Question:

I know securing any website is a very tough and broad topic to discuss, but I want to relate this question to my specific website, which I've been working on. It was coded in PHP by some other programmer around 2004 and I am responsible for its management. My problem is that it's being hacked time and again. I have noticed the following things when it's been hacked.

  1. The .htaccess file has been modified
  2. The index.php and config.php files were modified
  3. The admin password has been changed
  4. Files uploaded to the server
  5. File permissions of files and folders changed

I have worked on the code; it has been properly escaped and I think there is no probability of SQL injection. Since most of the problem is related to files and permissions, I have a doubt about the server security, but due to the reason that it was coded around 2004 it will surely lack some security, so what other things do I need to work on in my code to prevent my site being hacked for the above mentioned problems?

Thanks in advance.

Answer:

Since files have been modified, this is unlikely due to SQL injection bugs.

Possibilities to get to the files:

  • Guess/steal your FTP password
  • Hack the server (you can't really do anything about that)
  • Insufficient isolation on the server, meaning other customers can change your files (you can't really do anything about that either)
  • Remote code execution bugs

Now since you say the website is from 2004, it could be that it uses eval for templating or include for things like site.php?section=foo which then includes foo.php somewhere in the code, both of which were done frequently back in 2004. So I'd do a quick file search for eval and the regex include(.*\$.*) as well as require(.*\$.*). Those are prime suspects depending on how they were used.
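The file search this answer suggests, written out as a small repeatable audit script. This is an added example, not code from the original answer or from the asker's site: it lists every line in a PHP tree that calls eval() or hands a variable to include/require(_once), so each hit can be reviewed by hand, and it builds a constructed three-file sample tree (site.php, tpl.php, safe.php are invented names) to show what gets reported and what does not. It needs only POSIX find and grep -E.

```shell
#!/bin/sh
# Added example, not code from the original answer: the file search the answer
# suggests, made repeatable. Prints every line in a PHP tree that calls eval()
# or passes a variable to include/require(_once). Output is file:line:matched text.

# list_suspects DIR : print suspect lines under DIR (exits 0 even when none found)
list_suspects() {
    find "$1" -type f -name '*.php' -exec grep -nE \
        -e '(^|[^A-Za-z0-9_])eval[[:space:]]*\(' \
        -e '(^|[^A-Za-z0-9_])(include|require)(_once)?[[:space:]]*\(?[^;]*\$' \
        /dev/null {} + || true
    # /dev/null forces grep to prefix each hit with its file name, even for one file
}

# count_suspects DIR : number of suspect lines (0 means nothing left to review)
count_suspects() {
    n=$(list_suspects "$1" | wc -l)
    echo $((n))
}

# make_sample_tree : constructed PHP files standing in for a 2004-era code base.
make_sample_tree() {
    dir=$(mktemp -d)
    # a request parameter decides which file is included: the pattern the answer warns about
    cat > "$dir/site.php" <<'EOF'
<?php
$section = $_GET['section'];
include($section . '.php');
EOF
    # a template string handed to eval()
    cat > "$dir/tpl.php" <<'EOF'
<?php
eval($template);
EOF
    # fixed include path plus a lookup table: no variable reaches include, so not reported
    cat > "$dir/safe.php" <<'EOF'
<?php
require_once 'config.php';
$pages = array('home' => 'home.php', 'about' => 'about.php');
EOF
    echo "$dir"
}

# Usage: sh scan.sh /var/www/site
if [ "$#" -eq 1 ]; then
    list_suspects "$1"
    echo "$(count_suspects "$1") suspect line(s)"
fi
```

On the constructed sample the script reports site.php line 3 and tpl.php line 2 and stays silent on safe.php. A hit is a line to read, not proof of a bug: an include whose variable comes from a fixed lookup table (as in safe.php) is fine, while one fed straight from a request parameter is the case to rewrite.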

Answer:

Someone probably has direct access to the server, rather than to (a) script(s) in particular. This doesn't sound like a security issue having its origin in the codebase.

You might wanna consider moving the entire site to another provider if this has happened time and time again. Start over somewhere else, with fresh passwords, access control, etc.

Answer:

The OWASP Top 10 is a very good read. Some guesses of mine:

  • Outdated OS which has vulnerabilities.
  • MySQL injection, and maybe all passwords are stored in plain text, which is very, very bad. For authentication you should be using something like OpenID instead. Also, when you have MySQL injection you should pronto update the code to use PDO (prepared statements) if possible.
  • Read/write permissions not set properly, or Apache/PHP running at an elevated level?

My advice to you is:

  • Read up on the information on OWASP. Then clearly look for flaws in your code. Every line could be the source of a problem. Maybe you should ditch the old code, because it is very insecure?
  • Reinstall your OS, because you could even have a rootkit?

Answer:
  • Never use just shared hosting, use at least managed servers / keep the system up to date
  • Check your php.ini for security issues (that you can google)
  • Check your Apache/Nginx/... configs for overrides
  • Never communicate unencrypted with the server (use SFTP, SSH, ...)
  • Never trust external values (also from Cookies), always escape/cast those
  • Filter user input (remove line breaks, 0x00 characters, tags, ... where undesired)
  • Check all possibly existing user accounts for the server/database/...
  • Check if all services run as the correct user
  • Check file (write/execute) permissions in your web folders
  • Escape everything you show on the website, do not even trust your database data to be safe in any way
  • If you use third-party software, look out for security advisories
  • Reinstall the server, you might have been rooted
  • Use prepared statements

That's it ;) This will enhance your security a lot, but experienced attackers are tough.
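Two items from this list, checking file permissions in the web folders and noticing that files such as .htaccess, index.php or config.php have changed (the symptoms the question describes), as a script that can be re-run from cron. This is an added example, not code from the original answer or from the asker's site; it assumes GNU coreutils (sha256sum, comm, cut) and builds a constructed sample web root with invented file contents to show the checks working.

```shell
#!/bin/sh
# Added example, not code from the original answer: a sha256 baseline of the web
# root (so edits to .htaccess, index.php, config.php or newly dropped files show
# up on the next run) and a scan for world-writable entries.
# Assumes GNU coreutils: sha256sum, comm, cut.

# write_baseline WEBROOT BASELINE_FILE : hash every regular file under WEBROOT,
# with paths relative to WEBROOT so the baseline survives a move to another host.
write_baseline() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort ) > "$2"
}

# changed_files WEBROOT BASELINE_FILE : files whose hash is not in the baseline,
# i.e. modified or added since write_baseline ran (deleted files are not listed;
# swap the two comm arguments to see those).
changed_files() {
    current=$(mktemp)
    write_baseline "$1" "$current"
    LC_ALL=C comm -13 "$2" "$current" | cut -d' ' -f3-
    rm -f "$current"
}

# world_writable WEBROOT : files or directories anyone on the host may write to.
# Symlinks are skipped because their mode bits are not meaningful on most systems.
world_writable() {
    find "$1" ! -type l -perm -002
}

# make_sample_webroot : constructed sample tree standing in for a real site.
make_sample_webroot() {
    root=$(mktemp -d)
    printf 'RewriteEngine On\n' > "$root/.htaccess"
    printf '<?php require "config.php";\n' > "$root/index.php"
    printf '<?php $db_pass = "placeholder";\n' > "$root/config.php"
    mkdir "$root/uploads"
    chmod 644 "$root/.htaccess" "$root/index.php" "$root/config.php"
    chmod 777 "$root/uploads"   # deliberately wrong: anyone on the host may drop files here
    echo "$root"
}

# Usage: sh integrity.sh /var/www/site /var/lib/site-baseline.sha256
# First run records the baseline; later runs print changed/added files, then
# every world-writable entry.
if [ "$#" -eq 2 ]; then
    if [ -f "$2" ]; then changed_files "$1" "$2"; else write_baseline "$1" "$2"; fi
    world_writable "$1"
fi
```

Keep the baseline file outside the web root and, ideally, off the box (or at least owned by a user the web server cannot write as): someone who can already edit index.php can just as easily edit a baseline that sits next to it. After a legitimate deploy, regenerate the baseline so the next run only reports what you did not change yourself.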
