
I am having some serious security breaches on my website. After securing the web server, I will now secure my PHP files.

Thus, I want to know all the methods that might be used to upload or edit PHP files due to an exploit in my PHP scripts.

TDSii
  • Instead of searching for individual function names, look for your image upload feature first. The actual problem is taking unvetted client submitted values. – mario Mar 13 '11 at 13:54
  • @mario True, but all programmers should be aware of all dangerous functions, and some are not as obvious. – rook Mar 13 '11 at 20:27

5 Answers

2

sigh, hundreds and hundreds. Apply proper safety checks in code, and for heaven's sake, don't make anything writable/executable for the web-user which shouldn't be (no lazy blanket 0777 as people seem to indulge in).

Wrikken
  • Separate users for 'owner' & web-server, making the files owned by owner, group as webserver's group. chmod files `0640`, dirs `0750`. Store uploads outside document root & serve them by `readfile`, or if you need them inside the document root [disable php in that dir](http://stackoverflow.com/questions/1271899/disable-php-in-directory-including-all-sub-directories-with-htaccess). Never use insecure methods like FTP to upload but secure ones like SFTP / SCP. Scan for loggers / viruses / malware on your own computer often. Sanitize & validate all user input. – Wrikken Mar 13 '11 at 17:52
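The comment above packs several controls into one sentence: keep uploads outside the document root, never let the client choose the filename, hand the file back through `readfile`, and keep permissions tight. The following is an added example that puts them together; it is not code from the question or from any of the answerers. The directory `/var/www/uploads`, the size limit, the function names `storeUpload` and `serveUpload`, and the script names `upload.php` / `serve.php` are my assumptions.

```php
<?php
// Added example (not from the original post): an image upload handler that
// follows the advice above. Assumption: UPLOAD_DIR lies outside the
// DocumentRoot, is writable by the web-server user, and serve.php is the
// only way the stored files are read back.

declare(strict_types=1);

const UPLOAD_DIR = '/var/www/uploads';   // assumed path, outside DocumentRoot
const MAX_BYTES  = 2 * 1024 * 1024;

// Allowed image types, keyed by the MIME type detected from the file *content*.
const ALLOWED = [
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
];

/**
 * Validate one entry of $_FILES and move it under a server-chosen name.
 * Returns the stored filename, or throws on anything suspicious.
 */
function storeUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with code ' . $file['error']);
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }

    // Decide the type from the bytes, never from the client-supplied name or type.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime]) || getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not an allowed image type');
    }

    // Server-generated name: the client's filename never touches the filesystem,
    // and the extension comes from the detected type, so "shell.php" cannot land here.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = UPLOAD_DIR . '/' . $name;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);   // readable by owner/group, never executable
    return $name;
}

/**
 * Serve a stored upload by name. The name is matched against the exact
 * pattern storeUpload() produces, so no path components can be smuggled in.
 */
function serveUpload(string $name): void
{
    if (!preg_match('/^[a-f0-9]{32}\.(png|jpg|gif)$/', $name)) {
        http_response_code(404);
        return;
    }
    $path = UPLOAD_DIR . '/' . $name;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    $mime = array_search(pathinfo($name, PATHINFO_EXTENSION), ALLOWED, true);
    header('Content-Type: ' . $mime);
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

// upload.php would call: $stored = storeUpload($_FILES['image']);
// serve.php would call:  serveUpload($_GET['f'] ?? '');
```

Because the stored file is never reachable by URL and its name is fully server-generated, the web server has no occasion to execute it even if the upload directory were somehow misconfigured; the `0640` mode and the `nosniff` header are the second and third layers.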
2

If your webserver was compromised, there is no way around reinstalling the whole webserver! As mentioned above there might be rootkits already installed. I guess by "securing the webserver" you also reinstalled it?

It all depends what your webserver is hosting. If you use a CMS of any type (Joomla, ...), or a forum, then check for updates for these.

I agree with the things mentioned above:

  • Check where your users can upload images or other files
  • Check your includes in the PHP files: if you use dynamic including (i.e. `include($_GET['sitename'] . '.php');`) then please whitelist check those items, meaning only sites that are known should be included
  • Look at your PHP logs (you can find the path to your PHP logs in your php.ini). Those logs (especially notices and warnings) give loads of hints of flaws in your program. You might find out how the attacker could compromise your server there (if you know when the server was attacked)
  • While you're at it: check for SQL injections. (http://php.net/manual/de/security.database.sql-injection.php)
  • Search for usages of "eval" and system execution functions like "exec" (http://at2.php.net/manual/en/book.exec.php)
Gika
1

One of the most common issues is code like `include($_REQUEST['site'].'.php')` which allows the attacker to include code from remote servers if `allow_url_include` is not disabled in php.ini

ThiefMaster
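Both the answer above and Gika's "whitelist check those items" point describe the same defect: the request string becomes part of the path handed to `include`. As an added example (not code from either answer), here is that pattern beside a whitelisted version. The page keys, the `pages/` directory and the function names `resolvePage`, `includePageUnsafe` and `includePageSafe` are assumptions of mine.

```php
<?php
// Added example (not from the answers above): the dynamic include the answers
// warn about, and a whitelisted replacement. The PAGES map and the pages/
// directory are assumed.

declare(strict_types=1);

// Vulnerable: the request decides which file is included. With
// allow_url_include=On in php.ini the string may be a remote URL; even with
// it Off, any local .php file the web-server user can read is reachable.
function includePageUnsafe(): void
{
    include($_REQUEST['site'] . '.php');
}

// Hardened: the request only selects a key in a fixed map of known pages.
// The value is never built from the request, so there is nothing to traverse.
const PAGES = [
    'home'    => __DIR__ . '/pages/home.php',
    'about'   => __DIR__ . '/pages/about.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

/** Resolve a page key to an allowed path, or null if it is not on the list. */
function resolvePage(string $key): ?string
{
    return PAGES[$key] ?? null;   // exact-key lookup, no string concatenation
}

function includePageSafe(): void
{
    // Read from $_GET rather than $_REQUEST so cookies and POST bodies cannot
    // override the parameter.
    $path = resolvePage((string)($_GET['site'] ?? 'home'));
    if ($path === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $path;
}
```

The whitelist is the real fix; `allow_url_include = Off` (the default since PHP 5.2) only removes the remote variant and should be kept off regardless.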
1

You should check out the file I/O section of Exploitable PHP Functions.

rook
0

Look for a web shell script, basically a PHP file which allows anyone to do anything when accessed.

Hackers generally try to make it look non-malicious, for example, disguising it as a Google Webmaster Tools authentication file google-34facsdb7fdfd33c.php.

alex
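Since a planted file can carry any name, the answer above and Gika's "search for eval and exec" suggestion both come down to inspecting file contents rather than names. The following added example (not code from any answerer) walks a web root and reports PHP files that call functions typical of web shells, newest first, so the reviewer starts with what changed most recently. The function list, the script name `scan.php` and the function names `suspiciousCalls` and `scanWebRoot` are my own choices.

```php
<?php
// Added example (not from the answers above): a read-only scan of a web root
// for PHP files that look like web shells. The list of functions is my
// assumption; matches are leads to review, not verdicts, because legitimate
// code uses some of these too.

declare(strict_types=1);

const SUSPICIOUS_CALLS = [
    'assert', 'system', 'exec', 'shell_exec', 'passthru', 'popen',
    'proc_open', 'base64_decode', 'gzinflate', 'str_rot13', 'create_function',
];

/** Return the suspicious function names called in one PHP source string. */
function suspiciousCalls(string $source): array
{
    $found  = [];
    $tokens = token_get_all($source);
    $n      = count($tokens);
    for ($i = 0; $i < $n; $i++) {
        $t = $tokens[$i];
        if (!is_array($t)) {
            continue;
        }
        // eval is a language construct and gets its own token type.
        if ($t[0] === T_EVAL) {
            $found['eval'] = true;
            continue;
        }
        if ($t[0] !== T_STRING) {
            continue;
        }
        $name = strtolower($t[1]);
        // Skip whitespace and check that the identifier is followed by "(".
        $j = $i + 1;
        while ($j < $n && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) {
            $j++;
        }
        if ($j < $n && $tokens[$j] === '(' && in_array($name, SUSPICIOUS_CALLS, true)) {
            $found[$name] = true;
        }
    }
    return array_keys($found);
}

/** Walk $root and report PHP files that call suspicious functions. */
function scanWebRoot(string $root): array
{
    $report = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if (strtolower($file->getExtension()) !== 'php') {
            continue;
        }
        $calls = suspiciousCalls((string)file_get_contents($file->getPathname()));
        if ($calls === []) {
            continue;
        }
        $report[] = [
            'path'     => $file->getPathname(),
            'calls'    => $calls,
            'mtime'    => date('c', $file->getMTime()),
            'writable' => is_writable($file->getPathname()),   // per Wrikken: should be false
        ];
    }
    usort($report, fn($a, $b) => strcmp($b['mtime'], $a['mtime']));
    return $report;
}

// Usage: php scan.php /var/www/html
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    foreach (scanWebRoot($argv[1]) as $hit) {
        printf("%s  [%s]  %s%s\n", $hit['mtime'], implode(',', $hit['calls']),
               $hit['path'], $hit['writable'] ? '  (writable by this user)' : '');
    }
}
```

Tokenising with `token_get_all` is more reliable than a `grep` for the function names because it ignores comments and string literals, but it cannot see calls made through variable function names (`$f($x)`) or through `eval` of a decoded blob; those are exactly why `base64_decode` and `gzinflate` are on the list. Run it from a known-clean copy of PHP, and compare the results against a release checkout of your own code so that genuine uses are expected rather than alarming.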