Injection hack detection method - PHP Code

A good working Injection hack detection method provided by Ez via StopBadWare Forum

The script is brutally simple because we needed a quick fix. If the hacks recur I will make it smarter. Its only purpose is to tell me if a critical file (such as index.php) has changed size. I assume that injection hacks change the file size, as they did on our site.

A smarter script would compare file mod times with a database record. This would require a more complex script because it would have to store legitimate mod timestamps and depend on a human (unless more complex still, including the IP or http login etc.).

Operating scenario --

1.) Hacker injects code, increasing the file size.

2.) Next request to serve the home page (or other page of your choice) triggers the detector, which compares current file size with that for archived original.

3.) Detector sends email with file mod timestamp to webmaster.

4.) Script replaces hacked file with copy of an archived original, exits.

The webmaster needs to keep track of the most recent authorized file modifications (presumably by the webmaster). The email includes the timestamp of the over-size file's mod time. The system admin (or tech
support) uses this timestamp to trace the hack through the server log and identify the mode of entry.

To get fancier, you could scan all files in a directory for the mod time (example, using the PHP filemtime() function), comparing with a database record of legitimate mod timestamps.

Anyhow, here's the index file size script. I keep utility functions in a separate file named "func.inc" so it needs to load first. But this isn't necessary. Then the function compares the size of the file that usually gets hacked (such as index.php) and compares it with a reference copy (x_index.php) in a secure directory ("refz"). Of course, you can also loop through a list of filenames that are popular hack targets. The function can return the file write result, but I don't use it.

/* top of index.php, after DOCTYPE declaration */

function hackDet () {
$tst = "";
$gzt = "index.php";
$stat = stat($gzt);
$gzt2 = "refz/x_" . $gzt;
$rstat = stat($gzt2);
$ref = $rstat[size];
$rtim = $_SERVER['REQUEST_TIME'];
$rtim2 = date("F d Y H:i:s.", $rtim) . " Eastern";
$mtim = filemtime($gzt);
$mtim2 = date("F d Y H:i:s.", $mtim) . " Eastern";

if ($stat[size] <> $ref)
{
$fw = "index.php";
$hak = file_get_contents($fw);

$msg = "$gzt has $stat[size] bytes and not $ref as it should.\n\n";
$msg .= "FILE MOD TIME $mtim: $mtim2\n";
$msg .= "REQUEST_TIME $rtim: $rtim2\n\n";
$msg .= "=================\n\n";
$msg .= $hak;

$msg = wordwrap($msg, 70);
mail('yourn...@yourdomain.com', 'HACK ALERT', $msg);

$fr = "refz/x_index.php";
$str = file_get_contents($fr);
$tst = file_put_contents($fw, $str);
}
return $tst;

}

$tst = hackDet(); // calls the hack detection function
?>

China as an Internet Threat - The facts!

I really do find some of the current wave of rhetoric about the threat to the internet from China really worrying, if not downright dangerous for international relations. I suppose it a good topic for poor technical journalism, to gain publication in US & European journals / web. Old adage; "Why let the facts spoil a good story"?

Ref: China leads Asia in malicious online activity - CNet News

Let me make my position clear, I am not Chinese and I do not live in China, however I do know a thing or two about internet security threats. Here are some facts for the readers who possibly might read the above article and take it as factual:



(a) As of Sept 20 07 the US is the clear leader in known Spam issues, by 5:1 over China (ref Spamhaus.org).



(b) The internet is global and any quantitative analysis must base itself on comparative users. Reasonable estimates now show about 2:1 of Chinese internet user access over US users and anywhere from 5 to 20:1 over other Asian countries. Based on this on any Spam or malware distributor estimation this would place China about tenth on any list on countries, and well down the list in Asia.



(c) In China there are severe legal penalties for such acts, recently Yahoo could distribute malware to 15 million of its users and hardly gets a technical press mention, and no legal sanction.



(d) Why you may ask am I so concerned? On a recent exploit tracking exercise, despite apparent Chinese language sites being the cause. These sites were actually based and funded out of Toronto with bullet proof servers out of San Francisco!



Remember it is just as easy to get a free mail.cn / low cost Chinese based hosting, or mail.ru for that matter, being based in the US. As it is to get a Hotmail or Yahoo hosting account.

iFrame Injection Source?

