PHP Website has been hacked. Please Advise.

DarkLight (287 posts, joined Oct 2007):

Hi guys. For a while now I have been focusing on website security. However, someone got through my defences. I booted up my FTP client a couple of days ago to find a file, cgi.html.

I will not post the code here, as it is quite long. Instead, I have attached it.

I have 2 main user inputs on my site. One of which is a search, using SQL SELECT, another is a Playlist Name field using SQL INSERT. Both of which are being sanitized by this function:

<?php
// The clean() function as posted, with the step order fixed so that each step
// actually takes effect:
//  - stripslashes() exists to undo magic_quotes_gpc. Run after
//    mysql_real_escape_string() it strips the backslashes the escaping just
//    added, so the SQL escaping was being undone.
//  - strip_tags() has to run before htmlspecialchars(); once '<' and '>' are
//    encoded there are no tags left to strip.
//  - the separate ltrim()/rtrim() calls repeated what trim() had already done.
// mysql_real_escape_string() requires an open mysql_connect() link.
function clean($string) {
    $string = stripslashes($string);                  // undo magic_quotes_gpc, if enabled
    $string = trim($string, "\r\x0B\n\t\0 ");         // strip surrounding whitespace and NULs
    $string = strip_tags($string);                    // drop HTML tags
    $string = preg_replace('/\s\s+/', ' ', $string);  // collapse runs of whitespace
    $string = htmlspecialchars($string);              // encode <, >, &, " for HTML output
    $string = mysql_real_escape_string($string);      // escape for the SQL string literal: last step
    return $string;
}
?>

In addition, I have this script in my HTAccess file for additional security:

RewriteCond %{QUERY_STRING} (\|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare|drop).* [NC]
RewriteCond %{QUERY_STRING} ^.*=(ht)|(f)|(sf)+(tp)+(://|s://)+.*(\?\?)+ [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|'|"|;|\?|\*).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(&#x22;|&#x27;|&#x3C;|&#x3E;|&#x5C;|&#x7B;|&#x7C;).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]
RewriteCond %{QUERY_STRING} !redirect_to [NC]
RewriteCond %{QUERY_STRING} !continue [NC]
RewriteCond %{QUERY_STRING} .*=http.*(\:|%3A) [NC,OR]
RewriteCond %{QUERY_STRING} .*=https.*(\:|%3A) [NC,OR]
RewriteCond %{QUERY_STRING} .*=ftp.*(\:|%3A) [NC,OR]
RewriteCond %{QUERY_STRING} .*=sftp.*(\:|%3A) [NC,OR]
RewriteCond %{QUERY_STRING} .*jos_.* [NC,OR]
RewriteCond %{QUERY_STRING} .*users\+where\+gid.* [NC,OR]
RewriteCond %{QUERY_STRING} .*proc/self/environ.* [NC,OR]
RewriteCond %{QUERY_STRING} .*union\+select.* [NC,OR]
RewriteCond %{QUERY_STRING} .*perl\+.* [NC,OR]
RewriteCond %{QUERY_STRING} .*curl\+.* [NC,OR]
RewriteCond %{QUERY_STRING} .*SQL.* [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule .* http://frost.de/trap.php [R,L]

Could someone advise me on what to do to secure my site against this threat? As far as I am aware, I have had no code modifications, or changes other than this file upload to site root.

I am a little paranoid because if someone is doing this, they could potentially cause more damage.

Thanks in advance.

All the best news here: https://newsbotnet.com

Attachment: cgi.html (29.98 KB)
Greg K (2,145 posts, joined Nov 2003):

It would really depend on what type of site you have hosted, as well as what type of hosting environment.

I do see you are using cPanel, which generally locks down accounts pretty well to prevent the issue of one user being able to write into another user's account.

If it was my server or one I was maintaining, I would be checking the log files for the time period the file was added, as well as log files for things such as FTP.

Good practice would be to make sure you change the passwords ASAP to something strong, and never use regular FTP for transferring files, use SFTP instead.

Also now that you have been hacked, go check EVERY FILE on the site. Myself I would look through the code of every file that was modified within a month of when you know that the site was hacked. Many times hackers will hide a hack script somewhere deep into a directory, naming it similar to something already there. With a script like that in place, they can pretty much do what they want with your site just from a browser window.

-Greg
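A first-pass triage along the lines Greg describes, as an added example that is not code from this thread, from cPanel or from any FTP server: it lists files modified inside a time window, greps them for constructs typical of PHP backdoors, and pivots from the FTP transfer log to find which remote host uploaded the file and what else that host did. The site tree, the transfer-log lines and the IP addresses are constructed for the example so it runs offline; the log is assumed to be in the classic xferlog format (one transfer per line, remote host in field 7, path in field 9, direction `i` for incoming, user in field 14), which is what the common FTP daemons write. On a real host, point the functions at the real DocumentRoot and the real FTP log.

```shell
#!/bin/sh
# Added example (not code from the thread): post-compromise triage helpers.
# Everything below is constructed sample data; paths and addresses are placeholders.

# Files under $1 modified within the last $2 days, sorted.
recent_files() {
    find "$1" -type f -mtime "-$2" 2>/dev/null | sort
}

# Files under $1 containing constructs typical of PHP backdoors: eval() of a
# decoded blob, or a command-execution function fed straight from request data.
# A hit is a lead to read by hand, not proof of compromise.
webshell_candidates() {
    grep -rlE \
        'eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13)|(system|passthru|shell_exec|exec|popen|proc_open)[[:space:]]*\([[:space:]]*\$_(GET|POST|REQUEST|COOKIE)' \
        "$1" 2>/dev/null | sort
}

# Uploads (direction "i") of a file named $2 in xferlog-format log $1.
# Prints: remote-host username day month date time year
upload_events() {
    awk -v target="$2" '
        $12 == "i" && $9 ~ ("(^|/)" target "$") { print $7, $14, $1, $2, $3, $4, $5 }
    ' "$1"
}

# Every transfer-log line from remote host $2: pivot from the upload to the
# rest of that session (other files the same host pushed).
host_activity() {
    awk -v host="$2" '$7 == host' "$1"
}

# Build a constructed site tree and transfer log in a temp dir; echo its path.
make_sample() {
    sdir=$(mktemp -d)
    mkdir -p "$sdir/public_html/images" "$sdir/logs"
    printf '<?php echo "hello"; ?>\n' > "$sdir/public_html/index.php"
    touch -t 200901011200 "$sdir/public_html/index.php"          # untouched for a year
    printf '<html><body>defaced</body></html>\n' > "$sdir/public_html/cgi.html"
    printf '<?php eval(base64_decode($_POST["c"])); ?>\n' > "$sdir/public_html/images/.thumb.php"
    # Constructed xferlog-style lines: a legitimate download by the owner's
    # usual address, then two uploads from another address using the same account.
    cat > "$sdir/logs/xferlog" <<'EOF'
Tue Mar  2 03:14:07 2010 1 198.51.100.7 2048 /home/site/public_html/style.css b _ o r siteuser ftp 0 * c
Tue Mar  2 03:16:20 2010 1 203.0.113.5 30698 /home/site/public_html/cgi.html b _ i r siteuser ftp 0 * c
Tue Mar  2 03:16:41 2010 1 203.0.113.5 53 /home/site/public_html/images/.thumb.php b _ i r siteuser ftp 0 * c
EOF
    echo "$sdir"
}

site=$(make_sample)
echo "== files modified in the last 30 days"
recent_files "$site/public_html" 30
echo "== files with backdoor indicators"
webshell_candidates "$site/public_html"
echo "== who uploaded cgi.html"
upload_events "$site/logs/xferlog" cgi.html
echo "== everything that host transferred"
host_activity "$site/logs/xferlog" 203.0.113.5
rm -rf "$site"
```

Two things the run shows that a plain directory listing does not: the dot-file under `images/` is only found by the content grep, not by eye, and the transfer log ties both uploads to one foreign address logged in as the site's own account, which is the pattern a stolen or sniffed FTP password produces. The password change Greg recommends follows from that, and the mtime window should be widened if the earliest hit is near its edge, since attackers sometimes reset timestamps.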

DarkLight (287 posts, joined Oct 2007):

Ahh, I see :/ I guess I got a lot of work to do then. I have already looked through the files, and everything is clean and as it should be. I already have almost all known security measures in place.

SFTP? I'm guessing that's Secure FTP? Requires HTTPS/SSL? I don't have that, but I do have strong passwords for FTP accounts and cPanel.

The team who hacked me are called DefCon, if that means anything, and as far as I can see they haven't done anything malicious, just uploaded a file.

One thing I didn't do is check the logs. If this happens again, I will be sure to do that. It's maybe too late now.

Thanks for the info, really appreciated! :)


Greg K (2,145 posts, joined Nov 2003):

If you are using the main account login (the one you use for your cPanel login) you should be able to do SFTP. If you are using a secondary FTP account (one that was created once logged into cPanel), then the best you can do is "FTP with TLS/SSL" (there are usually two options; I forget which one worked with my cPanel accounts).

Normal FTP programs send the password as plain text when logging in, so you definitely do not want to use regular FTP over public Wi-Fi, as it can be sniffed, and at that point it doesn't matter how strong a password you use.

Hopefully though you won't have any more issues. I know they can be a pain in the butt to track down. Good luck!

-Greg

DarkLight (287 posts, joined Oct 2007):

Ahh right... OK, well, I do use Wi-Fi, but it's private and secured.
I do use my main cPanel login for FTP, so next time I use my client, I'm gonna check out the options. I just assumed the client would use the best option for me automatically...

I've been spending all my time trying to secure my PHP files; it never occurred to me that my FTP client could be causing security holes...

Thanks for the info, seems I'm not as clued up as I liked to think I was...

