Hello all. I am looking for some advice on an issue I am having with my Host. What does this have to do with PHP Code? Read on...
My host (for the time being unnamed) has allowed a malicious customer of theirs to break into other people's domains and rewrite some of their files. I am one of the other customers that was affected by this malicious customer.
One of the files rewritten on my domain was the index page of a popular subdomain that I host. The hack was a single line of code (an iFrame) appended to the end of my closing PHP tag (?>). While my host says there is no longer a threat of this type for me to worry about, I want to be able to protect my customers by keeping my code clean. Which leads me to my question...
What, in your opinion, is the best way for me to monitor my code and, if there is something different in the code than what I intended to be in there, how would you suggest I clean it?
The floor is open (so to speak), so I will begin with what I was thinking of doing. I thought of writing a function that would redirect the user to another PHP page (a code validation page, if you will) that checked the entire file that sent the user to the code validator. The validator would then open the file, check the length of the file, check to find the closing PHP tag and make sure there was nothing after it. If there was something after it, rewrite whatever is after it to kill what was there. After this validation was done, send the user back to the page that the user originally wanted, setting some cookies along the way to make sure this is only done once per page per user per visit. What do you think?
ADVICE REQUESTED - Checking for alterations
- RobertGonzalez
- Site Administrator
- Posts: 14293
- Joined: Tue Sep 09, 2003 6:04 pm
- Location: Fremont, CA, USA
- Ambush Commander
- DevNet Master
- Posts: 3698
- Joined: Mon Oct 25, 2004 9:29 pm
- Location: New Jersey, US
If your webhost has cron jobs, md5 hash the scripts and then compare those with a "good file" stored somewhere safe. Keep exact copies of the script somewhere else and simply replace the old one if it is affected. Check them once in a while, or maybe check on go.
A few notes: cron jobs may be the better way to go, because if the user is truly malicious and is trying to do bad, bad things, he can always edit the code for monitoring code.
Furthermore, this is a serious security breach: this opens the door for him to steal cookies, and compromise your data. If you have these concerns, you should move to another webhost that is more security minded.
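The cron-based check described in the reply above, as an added example that is not part of the original thread: a shell script that baselines every `.php` file, lists files that differ from the baseline, and restores them from known-good copies. It uses SHA-256 in place of the MD5 mentioned in the reply; the function names, paths and sample site are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. Names and paths are assumptions.
# Keep the manifest and known-good copies where the web-server user cannot write.

# make_manifest WEBROOT MANIFEST: record a SHA-256 for every .php file.
make_manifest() {
    ( cd "$1" && find . -type f -name '*.php' -exec sha256sum {} + | LC_ALL=C sort ) > "$2"
}

# changed_files WEBROOT MANIFEST: print paths that were modified, deleted or added.
changed_files() {
    cur=$(mktemp) || return 2
    make_manifest "$1" "$cur"
    # Lines found in only one manifest belong to files that differ from the baseline.
    LC_ALL=C comm -3 "$2" "$cur" | sed 's/^[[:space:]]*[0-9a-f]\{64\}  //' | LC_ALL=C sort -u
    rm -f "$cur"
}

# restore_changed WEBROOT MANIFEST GOODDIR: put back the known-good copy of each
# changed file; a file with no known-good copy is only reported.
restore_changed() {
    changed_files "$1" "$2" | while IFS= read -r f; do
        if [ -f "$3/$f" ]; then
            cp -p "$3/$f" "$1/$f" && echo "restored $f"
        else
            echo "unexpected file $f: review by hand"
        fi
    done
}

# demo: constructed sample site with an iframe line appended after the closing tag.
demo() {
    d=$(mktemp -d) || return 2
    mkdir -p "$d/www/sub" "$d/good"
    printf '<?php echo "home"; ?>\n' > "$d/www/index.php"
    printf '<?php echo "sub"; ?>\n' > "$d/www/sub/index.php"
    cp -Rp "$d/www/." "$d/good/"
    make_manifest "$d/www" "$d/manifest.sha256"
    printf '<iframe src="http://example.invalid/"></iframe>\n' >> "$d/www/sub/index.php"
    changed_files "$d/www" "$d/manifest.sha256"              # list what differs
    restore_changed "$d/www" "$d/manifest.sha256" "$d/good"  # replace from good copies
    changed_files "$d/www" "$d/manifest.sha256"              # re-check after restore
    rm -rf "$d"
}

# Run the constructed demo only when asked: sh check_php.sh demo
if [ "${1:-}" = demo ]; then demo; fi
```

From cron, the script would call `restore_changed` (or just `changed_files` piped to mail) with the real web root, manifest and known-good directory; the manifest is rebuilt with `make_manifest` after each legitimate deployment.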