Post #1, Nov 9 2009, 07:18 PM
Newbie | Group: Members | Posts: 51 | Joined: 10-February 09 | From: Medusa, NY | Member No.: 28,649 | Languages: html, css, Learning php
Okay, so after a while of not changing anything on my site (code wise) I went to change it the other day and found this at the top of nearly every page for my site.
```php
...
<?php
@register_shutdown_function("__sfd1256198085__");
function __sfd1256198085__() {
    global $__sdv1256198085__;
    if (!empty($__sdv1256198085__)) return;
    $__sdv1256198085__=1;
    echo <<<DOC__DOC
<!-- [0357296b56fd5c65b7e82ac1abb04107 --><!-- 5808916521 --><div id="block7" style="display:none"><ul>
<li><a href="http://astronomy2009.ie/faq.php?shop_cat=1&tablet=1481">chloroquine usa and canada</a></li>
<li><a href="http://astronomy2009.ie/faq.php?shop_cat=1&tablet=2936">order chloroquine overnight without prescription</a></li>
<li><a href="http://astronomy2009.ie/faq.php?shop_cat=1&tablet=1044">anti malarial tablets aralen</a></li>
<li><a href="http://astronomy2009.ie/faq.php?shop_cat=1&tablet=188">cheap chloroquine no rx</a></li>
<li><a href="http://astronomy2009.ie/faq.php?shop_cat=1&tablet=3507">order cialis soft without prescription</a></li>
<li><a href="http://astronomy2009.ie/faq.php?shop_cat=1&tablet=1755">how to get cialis soft</a></li>
<li><a href="http://astronomy2009.ie/faq.php?shop_cat=1&tablet=948">buy cialis soft online</a></li>
<li><a href="http://astronomy2009.ie/faq.php?shop_cat=1&tablet=936">cialis soft usa and canada</a></li>
<li><a href="http://astronomy2009.ie/faq.php?shop_cat=1&tablet=1903">cialis soft tab discount generic</a></li>
<li><a href="http://astronomy2009.ie/faq.php?shop_cat=1&tablet=443">cialis soft tab</a></li>
<li><a href="http://astronomy2009.ie/faq.php?shop_cat=1&tablet=3650">buying cialis soft online without prescription</a></li>
<li><a href="http://astronomy2009.ie/faq.php?shop_cat=1&tablet=693">buy cialis soft overnight shipping</a></li>
<li><a href="http://astronomy2009.ie/faq.php?shop_cat=1&tablet=949">cialis soft drug generic</a></li>
...
<li><a href="http://astronomy2009.ie/faq.php?shop_cat=1&tablet=2886">online glucophage order</a></li>
<li><a href="http://astronomy2009.ie/faq.php?shop_cat=1&tablet=3540">order glipizide sr cash on delivery</a></li>
<li><a href="http://astronomy2009.ie/faq.php?shop_cat=1&tablet=3983">glucotrol for sale online</a></li>
<li><a href="http://astronomy2009.ie/faq.php?shop_cat=1&tablet=3584">where can i buy glucotrol without a prescription</a></li>
<li><a href="http://astronomy2009.ie/faq.php?shop_cat=1&tablet=2617">order glipizide sr without prescription</a></li>
<li><a href="http://astronomy2009.ie/faq.php?shop_cat=1&tablet=1886">purchase glucotrol without prescription</a></li>
<li><a href="http://astronomy2009.ie/faq.php?shop_cat=1&tablet=1447">order glucotrol overnight without prescription</a></li>
<li><a href="http://astronomy2009.ie/faq.php?shop_cat=1&tablet=1920">glucotrol xl without a prescription</a></li>
</ul><a url="java script:document.getElementById('block7').style.display='block';">show</a></div><!-- 0357296b56fd5c65b7e82ac1abb04107] -->
DOC__DOC;
}
?>
<?php
@register_shutdown_function("__sfd1255552743__");
function __sfd1255552743__() {
    global $__sdv1255552743__;
    if (!empty($__sdv1255552743__)) return;
    $__sdv1255552743__=1;
    echo <<<DOC__DOC
<!-- [5f450d6036674811393fc8f4819a24fe --><!-- 3472555521 --><a url="java script:document.getElementById('block86').style.display='block';" title="more"> </a> <!-- 5f450d6036674811393fc8f4819a24fe] -->
DOC__DOC;
}
?>
<?php
@register_shutdown_function("__sfd1254818713__");
function __sfd1254818713__() {
    global $__sdv1254818713__;
    if (!empty($__sdv1254818713__)) return;
    $__sdv1254818713__=1;
    echo <<<DOC__DOC
<!-- [c93f87702ce98115cff818490aecc712 --><!-- 3178184521 --><div style="overflow:auto; visibility:hidden; height: 1px; "><ul><li><a href="http://rtbi30h3h34h34.cc/1">.</a></li></ul></div><!-- c93f87702ce98115cff818490aecc712] -->
DOC__DOC;
}
?>
<?php require("/home/ledger6/public_html/Resources/Includes/header.php"); ?>
...
```
where the only thing that was there originally was my require function for the header.php. Not knowing where it came from, I posted this in the HTML forums and Ingolme replied stating that it was probably an unguarded PHP form. Now, I have a few throughout my site (all email/contact forms) and I was hoping someone could help in how to guard it. I initially got the code for the form in the w3 tutorial and followed it through and also went with the more secure one discussed later on (for spam I believe). I'm fairly new to PHP and I'm not really sure how to guard it, let alone how the code is being exploited. My form code:

```php
<?php
function spamcheck($field) {
    // filter_var() sanitizes the e-mail address using FILTER_SANITIZE_EMAIL
    $field = filter_var($field, FILTER_SANITIZE_EMAIL);
    // filter_var() validates the e-mail address using FILTER_VALIDATE_EMAIL
    if (filter_var($field, FILTER_VALIDATE_EMAIL)) {
        return TRUE;
    } else {
        return FALSE;
    }
}

if (isset($_REQUEST['email'])) { // if "email" is filled out, proceed
    // check if the email address is invalid
    $mailcheck = spamcheck($_REQUEST['email']);
    if ($mailcheck == FALSE) {
        echo "Invalid input";
    } else { // send email
        // the raw request values are used here, not the sanitized copy that was validated
        $email   = $_REQUEST['email'];
        $subject = $_REQUEST['subject'];
        $message = $_REQUEST['message'];
        mail("an_email@domain.com", "$subject", $message, "From: $email");
        echo "Thank you for your submission";
    }
} else { // if "email" is not filled out, display the form
    echo "<form method='post' action='/Contact/support.php'>
    Email: <input name='email' type='text' /><br />
    Subject: <select name='subject'>
    <option value='FAQ Submission'>FAQ Submission</option>
    <option value='Recipe Submission'>Recipe Submission</option>
    </select>
    <br />
    Message:<br />
    <textarea name='message' rows='15' cols='40'> </textarea><br />
    <input type='submit' value='Send Message'/>
    </form>";
}
?>
```

If you come up with anything please let me know. Thanks; also, the original post should probably be deleted.
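A hardened version of that contact handler, added here as an example (it is not the poster's code and not from the w3 tutorial), assuming the same field names and a placeholder recipient address. It validates the raw email value rather than a sanitized copy, refuses CR/LF in it, restricts the subject to the form's two options, and keeps the site's own address in From:, which closes the mail header injection path that using the raw `$_REQUEST` values leaves open.

```php
<?php
// Added example, not the poster's code: the same contact form with the header
// injection path closed. RECIPIENT is a placeholder for the real address.
define('RECIPIENT', 'an_email@domain.com');

// The only subjects the form may send; anything else is refused, so the
// Subject header can never carry attacker-chosen text.
$allowed_subjects = array('FAQ Submission', 'Recipe Submission');

function clean_email($raw) {
    // Validate the raw value and refuse CR/LF outright. FILTER_SANITIZE_EMAIL
    // would strip those bytes, so a value that only validates after sanitizing
    // is exactly the kind that adds extra mail headers when the raw copy is used.
    if (!is_string($raw) || preg_match('/[\r\n]/', $raw)) {
        return false;
    }
    return filter_var($raw, FILTER_VALIDATE_EMAIL);
}

if (isset($_POST['email'])) {   // $_POST only: a plain GET link cannot trigger a send
    $email   = clean_email($_POST['email']);
    $subject = isset($_POST['subject']) ? $_POST['subject'] : '';
    $message = isset($_POST['message']) && is_string($_POST['message']) ? $_POST['message'] : '';

    if ($email === false || !in_array($subject, $allowed_subjects, true)) {
        echo "Invalid input";
    } else {
        // From: is the site's own address. The validated visitor address is the
        // only user data in the headers, and it is now CR/LF free. The message
        // body stays in the body and cannot reach the header block.
        $headers = "From: " . RECIPIENT . "\r\nReply-To: " . $email;
        mail(RECIPIENT, $subject, $message, $headers);
        echo "Thank you for your submission";
    }
} else {
    echo "<form method='post' action='/Contact/support.php'>
    Email: <input name='email' type='text' /><br />
    Subject: <select name='subject'>
    <option value='FAQ Submission'>FAQ Submission</option>
    <option value='Recipe Submission'>Recipe Submission</option>
    </select><br />
    Message:<br />
    <textarea name='message' rows='15' cols='40'></textarea><br />
    <input type='submit' value='Send Message'/>
    </form>";
}
?>
```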
Post #2, Nov 9 2009, 07:28 PM
The Old Man From Scene 24 | Group: Moderator | Posts: 15,586 | Joined: 17-April 06 | From: Phoenix | Member No.: 4,190 | Languages: Focusing on PHP and JavaScript
It's probably not the form that's the problem. Someone got access to your server somehow. One possibility is that they figured out the password to log on. Another is that they know about a vulnerability in another piece of software you're using, like WordPress or any other third-party software. One of those packages might have a vulnerability that would let an attacker write to the server. There might also be a PHP script somewhere that lets people run shell commands or something like that; they could exploit that too if it's not protected. Any script that writes content to a PHP file would also be suspect.
Post #3, Nov 13 2009, 05:39 PM
Newbie | Group: Members | Posts: 51 | Joined: 10-February 09 | From: Medusa, NY | Member No.: 28,649 | Languages: html, css, Learning php
Well, I've changed my password (I don't even know it, it's written down somewhere) and I'm working on going through and deleting the code. Also, for what's installed, I've got Zen Cart and osCommerce aside from the cPanel.
I'll start monitoring it more closely now as well; hopefully the weekly password change will help.
Post #4, Nov 13 2009, 05:50 PM
Newbie | Group: Members | Posts: 51 | Joined: 10-February 09 | From: Medusa, NY | Member No.: 28,649 | Languages: html, css, Learning php
I forgot to mention earlier that the code looks like ads (advertising links and whatnot) and when I go to the website, nothing shows up. Could this be because the code was inserted before my PHP require header.php (where the header.php has the doctype and opening HTML tags) and after my require footer.php (which has the closing HTML tags and whatnot)?
Thanks. Also, does anyone have/know any fairly easy "stickypots/honeypots", i.e. traps, so I can tell how the code is getting in and whatnot? Or any failsafe practices for keeping this stuff secure in the first place without shelling out thousands of dollars? Much appreciated.
Post #5, Nov 13 2009, 06:20 PM
The Old Man From Scene 24 | Group: Moderator | Posts: 15,586 | Joined: 17-April 06 | From: Phoenix | Member No.: 4,190 | Languages: Focusing on PHP and JavaScript
> when I go to the website, nothing shows up

There's plenty of code there, it just doesn't display anything.

> Could this be because the code was inserted before my php

The injected PHP code uses register_shutdown_function to make sure the content they have shows up at the end of your own content; it runs when PHP is finishing.
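Since every injected chunk above registers a shutdown hook named `__sfd<digits>__` and wraps its output in a 32-hex-digit HTML comment, those two markers are enough to find every file that carries it. The following command-line scan is an added example (not from anyone in this thread); it assumes a placeholder document-root path and lists matching PHP files oldest-first, so the earliest modification time can be lined up with the server's access and FTP logs to work out how the code got in.

```php
<?php
// Added example, not from the thread: locate files carrying the injection shown
// in post #1 and list them oldest-first for comparison with the server logs.
// Usage: php find_injection.php /path/to/public_html   (path is a placeholder)
$root = isset($argv[1]) ? $argv[1] : '.';

// Both markers come from the injected block: the generated shutdown hook name
// (__sfd<digits>__) and the hex-tagged HTML comment that brackets each chunk.
$patterns = array(
    'shutdown hook'  => '/register_shutdown_function\(\s*["\']__sfd\d+__["\']\s*\)/',
    'comment marker' => '/<!--\s*\[[0-9a-f]{32}\s*-->/',
);

function scan_tree($root, array $patterns) {
    $hits = array();
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        // Only PHP sources: the hook has to be parsed as PHP to run at shutdown.
        if (!$file->isFile() || strtolower($file->getExtension()) !== 'php') {
            continue;
        }
        $src = file_get_contents($file->getPathname());
        if ($src === false) {
            continue;
        }
        $found = array();
        foreach ($patterns as $name => $re) {
            if (preg_match($re, $src)) {
                $found[] = $name;
            }
        }
        if ($found) {
            $hits[] = array(
                'path'    => $file->getPathname(),
                'mtime'   => $file->getMTime(),
                'markers' => $found,
            );
        }
    }
    usort($hits, function ($a, $b) { return $a['mtime'] - $b['mtime']; });
    return $hits;
}

foreach (scan_tree($root, $patterns) as $h) {
    printf("%s  %s  (%s)\n", date('Y-m-d H:i:s', $h['mtime']),
           $h['path'], implode(', ', $h['markers']));
}
```

The modification times are only a lead: whoever wrote the files can reset them, so confirm the window against the access and FTP logs rather than trusting the timestamps alone.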