PHP Server Side Scripting Forum

Please give some advice regarding PHP security.
I have a website which was launched one month ago..
Knowledge seeker
msg:4036026
9:10 am on Dec 3, 2009 (gmt 0)

I have a website which was launched one month ago. It was completely developed in PHP and MySQL, and I have made an admin control panel for regularly updating my website contents online.

But a couple of days ago when I opened my website there was some kind of music running on my website and a little cartoonish character was dancing and there was writing "we have hacked your website....and so on".

When I logged in to my FTP all of my files were deleted; there was only one index.htm file, which was from the hacker.

I immediately contacted my hosting rep and gave him all the information; he told me I should keep a more complex password etc... $,@*>,.

I did exactly what I was told and through the server backup I made my website online once again, but after 20 hours my website was hacked again. When I contacted the hosting company they told me there is some kind of security hole in your programming, please check it.

My question is: is there any way in PHP from which the hacker can log in to my FTP or cPanel account and delete all of my files?

Please, expert developers in PHP, give me some advice so that my website cannot be hacked, or how I can improve my website security.

Thanks in advance to all respectable members of this forum...

NomikOS
msg:4036059
10:33 am on Dec 3, 2009 (gmt 0)

.- manage your server via SSH && sftp
.- improve your code to prevent SQL injection attacks (very common in PHP)
.- only accept access to admin from one IP (httpd.conf or .htaccess)

rocknbil
msg:4036490
9:17 pm on Dec 3, 2009 (gmt 0)

Yes, Google for mysql injection but ALSO Google for XSS (or Cross Site Scripting.) This is another form of injection.

The tech support is **probably** correct, but sometimes they just throw an answer out when they don't have one. Ask yourself:

Do you filter input? Do you have register_globals off? If I input, say, "my name" into one of your forms, is it echoed back somewhere when I submit, like

echo $_POST['my_name'];

If the answer to the first two is no or the third yes, this may not be how your site was hacked, but it's definitely vulnerable.

Since you are going to be a while figuring this out, here is a simple test to see if it's your programming or not.

Get your site back up, view source of the pages, save them as static files. Not PHP. Disable any forms, etc. that would require server side programming. Remove ALL PHP scripts, all of them.

Upload **just** the static files to your site. Immediately change your passwords, and use **only** SFTP to connect to your site.

This serves two purposes: static html pages cannot be hacked from public page input, and you will have content on your site while you figure it out.

So if it gets hacked again when only static pages are on your site, it's something else. Don't overlook an important one: if you are on shared hosting, the hack may come from some other insecure site on the same box. It may not even be you.

A side note that most people don't know: when you connect to a site using "regular ole' FTP," the username and password are sent in clear text, with each file you transfer. Someone sniffing the data on a server can capture these. Most people get by without ever getting hacked this way, but it does happen.
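The unescaped echo from the reply above beside its hardened form, together with the SQL injection case both replies mention, as an added PHP example (not code from either poster); the form value, the `users` table and the in-memory SQLite database are constructed for the demo:

```php
<?php
// Added example, not code from the thread: the unescaped echo beside its
// hardened form, and a string-built SQL query beside a prepared statement.
declare(strict_types=1);

// Constructed sample input standing in for a submitted form field.
$my_name = '<script>alert("xss")</script>';

// Vulnerable: raw user input goes straight into the HTML response.
function greet_unsafe(string $value): string {
    return "Hello, $value";
}

// Hardened: HTML-encode for output. ENT_QUOTES also covers attribute values;
// always pass the charset explicitly.
function greet_safe(string $value): string {
    return 'Hello, ' . htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Vulnerable: the value is interpolated into the SQL text, so quotes in the
// input change the query's structure.
function find_user_unsafe(PDO $db, string $name): array {
    $sql = "SELECT id, name FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: a prepared statement sends the value separately from the query
// text; whatever the input contains, it is only ever compared as a name.
function find_user_safe(PDO $db, string $name): array {
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demo against a constructed in-memory SQLite table (needs the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

echo greet_unsafe($my_name), PHP_EOL;  // the <script> tag reaches the browser intact
echo greet_safe($my_name), PHP_EOL;    // &lt;script&gt;... is shown as text

$probe = "x' OR '1'='1";               // classic test input: a quote plus an always-true clause
echo count(find_user_unsafe($db, $probe)), " rows from the string-built query", PHP_EOL;  // 2
echo count(find_user_safe($db, $probe)), " rows from the prepared statement", PHP_EOL;    // 0
```

The same two fixes, output encoding and prepared statements, are what the "filter input" and "mysql injection" advice above comes down to in practice; filtering on input alone does not replace either.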
