My organization's PHP-Fusion based site was hacked. Somehow --we never discovered exactly how-- thousands of html files were uploaded to the site. Each of them contained an inducement to downloading malware, apparently the ZOLB Trojan.
OK, we've upgraded to the latest version of PHP-Fusion. (Keeping current seems to be the most recommended precaution.) We've gone down the checklist of standard security precautions and implemented all of them.
But I can't get over the fact that the thousands of uploads were cleverly placed in out-of-the-way subdirectories. We were VERY fortunate to detect them fairly quickly, within a week or so. One of us simply stumbled onto the problem.
I think we need what I think is called file (or filesystem) integrity and/or intrusion detection system.
That would seem to require s/w that maintains a detailed directory listing of our site 'n' hours ago, a way of generating a current directory, and a mechanism to send emails listing detected differences.
Most of my limited server-side experience is with PHP, so that's my first choice, but I'll consider turnkey alternatives using a different technology.
Low-cost or free is a necessity. We're on a Unix-family host.
We're a public service organization and there is nothing of value on our site that can't be downloaded for free from it, no financial or proprietary data at all.
My questions:
1. Am I just getting spooked by the last incident? Is it likely that the next visit by bad guys will be similar and detectable by intrusion detection software? Or completely different?
2. What simple intrusion detection software is recommended?
3. What am I overlooking? Should I be MORE worried about entirely different kinds of threats?
TIA,
Henry
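The baseline-and-compare tool described in the post (a stored listing of the tree, a fresh listing, and a report of the differences) is small enough to write from scratch. The following is an added example, not code from the thread or from PHP-Fusion; it is in Python rather than PHP because it runs as a plain cron job on a Unix host with no web server involvement. The directory names, the demo tree it builds under a temporary directory, and the simulated "compromise" are constructed for illustration.

```python
"""Minimal file-integrity monitor: snapshot a web root, compare it against a
saved baseline, and report added / removed / changed files.

Constructed example. The demo tree, file names and the "injected" change are
invented to show the three change classes; nothing here comes from the thread.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

HASH_BLOCK = 1 << 16  # read files in 64 KiB chunks so large files are handled


def file_digest(path):
    """SHA-256 of a file's contents; mtime alone is not enough since it can be reset."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(HASH_BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map every regular file under root (dot-directories included, symlinks
    skipped) to its size and content hash, keyed by path relative to root."""
    root = Path(root)
    result = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic walk order makes reports easier to diff
        for name in filenames:
            full = Path(dirpath) / name
            if full.is_symlink() or not full.is_file():
                continue
            rel = full.relative_to(root).as_posix()
            result[rel] = {"size": full.stat().st_size, "sha256": file_digest(full)}
    return result


def compare(baseline, current):
    """Return the three change classes a defender wants to see."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new
                           if baseline[p]["sha256"] != current[p]["sha256"]),
    }


def save_baseline(snap, path):
    Path(path).write_text(json.dumps(snap, indent=1, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def format_report(changes):
    """Plain-text body suitable for piping to mail(1) from a cron job."""
    lines = [f"{kind.upper():9} {p}"
             for kind in ("added", "removed", "modified")
             for p in changes[kind]]
    return "\n".join(lines) if lines else "no changes"


def demo():
    """Build a toy web root, take a baseline, then simulate the incident
    described in the post: many .html files dropped into an out-of-the-way
    subdirectory, plus one existing file altered."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "htdocs"
        (root / "images" / "old").mkdir(parents=True)
        (root / "index.php").write_text("<?php echo 'hello'; ?>")
        (root / "images" / "logo.txt").write_text("placeholder")
        baseline_file = Path(tmp) / "baseline.json"  # kept outside the web root
        save_baseline(snapshot(root), baseline_file)

        # Constructed "compromise": 300 new files deep in a rarely visited
        # directory and a change to a file that should never change.
        for i in range(300):
            (root / "images" / "old" / f"page{i}.html").write_text("<a href=x>download</a>")
        (root / "index.php").write_text("<?php echo 'hello'; /* changed */ ?>")

        return compare(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    print(format_report(demo()))
```

In production the baseline file must live outside the web root and, ideally, off the host entirely (or at least be unwritable by the web server's user), since an attacker who can write to the site could otherwise refresh the baseline to hide their files. Run `snapshot`/`compare` from cron every hour or so and pipe `format_report` to `mail` only when the result is not "no changes".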
Low-cost or free is a necessity.
Don't overlook the possibility that this is exactly why you are where you are right now - not out of fault on your part, but because many open source free programs are also available to hackers and they can examine the code, find the holes, and find sites using it to exploit those holes. Combine this with
Most of my limited server-side experience is with PHP
And you have a recipe for an attack via HTTP that has nothing to do with intrusion as you've described it. I see,
OK, we've upgraded to the latest version of PHP-Fusion. (Keeping current seems to be the most recommended precaution.) We've gone down the checklist of standard security precautions and implemented all of them.
If these were not present before, it is entirely possible your problem is fixed. Give it some time, watch your logs. All those hack files may not have been "uploaded" to your site but added over HTTP/POST via previous vulnerabilities.
3. What am I overlooking? Should I be MORE worried about entirely different kinds of threats?
I think the above covers it: Cross Site Scripting and/or mysql injection. However do not allow my comments to dissuade you from protecting the FTP access of your site with regular password changes, use strong P@$$w3rDz, and also use a secure FTP program. FTP transfers the password, in clear text, with every file you upload. Scary. Secure FTP programs use encrypted data to connect, which is unintelligible to port scanning.
Another possibility is a vulnerability on some other site if you're on a shared host. If it turns out this is the case, "Get out of Dodge" is the best recourse.
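The reply's point that the files were probably written by the web application over HTTP rather than by FTP suggests what to look for in the access log: POST requests to paths that are not the site's known form handlers. The script below is an added example, not from the thread; the log lines, IP addresses and paths are constructed, and the allowlist of legitimate POST targets is an assumption that an operator would replace with their own site's handlers.

```python
"""Flag POST requests to unexpected paths in an Apache combined-format log.

Added example. SAMPLE_LOG and EXPECTED_POST_TARGETS are constructed; replace
the allowlist with the form handlers your own site actually uses.
"""
import re
from collections import Counter

# Apache/nginx combined log: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample; all addresses are from documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2008:13:55:36 +0000] "GET /news.php?readmore=12 HTTP/1.1" 200 5123
203.0.113.5 - - [10/Oct/2008:13:55:40 +0000] "POST /contact.php HTTP/1.1" 200 410
198.51.100.77 - - [10/Oct/2008:14:02:01 +0000] "POST /images/old/upload.php HTTP/1.1" 200 88
198.51.100.77 - - [10/Oct/2008:14:02:02 +0000] "POST /images/old/upload.php HTTP/1.1" 200 88
198.51.100.77 - - [10/Oct/2008:14:02:03 +0000] "POST /images/old/upload.php HTTP/1.1" 200 88
192.0.2.9 - - [10/Oct/2008:14:10:00 +0000] "GET /images/old/page17.html HTTP/1.1" 200 77
this line is not in log format and is skipped
"""

# Assumption: the only scripts on this site that should ever receive a POST.
EXPECTED_POST_TARGETS = {"/contact.php", "/login.php"}


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are ignored."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def unexpected_posts(log_text, allowed=EXPECTED_POST_TARGETS):
    """Count successful (2xx) POSTs whose path is not a known form handler,
    keyed by (source IP, path). A script answering POSTs from a directory
    that should only hold static files is exactly what this surfaces."""
    hits = Counter()
    for rec in parse(log_text):
        path = rec["path"].split("?", 1)[0]  # drop the query string
        if rec["method"] == "POST" and path not in allowed and rec["status"].startswith("2"):
            hits[(rec["ip"], path)] += 1
    return hits


if __name__ == "__main__":
    for (ip, path), n in unexpected_posts(SAMPLE_LOG).most_common():
        print(f"{n:5d}  {ip:15}  {path}")
```

Run it against the real log (`unexpected_posts(open("/var/log/apache2/access.log").read())` or similar) and any path that shows up is a candidate for inspection, since legitimate visitors have no reason to POST to a script under an images directory.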