What do I do after a PHP site break-in?
September 14, 2004 10:02 PM Subscribe
A couple months ago my site was lightly hacked. It happened again on a site for a friend of my father, possibly not as lightly. -->
posted by sailormouth to computers & internet (4 answers total)
The weakness in both cases for piss poor php coding. I had written the code a few years ago w/o thinking about vulnerability. Basically I had an index page and then index2.php (I know real original) for everything else. Content of other pages were loaded when the filename was passed in the querystring.
One site passed the entire filename. The other site appended the extension on the file.
Well some Brazilian haxors passed their url to a "jpg" with command line commands. Viola they can dink around some. Everything they did is in the logs.
On my site they only wrote an index.html file after trying to get up in the server (unsuccessfully) to get to some config info. I deleted the file, rewrote my php code, and went on with my life.
Well on the other site some files were loaded.
Files include: f3, kmod, mremap, r0nin, telnetd, ptrace, tfmaster, some perl, C, eggdrop (tar), and psyBNC (tar). It mostly seems like they were setting up IRC stuff.
I took all of their files/dirs and moved them. Changed all login info. I reworked my php to close the obvious hole.
So after all of that backstory here is my question: What specifics should I look for in their trail (cmds in logs and actual files) to see if they were able to compromise anything serious?