Re: [nyphp-talk] I've been hit with an eval(base64_decode("....")) injection attack

Mon, 02 Apr 2012 08:44:56 -0700 

Hi Rob,

 

There can be several solutions to stop this injection:

-          In file upload form field, on submit should be checked is
uploaded file extension is .jpg,.gif,.bmp or .png with JavaScript

-          When file is uploaded it should be checked with GD graphics
library is it image

 

                                $path_info =
pathinfo($item->getValue("photo_filename"));

                                $extension = $path_info["extension"];

                                $fileName = $path_info["basename"];

 

http://php.net/manual/en/function.imagecreatefrompng.php

 

$tempImage = imagecreatefrompng("/./upload.png");

  /* See if it failed */

  If ($tempImage)

  {

 

-          File also can be checked with tool for extract meta data from
file

http://getid3.sourceforge.net/

 

-          Add .htaccess file with rules to not be able to execute files,
only read/write

Protecting Images using PHP and htaccess

http://michael.theirwinfamily.net/articles/csshtml/protecting-images-using-p
hp-and-htaccess

 

Best regards,

Sasa

 

From: talk-boun...@lists.nyphp.org [mailto:talk-boun...@lists.nyphp.org] On
Behalf Of Rob Marscher
Sent: Friday, February 24, 2012 8:09 PM
To: NYPHP Talk
Subject: Re: [nyphp-talk] I've been hit with an eval(base64_decode("...."))
injection attack

 

On Feb 24, 2012, at 1:07 PM, David Mintz wrote:

Unfortunately I do not know how this happened; don't know if there is a huge
vulnerability in one of the apps up there that was exploited, or if it was
an inside job, or what.

 

Our company wordpress blog was compromised a few months ago due to a
vulnerability in the "timthumb.php" image resizing script in one of the
themes.
http://www.terranetwork.net/blog/2011/08/new-vulnerability-in-many-wordpress
-themes/

 

The hackers uploaded a couple files that trick the server by starting with a
gif signature but then have php code in them.  Those files than open a
backdoor that allows for additional scripts to be uploaded that essentially
give shell access to the compromised machine.  In our case, the rest of the
machine was locked down enough that no harm was done.

 

Anyway, that might be something to look for.  Good luck.

-Rob


_______________________________________________
New York PHP User Group Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk

http://www.nyphp.org/show-participation

Reply via email to