TerrePorter

server hacked

Hey all, just got done restoring my website. Somehow a file was uploaded to the public directory. I only have two functions that require data from the user. I haven't figured out how they got the file on the server. Would any of you have any ideas?

jlrdw

What host was it? To upload a file to a server they would have to have access to the server, like FTP credentials. Or someone could upload a file if a login is not required.

Start a ticket and find out if others on the same service were also hacked.

TerrePorter

readerschoice.suncoastnews.com. I don't think they could have got the FTP as it is SSH key based, and I have never been able to log in using SSH, just figured out other ways to get stuff done. I can't create a ticket, I am the ticket. I checked all the other sites and didn't find the file. I also reset the SSH keys and changed all the passwords on all of the sites, just in case.

TerrePorter

It was a phpshell type file. It was an interesting launcher: they used a data-image to store the base64 code, but then had a wrapper function prepend the beginning and append the end before eval.

I will check out the link. Thanks.
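Added example, not code from this thread: a small Python triage scanner for the launcher shape described above (a base64 blob stored in a data:image URI, rebuilt by a wrapper and passed to eval), which also records each hit's mtime so it can be lined up with the access logs. The regexes, indicator list, sample strings and function names are my own assumptions.

```python
"""Triage scanner for PHP files hiding code in data:image base64 URIs (added example)."""
import base64
import re
import time
from pathlib import Path

# Pieces of the launcher pattern: a data: image URI, an eval(), a base64_decode() (assumed regexes).
DATA_IMAGE_RE = re.compile(r"data:image/[a-z]+;base64,([A-Za-z0-9+/=]{40,})")
EVAL_RE = re.compile(r"\beval\s*\(")
DECODE_RE = re.compile(r"\bbase64_decode\s*\(")
# Tokens a real picture never decodes to, but a wrapped PHP payload might (assumed list).
SUSPECT_DECODED = (b"<?php", b"eval(", b"system(", b"$_POST", b"$_GET")


def score_php_source(src: str) -> dict:
    """Return findings for one file's source text: which indicators are present."""
    findings = {"data_image": False, "eval": bool(EVAL_RE.search(src)),
                "base64_decode": bool(DECODE_RE.search(src)), "decoded_hits": []}
    for m in DATA_IMAGE_RE.finditer(src):
        findings["data_image"] = True
        try:
            blob = base64.b64decode(m.group(1), validate=False)
        except Exception:
            continue  # not valid base64 at all; the URI alone is still noted
        findings["decoded_hits"] += [t.decode() for t in SUSPECT_DECODED if t in blob]
    return findings


def is_suspicious(findings: dict) -> bool:
    # A data: image sitting next to eval()/base64_decode(), or an "image" that decodes to PHP, is a red flag.
    return (findings["data_image"] and (findings["eval"] or findings["base64_decode"])) \
        or bool(findings["decoded_hits"])


def scan_public_dir(root: str, newer_than_days: float = 7) -> list:
    """Walk a web root and report suspicious .php files with UTC mtimes to match against access logs."""
    cutoff = time.time() - newer_than_days * 86400
    report = []
    for path in Path(root).rglob("*.php"):
        f = score_php_source(path.read_text(errors="replace"))
        if is_suspicious(f):
            mtime = path.stat().st_mtime
            report.append({"path": str(path), "recent": mtime >= cutoff,
                           "mtime_utc": time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(mtime)), **f})
    return report


# Constructed samples: the "payload" is only an echo, so the first string is not a working shell.
_PAYLOAD = base64.b64encode(b'echo "demo payload for the scanner test, not a real shell";').decode()
SAMPLE_LAUNCHER = ('<?php\n$img = "data:image/png;base64,' + _PAYLOAD + '";\n'
                   '$body = substr($img, strpos($img, ",") + 1);\n'
                   'eval("<?php " . base64_decode($body) . " ?>");\n')
SAMPLE_BENIGN = ('<?php echo \'<img src="data:image/png;base64,'
                 + base64.b64encode(b"\x89PNG\r\n\x1a\n" + b"\x00" * 40).decode() + '">\';\n')
```

Run `scan_public_dir("/var/www/html")` (path assumed) and compare the `mtime_utc` of each hit with the request timestamps in the access log.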

martinbean

Hey all, just got done restoring my website. Somehow a file was uploaded to the public directory. I only have two functions that require data from the user. I haven't figured out how they got the file on the server. Would any of you have any ideas?

@terreporter Not from those sparse details.

It’s not just uploads that can be exploited. Any route that also takes user input in the form of query string parameters or route parameters can be exploited if you’re not sanitising the data properly.

martinbean

It does. But the key word there is some. It’s not magically going to protect you from every attack vector or if you’re writing vulnerable code.

jlrdw

Sanitizing is removing HTML tags to prevent XSS, or Blade uses htmlspecialchars.

But it doesn't do a virus scan on uploaded files.

TerrePorter

@andyandy The thing is, I don't have any file uploads on the site they are putting the files on. They put 6 new files today in random places in the public folder. The problem is they have full access to the home directory of the server where I am hosting about 10 other sites. I tried to inject some code on the site but those all failed. Trying to get SSH access to really dig into the server.

martinbean

@terreporter Again, it’s not just file uploads that can be an attack vector.

Check your server access logs for suspicious requests. Your vulnerability is obviously somewhere else.

You can’t just keep saying, “But I have no uploads on my site” when there’s clearly another way attackers have compromised your server.

Also, as your server is compromised, you now may have a legal duty to report this breach if you’re dealing with any customer data, especially if, as you’ve admitted, there are 10 other sites on the same server. There’s nothing to say the attackers haven’t taken a dump of your database(s) and are now using your customers’ data to access other services, or impersonating your service and contacting them to try and get more data from them…

You really need to find the vulnerability, patch it, and inform your customers.

TerrePorter (OP, Best Answer)

I think I found the hole and patched it. And of course there was some way they were doing their uploads, never doubted it; the problem was finding it. And in this case it was in a different site on the server. I don't have any client information on the server or in the database. There are only two sites that are really live since I shut down my company, and those are only live for parts of the year.

TerrePorter

How do I remove the best answer? I clicked on it by mistake.

Savlon

Have you checked the server logs? Try to identify the timestamps on the uploaded files and check the logs against those.

Are you sure there are no forms that allow users to upload a file? Even if the user is part of the admin team?

TerrePorter

I couldn't find anything in the logs. The site that had the files on it didn't have any upload ability. It was another site that I thought was broken (not compatible with PHP 7.4) that apparently still had enough of the backend to use a known hack on it.

sr57

How do I remove the best answer? I clicked on it by mistake.

You cannot; update your title: "NOT SOLVED - ..."

I couldn't find anything in the logs

If somebody enters your site, and if this somebody is good, you'll see (quite) nothing... don't waste your time; SECURE your site, i.e.

  • make your .env not public

  • change all your credentials

PS: if you really want to analyse, make a raw copy of the partition(s) and analyze locally.