARGV[0]") or die "cannot read $ARGV[0]: $!";
    @input_array=<INPUT>;
    close(INPUT);
    $input_scalar=join("",@input_array);
    # Do your substitution here. Keep the pattern on the same line as s#,
    # otherwise the line break itself becomes part of the pattern.
    $input_scalar =~ s#\<\?php.*maliciouspattern.*\n.*\n.*?>\n##ig;
    # Write the cleaned contents back over the original file.
    open(OUTPUT,">$ARGV[0]") or die "cannot write $ARGV[0]: $!";
    print(OUTPUT $input_scalar);
    close(OUTPUT);

    First, the above has been copied almost literally from linuxquestions.org. There are two important things about it:

    \<\?php.*maliciouspattern.*\n.*\n.*?>\n is the regular expression; with the escapes it matches a three-line block such as:

    <?php maliciouspattern :) ))
    //I am a smart hacker, am not I ;P
    ?>

    I have added an additional \n to the regex because otherwise it leaves a blank line :)

    The next thing is that the script takes the file to clean as its first command-line argument ($ARGV[0]), not from standard input. So if you'd like to run the above on all *.php scripts recursively, you should do it like this:

    find -name "*.php" -exec ./multiline-replace.pl {} \;

    The above runs the script once per file. It might take a bit longer, but it will not exceed the maximum command-line length no matter how many files you have, nor will it cause too high a load on the server.

    If one of the sed substitutions leaves an empty line behind, here is how to get rid of it. This deletes blank lines at the top and end of the file and squeezes any run of blank lines into a single one (file.php stands for the file to fix):

    sed -i '/./,/^$/!d' file.php

    Hopefully this helps you fight those bad people and make the world better ;) Don’t forget to make backups because all kinds of crazy stuff happens ;)
