Susan Bradley has posted her analysis of how her Windows server was hacked.
This is interesting to me, as Bradley is an expert on server administration and patching; I’m glad she has had the courage to post all these details, thus benefiting the community, rather than pretending the server was down for emergency maintenance or the like.
She thinks it was a security bug in IceWarp Web Mail. This appears to be a PHP application. Although the bug has been fixed, she was running an old version because the new one broke some important features.
The explanation sounds plausible to me. So is it applications rather than operating systems that form the most critical security weaknesses today? Yes, but both are involved. I would be interested to know whether the same bug in a Linux installation of IcwWarp would have been equally easy to escalate to the entire OS.
6 thoughts on “Windows server compromised by PHP application”
I totally agree that software is the main weakness these days. With the explosion of open source and more people learning server-side languages it has been made much easier for exploits to be found. Plus, there are lot of sites that tell you specific vulnerabilities in web apps and some even give out of the box hacks. At the moment there are a huge amount of WordPress blogs being hacked for SEO purposes.
Our server was hacked and code was injected into a small formular field in a php script. The server (Debian OS) has downloaded a trojan called BT/Bastr and after 2 hours we had an “wonderful” p2p Server onboard *grrrr*
it’s crucial to control any user provided data which will be used in a sql query. the easiest way to do so is the addslashes() function in PHP.
this will prevent you from any injection.
if you use the LIKE command in sql be sure to remove all ‘%’ and ‘*’ from the user provided data.
regarding opensource I have to admit that it’s easier for hackers to find out security leaks. but on the other hand there are plenty of experienced developers working on such project. I guess they spend a lot of time on securing their code.
@Chris why not MySQLi with parameterized queries?
@Tim: i guess you mean prepared(compiled) statements. this method is only used when you send a lot of equal queries. and as php is not remaining in memory you have to compile the queries at every single http access.
or did you mean something else?
Yes, prepared statements. I doubt there is much performance hit – have you measured? – but it is a more robust protection against injection attacks than addslashes().
Comments are closed.