Re: hacked!!

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, Oct 3, 2014 at 3:18 PM, Jim Giner <jim.giner@xxxxxxxxxxxxxxxxxx>
wrote:

> On 10/3/2014 2:10 PM, Richard wrote:
>
>>
>>
>> ------------ Original Message ------------
>>
>>> Date: Friday, October 03, 2014 13:52:54 -0400
>>> From: Jim Giner <jim.giner@xxxxxxxxxxxxxxxxxx>
>>> To: php-general@xxxxxxxxxxxxx
>>> Cc:
>>> Subject: Re:  hacked!!
>>>
>>> On 10/3/2014 1:31 PM, Richard wrote:
>>>
>>>>
>>>> As a note, in this day and age, I strongly recommend against
>>>> shared hosting. There was a time when it was cost-effective, but
>>>> at this point in time, virtual hosting is a much better approach.
>>>> With virtual hosting you are rather more protected from others on
>>>> the same hardware and often have access to the logs, so can see
>>>> what's going on.
>>>>
>>>>
>>>>      - Richard
>>>>
>>>>
>>>>
>>>>  What is virtual hosting?
>>>
>>> PS - I looked at a log but all that is there is references to
>>> every access to every file in my domain.  GET/POST/....  ips,
>>> files, paths,blah blah blah.
>>>
>>> What is one supposed to glean from this?
>>>
>>
>> Try doing a google search for shared vs. virtual hosting -- that
>> should return a number of pointers you can follow.
>>
>> When looking at logs it helps greatly to have the timeframe narrowed
>> down as tightly as possible -- so that's generally the first task.
>> Then, in web server logs, look for things that are out of the norm
>> -- e.g., a POST that has an odd name (or the names of the files in
>> question), or GETs that have QUERY_STRING values. Note, if you don't
>> properly sanitize the input (QUERY_STRING) that you're pulling from
>> a GET or POST, that can potentially be used as a path for doing fun
>> things on a site.
>>
>> You should also be looking at the server security-oriented logs. In
>> a shared-hosting environment you likely don't have access to them,
>> but once you've narrowed down the likely timeframe you can talk with
>> your hosting provider and have them look.
>>
>>
>>      - Richard
>>
>>
>>  What is any log going to tell us?  Only if it tells me exactly how they
> got to my site will it be worthwhile.  I really don't care who did it - I
> just care how.  That's not going to be in a log, is it?
>
>
> Yes it will. The one thing that I have not seen mentioned is if this could
be due to your hosting provider not installing the latest security updates.
Often, they don't. Here is an example of what I viewed in my logs today:

[149.210.135.28] - - [03/Oct/2014:12:20:56 -0400] "GET
/wp-content/plugins/wysija-newsletters/readme.txt HTTP/1.1" 404 - "-"
"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; fr; rv:1.9.2.8)
Gecko/20100722 Firefox/3.6.8"

1) If you look closely, the last line is a hack attempt. It was not
successful because I have firewall rules that monitor all incoming and
outgoing traffic.
2) On shared servers, another user on the site could have an insecure
script that allowed the hacker to gain access to your account or all
accounts hosted on the server.
3) If you use the command line, please note that others can see commands
being run by you or others.
4) Before you go changing passwords, it may be REALLY important to find out
HOW they did this, because the security hole may still be there.

[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux