Recently one of the files that did payment processing was modified by a hacker. He added a line of code to get a copy of the card info. Site is safe from XSS/SQL Injection attacks.

  1. The file is under /var/www/html and the folder has 777 permissions
  2. The file has 777 permissions too; I suspect this was changed by the hacker as well.
  3. Although the file was modified in April 2014, the timestamp said it was modified only in December 2012.

So, does this mean someone gained access via ssh/ftp and modified it without affecting file stats? Or is this via something like HTTP PUT? What are the possibilities? Any insights?

AstroCB
mishka
  • Unix allows you to set the file modification time if you have write permission to the file. What does `ls -lc filename.php` show? The ctime can't be set by hand. – Barmar Apr 17 '14 at 07:42
  • Do you do any file handling? It's likely that they got in that way. – slugonamission Apr 17 '14 at 08:13
  • You sure it is safe from SQL injections? People can put in "fopen fwrite" commands and write into your files that way as well. – Xatenev Apr 17 '14 at 08:27
  • @slugonamission, you mean fopen or such with a url? Nope, no such activity and also all input vars are filtered using PHP Input Filter. – mishka Apr 18 '14 at 07:47
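
Added example (not part of the original question or its comments): a triage check in the spirit of the `ls -lc` suggestion above, listing files whose inode change time (ctime) is far later than their modification time (mtime) or that are world-writable. It assumes GNU `find` and `touch` on Linux; the function names, the one-day threshold and the sample files are constructed for illustration. A ctime gap is a lead rather than proof, because `chmod`, `chown` and renames also update ctime.

```shell
#!/usr/bin/env bash
# suspicious_files DIR [MIN_GAP_SECONDS]
# Prints one tab-separated line per flagged regular file:
#   reason  mode  mtime-date  ctime-date  path
# Assumes GNU find (-printf) and paths without tabs or newlines.
suspicious_files() {
    local dir=$1 gap=${2:-86400}   # default threshold: one day (assumption)
    find "$dir" -type f \
        -printf '%T@\t%C@\t%m\t%TY-%Tm-%Td\t%CY-%Cm-%Cd\t%p\n' |
    awk -F'\t' -v gap="$gap" '{
        reason = ""
        # mtime can be set with touch; ctime is set by the kernel on any
        # inode change, so a large positive gap suggests a backdated mtime.
        if ($2 - $1 > gap) reason = "ctime>>mtime"
        # Last octal digit of the mode is the "other" class; bit 2 = write.
        other = substr($3, length($3), 1) + 0
        if (other == 2 || other == 3 || other == 6 || other == 7)
            reason = (reason == "" ? "" : reason ",") "world-writable"
        if (reason != "")
            printf "%s\t%s\t%s\t%s\t%s\n", reason, $3, $4, $5, $6
    }'
}

# Constructed sample: one untouched file and one that is mode 777 with its
# mtime backdated to December 2012, mirroring the situation in the question.
demo() {
    local d
    d=$(mktemp -d)
    echo '<?php // constructed sample' > "$d/index.php"
    echo '<?php // constructed sample' > "$d/payment.php"
    chmod 644 "$d/index.php"
    chmod 777 "$d/payment.php"
    touch -d '2012-12-01 00:00:00' "$d/payment.php"   # mtime moves back, ctime becomes "now"
    suspicious_files "$d"
    rm -rf "$d"
}

demo
```

Run against a real web root as `suspicious_files /var/www/html`, then compare the reported ctime dates with web server, SSH and FTP logs from the same window.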

0 Answers