What must I do when I have an image attack?

I use FreeBSD 7 and I installed Apache with phpBB and gallery2, and I do not use a firewall.
I searched my system and I found many pictures that include Perl code. I use steghide to detect bad code in images, but steghide does not support GIF files. What can I do about this kind of attack?
What must I do so this code cannot damage my system and cannot cause problems for FreeBSD?
 
SirDice said:
How do those images end up on your machine?!?
He or she uploads the infected image through the CMS and gallery2; he or she does not know that the image has a security risk.
 
mfaridi said:
He or she uploads the infected image through the CMS and gallery2; he or she does not know that the image has a security risk.

You can't embed code in pictures, so s/he knows what s/he is doing.

This would probably mean your CMS or gallery is vulnerable to some injection attack.

What CMS are you using? And which version?
 
To clear things up.
You can hide anything in an image, but it's completely harmless unless someone then deliberately extracts it again and runs it - not the most likely scenario.

Of course, someone could be using images to transmit something illegal, but that's completely impossible to scan for - and not a software risk, anyway.

There have been one or two cases where Windows has been vulnerable to specially crafted JPEG images, but that should have been patched a long time ago - and it's still not a risk to your server.
 
Djn said:
To clear things up.
You can hide anything in an image, but it's completely harmless unless someone then deliberately extracts it again and runs it - not the most likely scenario.

Of course, someone could be using images to transmit something illegal, but that's completely impossible to scan for - and not a software risk, anyway.

There have been one or two cases where Windows has been vulnerable to specially crafted JPEG images, but that should have been patched a long time ago - and it's still not a risk to your server.
Thanks,
but I looked at one of these files: when I open the GIF file with MC, I see that Perl code is hidden in it,
and this code wants to see /etc/passwd and do many things, and it can delete many things.
 
A file ending in .gif or .jpg is just that, a file ending in .gif or .jpg. Those three-letter extensions have nothing to do with what the file actually is.

So that "gif" was uploaded to your gallery in the hopes of exploiting some weakness in the software. Definitely not uploaded "by accident".
 
Your system needs a serious security hole for someone to be able to remotely execute the scripts in these files. Unless there is some kind of stack or buffer overflow exploit for your software, it won't do anything. What you can do is to use some image processing library and deny everything that this library cannot handle.
 
mfaridi said:
Thanks
but I looked at one of these files: when I open the GIF file with MC, I see that Perl code is hidden in it,
and this code wants to see /etc/passwd and do many things, and it can delete many things.

Ok, so what you are saying is that somebody uploaded a file that is named like an image (file.gif) but instead contains perl (or other) script code?
 
tingo said:
Ok, so what you are saying is that somebody uploaded a file that is named like an image (file.gif) but instead contains perl (or other) script code?

Yes
 
After a user opens the GIF file, the Perl code starts and goes to /etc/passwd, looks there and makes changes.
 
You need to have a serious look at the way people are uploading "pictures" on your server.
 
SirDice said:
You need to have a serious look at the way people are uploading "pictures" on your server.

Yes, I must do this,
but what must I do so that if someone uploads a BAD gif and runs it, my FreeBSD is not HACKED?
What must I do for FreeBSD?
 
First of all, I hope your webserver isn't running as root. It shouldn't. If it's not running as root, you could trigger scripts remotely, but the script won't be allowed to edit /etc/passwd.

Can you post an example of such a "picture"?
 
What I don't see is how it's possible to execute the files. This is an application problem; you cannot do anything on the OS side of things.
 
@mfaridi:
As others have written in this thread - you need to look really, really hard at how your webserver and application are set up.
First of all: you should take your webserver off the internet if you suspect that it is insecure. Keep it off until you have fixed all problems, and tested that it is not possible to abuse your server.

Regarding the file upload problem, here are some things you can do
(how easy and / or practical they are depends on your application and how it is used)
- disable users' ability to upload files at all
- make all uploaded files go into a queue for manual verification before they are published on the site
- perform automatic verification of file types; if a file isn't in an allowed format, discard it.
 
tingo said:
- perform automatic verification of file types, if a file isn't in allowed format, discard it.
Absolutely. Do NOT trust 'file extensions' or even mime types.
Don't trust anything that gets uploaded to your server, period.
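
As an added example (not code from this thread, from gallery2 or from phpBB), this is the kind of content check the two posts above are asking for: it ignores the file extension and the client-supplied MIME type, walks the actual GIF block structure, and rejects a file that is a script renamed .gif, a truncated or malformed GIF, or a real GIF that carries extra bytes after the 0x3B trailer (which is where text such as a Perl script can sit while the file still displays as an image). The three sample inputs are constructed here, and the "payload" in them is a harmless print statement; the function names are my own.

```python
import struct

# Constructed sample inputs (not files from the thread):
# a valid 1x1 GIF89a, a Perl script simply renamed .gif, and a polyglot that
# is the same valid GIF with a script appended after the 0x3B trailer.
CLEAN_GIF = bytes.fromhex(
    "474946383961"            # "GIF89a" signature
    "01000100800000"          # logical screen 1x1, global colour table flag set
    "000000ffffff"            # global colour table: 2 entries (3 bytes each)
    "21f9040100000000"        # graphic control extension + 0x00 terminator
    "2c00000000010001000002"  # image descriptor, then LZW minimum code size 2
    "02440100"                # one 2-byte image data sub-block + terminator
    "3b"                      # trailer
)
SCRIPT_AS_GIF = b"#!/usr/bin/perl\nprint \"hypothetical payload\\n\";\n"
POLYGLOT = CLEAN_GIF + b"\n#!/usr/bin/perl\nprint \"hypothetical payload\\n\";\n"

# Prefixes that no legitimate GIF can start with; cheap early rejection only.
SCRIPT_MARKERS = (b"#!", b"<?", b"<%", b"<script", b"<html")


def _skip_sub_blocks(data, pos):
    """Advance over a chain of length-prefixed sub-blocks ending in a 0 byte."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        pos += n


def walk_gif(data):
    """Parse the GIF block structure and return the offset just past the
    trailer.  Raises ValueError if the bytes are not a well-formed GIF."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("missing GIF87a/GIF89a signature")
    width, height, packed = struct.unpack_from("<HHB", data, 6)
    if width == 0 or height == 0:
        raise ValueError("zero-sized logical screen")
    pos = 13
    if packed & 0x80:                        # global colour table present
        pos += 3 * (2 << (packed & 0x07))    # 3 * 2^(N+1) bytes
    while True:
        if pos >= len(data):
            raise ValueError("no trailer (0x3B) before end of data")
        block = data[pos]
        pos += 1
        if block == 0x3B:                    # trailer: end of the image
            return pos
        if block == 0x21:                    # extension: label + sub-blocks
            pos = _skip_sub_blocks(data, pos + 1)
        elif block == 0x2C:                  # image descriptor (9 bytes)
            if pos + 9 > len(data):
                raise ValueError("truncated image descriptor")
            local_packed = data[pos + 8]
            pos += 9
            if local_packed & 0x80:          # local colour table present
                pos += 3 * (2 << (local_packed & 0x07))
            pos += 1                         # LZW minimum code size byte
            pos = _skip_sub_blocks(data, pos)
        else:
            raise ValueError("unexpected block introducer 0x%02x" % block)


def check_upload(data):
    """Decide whether an upload that claims to be a GIF may be stored.
    Returns a dict with 'ok', 'reason' and 'trailing' (bytes after trailer)."""
    result = {"ok": False, "reason": "", "trailing": 0}
    head = data[:16].lstrip()
    for marker in SCRIPT_MARKERS:
        if head.startswith(marker):
            result["reason"] = "starts with script marker %r" % marker
            return result
    try:
        end = walk_gif(data)
    except ValueError as exc:
        result["reason"] = "not a well-formed GIF: %s" % exc
        return result
    result["trailing"] = len(data) - end
    if result["trailing"]:
        result["reason"] = "%d bytes after GIF trailer" % result["trailing"]
        return result
    result["ok"] = True
    result["reason"] = "well-formed GIF, nothing after trailer"
    return result


if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_GIF), ("script", SCRIPT_AS_GIF),
                         ("polyglot", POLYGLOT), ("truncated", CLEAN_GIF[:-1])):
        print(name, check_upload(sample))
```

The structural walk is what makes this stronger than a magic-byte or MIME check: the polyglot passes both of those because its first six bytes are a real GIF signature, and only the "bytes after trailer" count exposes the appended script. For a production gallery, the approach in the earlier post (decode the upload with an image library and re-encode it, storing only the re-encoded output) is stronger still, because it also discards data hidden inside comment or application extension blocks that this parser only skips over.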
 
Well, simply ignore those files or delete them, just so some user does not attempt to download and execute them. That is very likely not aimed at your server but at users downloading things from your server. Some server software usually checks for extensions in order to filter, which is wrong, instead of verifying the content, which would be ideal; but changing that may not be that trivial.
 
My guess is that the webserver's script (PHP?) does not validate uploaded files properly. Simply looking at whether a file extension reads .gif or .jpg is not sufficient (check the mime-type instead).
 