
Website Hacked...Continued..


kool_samule


Hi Chaps,

 

After my client's site was hacked just over a week ago, I took down the site and made some changes to the PHP scripts.

 

- Backed up the database, then removed it from the webhost

- Removed all web files

- Changed the FTP and SQL login credentials

- Encrypted all user passwords

- Secured the login/signup scripts with a Captcha tool.

- Secured all account & checkout pages with cookie checks (forces login).

- I validated all the user inputs for XSS.

- Secured the SQL scripts with mysql_real_escape_string()/strip_tags()/str_replace().

- Used HTTP_REFERER on account/checkout pages

 

I'm hoping this will shore up the front-end site.

 

Whilst I was backing up the images folder (500Mb+) to my PC, I was warned of trojans and viruses.

It turned out the hackers had placed php files (cid.php/sniper.php/etc) and a couple of files without extensions, into the main Images folder.

 

Without knowing how they actually did this (whether they had access to the FTP site, gained access through the website, or through a virus on the laptop used to update the site/upload images), I would like to know what I can do to make sure that they can't do this again. There is no option for front-end users to upload files, but the administration site does allow image uploads.

 

At the moment, the images folder permissions are set to 0775, I think this is correct.

 

Is there something I can do to the Image folder permissions as a whole, or should I just run a regular check on the directories, checking for all non-image files, or any file/directory that doesn't have the 0775 permission?

 

Are there any resources on protecting FTP folders with PHP, uploading files/directories to protected folders, good practices to continually check for unwanted files?

 

Is there anything else I should be looking into, I did read something about the dangers of include()/require_once()

 

The site is hosted on a shared server, and I don't have access to the .htaccess files. Is there anything I can ask the hosting company to check that their firewall is working correctly?

 

Sorry for the range of questions in this, but any help or guidance would be most appreciated.

 

Many thanks

 

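The "regular check on the directories" asked about above, written out as an added example (this is not code from the thread). It walks the images folder, flags every entry that is not an image by extension and by content, and reports directories whose mode differs from the 0775 the post mentions. The folder path and the allowed extension and MIME lists are assumptions; adjust them to the site.

```php
<?php
// Added example, not code from the thread. Audits an upload directory for
// files that are not images and for entries whose mode differs from the
// expected one. $imagesDir and the allowed lists are assumptions.

$imagesDir    = __DIR__ . '/images';            // placeholder path to the images folder
$expectedMode = 0775;                            // the mode the thread mentions
$allowedExt   = ['jpg', 'jpeg', 'png', 'gif'];
$allowedMime  = ['image/jpeg', 'image/png', 'image/gif'];

$finfo    = new finfo(FILEINFO_MIME_TYPE);
$findings = [];

$iter = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($imagesDir, FilesystemIterator::SKIP_DOTS),
    RecursiveIteratorIterator::SELF_FIRST
);

foreach ($iter as $path => $info) {
    $rel  = substr($path, strlen($imagesDir) + 1);
    $mode = $info->getPerms() & 0777;

    if ($info->isDir()) {
        if ($mode !== $expectedMode) {
            $findings[] = sprintf('%s: directory mode %o, expected %o', $rel, $mode, $expectedMode);
        }
        continue;
    }

    // 1. Extension check: catches cid.php, sniper.php and files with no extension.
    $ext = strtolower($info->getExtension());
    if ($ext === '' || !in_array($ext, $allowedExt, true)) {
        $findings[] = "$rel: not an allowed image extension";
        continue;
    }

    // 2. Content check: the extension can lie, so ask libmagic what the bytes are.
    $mime = $finfo->file($path);
    if (!in_array($mime, $allowedMime, true)) {
        $findings[] = "$rel: content type '$mime' is not an image";
    }

    // 3. Script-in-image check: a PHP open tag inside a .jpg is worth a look
    //    even when the image header itself is valid.
    $head = file_get_contents($path, false, null, 0, 8192);
    if ($head !== false && stripos($head, '<?php') !== false) {
        $findings[] = "$rel: contains a PHP open tag";
    }
}

if ($findings === []) {
    echo "OK: no unexpected files under $imagesDir\n";
    exit(0);
}
echo "Findings:\n", implode("\n", $findings), "\n";
exit(1);   // non-zero so a cron job or monitoring script can notice
```

Run it from the host's cron (most shared hosts offer one) or from the administration upload handler after each upload, and keep the script itself outside the images folder so it is not one of the files it audits.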

Hi

 

Without trawling through all your web site it is difficult to say anything about how they managed to upload the stuff.

 

However, one thing you can do is put the image directory outside the web-accessible area and instead just pass the image name to a script which reads in and spits out the image. This way, even if they do manage to get a PHP script uploaded to the image directory, it will do them no good at all as it can't be executed.

 

All the best

 

Keith


Thanks for the replies,

 

..put the image directory outside the web-accessible area and instead just pass the image name to a script which reads in and spits out the image.

 

How do you do this on a shared server, and if the images are outside the web-accessible area, how can the images be read?


Hi

 

Assuming on your shared server you have a public_html directory in which your web site lives, put the image directory at the same place as public_html. That way it cannot be directly accessed from the web.

 

Then in the web directory you have a PHP script that takes an image name and reads it from the images directory (although the directory is not directly accessible from the web, there is nothing to stop a script from reading it) and writes it out.

 

All the best

 

Keith

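Keith's scheme written out as an added example (this is not his code): an image.php inside public_html that serves files from an images directory sitting beside public_html. The directory layout, the name parameter and the extension list are assumptions. The two checks on the requested name are what make the scheme safe: the script must never be talked into reading a file that is not an image in that directory.

```php
<?php
// Added example, not Keith's code. Serves an image from a directory that
// sits beside public_html rather than inside it. Layout, parameter name and
// extension list are assumptions.

$imagesDir = realpath(__DIR__ . '/../images');   // placeholder: ../images is outside public_html
if ($imagesDir === false) {
    http_response_code(500);                      // directory missing or unreadable
    exit;
}

// Content type comes from this list, never from the stored file.
$allowed = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

$name = isset($_GET['name']) && is_string($_GET['name']) ? $_GET['name'] : '';

// Check 1: accept only a plain file name with a known extension. This rules
// out directory separators, "..", and anything that is not one of the images.
if (!preg_match('/^[A-Za-z0-9_-]+\.(jpe?g|png|gif)$/i', $name)) {
    http_response_code(404);
    exit;
}

// Check 2: resolve the path (symlinks, "..") and confirm it is still inside
// $imagesDir. This guards against a symlink planted in the images directory.
$path = realpath($imagesDir . '/' . $name);
if ($path === false
    || strpos($path, $imagesDir . DIRECTORY_SEPARATOR) !== 0
    || !is_file($path)) {
    http_response_code(404);
    exit;
}

$ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
header('Content-Type: ' . $allowed[$ext]);
header('X-Content-Type-Options: nosniff');   // browser must not reinterpret the bytes
header('Content-Length: ' . filesize($path));
readfile($path);
```

In the HTML the image tags then point at the script instead of the folder, e.g. <img src="/image.php?name=photo.jpg">. Because the images directory is not under public_html, the web server never executes anything placed there; the only thing that can touch those files is this script, and it only ever reads them.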

Is your administration login check actually secure? Assuming you are using a header() redirect if someone is not logged in, do you have an exit; statement after the header() statement to prevent access to the remainder of the code on the 'protected' pages?

 

Also, are you using URLs like ?page=some_page and then including a file named some_page.php, with allow_url_fopen and allow_url_include ON, so that someone can include remote raw PHP code and execute it on your server? OR are you not validating what some_page is, so that someone on a normal visitor page can specify that an administration page be included and the administration content runs at the level of a normal visitor?


Hi,

 

Administration login/pages are secured, so that you shouldn't be able to access them if not logged in.

 

I will double-check the exit;

 

I am using ? parameters, but not in the way you mention (.php?prod_id=something, rather than .php?page=contact). Or will this cause the same issues?

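An added example (not either poster's code) covering the three points in the last two posts: the exit after header(), a ?page= include that cannot be pointed at a remote URL or an administration file, and the follow-up about ?prod_id=. On that last point: prod_id is a query value rather than a file name, so the include problem does not arise, but it still needs validating before it reaches SQL. The session key, login URL and page list are assumptions.

```php
<?php
// Added example, not the posters' code. Shows (1) a login check that stops
// execution after the redirect, (2) a ?page= include driven by a fixed map
// instead of a file name taken from the URL, and (3) handling of a numeric
// ?prod_id= parameter. Session key, login URL and page list are assumptions.

session_start();

// (1) Put this at the top of every administration page. Without the exit,
//     PHP sends the Location header and then keeps running, so the rest of
//     the page is still delivered to any client that ignores the redirect.
function requireAdminLogin(): void
{
    if (empty($_SESSION['admin_id'])) {           // assumed session key
        header('Location: /admin/login.php');     // assumed login URL
        exit;
    }
}

// (2) Only the names listed here can ever be included. Remote URLs, "../"
//     sequences and administration files are not in the map, so they cannot
//     be reached whatever a visitor puts in ?page=.
const PUBLIC_PAGES = [
    'home'    => __DIR__ . '/pages/home.php',     // assumed files
    'contact' => __DIR__ . '/pages/contact.php',
];

function resolvePublicPage($requested): string
{
    if (is_string($requested) && isset(PUBLIC_PAGES[$requested])) {
        return PUBLIC_PAGES[$requested];
    }
    return PUBLIC_PAGES['home'];                  // unknown name: fall back, don't guess
}

// (3) ?prod_id= never becomes a path, so it cannot include anything. It is
//     still untrusted input headed for a query: accept digits only and cast,
//     so the value that reaches SQL is a plain integer.
function productIdFromRequest(): ?int
{
    if (!isset($_GET['prod_id']) || !is_string($_GET['prod_id']) || !ctype_digit($_GET['prod_id'])) {
        return null;
    }
    return (int) $_GET['prod_id'];
}

// Usage on a public page:
//   require resolvePublicPage($_GET['page'] ?? 'home');
//
// Usage on a product page:
//   $prodId = productIdFromRequest();
//   if ($prodId === null) { http_response_code(404); exit; }
//   $stmt = $mysqli->prepare('SELECT name, price FROM products WHERE id = ?');
//   $stmt->bind_param('i', $prodId);
```

The usage comments assume a mysqli connection in $mysqli; the thread's mysql_real_escape_string() belongs to the old mysql extension, which has since been removed from PHP, and a bound integer parameter is the equivalent today.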
