son Posted April 22, 2015 Share Posted April 22, 2015 Is it possible that a hacker can place phycial files and create new folders on a web server without ftp access? If so, how can I find out if the hack came via ftp or via a weak script? Son Link to comment Share on other sites More sharing options...
justsomeguy Posted April 22, 2015 Share Posted April 22, 2015 There are plenty of vulnerable PHP scripts out there which don't enough security validation and checking and allow attackers to replace or upload files. Often the first file they place will be their own PHP script which allows them to do whatever they want. If you are trying to track a particular hack then you'll need the server's access logs for the time the hack took place so that you can check the traffic to see what they were accessing. Link to comment Share on other sites More sharing options...
son Posted April 22, 2015 Author Share Posted April 22, 2015 Thanks for your feedback. Will check the access logs. However, unfortunately we are not entirely sure when it happened. Seems to have gone on unnoticed for some time. There is a security service installed which was offered by host when we discovered a number of strange things happening and were able to correct some that were obvious. However, the scans come back each day saying that the files are all okay which sort of confuses me as they are obviously not. In addition when you say scripts often lack 'security validation and checking and allow attackers to replace or upload files' can you point me in the right direction of what to google to find some more info on this. Am still puzzled how those placed .php files come to the web server in the first place. I understand once one script is there how it can create the other files and folders, but am lost as in how they got in first... Son Link to comment Share on other sites More sharing options...
Ingolme Posted April 22, 2015 Share Posted April 22, 2015 If you built a file uploader on your website and the received files are not properly validated before being saved on the server, that's an attack point for a hacker. Link to comment Share on other sites More sharing options...
son Posted April 22, 2015 Author Share Posted April 22, 2015 Thanks Ingolme. You might have just pointed me in the right direction. However, not sure how they managed to login into password protected area where this files sits. All files have test right at the top to check if user is logged in... In addition, the site security scan did not pick up on any of the dodgy scripts and host says that this is because file sat there for years apparently. However, I can for once not see how it sat there for all this time not doing anything till recently and why a security scan would not pick up dodgy scripts just because they were for a while on the site. Does this make any sense to you? Son Link to comment Share on other sites More sharing options...
Don E Posted April 22, 2015 Share Posted April 22, 2015 Where does the file(s) sit on the server? Link to comment Share on other sites More sharing options...
justsomeguy Posted April 22, 2015 Share Posted April 22, 2015 Don't assume that a PHP security scanner is going to find everything, or even most things. A scanner is only going to check for specific things, and if those are obscured in any decent way then chances are that the scanner won't find them. A scanner might check for scripts that include the eval function, for example, but it wouldn't necessarily find this: $a = 'e';$b = 'v';$c = 'a';$d = 'l';$func = $a.$b.$c.$d;$func($code);It generally takes a fairly experienced programmer to be able to open a script and determine whether the code is just messy and cluttered or obfuscated and malicious. Link to comment Share on other sites More sharing options...
son Posted April 23, 2015 Author Share Posted April 23, 2015 Thanks for all the feedback. Very helpful. The external scripts are sitting in admin folder, web root and there is a folder created in web root with two files inside... Son Link to comment Share on other sites More sharing options...
Don E Posted April 23, 2015 Share Posted April 23, 2015 (edited) Is this a shared host or ? You probably want to completely delete those files or move them to a different directory on the server; basically anywhere other than your web root or to a directory that is not accessible to the world. If you cannot/dont not want to delete them in the mean time for whatever reasons and have to keep them in the web root, add(rename) .bak to the end of the file names. If they are .php files, this won't allow the dodgy php file to run when the hacker goes to open the files via a web browser etc. Basically the hacker will get a 404 error; file not found. Even if he somehow knows you added .bak to the file, since it has .bak as its "extension" and no .php, the php code won't run. If you're certain something is going on, I would close ALL ports to all IP address except your home IP address. Hopefully its a static one from your ISP. This is in the mean time until you can figure out what's going on so no further can happen. I'd also look at your cron jobs because it's possible those scripts are set to run at certain times of the day etc and send out info to the hacker about whats going on on your server. Depending on what you're using for managing your server, you should have an area that lists cron jobs. As justsomeguy mentioned, check your logs. You should have a FTP log for example and I also believe a cron job log. (This is assuming if your server is setup with some kind of server management software and if everything was set up correctly for you to have the appropriate log files). Also make sure your ssh is NOT accessible PERIOD(if anything, only to you). If you must in the mean time until you figure out what is going on, completely close the port for that or shut down that service. If you close all ports for all IP address other than yours until you figure out what's going on, then you should be ok. Ssh should only be accessible to the appropriate users and recommend to use public key authentication instead of user/pass when logging in and using a different port number other than the default port number for ssh. Get yourself a better firewall; the kind that detects port scanning for example and blocks that IP. Anyhow, hopefully some of this was helpful. I don't know if you're on shared host or not, but if you are, you may not be able to do some of the stuff I wrote above because some hosts do things a certain way. For example, chances are you won't be able to get another firewall or close ports or close services etc. Your host said they been there for years, maybe they have and you just noticed them and they're harmless? Can you verify they been there for years by checking the dates the files were created? Are you able to see what the files contain? (If host doesn't have a 'edit file' feature, download the files to your home computer and open it via a editor. Should be okay as long as the file is not executed on a web server) If you can see the PHP code the files contain, you can see exactly what the scripts are doing. Edited April 23, 2015 by Don E Link to comment Share on other sites More sharing options...
es131245 Posted September 12, 2015 Share Posted September 12, 2015 You really should take care of owner,group and permissions on server. Well organized access on server will not allow to create anything or rewrite scripts. Only very few functions need this kind of permissions (php write perms for online editors for php scripts, create files for archiving and uploading). Link to comment Share on other sites More sharing options...
dungtroy Posted November 28, 2015 Share Posted November 28, 2015 That's secrete, however, hacker can exploit security hole via plugin or secondary interface from interface hackers, i mean they also create other path to change files, folders Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now