Re: hacked!!

------------ Original Message ------------
> Date: Friday, October 03, 2014 15:18:53 -0400
> From: Jim Giner <jim.giner@xxxxxxxxxxxxxxxxxx>
> To: php-general@xxxxxxxxxxxxx
> Subject: Re:  hacked!!
>
> On 10/3/2014 2:10 PM, Richard wrote:
>> 
>> 
>> ------------ Original Message ------------
>>> Date: Friday, October 03, 2014 13:52:54 -0400
>>> From: Jim Giner <jim.giner@xxxxxxxxxxxxxxxxxx>
>>> To: php-general@xxxxxxxxxxxxx
>>> Cc:
>>> Subject: Re:  hacked!!
>>> 
>>> On 10/3/2014 1:31 PM, Richard wrote:
>>>> 
>>>> As a note, in this day and age, I strongly recommend against
>>>> shared hosting. There was a time when it was cost-effective, but
>>>> at this point in time, virtual hosting is a much better
>>>> approach. With virtual hosting you are rather more protected
>>>> from others on the same hardware and often have access to the
>>>> logs, so can see what's going on.
>>>> 
>>>> 
>>>>      - Richard
>>>> 
>>>> 
>>>> 
>>> What is virtual hosting?
>>> 
>>> PS - I looked at a log but all that is there is references to
>>> every access to every file in my domain.  GET/POST/....  ips,
>>> files, paths, blah blah blah.
>>> 
>>> What is one supposed to glean from this?
>> 
>> Try doing a google search for shared vs. virtual hosting -- that
>> should return a number of pointers you can follow.
>> 
>> When looking at logs it helps greatly to have the timeframe
>> narrowed down as tightly as possible -- so that's generally the
>> first task. Then, in web server logs, look for things that are
>> out of the norm -- e.g., a POST that has an odd name (or the
>> names of the files in question), or GETs that have QUERY_STRING
>> values. Note, if you don't properly sanitize the input
>> (QUERY_STRING) that you're pulling from a GET or POST, that can
>> potentially be used as a path for doing fun things on a site.
>> 
>> You should also be looking at the server security-oriented logs.
>> In a shared-hosting environment you likely don't have access to
>> them, but once you've narrowed down the likely timeframe you can
>> talk with your hosting provider and have them look.
>> 
>> 
>>      - Richard
>> 
>> 
> What is any log going to tell us?  Only if it tells me exactly how
> they got to my site will it be worthwhile.  I really don't care
> who did it - I just care how.  That's not going to be in a log, is
> it?


The web server logs likely won't show you explicitly how, but will
give you pointers of things to look at -- e.g., a php script where
the QUERY_STRING isn't being properly sanitized. With the system
security-related logs you'd be looking for accesses from
non-standard locations. That would probably point to the "simple"
issue of compromised ftp credentials. The problem is that in a
shared-hosting environment you may not be able to tell connections
to your content vs. that of some other user, making it harder to
figure out if that's the source.

Doing hacking forensics is not simple and you're unlikely to get
answers handed to you, but if you want to figure out the cause of
this hack, and fix it, then this is what's needed.
 

    - Richard
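As an added illustration of the log review described above (this is not part of the original thread, and the log lines, IP addresses, paths, time window, and the list of "known" POST handlers are all constructed for the example), the script below parses Apache/nginx combined-format access log lines, keeps only the narrowed time window, and flags the two things Richard points at: POSTs to paths that are not your normal form handlers, and GETs that carry a query string (with a second flag when the query contains traversal, null-byte, or embedded-URL tokens). It then ranks source IPs by how many flagged requests they made, which is what you would hand to a hosting provider when asking them to check their side.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format:
# ip ident user [time] "METHOD target PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample log lines (addresses are RFC 5737 documentation ranges).
SAMPLE_LOG = """
203.0.113.5 - - [03/Oct/2014:13:40:12 -0400] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Oct/2014:13:41:03 -0400] "GET /gallery.php?file=../../../etc/passwd HTTP/1.1" 200 812 "-" "curl/7.30"
198.51.100.7 - - [03/Oct/2014:13:41:30 -0400] "POST /images/cache.php HTTP/1.1" 200 31 "-" "curl/7.30"
203.0.113.9 - - [03/Oct/2014:14:05:00 -0400] "POST /contact.php HTTP/1.1" 302 0 "http://example.com/contact.php" "Mozilla/5.0"
203.0.113.9 - - [03/Oct/2014:14:10:00 -0400] "GET /about.php?page=2 HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
192.0.2.44 - - [02/Oct/2014:09:00:00 -0400] "GET /about.php?page=2 HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
"""

# Assumed: the only scripts on this (hypothetical) site that legitimately accept POSTs.
KNOWN_POST_HANDLERS = {"/contact.php", "/login.php"}

# Tokens in a query string that deserve a second look (traversal, null byte, remote URL).
SUSPICIOUS_QUERY_TOKENS = ("../", "%2e%2e", "%00", "http://", "https://")

# Constructed time window: the hours around when the defacement was noticed.
TZ = timezone(timedelta(hours=-4))
WINDOW_START = datetime(2014, 10, 3, 13, 30, tzinfo=TZ)
WINDOW_END = datetime(2014, 10, 3, 15, 30, tzinfo=TZ)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    path, _, query = m.group("target").partition("?")
    return {
        "ip": m.group("ip"),
        "time": ts,
        "method": m.group("method"),
        "path": path,
        "query": query,
        "status": int(m.group("status")),
        "ua": m.group("ua"),
    }


def triage(lines, start, end, known_post_handlers=KNOWN_POST_HANDLERS):
    """Keep requests inside [start, end] and attach a list of reasons for each flagged one."""
    findings = []
    for raw in lines:
        rec = parse_line(raw)
        if rec is None or not (start <= rec["time"] <= end):
            continue
        reasons = []
        if rec["method"] == "POST" and rec["path"] not in known_post_handlers:
            reasons.append("POST to unexpected path")
        if rec["method"] == "GET" and rec["query"]:
            reasons.append("GET with query string")
            q = rec["query"].lower()
            if any(tok in q for tok in SUSPICIOUS_QUERY_TOKENS):
                reasons.append("query contains traversal/null-byte/URL token")
        if reasons:
            findings.append({**rec, "reasons": reasons})
    return findings


def ips_by_finding_count(findings):
    """Source IPs ranked by number of flagged requests, most active first."""
    return Counter(f["ip"] for f in findings).most_common()


def run_sample_triage():
    """Run the triage over the constructed sample within the constructed window."""
    return triage(SAMPLE_LOG.strip().splitlines(), WINDOW_START, WINDOW_END)


if __name__ == "__main__":
    results = run_sample_triage()
    for f in results:
        print(f["time"].isoformat(), f["ip"], f["method"], f["path"], "->", "; ".join(f["reasons"]))
    print("IPs by flagged requests:", ips_by_finding_count(results))
```

On the sample, the out-of-window line from 2 October is dropped, the legitimate POST to /contact.php is ignored, and three requests are flagged, two of them from the same address. In practice you would feed it the real access log (`triage(open("access.log"), start, end)`), set `KNOWN_POST_HANDLERS` to the scripts that actually accept form submissions on your site, and then cross-check the flagged addresses and timestamps against the FTP and authentication logs your provider holds.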



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