Sources for iFrame injection?


Try this one as a site and a "major" source, which is so blatant it is mind boggling, and truly worth "outing". Those webmasters who have been flagged and have battled against iFrame injection, here is one of the major sources, try blaming these guys as opposed to Google / StopBadWare. Luckily a few of us have just recently been able to get McAfee's Site Advisor to blacklist them (Red X).


iFrameDollars (dot) com - http://www.siteadvisor.com/sites/iframedollars.com - Just so you knwo they pay webmasters / smaller hosts to inject iFrame exploits on other websites!!!!


To cover this here is a email sent to their US based host - still unanswered! - Please help by contacting them.

To "Layered Technologies" Abuse Team - you can contact them on Phone: 1-866-584-6784, General Information: info@layeredtech.com, Sales Information: sales@layeredtech.com


-------------------------------------------------------
Hi,

Checking your acceptable use policy, how come you allow iFramedollars com to have dedicated serving or any hosting at all?

Do you have any idea what they actually do? Check out their web site or even better check out their business model as they still call it iFrame Cash as their earlier form iFrameDollars biz; try:

ISC Sans = iframeDOLLARS; Cyber Extortion,

Spamhaus = http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK7615

http://sunbeltblog.blogspot.com/2006/06/those-nice-dear-boys-at-iframecash.html

and many many more......

Please note the registrant info etc., exactly the same on 72.36.199.58 as within the Rokso lasso, even more obvious is the web site still states iFrame Cash & iFrame biz, and the same iFrame exploit "affiliate" model.

As someone who helps out on website clean ups, they currently claim 300 webmasters who essentially are injecting and spreading iFrame exploits for cash.

I am certain StopBadWare, Spamhaus, ISC Sans, FBI, etc., etc. will only be too surprised to now learn the RBN's (Russian Business Network) so called "bullet-proof hosting" is actually based within the US at layeredtech (dot) com.

I look forward to your reply.
-----------------------------------------------------



As mentioned, no reply to 5 emails, maybe we all should enquire of layeredtech.com we could make the difference?


Here are a few questions and points:

(1) Can StopBadWare / Google do anything about this flagrant abuse of the webmaster community?


(2) Here is the clearest example of the need for a public blacklist list of "professional" Badware distributors (thanks to Site Advisor, but how about here)?


(3) We sometimes rightly debate about Twinky, Zango, etc., how about deliberately distributing iFrame exploits for $$$ as an affiliate, any one prepared to defend this?


(4) Who would also like to know who the 300+ host / webmaster affiliates (BadWare distributors) are of "iframe Cash"?


(5) Just so you know, after you have been flagged by Google, lost business, and spent sleepless nights trying to fix your web site, and keep it clean; the FrameCash affiliates get about $1.50 for your site , as long as they produce a minimum of 50 sites per month!!!


I told you mind boggling!

Searching for Evil - InfoSec

I have to say this was one of the best presentations I have seen related to the wider issues of InfoSec.


ABSTRACT

Computer security has recently imported a lot of ideas from economics, psychology and ... all » sociology, leading to fresh insights and new tools. I will describe one thread of research that draws together techniques from fields as diverse as signals intelligence and sociology to search for artificial communities.

Evildoers online divide roughly into two categories - those who don't want their websites to be found, such as phishermen, and those who do. The latter category runs from fake escrow sites through dodgy stores to postmodern Ponzi schemes. A few of them buy ads, but many set up fake communities in the hope of having victims driven to their sites for free. How can these reputation thieves be detected?

Some of our work in security economics and social networking may give an insight into the practical effects of network topology. These tie up in various ways with traffic analysis, long used by the signals intelligence agencies which trawl the airwaves and networks looking for interesting targets. I'll describe a number of dubious business enterprises we've unearthed. Recent advances in algorithms, such as Newman's modularity matrix, have increased the robustness of covert community detection. But much scope remains for wrongdoers to hide themselves better as they become topologically aware; we can expect attack and defence to go through several rounds of coevolution. I'll therefore end up by talking about some strategic issues, such as the extent to which search engines and other service providers could, or should, share information in the interests of wickedness detection.

Speaker: Ross Anderson Ross Anderson is one of the top security researchers in the world.