 
For 2023 (and 2024 ...) - we are now fully retired from IT training.
We have made many, many friends over 25 years of teaching about Python, Tcl, Perl, PHP, Lua, Java, C and C++ - and MySQL, Linux and Solaris/SunOS too. Our training notes are now very much out of date, but due to upward compatibility most of our examples remain operational and even relevant, and you are welcome to make use of them "as seen" and at your own risk.

Lisa and I (Graham) now live in what was our training centre in Melksham - happy to meet with former delegates here - but do check ahead before coming round. We are far from inactive - rather, enjoying the times that we are retired but still healthy enough in mind and body to be active!

I am also active in many other areas and still look after a lot of web sites - you can find an index here.
How was my web site compromised?

It looks to me as if this car has left the road and come to a sudden halt against the building, with the result that both have been somewhat damaged. But why did it happen? Was there a mechanical failure such as brakes or tyres? Did the driver fall asleep at the wheel or something distract him? Was he drunk? Or did he swerve to avoid a child on a cycle? Perhaps there's a more unlikely reason - perhaps there was no driver in the car, but it was left stopped on a slope and ran away, or it fell off the back of a lorry.

When presented with a web site that's been compromised - with new files created, databases and their records changed, or data injected into existing files, it can be rather hard to work out what has happened - rather like trying to find what caused a motor accident. And one photograph is going to give clues, but no more - the picture above is from a page of public domain images, and I know no more than that. So "educated guess" is my best hope.

If I'm going to be looking at a system that's been compromised, I'm going to look not only at the content of the file(s) and database(s) that are infected, but also for certain other tell-tale files that might have been added to the system - especially at around the same time. And I'm also going to take a very careful look at who is allowed to do what to which resources. In other words, file permissions, and user and group ownerships.

Here's an answer, just written, concerning infected files...

If you have infected files, have a look at the write permissions on the infected files .... who can write to them? If they're writable by the web server user, then is that just yourself, or is this a shared hosting machine? If the scripts are PHP and it's a shared server, then the start of the hole may not be in your area, but the write permissions being wrong in your area have let the sh*t land on you.
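The two checks above (who can write to the infected files, and which other files were added or changed at about the same time) are easy to script. The following is an added example, not code from the original article, and it is in Python rather than the PHP or Perl the article has in mind. The htdocs tree, its modes and timestamps, and the uid/gid standing in for the web server identity are all constructed here for the demonstration; on a real host you would point it at the document root and pass the User/Group that httpd actually runs as.

```python
"""Triage for a suspected web-site compromise (added example, not the article's code).

Two of the checks the article recommends, done from stat() data alone:
  1. which files under the web tree the web server identity could write;
  2. which files changed at about the same time as a known-infected file,
     the 'tell-tale' files that tend to be dropped alongside an infection.
The fixture tree and the web server identity used below are constructed.
"""
import os
import stat
import tempfile
import time
from typing import Iterator, List, Set, Tuple


def walk_files(root: str) -> Iterator[str]:
    """Yield every regular file under root; symlinks are skipped, not followed."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                yield path


def writable_by(st: os.stat_result, uid: int, gids: Set[int]) -> bool:
    """Could a process with this uid and these gids write the file?

    Judged from the mode bits only: POSIX ACLs and root's bypass of mode
    checks are ignored, so treat a 'no' as provisional.
    """
    mode = st.st_mode
    if mode & stat.S_IWOTH:                        # world-writable
        return True
    if st.st_gid in gids and mode & stat.S_IWGRP:  # writable by a shared group
        return True
    return st.st_uid == uid and bool(mode & stat.S_IWUSR)  # owned by the server


def writable_by_web_server(root: str, web_uid: int, web_gids: Set[int]) -> List[str]:
    """Files under root that the web server identity could modify. Which
    identity that is depends on the setup: PHP on a shared host usually runs
    as the server's own user, Perl CGI under setuid/suEXEC as the account owner."""
    return sorted(p for p in walk_files(root)
                  if writable_by(os.lstat(p), web_uid, web_gids))


def changed_near(root: str, reference: str, window_seconds: int) -> List[str]:
    """Files whose mtime lies within window_seconds of the reference file's.

    mtime is attacker-settable (touch -r), so this is a lead, not proof; on a
    live box also compare ctime (find -cnewer), which user space cannot set.
    """
    ref_mtime = os.lstat(reference).st_mtime
    return sorted(p for p in walk_files(root)
                  if abs(os.lstat(p).st_mtime - ref_mtime) <= window_seconds)


def rel_paths(root: str, paths: List[str]) -> List[str]:
    """Paths relative to root, sorted, for readable reports."""
    return sorted(os.path.relpath(p, root) for p in paths)


def demo_web_identity() -> Tuple[int, Set[int]]:
    """Stand-in for the httpd User/Group in this demo (an assumption): an
    identity that owns nothing in the fixture, so only world- or
    shared-group-writable files are flagged."""
    return os.getuid() + 1, {os.getgid() + 1}


def build_sample_tree() -> Tuple[str, str]:
    """Constructed fixture: an infected, world-writable home page; a dropper
    placed 90 s later; two old, untouched files. Returns (root, infected)."""
    root = tempfile.mkdtemp(prefix="htdocs-")
    now = time.time()

    def put(rel: str, body: str, mode: int, mtime: float) -> str:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, mode)
        os.utime(path, (mtime, mtime))
        return path

    infected = put("index.php", "<?php /* injected iframe */ ?>", 0o666, now - 3600)
    put("images/.cache.php", "<?php /* dropped alongside */ ?>", 0o644, now - 3600 + 90)
    put("users/john.html", "<p>John's page</p>", 0o644, now - 30 * 86400)
    put("config.php", "<?php /* db credentials */ ?>", 0o640, now - 30 * 86400)
    return root, infected


if __name__ == "__main__":
    root, infected = build_sample_tree()
    uid, gids = demo_web_identity()
    print("writable by web server:", rel_paths(root, writable_by_web_server(root, uid, gids)))
    print("changed within 10 min of infection:", rel_paths(root, changed_near(root, infected, 600)))
```

On the constructed tree the world-writable index.php is the only file the web server identity could have written, and the dropper in images/ shows up in the time window while the month-old files do not. The mode-bit test is deliberately separate from the ownership input so the same scan can be repeated for each identity a script might run as (see the note on Perl below).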

What causes such scripts to allow files to be written? Typically scripts written with the best intent, but in which the file name can be taken from the user / seeded by a form. John can create a file called "John.html", perhaps, and Harry a file called "Harry.html" ... all perfectly good names in a directory called "users". Then along comes someone called "../index.html" ... and he overwrites the home page at the top of the site. Be aware, too, of the remote file inclusion possibilities of Mr "http://www.sheepbingo.co.uk/", who might find one of your scripts that he can pull his code into and have it run on your server. (That is a server-side hole, distinct from cross-site scripting, which targets your visitors' browsers.) And these concerns apply not only to the scripts you have written yourself, but also to those which you have sourced from elsewhere.
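The "users" directory case above, as an added example that is not the article's code, and in Python rather than the PHP or Perl the article has in mind. save_page_unsafe() does what the naive script does (John gets users/John.html, but "../index" overwrites the home page at the top of the site); save_page() is the hardened version, with an allow-list on the submitted name plus a check that the resolved path stays inside the users directory. The same resolver rejects "http://www.sheepbingo.co.uk/", the remote inclusion case. The allow-list pattern and the site layout built by build_site() are assumptions made for the demonstration.

```python
"""The 'users' directory hole from the article (added example, not its code).

A form supplies a name; the naive script joins it onto a directory. The
hardened version vets the name against an allow-list and then checks that
the real path still lies inside the users directory. Fixture is constructed.
"""
import os
import re
import tempfile
from typing import Tuple

# Assumed policy: a user name is 1-32 letters, digits, underscore or hyphen.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,32}$")


def save_page_unsafe(users_dir: str, name: str, body: str) -> str:
    """Vulnerable: the file name is taken straight from the form."""
    path = os.path.join(users_dir, name + ".html")   # "../index" escapes users_dir
    with open(path, "w") as fh:
        fh.write(body)
    return path


def resolve_user_file(users_dir: str, name: str) -> str:
    """Map a submitted name to a file inside users_dir, or raise ValueError.

    Two independent checks: the allow-list rejects separators, dots and URL
    characters outright; the realpath check catches anything the pattern
    might miss, including symlinks already sitting in the tree.
    """
    if not SAFE_NAME.fullmatch(name):
        raise ValueError("rejected user name: %r" % name)
    root = os.path.realpath(users_dir)
    path = os.path.realpath(os.path.join(root, name + ".html"))
    if os.path.dirname(path) != root:
        raise ValueError("path escapes users directory: %r" % name)
    return path


def save_page(users_dir: str, name: str, body: str) -> str:
    """Hardened: writes only inside users_dir, and only to a vetted name."""
    path = resolve_user_file(users_dir, name)
    with open(path, "w") as fh:
        fh.write(body)
    return path


def build_site() -> Tuple[str, str]:
    """Constructed fixture: a site root with a home page and an empty users/."""
    root = tempfile.mkdtemp(prefix="site-")
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<h1>Welcome</h1>")
    users_dir = os.path.join(root, "users")
    os.mkdir(users_dir)
    return root, users_dir


def home_page(root: str) -> str:
    """Current contents of the site's home page."""
    with open(os.path.join(root, "index.html")) as fh:
        return fh.read()


if __name__ == "__main__":
    root, users_dir = build_site()
    save_page_unsafe(users_dir, "John", "<p>John's page</p>")
    save_page_unsafe(users_dir, "../index", "<h1>Defaced</h1>")
    print("home page after naive save:", home_page(root))
    for name in ("John", "../index", "http://www.sheepbingo.co.uk/"):
        try:
            print(name, "->", save_page(users_dir, name, "<p>ok</p>"))
        except ValueError as err:
            print(name, "->", err)
```

Fixing the script is only half of the remedy the article argues for: if the web server identity could not write anywhere but users/ in the first place, the "../index" trick would have failed on permissions even with the naive code in place.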

With Perl, the script may be run as the user (via setuid or an suEXEC-style wrapper) or as the web server, and you should take a look at which of the two your setup uses, since that decides whose write permissions matter in the analysis.

(written 2009-02-24)

 



This is a page archived from The Horse's Mouth at http://www.wellho.net/horse/ - the diary and writings of Graham Ellis. Every attempt was made to provide current information at the time the page was written, but things do move forward in our business - new software releases, price changes, new techniques. Please check back via our main site for current courses, prices, versions, etc - any mention of a price in "The Horse's Mouth" cannot be taken as an offer to supply at that price.


© WELL HOUSE CONSULTANTS LTD., 2024: 48 Spa Road • Melksham, Wiltshire • United Kingdom • SN12 7NY
PH: 01144 1225 708225 • EMAIL: info@wellho.net • WEB: http://www.wellho.net • SKYPE: wellho

PAGE: http://www.wellho.info/mouth/2052_How ... ised-.html • PAGE BUILT: Sun Oct 11 16:07:41 2020 • BUILD SYSTEM: JelliaJamb