Hacker uploaded files to FTP - what kind of hack is this? [closed] - php

Closed. This question is off-topic. It is not currently accepting answers.
Closed 11 years ago.
I'm sorry if this is not really an appropriate question to ask on here, but this has happened to me a number of times and I don't understand what's going on, because I do not have an upload form on my website. Somehow someone is uploading lots of PHP files to my FTP server. These files were even picking up traffic through Google Analytics. I have a contact form, and it does need to be beefed up security-wise, but can a hacker UPLOAD files and alter my .htaccess file through it?
What type of hack is that? I would love to do more research on it to take preventative measures.

It is very possible for a hacker to upload files through a PHP site. I've seen it many times.
PHP has the potential to be very insecure. Getting in through PHP isn't very hard if your configuration is weak. Check your access logs and look for anything that seems wrong, particularly a whole bunch of requests from a single IP address. If they are in that deep, your access log may itself be compromised, and beyond even that.
Contact forms and database-driven pages are easy to create with vulnerabilities, and no amount of PHP configuration tweaking will fix that. Look for cross-site scripting vulnerabilities and, if you're using a database, SQL injection attacks, and make sure that there is nowhere in your website that uses a GET parameter in a file path, like reading a file or writing a file. Don't count on stripping a GET parameter, don't count on regexing it clean, just don't do it.
With regard to FTP, if you can, just turn it off and only upload files through SFTP or SCP. If possible, don't use password authentication, use public key instead.
Ultimately if they are changing files on your file system, you may end up saving yourself time by fixing any vulnerabilities you can find, re-installing the OS from scratch, and reconfiguring PHP and FTP to be secure.
There are some toolkits out there that will do basic tests against your site that are worth a look too. Check out https://www.owasp.org/index.php/Main_Page
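The "GET parameter in a file path" point in the answer above is the pattern worth seeing side by side. The following is an added example, not code from the question or the answer: the request-controlled include on the left of the page's advice, and the fixed-map version that removes the need to "strip" or "regex clean" anything. The `pages/` directory layout, the `?page=` parameter name and the `PAGES` map are assumptions of this example.

```php
<?php
declare(strict_types=1);

// VULNERABLE (assumed front controller): the request decides which file is read.
// "../" sequences and absolute paths let a visitor read or include files the
// author never intended, which is one common first foothold before an attacker
// writes their own PHP files onto the host.
function render_page_vulnerable(string $page): string
{
    $path = __DIR__ . '/pages/' . $page . '.php';   // $page comes straight from ?page=
    ob_start();
    include $path;
    return (string) ob_get_clean();
}

// HARDENED: the request only selects a key from a fixed map. The file name is
// never built from user input, so there is nothing to sanitise.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_page(string $requested): ?string
{
    if (!array_key_exists($requested, PAGES)) {
        return null;                                  // unknown key: refuse, do not guess
    }
    $path = realpath(__DIR__ . '/pages/' . PAGES[$requested]);
    $base = realpath(__DIR__ . '/pages');
    // Defence in depth: even with a fixed map, confirm the resolved file really
    // lives inside the intended directory (guards against symlink surprises).
    if ($path === false || $base === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function render_page_hardened(string $requested): string
{
    $path = resolve_page($requested);
    if ($path === null) {
        http_response_code(404);
        return 'Not found';
    }
    ob_start();
    include $path;
    return (string) ob_get_clean();
}

// Usage (assumed layout: a pages/ directory next to this file):
// echo render_page_hardened($_GET['page'] ?? 'home');
```

The same allowlist shape applies to anything that opens, writes or deletes a file based on a request value: map the request to a server-chosen name, never to a path fragment.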

Does the form have an upload function? Do you check file types etc.? Someone could easily upload a PHP shell (c99, c100) and alter what's on your account.
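To make "do you check file types" concrete, here is an added example (not from the answer above) of an upload handler written so that an uploaded PHP file can never be executed by the web server. The form field name `photo`, the `UPLOAD_DIR` location outside the document root and the `MAX_BYTES` limit are assumptions of this example.

```php
<?php
declare(strict_types=1);

const UPLOAD_DIR = '/var/www/uploads-private';   // assumed: NOT under the document root
const MAX_BYTES  = 2 * 1024 * 1024;              // assumed size limit

// Content-detected MIME type => extension the server will assign.
// The client-supplied file name and $_FILES['photo']['type'] are never trusted.
const ALLOWED_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

function store_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with error ' . (int) $file['error']);
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not a genuine upload');
    }
    if ((int) $file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }

    // Sniff the real content type: a PHP script renamed to .jpg is caught here,
    // because finfo reads the bytes rather than the name.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime === false || !isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException('Unsupported file type');
    }

    // Second check: it must also decode as an image of that type.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('File is not a valid image');
    }

    // Server-chosen random name and server-chosen extension: the uploader
    // controls neither, so double extensions and odd suffixes do not matter.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0640);   // readable by the web server, never executable
    return $name;
}

// Usage (assumed form field "photo"):
// $stored = store_upload($_FILES['photo']);
```

Because the files live outside the document root, they are served back through a small read-only script that sets the Content-Type itself; nothing in the upload directory is ever reachable as a URL, so even a mistake in the checks above cannot turn into remote code execution.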

Related

PHP files get edited by spammers [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 5 years ago.
Anti-spam conditions disappear from mailer PHP files while contact form is being simultaneously attacked by spammers.
This is the second time in a week this has happened. Lines of spam-preventing code just get removed from my PHP file (nothing gets added).
I have contacted the server people but they said it's not their problem and something is wrong with PHP itself.
What are the best steps to take to make sure this doesn't happen? Are there any htaccess or ftp security settings I could make use of?
It could be possible that you're simply overwriting your files with versions that don't have the tags in them. Double-check that your plugins and upload scripts don't have permission to overwrite these files without your permission.
If you are worried about your security though, the most common forms of injection of files is through image uploads and forums. Ensure that if you are using any database connections, that you use either MySQLi or PDO, and remember to use parameterised queries!
While you could make a few FTP or .htaccess rules, they aren't really going to stop any potential hackers. The best thing you can do is to make sure you don't have any security vulnerabilities that can be exploited.
If you're running WordPress, run your site through WPScans to make sure there are no vulnerable plugins that you're using (there are literally thousands of vulnerable plugins).
For further reading on security vulnerabilities and how to address them, I recommend checking out the OWASP Top 10 cheat sheet.
Hope this helps! :)
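The answer's "use MySQLi or PDO and remember to use parameterised queries" is the one fix that removes a whole class of the attacks being described. The block below is an added example, not code from the answer: the same lookup written the injectable way and with a parameterised query, run against an in-memory SQLite database so the difference is observable. The `messages` table and the sample rows are constructed for this example.

```php
<?php
declare(strict_types=1);

// VULNERABLE: the value becomes part of the SQL text, so a submitted value
// can rewrite the query instead of being compared as data.
function find_messages_vulnerable(PDO $pdo, string $email): array
{
    $sql = "SELECT id, body FROM messages WHERE email = '" . $email . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE: the SQL text is fixed at prepare time; the value is bound separately
// and can only ever be a literal. No escaping or "cleaning" is required.
function find_messages_safe(PDO $pdo, string $email): array
{
    $stmt = $pdo->prepare('SELECT id, body FROM messages WHERE email = :email');
    $stmt->execute([':email' => $email]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Inserts use placeholders the same way; the SQL never contains user data.
function save_message(PDO $pdo, string $email, string $body): int
{
    $stmt = $pdo->prepare('INSERT INTO messages (email, body) VALUES (?, ?)');
    $stmt->execute([$email, $body]);
    return (int) $pdo->lastInsertId();
}

// Constructed demonstration: two rows, then one classic injection probe.
function demo(): array
{
    $pdo = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,   // let the database bind the values
    ]);
    $pdo->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, email TEXT, body TEXT)');
    save_message($pdo, 'alice@example.com', 'hello');
    save_message($pdo, 'bob@example.com', 'hi');

    $probe = "' OR 1=1 --";   // constructed probe, the textbook SQL injection string
    return [
        'vulnerable' => count(find_messages_vulnerable($pdo, $probe)),  // every row leaks
        'safe'       => count(find_messages_safe($pdo, $probe)),        // 0: treated as a literal
    ];
}

print_r(demo());
```

For MySQL, build the connection with a DSN such as `mysql:host=...;dbname=...;charset=utf8mb4` and keep `PDO::ATTR_EMULATE_PREPARES` set to `false` as above, so placeholders are bound server-side rather than interpolated by the client library.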
Files don't just have lines randomly disappear.
Someone has access to your server files, either through some form of attack on your webserver (a vulnerability in your code), FTP/SFTP/SSH access, or you have something in your code manually editing these files.
It may even be something as simple as you forgetting to save the files correctly, or an old version of the files getting replenished if you have some version management system.
Either way, I suggest changing passwords, increasing security, checking file permission, etc.

WordPress site hacked with conditional script [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 7 years ago.
Yesterday I got a bug in my WordPress site, where a hacker injected a script which can be seen by Googlebot only.
That script is not read or identified on normal browsers.
This is not causing issues with site availability or performance, but on Google search it gives advertisements instead of my site content, which is not good.
While searching on Google I got this:
https://aw-snap.info/articles/spam-hack-wordpress.php
I tried almost all the options given there.
Can anybody help me to identify the spam?
Thanks
Kiran Peshkar
Google offers a "view as Google" option in webmaster tools. This will help you to see what they see.
I tend to do two things when recovering one of my sites if it is not obvious what has caused the problem.
Upload a fresh copy of WordPress to my server. This will overwrite all the core files so if any have been hacked the malicious code will be overwritten.
It is likely that a malicious script is hidden somewhere, so if it is a simple site I will delete everything, reinstall and re-upload plugins. Of course anything in wp-content will need to be saved and restored. But note, a malicious script could be hidden in here.
It might just be easier to do a full restore at this point. Find a recent backup, upload the files and check with Google's tool to see if the malicious code is still active. It is always worth contacting your webhost for help, depending on how good they are they might even sort this out for you.
Remember, any attempt to restore or overwrite files could potentially impact your site or result in data loss so make sure you backup everything you need. Although it is unlikely the malicious code is in the WordPress database you should definitely back this up too.
Unfortunately there is no easy way to remove these types of hack, you never quite know what malicious code has been used. You should consider changing all passwords and reviewing your security so that the hacker doesn't do the same thing again as soon as you get the site up! Make sure all apps on the server are up to date.
Even the most secure WordPress sites get hit from time to time, this is why security is important and why daily backups are essential.

Possible apache / php exploits [closed]

Closed. This question is off-topic. It is not currently accepting answers.
Closed 9 years ago.
I have a question about exploiting a php server.
If I restrict all write access to the file system which the web server is running on, what kind of possible exploits can be run to gain access to the server?
And of course the server is running as a standard user.
Can this be regarded as a secure server then?
If an exploit exists that can give the hacker root access, then no amount of permission settings will stop him writing to the file system.
I don't know of any root exploits in PHP or Apache at the moment, but that's not to say they don't exist.
In addition, if the PHP program calls any external programs (via exec(), system(), etc), then those programs also pose the same theoretical risk. And if the PHP program uses eval() in an insecure way, then the attacker could theoretically call any program on the system, again with the same level of risk.
However, this kind of attack is relatively rare; most hacks against PHP software tend to be database attacks, because that's often the weak point in the program code, and also often offers better rewards to the attacker than a file system hack.
Of course, if the entire file system is write protected, then the DB won't be able to make updates either, which would prevent some kinds of DB attack (but would also likely be a problem for your normal DB usage). But a database attack could be in many forms, from simply reading the user passwords to inserting malicious data into the DB, and not all of them require write access. So write protection only goes so far to help you here.
Depending on what you mean by "restrict all write access", you may also have problems with software that expects to be able to write to the file system, including Apache, which writes a log file of activity. Not being able to write to this may be okay for Apache, but it will seriously impair your ability to work out what happened when an attack does occur.
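The answer above ends on why the access log matters, and the first answer on this page says what to look for in it: a whole bunch of requests from a single IP address, and hits on files that should not exist. The following is an added triage script, not code from either answer, that applies both checks to Apache combined-format lines. The log lines are constructed for this example; `KNOWN_SCRIPTS` and `BURST_THRESHOLD` are assumed values you would set from your own site tree and traffic.

```php
<?php
declare(strict_types=1);

const KNOWN_SCRIPTS   = ['/index.php', '/contact.php', '/about.php'];  // assumed site scripts
const BURST_THRESHOLD = 50;   // assumed: requests from one IP in the sample worth flagging

// Apache "combined" format:
// host ident authuser [date] "method path protocol" status bytes "referer" "user-agent"
const LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+) "[^"]*" "([^"]*)"$/';

function parse_line(string $line): ?array
{
    if (!preg_match(LOG_RE, $line, $m)) {
        return null;   // unparseable: counted separately rather than silently dropped
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'path' => $m[4],
            'status' => (int) $m[5], 'ua' => $m[7]];
}

function triage(array $lines): array
{
    $perIp = [];
    $unknownPhp = [];
    $unparsed = 0;
    foreach ($lines as $line) {
        $r = parse_line($line);
        if ($r === null) { $unparsed++; continue; }
        $perIp[$r['ip']] = ($perIp[$r['ip']] ?? 0) + 1;
        // Drop the query string before comparing against the known script list.
        $path = strtok($r['path'], '?');
        if (substr($path, -4) === '.php' && !in_array($path, KNOWN_SCRIPTS, true)) {
            $unknownPhp[] = ['ip' => $r['ip'], 'path' => $path,
                             'method' => $r['method'], 'status' => $r['status']];
        }
    }
    arsort($perIp);
    $bursts = array_filter($perIp, fn(int $n): bool => $n >= BURST_THRESHOLD);
    return ['bursts' => $bursts, 'unknown_php' => $unknownPhp, 'unparsed' => $unparsed];
}

// Constructed sample: one normal visitor, one host hammering the contact form,
// then a successful request for a .php file that is not part of the site.
function sample_lines(): array
{
    $lines = [
        '203.0.113.7 - - [10/Mar/2013:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    ];
    for ($i = 0; $i < 60; $i++) {
        $lines[] = sprintf('198.51.100.9 - - [10/Mar/2013:10:01:%02d +0000] "POST /contact.php HTTP/1.1" 200 312 "-" "python-requests/2.2"', $i);
    }
    $lines[] = '198.51.100.9 - - [10/Mar/2013:10:02:05 +0000] "GET /images/cache.php?x=1 HTTP/1.1" 200 88 "-" "python-requests/2.2"';
    return $lines;
}

$report = triage(sample_lines());
foreach ($report['bursts'] as $ip => $n) {
    echo "burst: $ip made $n requests\n";
}
foreach ($report['unknown_php'] as $hit) {
    echo "unknown script: {$hit['method']} {$hit['path']} from {$hit['ip']} (status {$hit['status']})\n";
}
echo "unparsed lines: {$report['unparsed']}\n";
```

On a real incident, feed it the whole log (`file('access.log', FILE_IGNORE_NEW_LINES)`) and treat a 200 status on an unknown `.php` path as the first thing to investigate: it means the file was present and executed, which dates the compromise to before that request.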

Malware infected website [closed]

Closed. This question is off-topic. It is not currently accepting answers.
Closed 10 years ago.
I have the following problem:
The website I made for a friend has been infected with malware. When I tried to clean it by replacing the files I found to be different from the ones I uploaded with my original files, after a short time the files were different again. The file permissions are all 644, and the folders 755. It is as if the one who infected the files has access to change them whenever I change them back. Can anyone help me, since I am very new to these kinds of problems?
First things first: report this to your webhost immediately! Secondly change all of your relevant passwords!
That being done, there are a few possible causes:
Your parent webhost has been compromised, in which case there is nothing you can do except move to a better host.
Your website contains a vulnerability that is being picked-up by kiddies with their vuln-scanners. Be sure to audit your code to ensure that no user action can result in your website's filesystem being touched inappropriately; also check for SQL injection avenues.
Your website uses a widely-distributed application, such as WordPress, that has not been patched - this is a major problem.
Your own PC has been compromised and ne'er-do-wells have used a keylogger or other software to discover your FTP or SSH account details, and are abusing your website. Run a local scan and audit everything to ensure your bank account isn't being raided either.
This isn't a code-related problem. This isn't the place for your question.
But: It's likely that a program is running on your server and re-infecting the files. I'd recommend either taking it to a professional malware removal service, or (my preference) burning the server in a fire and allowing a new server to rise from the ashes. Then install an AV suite on the new server.

Protect a part of an application's code sources [closed]

Closed. This question is off-topic. It is not currently accepting answers.
Closed 10 years ago.
I am developing an ERP application.
Next month I will recruit 2 employees, developers.
The application consists of two parts:
The core of the system
modules.
Is there a way to "protect" the core of the system for a possible theft from new employees? I do not want to see my codes with competitors in a few months (risk exists).
I thought to limit access via FTP, SVN work, etc., but thinking about it, I found that the developer always has a way to know the core of the system files (a simple PHP script that displays the directory) or execute a script that will rename the .php to .txt to be able to download it...
Will encoding the core with Ioncube be sufficient?
Any other solution?
This is really a legal and not a programming matter. You should have them sign non-disclosure and non-competition agreements and call it a day - coming up with unnecessarily complex solutions is really unnecessary.
I thought to limit access via FTP, SVN work, etc., but thinking about it, I found that the developer always has a way to know the core of the system files or execute a script that will rename the .php to .txt to be able to download it...
Obviously. Realise that any security invented by a human can be circumvented by another. You still should impose such restrictions - if they do gain access to the application core, you may need to prove that this could only be possible by intentionally circumventing security measures.
To be blunt, always give employees the access they need to do their job, but never more than that.
