Skip to main content


Showing posts with the label php

RAT Bastard

Earlier this week, several servers I maintain were targeted by automated attempts to upload a remote access trojan (RAT). The RAT is a simple rot-13 embedded PHP script. The script provides a means for establishing file transfer and permissions management via HTTP queries on the remote side and the dreaded eval() function on the local side - interestingly, these functions are somewhat protected; in order to work, it is necessary to provide a hash along with the HTTP query, and the length of the query string has to match the size of its associated file. Can't have someone else taking advantage of your hard work, I suppose. The script includes a standard six-byte GIF header before the "<?php" establishing the opening of the PHP code, and the payload itself had a .gif file extension. It is pretty obvious either to a naked eye or a program that more than a very basic check that this .GIF is not an image. It is slightly more sophisticated than other attempts I have seen w

How to Authenticate WHMCS Admin Users with PHP

Over the past few days I've been working on a project that involved building an authentication mechanism for a new website which checks user logins against a WHMCS admin database. There are a variety of options for authenticating normal, non-admin WHMCS users: on the easy side of things, you can simply use the WHMCS API's validatelogin() call, or for a more advanced project its possible to implement OAuth within your WHMCS instance . For my project, neither LDAP nor Active Directory were options. I was surprised to find that the WHMCS API did not contain a mechanism for authenticating admin users. I'm somewhat sympathetic given the security implications: WHMCS is a billing application and it should not be used to provide a sortof infrastructure authentication backbone, particularly given the many much more mature options available for this sort of thing. With that said, this project wasn't about looking to turn WHMCS into LDAP ... it was about allowing WHMCS admin t

Can the WHMCS API retrieve Product Bundle information?

    Recent versions of WHMCS introduce a feature called " Product Bundles ". The idea is simple - a single link combines a number of products, possibly with a specific set of Configurable Options . These combinations can then be assigned discounts unique to that Bundle.     This comes in handy for a variety of different scenarios, for example in WHMCS instances where multiple brands are in play and you want to run a sale on a single brand that is still sold on other sites.     I recently encountered a situation that involved integrating a pre-existing pricing form within a CMS platform (think Joomla/Wordpress/Drupal/etc) with an order form and series of products with WHMCS. Not only did the signup buttons on the CMS page for each product need to connect to the corresponding WHMCS order form page, but pricing and product details on the CMS page needed to be generated dynamically from information stored in WHMCS, because updating two platforms to make simple price changes suck

PHP logging timestamp oddities

I noticed something odd yesterday while reviewing log data on one of the RHEL 7 web servers I look after. Peering through the PHP error log, I noticed that all of the timestamps were formatted using the Coordinated Universal Time (UTC ... because acronyms that make sense are for losers). [29-Jul-2015 14:26:04 UTC] PHP [redacted] on line 511 [29-Jul-2015 14:26:04 UTC] PHP [redacted] on line 530 [29-Jul-2015 14:26:04 UTC] PHP [redacted] on line 574 [29-Jul-2015 14:26:04 UTC] PHP [redacted] on line 607 [29-Jul-2015 14:26:04 UTC] PHP [redacted] on line 629 There is nothing wrong with UTC. UTC avoids the calamities inherent in the highly politicized, frequently changed, deeply flawed and inevitably pointless Daylight Savings rules. And unlike epoch-based timestamps, UTC is human readable. It's good stuff. Your hwclock should use it. With that said, with this particular server a decision was made for logging to consistently be Eastern Time. So I jumped through a number of hoops to

Uploading HTML forms to Amazon S3 using PHP

Dynamically uploading information to S3 can be a bit challenging to do initially, particularly in PHP where a lot of the documentation is either really new or really old. Amazon has a PHP SDK , which is available as either a .phar file or can be installed using Composer . That's cool for building a new project, but what if you have a pre-existing project or form and just want to be able to dump the text output to S3? I've put together some code at Github that will take care of that issue. The only requirement is PHP and an Amazon S3 account. Download or clone the files here: Your Amazon access keys and other configuration are stored in a single configuration file. Just fill out your login info into the configuration file and include the php form where you need it as outlined in the file and you should be all set!

FastCGI and Application Pool CPU Limiting in IIS7

Or, How To Fix the "Unable to place a FastCGI process in a JobObject" / 0x80070005 Error When Applying a CPU Limit to an IIS7 Application Pool Here is our example - you have a website that uses several different programming languages running on an IIS7 server. Perhaps your main site is running .NET, and you are using PHP for the website's blog, or Python for a mailing script. You have installed the FastCGI module to speed things up and have it configured successfully. Unfortunately, CPU utilization is overall fairly high for this site. You want to make sure that it doesn't get *too* high and crash the server, or overwhelm other applications and services you have running on the same server. This article assumes that you already have configured a dedicated application pool for your site, and per the best practices you are running the application pool under a unique application pool identity user, and not the Network Service. It also assumes that you only have one

Disable Display_Errors in Production

Its a simple message, but worth repeating. Yesterday I came across the website of a major internet security firm making a few first-day-on-the-job mistakes. While I am not going to "out" them before contacting them directly, what they did is silly enough that it warrants a bit of discussion in the abstract. Display_errors was enabled in their web server's php.ini. As a result, a few helpful messages were displayed briefly at the top of several of pages on the site 1. The name of the database 2. The name of the table in use by that page 3. A list of every column in that table 4. An error indicating that the table is exceeding its maximum allowable size of 4GB The site collects information about its users - IP address, browser info, referrer, etc, and stores that information to a table in a MySQL database - we know from the error itself that database is running on a server using a 32 bit operating system. With the structure of the database, we have everything we