PHP
Angelxalfa, 2015-01-14 14:20:19

Filtering incoming data?

Hello! Recently my WordPress site was hacked and infected with viruses. I cleaned the site and improved its performance... On the advice of one of the Internet resources about protecting the site, I added this script for filtering incoming data:

<?php
// Stage 1: refuse any uploaded file whose contents contain "<?".
$patt = "~\<\?~i";

if (is_array($_FILES)) {
    foreach ($_FILES as $anystring => $file_data) {
        if (preg_match($patt, file_get_contents($file_data['tmp_name']))) die("denied by antivirus-alarm 3");
    }
}

// Stage 2: refuse any request parameter that looks like PHP or SQL code.
// The original fragment "{0-9a-zA-Z}[80]" was a typo (PCRE treats the braces
// as literals); a run of 80 alphanumerics is written "[0-9a-zA-Z]{80}".
$patt = "~\/\.\.\/\.\.\/\.\.\/|[0-9a-zA-Z]{80}|eval[^\(]*\(|include[^\(]*\(|base64_decode[^\(]*\(|stripslashes[^\(]*\(|strip_tags[^\(]*\(|fopen[^\(]*\(|chmod[^\(]*\(|chown[^\(]*\(|chgrp[^\(]*\(|unlink[^\(]*\(|unset[^\(]*\(|fgetc[^\(]*\(|fgets[^\(]*\(|file_get_contents[^\(]*\(|file_put_contents[^\(]*\(|fwrite[^\(]*\(|move_uploaded_file[^\(]*\(|is_uploaded_file[^\(]*\(|rmdir[^\(]*\(|fromCharCode[^\(]*\(|tmpfile[^\(]*\(|tempnam[^\(]*\(|phpinfo[^\(]*\(|basename[^\(]*\(|curl_init[^\(]*\(|socket_create[^\(]*\(|popen[^\(]*\(|exec[^\(]*\(|system[^\(]*\(|passthru[^\(]*\(|proc_open[^\(]*\(|gzuncompress[^\(]*\(|shell_exec[^\(]*\(|delete from|insert into~i";

// Recursively checks one request value (or array of values) against $patt,
// both as received and after stripslashes()/base64_decode(), and aborts the
// request on the first match.
function prfilter_x1($v1x1, $patt) {
    if (is_array($v1x1)) {
        foreach ($v1x1 as $vx) prfilter_x1($vx, $patt);
    } else {
        if (preg_match($patt, $v1x1) || preg_match($patt, stripslashes($v1x1))) die("denied by antivirus-alarm 1");
        if (preg_match($patt, base64_decode($v1x1)) || preg_match($patt, stripslashes(base64_decode($v1x1)))) die("denied by antivirus-alarm 2");
    }
}

foreach ($_REQUEST as $v1x1) prfilter_x1($v1x1, $patt);

And I added the directive to run it in .htaccess:
php_value auto_prepend_file /path/to/the/file/prfilter.php
It works fine, but it restricts too much (for example, it doesn't even allow images to be uploaded to the server through the WordPress admin panel). Can you please tell me how to make it block the upload of all files except images (for example)?
And if you can give any more practical advice on protection against future hacking, I will be very grateful.
Thanks in advance!


3 answer(s)
Alexander Evgenievich, 2015-01-14
@Angelxalfa

All In One WP Security. Install this plugin; it monitors file changes on your site and sends notifications by email, so you can track whether shell scripts have been uploaded or malicious code has been written into any files on your site.
Also, you can put this command into cron:
, which will look for typical eval() lines in new files and dump their names into the shells_find_log.txt file.

Matvey Mamonov, 2015-01-14
@eucalipt

There are tips. Write such things yourself; you will not find exactly what you need ready-made. You can find something similar, but exactly what is in your head you can only write yourself.
And now closer to the point.
First, to pass data to the database, use MySQLi prepared statements.
In addition, process all data with the following functions.

$enteredData = trim($enteredData); // Removes all whitespace at the beginning and end of the string
$enteredData = htmlspecialchars($enteredData); // Makes SQL injection impossible.

SQL injection is when a user enters some MySQL command into a field (for example, delete all rows), and this string (if there is no protection against such injections) simply goes into the database and is executed, that is, it wipes the database in our example.
trim will not remove all spaces at all, don't worry; it will only remove those unnecessary characters (such as spaces, alt+255 and other "invisible" characters) that are at the beginning and end of the string.
Naturally, what the user enters first needs to be written into these variables:
$enteredData = $_POST['field'];
// or
$enteredData = $_GET['field'];

Depending on the method you are using.
These functions are only the most basic ones; you can add more that you need in a particular case, but usually this is enough.

Pavel Gryaznov, 2015-11-08
@GRbit

I just have no words; I found this thing on a client's website. He also complained that the pictures did not upload.
Hands should be torn off for such checks BLZHAD!!11!#"!%:#*:;
Such a regular expression, "~\<\?~i", will fire on 90% of images; a check of such stupidity, forgive me. On top of that the man set the caseless flag, i.e. insensitivity to upper and lower case, despite the fact that there are no letters at all in the regular expression. Only an absolutely brainless person would check uploaded files this way.
It is worth disabling short_open_tag on the server and fixing the check at least to this:
"~\<\?php[ a-zA-Z0-9]{5}~" and then I think false positives will be
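For the question's "allow only images" requirement and the third answer's point that grepping uploads for "<?" is the wrong check, here is an added example (not code from the question or any answer) that validates each entry of $_FILES as a real image: allowlisted MIME type sniffed from the bytes, a matching extension, and a parseable image header. The function name and the allowlist are assumptions, and single-file form fields are assumed.

```php
<?php
// Added example: accept only real image uploads instead of scanning for "<?".
// Constructed allowlist of sniffed MIME type => permitted extensions.
const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => ['jpg', 'jpeg'],
    'image/png'  => ['png'],
    'image/gif'  => ['gif'],
];

/**
 * Returns null if $file (one single-file entry of $_FILES) is an acceptable
 * image, otherwise a short reason string. The client-supplied $file['type']
 * is never consulted; only the bytes on disk and the extension are checked.
 */
function image_upload_problem(array $file) {
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return 'upload error ' . $file['error'];
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return 'not an uploaded file';
    }
    // Extension taken from the original filename, lower-cased.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    // Server-side MIME sniffing of the actual file contents.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED_IMAGE_TYPES[$mime])) {
        return "mime $mime not allowed";
    }
    if (!in_array($ext, ALLOWED_IMAGE_TYPES[$mime], true)) {
        return "extension .$ext does not match $mime";
    }
    // getimagesize() parses the header; a script renamed .png fails here,
    // and the detected type must agree with what finfo sniffed.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || image_type_to_mime_type($info[2]) !== $mime) {
        return 'not a parseable image';
    }
    return null;
}

// Drop-in replacement for the "antivirus-alarm 3" loop in the question.
foreach ($_FILES as $file) {
    if (($why = image_upload_problem($file)) !== null) {
        die("upload rejected: $why");
    }
}
```

A valid image can still carry arbitrary text in its metadata, so this check is a complement to, not a substitute for, configuring the web server never to execute files from the uploads directory.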
