Hanna Posted May 11, 2010

Hello,

My website has been hacked, and the attacker left a message saying: "your missing something in your php.ini if you want to prevent future hacks configure it right". I really don't like this, because my website means a lot to me. I use mysql as database. I have read the php.ini file, but I can't figure it out. Can you guys please help me by reviewing my php.ini?

Thanks to everyone who helps me,
Hanna

My php.ini is attached as txt file. Maybe you need to open it in wordpad to view it right.

[attachment deleted by admin]

mikesta707 Posted May 11, 2010

Well, that text file is horribly formatted, and almost unreadable, so I'm not going to go through it, but we need WAY more information to help you. What kind of attack did he execute? Is there perhaps a vulnerability in one of your pages? Telling us you were hacked and hoping someone can point out an error in your php.ini is like trying to find a needle in a haystack.

My guess (and this is a completely blind guess at that) is that you may not be escaping input from the user correctly when using that input in queries. This may be because you have poor security in your script, or you have magic_quotes_gpc enabled, and try to escape an already escaped string. Regardless, please post some more information. Perhaps the PHP of the page that was attacked.

PFMaBiSmAd Posted May 11, 2010

It would actually be more helpful if you posted the output from a phpinfo(); statement so that we could see the actual settings.

Based on what you did post (the magic_quotes_gpc setting is off), your code is likely not using mysql_real_escape_string() to prevent sql injection in string data or validating/casting numeric data to prevent sql injection and someone managed to inject some sql to either dump your user table or to log in as you under your scripts.

Edit: Also, based on what you did post, allow_url_fopen is on, so under PHP4 (the requested phpinfo() output will also tell us which php version you are using), your code might allow remote php code inclusion, which would allow someone to include and run their php code on your server.

xeross Posted May 11, 2010

magic_quotes_gpc = Off
This doesn't matter, however, but mikesta commented on it.

short_open_tag = On
In general not good practice (as XML in files would break it when parsed).

And as far as I know he had to find a leak in your site; it shouldn't be caused by your php.ini. It might prevent the exploit from working, but it would still be present.

Hanna Posted May 11, 2010

Hello, first of all thank you guys very much for all these fast replies.

It is not possible to use sql injection and XSS at my website; I have already tried these two vulnerabilities myself because I know how they work. According to the attacker, something in php.ini made it possible for him to gain entry to one of my user accounts and to deface the front page with a picture with his message.

kenrbnsn Posted May 11, 2010

The top of the PHP.INI file you sent contains:

;;;;;;;;;;;
; WARNING ;
;;;;;;;;;;;
; This is the default settings file for new PHP installations.
; By default, PHP installs itself with a configuration suitable for
; development purposes, and *NOT* for production purposes.
; For several security-oriented considerations that should be taken
; before going online with your site, please consult php.ini-recommended
; and http://php.net/manual/en/security.php.

Did you read and follow those directions?

Ken

PFMaBiSmAd Posted May 11, 2010

We have already pointed out at least two possible security holes. The posted php.ini information also has display_errors ON, which would allow a hacker to see resulting errors that he triggers by feeding your scripts all kinds of unexpected data (having nothing to do with injecting sql.)

No one here mentioned XSS. What was suggested however was remote php code inclusion. And frankly, it is equally likely that you have an upload function on your site and someone was able to upload a .php script and execute it.

teamatomic Posted May 11, 2010

Seeing as you don't set a base_dir or use any type of safe_mode_exec_dir, you should have these functions disabled:

disable_functions="dir,readfile,shell_exec,exec,virtual,passthru,proc_close,proc_get_status,proc_open,proc_terminate,system"

xeross Posted May 12, 2010

> Seeing as you don't set a base_dir or use any type of safe_mode_exec_dir, you should have these functions disabled:
> disable_functions="dir,readfile,shell_exec,exec,virtual,passthru,proc_close,proc_get_status,proc_open,proc_terminate,system"

No need for disabling unless there's an exploit in your code.
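
The directives questioned across this thread (display_errors, allow_url_fopen, magic_quotes_gpc, short_open_tag, open_basedir, disable_functions) can be read from the running interpreter with ini_get(), which gives the effective values that phpinfo() output would show rather than what one php.ini file says. The script below is an added example, not code from any poster; the function names ini_flag and audit_settings are made up here, and allow_url_include is an addition the thread does not name.

```php
<?php
// Added example, not code from the thread. Run it through the web server, not
// only the CLI: each SAPI can load a different php.ini.

// ini_get() returns strings such as "1", "", "On" or "stderr"; map them to a bool.
// Returns null when the directive does not exist (e.g. magic_quotes_gpc on PHP 5.4+).
function ini_flag($name) {
    $raw = ini_get($name);
    if ($raw === false) {
        return null;
    }
    $off = array('', '0', 'off', 'false', 'no', 'none');
    return !in_array(strtolower(trim($raw)), $off, true);
}

function audit_settings() {
    // Boolean directives named in the thread, with the concern raised for "on".
    $when_on = array(
        'display_errors'    => 'error text is shown to visitors',
        'allow_url_fopen'   => 'URL wrappers enabled (PHP 4: include of a URL possible)',
        'allow_url_include' => 'include/require accept URLs (directive exists from PHP 5.2)',
        'magic_quotes_gpc'  => 'input arrives pre-escaped; escaping again doubles it',
        'short_open_tag'    => '<? opens PHP, which clashes with <?xml in files',
    );
    $findings = array();
    foreach ($when_on as $name => $concern) {
        if (ini_flag($name) === true) {
            $findings[] = "$name = On: $concern";
        }
    }
    // String directives: an empty value means no restriction is configured.
    $when_empty = array(
        'open_basedir'      => 'file access is not confined to a directory',
        'disable_functions' => 'no functions are disabled',
    );
    foreach ($when_empty as $name => $concern) {
        if (trim((string) ini_get($name)) === '') {
            $findings[] = "$name is empty: $concern";
        }
    }
    return $findings;
}

header('Content-Type: text/plain');
echo 'PHP ', PHP_VERSION, ' (', PHP_SAPI, ")\n";
foreach (audit_settings() as $line) {
    echo $line, "\n";
}
```

Delete the script from the web root once you have the output, since it discloses configuration to anyone who requests it.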