Hi Chaps,
After my clients' site was hacked just over a week ago, I took down the site and made some changes to the PHP scripts.
- Backed up the database, then removed it from the webhost
- Removed all web files
- Changed the FTP and SQL login credentials
- Encrypted all user passwords
- Secured the login/signup scripts with a Captcha tool.
- Secured all account & checkout pages with cookie checks (forces login).
- I validated all the user inputs for XSS.
- Secured the SQL scripts with mysql_real_escape_string()/strip_tags()/str_replace().
- Used HTTP_REFERER on account/checkout pages
I'm hoping this will shore up the front-end site.
Whilst I was backing up the images folder (500Mb+) to my PC, I was warned of trojans and viruses.
It turned out the hackers had placed php files (cid.php/sniper.php/etc) and a couple of files without extensions, into the main Images folder.
Without knowing how they actually did this (whether they had access to the FTP site, gained access through the website, or through a virus on the laptop used to update the site/upload images), I would like to know what I can do to make sure that they can't do this again. There is no option for front-end users to upload files, but the administration site does allow image uploads.
At the moment, the images folder permissions are set to 0775; I think this is correct.
Is there something I can do to the Image folder permissions as a whole, or should I just run a regular check on the directories, checking for all non-image files, or any file/directory that doesn't have the 0775 permission?
Are there any resources on protecting FTP folders with PHP, uploading files/directories to protected folders, good practices to continually check for unwanted files?
Is there anything else I should be looking into? I did read something about the dangers of include()/require_once().
The site is hosted on a shared server, and I don't have access to the .htaccess files. Is there anything I can ask the hosting company to check, to make sure their firewall is working correctly?
Sorry for the range of questions in this, but any help or guidance would be most appreciated.
Many thanks
Website Hacked...Continued..
koolsamule (Forum Contributor)
social_experiment (DevNet Master)
Re: Website Hacked...Continued..
koolsamule wrote: There is no option for front-end users to upload files, but the administration site does allow image uploads.
It's also a good point (if you haven't done it yet) to make sure the administrators of the site that got cracked are aware of security in general. Do they have up-to-date anti-virus software? I have a client where an ex-employee had login details and they proceeded to upload modified files to their server. Login details / passwords should only be kept on a need-to-know basis and not left lying around where prying eyes can get them.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
Re: Website Hacked...Continued..
First, check your image upload code. Are you sure you allow images only?
Second, disable execution of PHP in the images folder. You can do this either via server settings / .htaccess or, best of all, deny web access to the folder altogether and use a script to stream the file (something like image.php?file=images/test.jpg).
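Following the advice in the reply above, here is an added example (not code from the thread or from any of its posters) of the two pieces in PHP: an admin upload handler that accepts only real images under a server-chosen name, and the image.php?file= streaming script written so the file parameter cannot be used to read other files. It assumes PHP 7 or later and an images directory outside the web root at ../private/images; the function names are hypothetical.

```php
<?php
// Added example (not from the thread). Assumes the images folder lives
// outside the web root, e.g. ../private/images, so nothing in it is ever
// executed as PHP, and that image.php is the only way to read from it.
define('IMAGE_DIR', __DIR__ . '/../private/images');
$allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
// Admin upload handler (call only after the admin login check): accept only real images.
function save_uploaded_image(array $file, string $dir, array $allowed): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed');
    }
    // Ignore the client-supplied name and MIME type; sniff the bytes instead.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset($allowed[$mime]) || getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Not an allowed image type');
    }
    // Random hex name + whitelisted extension: no user characters, no "x.php.jpg".
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    if (!move_uploaded_file($file['tmp_name'], "$dir/$name")) {
        throw new RuntimeException('Could not store file');
    }
    chmod("$dir/$name", 0644); // readable data, never executable
    return $name;
}
// image.php?file=<name>: stream one stored image. A naive version that opens
// whatever path the caller passes would read any file the web server can.
function stream_image(string $requested, string $dir, array $allowed): void
{
    // Only the exact shape of names we generate is accepted, so "../" cannot appear.
    if (!preg_match('/\A[a-f0-9]{32}\.(jpg|png|gif)\z/', $requested)) {
        http_response_code(404); exit;
    }
    $path = realpath("$dir/$requested");
    // Belt and braces: the resolved path must still sit inside $dir.
    if ($path === false || strpos($path, realpath($dir) . DIRECTORY_SEPARATOR) !== 0) {
        http_response_code(404); exit;
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    if (!isset($allowed[$mime])) { http_response_code(404); exit; }
    header('Content-Type: ' . $mime);
    header('X-Content-Type-Options: nosniff'); // browser must not guess a different type
    header('Content-Length: ' . filesize($path));
    readfile($path);
}
if (isset($_GET['file'])) {
    stream_image($_GET['file'], IMAGE_DIR, $allowed);
} elseif (isset($_FILES['image'])) {
    echo save_uploaded_image($_FILES['image'], IMAGE_DIR, $allowed);
}
```

Because the stored files are never reachable by a direct URL, a PHP file that somehow lands in the folder cannot be executed by the web server, which is the property the reply above is after.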