
Attempted site hack

         

jake66

2:26 am on Jul 29, 2007 (gmt 0)

10+ Year Member



In my error logs I am seeing repeated attempts of:
[code][23-Jul-2007 19:39:04] PHP Warning: fopen(/home/**/public_html/cache/_index.php_site=<snip>) [<a href='function.fopen'>function.fopen</a>]: failed to open stream: No such file or directory in /home/**/public_html/includes/classes/page_cache.php on line 261[/code]

How did they find out the structure to these files? They are includes and are unpublished. How can I stop them from inserting this file?

[edited by: trillianjedi at 5:24 pm (utc) on July 29, 2007]
[edit reason] Please see TOS re specifics, thanks... [/edit]

WesleyC

7:26 pm on Jul 31, 2007 (gmt 0)

10+ Year Member



I use a technique I've developed after working on shared servers for some time to block malicious includes. I'm not entirely sure how well this works, but no one's successfully hacked a site I've made yet.

Try adding this to the absolute beginning of all pages that shouldn't be viewed directly:

[code]
if (!isset($RaNdOmVaRnAmE))
{
    /* Insert some code here to log the attempted connection's IP for tracing, if desired */
    die();
}
[/code]

Then, add a line to all of the pages that need to include these pages...

[code]$RaNdOmVaRnAmE = "";[/code]

This way, anyone who attempts to visit the page in question directly instead of through a normal channel is met with a blank page that won't do anything.

The most likely suspect if you're on a shared server is one of the other occupants of the server--since PHP can scan through directories, another site on the same server might be able to (either purposefully or from having themselves been hacked) scan through your website folder's contents.

Also, if you use any of the most commonly-known CMSs, you might as well assume that everyone under the sun knows the location of every page in your site--since PHP CMSs are easily downloadable and generally easy to reverse-engineer, their folder structure is extremely easy to discover.

jake66

4:36 am on Aug 14, 2007 (gmt 0)

10+ Year Member



I'm on a VPS, but am I still open to php scanning?

I am not particularly sure how to implement this code. On an /include/ type of file that is only called upon via script (not directly)? Or in a file that is never used in general, but one that hackers look for (like /phpmyadmin.php)?

jtara

3:35 pm on Aug 14, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



1. Your source files shouldn't be downloadable, since the server will execute them. If you use the X-bit hack, make sure you haven't forgotten to set the Execute bit on scripts - otherwise the script won't be executed, and the source code will be visible to users.

2. Included source files don't need to be accessed by your users - only by the PHP (or other language) interpreter running on your server. Make sure that they are NOT accessible to users! One easy way to do this (if you are writing your own code) is to put them in a subdirectory, and don't map a URL to that subdirectory. Otherwise, you might have to do some fiddling with .htaccess. Users should get a "404" error when trying to access included files.

ANY included file, BTW, not just executables. Why should users be able to see bits and pieces of headers, menus, etc. that are put together by the server? They shouldn't.

3. Whether on a dedicated, shared, or VPS server, give only user permissions to source files - make sure there are no group or world permissions. This may not be practical, though, if your web server runs as a different user.
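
Point 3 above as an added example (not code from the thread): a POSIX shell audit that lists include files carrying any group or world permission bit, then strips those bits. The temp tree and the file names `header.inc` and `config.php` are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread. Paths and file names are constructed.

# find_loose DIR [find-actions...]: select regular files under DIR that have
# any group or world permission bit set. POSIX find's "-perm -MODE" matches
# only when all bits of MODE are set, so each bit is tested separately.
find_loose() {
    dir=$1; shift
    find "$dir" -type f \( \
        -perm -040 -o -perm -020 -o -perm -010 -o \
        -perm -004 -o -perm -002 -o -perm -001 \) "$@"
}

# List offending files, one per line.
audit_includes() { find_loose "$1" -print; }

# Count offending files (one dot per file, so odd file names cannot skew it).
count_loose() { find_loose "$1" -exec printf . \; | wc -c | tr -d ' '; }

# Strip group/world bits from the offending files only; owner bits are kept.
tighten_includes() { find_loose "$1" -exec chmod go-rwx {} +; }

# Build a constructed sample tree in a temp dir and print its path.
make_demo_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/includes/classes"
    : > "$t/includes/classes/page_cache.php"
    chmod 644 "$t/includes/classes/page_cache.php"   # world-readable
    : > "$t/includes/header.inc"
    chmod 640 "$t/includes/header.inc"               # group-readable
    : > "$t/includes/config.php"
    chmod 600 "$t/includes/config.php"               # already owner-only
    printf '%s\n' "$t"
}

# Demo run: report, tighten, report again, clean up.
demo=$(make_demo_tree)
echo "loose before: $(count_loose "$demo")"
audit_includes "$demo"
tighten_includes "$demo"
echo "loose after:  $(count_loose "$demo")"
rm -rf "$demo"
```

Run `audit_includes` on its own first: as the post says, owner-only permissions are not practical when the web server runs as a different user from the file owner.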