[nycphp-talk] I've been hit with an eval(base64_decode("....")) injection attack

Sasa Rakic - Gmail rakics at gmail.com
Mon Apr 2 11:44:45 EDT 2012


Hi Rob,

There can be several solutions to stop this injection:

- In the file upload form field, on submit, check with JavaScript whether the uploaded file's extension is .jpg, .gif, .bmp or .png.

- When the file is uploaded, check with the GD graphics library whether it is an image:

    /* Split the uploaded name into its parts before checking the extension */
    $path_info = pathinfo($item->getValue("photo_filename"));
    $extension = $path_info["extension"];
    $fileName  = $path_info["basename"];

http://php.net/manual/en/function.imagecreatefrompng.php

    $tempImage = imagecreatefrompng("/./upload.png");

    /* See if it failed */
    if ($tempImage) {
        /* GD could decode the file, so it is a real PNG */
        imagedestroy($tempImage);
    }


- The file can also be checked with a tool that extracts metadata from the file:

http://getid3.sourceforge.net/

- Add an .htaccess file with rules so that files cannot be executed, only read/written:

Protecting Images using PHP and htaccess
http://michael.theirwinfamily.net/articles/csshtml/protecting-images-using-php-and-htaccess

Best regards,

Sasa

From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On
Behalf Of Rob Marscher
Sent: Friday, February 24, 2012 8:09 PM
To: NYPHP Talk
Subject: Re: [nycphp-talk] I've been hit with an eval(base64_decode("....")) injection attack

On Feb 24, 2012, at 1:07 PM, David Mintz wrote:

Unfortunately I do not know how this happened; don't know if there is a huge
vulnerability in one of the apps up there that was exploited, or if it was
an inside job, or what.

Our company wordpress blog was compromised a few months ago due to a
vulnerability in the "timthumb.php" image resizing script in one of the
themes.
http://www.terranetwork.net/blog/2011/08/new-vulnerability-in-many-wordpress-themes/

The hackers uploaded a couple of files that trick the server by starting with a
gif signature but then have php code in them.  Those files then open a
backdoor that allows for additional scripts to be uploaded that essentially
give shell access to the compromised machine.  In our case, the rest of the
machine was locked down enough that no harm was done.

Anyway, that might be something to look for.  Good luck.

-Rob
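The checks Sasa lists above, combined into one server-side upload handler, as an added example that is neither Sasa's nor Rob's code. It assumes a form field named "photo", an uploads directory next to the script, and an Apache 2.4 layout where the .htaccess shown in the trailing comment is honoured; all three are assumptions. The point it makes beyond the thread: getimagesize() only reads the image header, so a file that begins with a GIF signature and continues with PHP code (the pattern Rob describes) passes a signature check on its own. The handler therefore also scans the raw bytes for a PHP open tag, logs the attempt, and writes out a fresh GD-encoded copy under a generated name, so only pixel data ever reaches the upload directory.

```php
<?php
// Added example, not code from the thread. Assumes a form field named "photo"
// and an uploads directory that the web server serves but never executes.
declare(strict_types=1);

const UPLOAD_DIR = __DIR__ . '/uploads';   // assumed location

// Image types we accept, keyed by the IMAGETYPE_* value getimagesize() reports,
// with the GD function used to write the re-encoded copy.
const ALLOWED_TYPES = [
    IMAGETYPE_JPEG => ['ext' => 'jpg', 'save' => 'imagejpeg'],
    IMAGETYPE_PNG  => ['ext' => 'png', 'save' => 'imagepng'],
    IMAGETYPE_GIF  => ['ext' => 'gif', 'save' => 'imagegif'],
];

/**
 * Validate one entry of $_FILES as an image and store a GD re-encoded copy.
 * Returns the stored path; throws RuntimeException on any failure.
 */
function storeUploadedImage(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('no valid upload');
    }

    // 1. Extension check, repeated server-side: the JavaScript check in the
    //    form is only a convenience and is trivially skipped by a client.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg', 'png', 'gif'], true)) {
        throw new RuntimeException('extension not allowed');
    }

    // 2. Signature check: getimagesize() reads the real image header and
    //    ignores the client-supplied name and Content-Type.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset(ALLOWED_TYPES[$info[2]])) {
        throw new RuntimeException('not a supported image');
    }
    $type = ALLOWED_TYPES[$info[2]];

    // 3. Detection: the header check alone passes a file that starts with a
    //    GIF signature and continues with PHP, so also look for an open tag
    //    and leave a log line for the operator.
    $raw = file_get_contents($file['tmp_name']);
    if ($raw === false) {
        throw new RuntimeException('could not read upload');
    }
    if (stripos($raw, '<?php') !== false || strpos($raw, '<?=') !== false) {
        error_log('upload rejected, contains PHP tag: ' . $file['name']);
        throw new RuntimeException('image contains script content');
    }

    // 4. Decode with GD and write a fresh file: only pixel data is written
    //    out, so bytes appended after the image stream are dropped.
    $img = @imagecreatefromstring($raw);
    if ($img === false) {
        throw new RuntimeException('GD could not decode the image');
    }

    // 5. Never reuse the client's filename; generate one with a safe extension.
    if (!is_dir(UPLOAD_DIR) && !mkdir(UPLOAD_DIR, 0755, true)) {
        throw new RuntimeException('upload directory unavailable');
    }
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $type['ext'];
    if (!call_user_func($type['save'], $img, $dest)) {
        throw new RuntimeException('could not write image');
    }
    imagedestroy($img);
    return $dest;
}

// Request handling for the assumed "photo" field.
if (isset($_FILES['photo'])) {
    try {
        echo 'Stored as ' . basename(storeUploadedImage($_FILES['photo'])), PHP_EOL;
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'Upload rejected: ' . $e->getMessage(), PHP_EOL;
    }
}

/*
 * Companion uploads/.htaccess (assumed Apache 2.4 with AllowOverride enabled),
 * covering Sasa's last point: even if a script-bearing file ever lands in the
 * directory, the server refuses to serve anything with a PHP extension there.
 *
 *   <FilesMatch "\.(php|phtml|phar)$">
 *       Require all denied
 *   </FilesMatch>
 */
```

Keeping the re-encode step even when the tag scan passes is deliberate: the scan is a detection signal that is easy to evade with encoding, whereas the GD round trip discards everything that is not image data regardless of how it was hidden.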
