Arbitrary Code Execution Attack – Fixation and Prevention
In this age of the internet, many organizations have developed web-based applications to allow easy access and round the clock services to the user. But, poorly written code for web applications can be exploited to gain unauthorized access to user data and the web server. To begin with, arbitrary code execution (ACE) describes a security flaw that allows the attacker to execute arbitrary commands (codes) on the target system.
It means that any bad guy can command the target system to execute any code. The executed code might be an already existing code or a code inserted by the attacker using the vulnerability. In either case, arbitrary code execution attack lets the attacker to execute stuff on your system.
Related article – WordPress Sites at Risk From PHP Code Execution
Contents of This Guide
- 1 How is arbitrary code execution attack performed?
- 2 Arbitrary Code Execution (ACE) Attack – Fixation
- 3 Arbitrary Code Execution (ACE) Attack – Prevention
- 4 Conclusion
How is arbitrary code execution attack performed?
To execute arbitrary codes, the attacker needs access to the website like a gateway. This gateway is achieved by injecting a malicious file.
Websites are controlled and managed through CMS and related extensions. These softwares are made up of files and folders. Certain folders are writable and allow uploading of files. Hackers by varied means upload a PHP file in such folders. Although these files don’t allow full control over the website, they act as a gateway. Files inclusion are of two types – Remote File Inclusion or Locally Local File Inclusion
The vulnerability promoting Remote File Inclusion (RFI) is largely found on websites running on PHP. PHP has a provision to ‘include’ or ‘require’ additional files within a script giving rise to File inclusion vulnerability. Validating the input before passing them within these scripts can considerably reduce the risks of such exploitation.
In the case of Local File Inclusion (LFI) the attacker uses files on the current server to execute a malicious script. A remotely included file could be used to include locally available files to perform malicious actions.
Related article – Magento Remote Code Execution : Insights & Solution
Example: How Arbitrary Code is Executed
With this example, let us see how exactly an arbitrary code execution attack is executed-
swp_debug allows an attacker to perform remote code execution by passing the payload URL via
Example Attack Vector:
payload.txt content: “
It’ll return the content of
The end result was that the arbitrary code was able to extort an unexpected status from the server. This return from the server lets the hacker know which codes can get past the security bypass of the server. Having known the vulnerabilities, the hacker can now execute any malicious codes in the server.
Arbitrary Code Execution (ACE) Attack – Fixation
A code backup is very important because it allows you to analyze the infection at a later stage. You are advised to regularly backup code. It simplifies the process of hack removal. Even if you do not have a backup strategy in place, you can save your time by simply copying the unaffected, good parts of the code instead of beginning from scratch.
Many users recommend restoring a previous backup in case of an attack. This would surely remove the infection and your site will work as before. But, it leaves the security flaw unchecked.
Check core file integrity
Most core files should never be modified. The quickest way you can check the core files for infection is by comparing the current files with the original using the diff command in terminal. If no differences are visible, your core files are clean.
Check Recently modified files
If you have SSH access to your server, check the list of files that have been modified in the last few days since you noticed the hack. By using
mtime command you can list the files that were modified in the last few days. It is used as follows:
Find .mtime -15 –ls
The above command lists all the files that were changed in the last fifteen days.
Clean Hacked Files and database
Remove all the malicious code. Delete files that the attackers might have included. After each file removal, it is important to ensure that none of the site functionalities and features are affected.
Pro Tip: The easiest way to identify hacked files is by comparing the present version of the site with a healthy backup.
To remove a malware infection from your website database is trickier. There are several third-party DB management tools like Adminer. Seek expert’s advice here.
Secure User Accounts
If you notice any unfamiliar and unusual users, remove them. It is recommended that there be only one admin user. Set other roles to the least amount of privileges needed. Delete all anonymous FTP accounts.
Change passwords of your FTP account, SSH login, database, etc.
Update permissions for files and folders, limiting access to only what is necessary. Set
444 (read-only) permissions for files like
Remove Malware Warnings
If you were blacklisted by Google, you can request a review after fixing the infection. The review will not take long. Your website will regain its SEO status within 24 hours of review completion.
There are services available which help you look through other blacklists. Although there are so many such services, you can use MX Toolbox. It checks your website against multiple lists and gives you an organized output. It should be noted that different blacklists have different review processes.
Arbitrary Code Execution (ACE) Attack – Prevention
Schedule regular vulnerability and malware scans. This will allow you to address potential security issues in a nascent stage. Practice Dorking– Use Google search for hints of potential vulnerability, and remove their traces from web applications
Web Application Firewalls
A Web Application Firewall can blacklist referenced URLs to block zero-day vulnerability exploits of applications. A web application firewall can protect your site in multiple ways:
- It detects attacks using application layer knowledge and a pre-configured database of attack vector signatures.
- I can identify access patterns of automated tools
- It can blacklist the hosts that are suspected hackers to quickly identify and block attackers in the future.
Blacklisting IPs obtained from observing previous attacks could help prevent any future attacks originating from the same malicious source, thus tackling an attack before it even begins.
Disabling PHP execution
Disabling PHP execution in certain folders (writable folders like Upload in WordPress core) will go a long way in securing your website. Astra Security Service offers features that allow disabling PHP Execution.
Don’t allow non-validated user inputs to enter file and include function parameters. Set Red Alert and Charge Phasers to maximum for any variable that uses ‘include’ or ‘filesystem‘ functions for input. Exercise due caution to validate the variable. Be careful while downloading third-party libraries. They allow non-PHP files to be passed to the PHP interpreter. This can be exploited by attackers.
Disabling Directory Indexing
it is essential to Disable Directory Browsing. Hackers can exploit directory browsing to reveal files with known vulnerabilities, and in turn exploit it to gain unauthorized access. One can easily hide a certain folder from being accessible to the public by modifying the
.htaccess file a bit.
Check out: Disabling directory indexing in WordPress
It’s better to be safe than sorry. Hence, to stiffen your website’s security against such hacking attempts, it is recommended to invest in a premium security solution. Although there are many security companies around, Astra Web Security is a trusted name. Having Astra Firewall on your website adds immensely to your website’s security. Besides shielding your website from SQLi, XSS, CSRF, bad bots & 100+ coming threats. Astra Firewall also provides continuous and comprehensive monitoring of your website. To get a hands-on experience of this product click here.