Possible apache / php exploits [closed] - php

Closed. This question is off-topic. It is not currently accepting answers.
Closed 9 years ago.
I have a question about exploiting a php server.
If I restrict all write access to the file system which the web server is running on, what kind of possible exploits can be run to gain access to the server?
And of course the server is running as a standard user.
Can this be regarded as a secure server then?

If an exploit exists that can give the hacker root access, then no amount of permission settings will stop him writing to the file system.
I don't know of any root exploits in PHP or Apache at the moment, but that's not to say they don't exist.
In addition, if the PHP program calls any external programs (via exec(), system(), etc), then those programs also pose the same theoretical risk. And if the PHP program uses eval() in an insecure way, then the attacker could theoretically call any program on the system, again with the same level of risk.
However, this kind of attack is relatively rare; most hacks against PHP software tend to be database attacks, because that's often the weak point in the program code, and also often offers better rewards to the attacker than a file system hack.
Of course, if the entire file system is write protected, then the DB won't be able to make updates either, which would prevent some kinds of DB attack (but would also likely be a problem for your normal DB usage). But a database attack could be in many forms, from simply reading the user passwords to inserting malicious data into the DB, and not all of them require write access. So write protection only goes so far to help you here.
Depending on what you mean by "restrict all write access", you may also have problems with software that expects to be able to write to the file system, including Apache, which writes a log file of activity. Not being able to write to this may be okay for Apache, but it will seriously impair your ability to work out what happened when an attack does occur.

Related

PHP files get edited by spammers [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 5 years ago.
Anti-spam conditions disappear from mailer PHP files while contact form is being simultaneously attacked by spammers.
This is the second time in a week this has happened. Lines of spam-preventing code just get removed from my PHP file (nothing gets added).
I have contacted the server people but they said it's not their problem and something is wrong with PHP itself.
What are the best steps to take to make sure this doesn't happen? Are there any htaccess or ftp security settings I could make use of?
It could be possible that you're simply overwriting your files with versions that don't have the tags in them. Double-check that your plugins and upload scripts don't have permission to overwrite these files without your permission.
If you are worried about your security though, the most common forms of injection of files are through image uploads and forums. Ensure that if you are using any database connections, that you use either MySQLi or PDO, and remember to use parameterised queries!
While you could make a few FTP or .htaccess rules, they aren't really going to stop any potential hackers. The best thing you can do is to make sure you don't have any security vulnerabilities that can be exploited.
If you're running WordPress, run your site through WPScan to make sure there are no vulnerable plugins that you're using (there are literally thousands of vulnerable plugins).
For further reading on security vulnerabilities and how to address them, I recommend checking out the OWASP Top 10 cheat sheet.
Hope this helps! :)
Files don't just have lines randomly disappear.
Someone has access to your server files, either through some form of attack on your webserver (a vulnerability in your code), FTP/SFTP/SSH access, or you have something in your code manually editing these files.
It may even be something as simple as you forgetting to save the files correctly, or an old version of the files getting replenished if you have some version management system.
Either way, I suggest changing passwords, increasing security, checking file permission, etc.

Malware infected website [closed]

Closed. This question is off-topic. It is not currently accepting answers.
Closed 10 years ago.
I have the following problem:
The website I made for a friend has been infected with malware. When I tried to clean it, by replacing files that I found to be different to the ones I uploaded, with my original files, after a short time, the files were different again. The file permissions are all 644, and the folders 755. It is as if the one who infected the files has access to change them whenever I change them back. Can anyone help me since I am very new to these kinds of problems?
First things first: report this to your webhost immediately! Secondly change all of your relevant passwords!
That being done, there are a few possible causes:
Your parent webhost has been compromised, in which case there is nothing you can do except move to a better host.
Your website contains a vulnerability that is being picked up by kiddies with their vuln-scanners. Be sure to audit your code to ensure that no user action can result in your website's filesystem being touched inappropriately; also check for SQL injection avenues.
Your website uses a widely-distributed application, such as WordPress, that has not been patched - this is a major problem.
Your own PC has been compromised and ne'er-do-wells have used a keylogger or other software to discover your FTP or SSH account details, and are abusing your website. Run a local scan and audit everything to ensure your bank account isn't being raided either.
This isn't a code-related problem. This isn't the place for your question.
But: It's likely that a program is running on your server and re-infecting the files. I'd recommend either taking it to a professional malware removal service, or (my preference) burning the server in a fire and allowing a new server to rise from the ashes. Then install an AV suite on the new server.
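Both this thread and the "PHP files get edited by spammers" thread above turn on the same question: which deployed files no longer match what was uploaded. The following is an added example, not code from any of the posts; the function names and the sample files are constructed for illustration. It builds a SHA-256 manifest of a known-good tree and compares the live tree against it.

```php
<?php
// Added example: hash-manifest integrity check for a deployed web root.
// Function names and sample files are constructed for illustration.

/** Return [relative path => sha256] for every regular file under $root. */
function build_manifest(string $root): array {
    $manifest = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if ($file->isFile()) {
            $rel = substr($file->getPathname(), strlen($root) + 1);
            $manifest[$rel] = hash_file('sha256', $file->getPathname());
        }
    }
    ksort($manifest);
    return $manifest;
}

/** Compare a trusted baseline manifest with the manifest of the live tree. */
function diff_manifest(array $baseline, array $current): array {
    $modified = [];
    foreach (array_intersect_key($current, $baseline) as $path => $hash) {
        if (!hash_equals($baseline[$path], $hash)) {
            $modified[] = $path;
        }
    }
    return [
        'added'    => array_keys(array_diff_key($current, $baseline)),
        'removed'  => array_keys(array_diff_key($baseline, $current)),
        'modified' => $modified,
    ];
}

// Constructed demo: a throwaway directory standing in for the real web root.
$root = sys_get_temp_dir() . '/webroot_' . bin2hex(random_bytes(4));
mkdir("$root/inc", 0755, true);
file_put_contents("$root/index.php", "<?php echo 'home';\n");
file_put_contents("$root/inc/mailer.php", "<?php /* anti-spam checks */\n");
$baseline = build_manifest($root); // built from the known-good upload

// Simulate what the posts describe: one file changes, one unknown file appears.
file_put_contents("$root/inc/mailer.php", "<?php /* checks removed */\n");
file_put_contents("$root/inc/new.php", "<?php // not part of the upload\n");

print_r(diff_manifest($baseline, build_manifest($root)));
```

Build the baseline from your local copy of the site and store it off the server, so that whoever can write to the web root cannot also rewrite the manifest.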

Protect a part of an application's code sources [closed]

Closed. This question is off-topic. It is not currently accepting answers.
Closed 10 years ago.
I am developing an ERP application.
Next month I will recruit 2 employees, developers.
The application consists of two parts:
The core of the system
modules.
Is there a way to "protect" the core of the system from possible theft by new employees? I do not want to see my code with competitors in a few months (risk exists).
I thought to limit access via FTP, SVN work, etc., but thinking about it, I found that the developer always has a way to know the core of the system files (a simple display php directory) or execute a script that will rename the .php to .txt to be able to download it...
Will encoding the core with Ioncube be sufficient?
Other solution?
This is really a legal and not a programming matter. You should have them sign non-disclosure and non-competition agreements and call it a day - coming up with unnecessarily complex solutions is really unnecessary.
I thought to limit access via FTP, SVN work, etc., but thinking about it, I found that the developer always has a way to know the core of the system files or execute a script that will rename the .php to .txt to be able to download it...
Obviously. Realise that any security invented by a human can be circumvented by another. You still should impose such restrictions - if they do gain access to the application core, you may need to prove that this could only be possible by intentionally circumventing security measures.
To be blunt, always give employees the access they need to do their job, but never more than that.

Hacker uploaded files to FTP - what kind of hack is this? [closed]

Closed. This question is off-topic. It is not currently accepting answers.
Closed 11 years ago.
I'm sorry if this is not really an appropriate question to ask on here, but this has happened to me a number of times and I don't understand what's going on because I do not have an upload form on my website. Somehow someone is uploading lots of PHP files to my FTP server. These files were even picking up traffic thru Google Analytics. I have a contact form, and it does need to be beefed up security wise, but can a hacker UPLOAD files and alter my .htaccess file through it?
What type of hack is that? I would love to do more research on it to take preventative measures.
It is very possible for a hacker to upload files through a PHP site. I've seen it many times.
PHP has the potential to be very insecure. Getting in through PHP isn't very hard if your configuration is weak. Check your access logs and look for anything that seems wrong, particularly a whole bunch of requests from a single IP address. If they are in that deep, your access log may itself be compromised, and beyond even that.
Contact forms and database driven pages are easy to create with vulnerabilities, and no amount of PHP configuration tweaking will fix that. Look for cross-site scripting vulnerabilities, if you're using a database, SQL injection attacks, and make sure that there is nowhere in your website that uses a GET parameter in a file path, like reading a file, or writing a file. Don't count on stripping a GET parameter, don't count on regexing it clean, just don't do it.
With regard to FTP, if you can, just turn it off and only upload files through SFTP or SCP. If possible, don't use password authentication, use public key instead.
Ultimately if they are changing files on your file system, you may end up saving yourself time by fixing any vulnerabilities you can find, re-installing the OS from scratch, and reconfiguring PHP and FTP to be secure.
There are some toolkits out there that will do basic tests against your site that are worth a look too. Check out https://www.owasp.org/index.php/Main_Page
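The advice above about never letting a GET parameter into a file path, sketched as an added example that is not part of the original answer; the page names, the `pages/` directory and `resolve_page()` are hypothetical. The request value is only ever used as a key into a fixed map, so no amount of stripping or regex cleaning is needed.

```php
<?php
// Added example; page names, paths and resolve_page() are hypothetical.

// Pattern the answer warns against (shown as a comment, never executed):
//   include __DIR__ . '/pages/' . $_GET['page'] . '.php';
// The request value becomes part of the path, so the request picks the file.

// Fixed map: the only files this script will ever load.
const PAGES = [
    'home'    => 'pages/home.php',
    'contact' => 'pages/contact.php',
    'about'   => 'pages/about.php',
];

/** Resolve a request value to a file path, or null if it is not a known page. */
function resolve_page($requested): ?string {
    // Arrays (?page[]=x) and other non-string values are rejected outright.
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return null;
    }
    return PAGES[$requested];
}

// Constructed request values, valid and invalid, to show the lookup's behaviour.
$samples = ['contact', '../../etc/passwd', 'home.php', "home\0", ['home'], ''];
foreach ($samples as $value) {
    $path = resolve_page($value);
    printf("%-22s => %s\n", json_encode($value), $path ?? '404 (rejected)');
}

// In a real handler:
//   $path = resolve_page($_GET['page'] ?? 'home');
//   if ($path === null) { http_response_code(404); exit; }
//   require __DIR__ . '/' . $path;
```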
Does the form have an upload function? Do you check file types etc? Could easily upload a PHP shell (c99, c100) and alter what's on your account.

Should I / how do I protect source code from web host? [closed]

Closed. This question is opinion-based. It is not currently accepting answers.
Closed 7 years ago.
Are you concerned at all with your web host having access to all of your files and being able to essentially download your entire web app? What steps can you take to protect yourself? More specifically, I am interested in knowing how to protect the custom developments I've made to a WordPress powered site?
Are you concerned at all with your web host having access to all of your files and being able to essentially download your entire web app?
No.
What steps can you take to protect yourself?
None.
If you can't trust your web host, you're doomed and need to change providers immediately. It's impossible to protect a web site from the administrator(s) who maintain the server it runs on.
It's like if you are a business hiring a bookkeeper or sysadmin - they can't do their job if they don't have access to the company's financial records, or computer systems, respectively. You have to be able to trust that those people don't steal your company secrets.
I am interested in knowing how to protect the custom developments I've made to a WordPress powered site?
Not to put down the value of your work and all, but chances are nobody cares about them. There's a lot more to a custom development than having the code - you also need somebody who understands it and can work with it. I don't think code theft from commercial hosting platforms is much of an issue.
You can encrypt your applications using various encryption engines such as Zend for PHP. Or you could always obfuscate your code before uploading it onto your web host.
If you don't trust your webhost, don't use them.
It is impossible to secure code against an enemy who owns the hardware and has administrative permissions on the server.
There is nothing you can do to stop your web host from being able to see your files. It's their server after all, and they have root access to it.
Generally, nobody cares about your shared-hosting site enough to go poking around in the code. Sorry, but it's true. If you get large enough that it matters, you'll be running your own servers which only you have access to.
The best defense against hosts that might do something sketchy is to look for reviews of the hosting, and solicit recommendations from friends and other trusted colleagues.
