Get help. Give help. A Web Design and Development Community.

Webspace Security

  • # September 27, 2008 at 4:41 am

    How do you secure your sites against attacks?

    I thought I was well protected but found new files in my root! ( I don’t mean ‘/public_html’ or ‘/www’ but ‘/’) I manually checked every permission on every file and directory, used .htaccess files and index.php files with Location redirects to /index.php. No one else has access and I’ve never shared my password. My host seems knowledgable and proactive. Fortunately, no harm was done and I’ve removed the site from my webspace for the time being.

    But the question remains… How do you protect a site? Any thoughts?

    # September 28, 2008 at 11:08 am

    What kind of files did you find?

    # September 28, 2008 at 1:20 pm

    There were five files each containing the same php code:


    Here is a snippet of the code:

    < ?php ignore_user_abort(1); set_time_limit(0); function Clear() { unlink("c"); unlink("1r"); unlink("log"); } function Clear2() { $mrd = trim(file_get_contents("m")); $pt = "../$mrd"; $fin = file_get_contents($pt); $fin = ereg_replace("(.*)“, “”, $fin);
    $fin = ereg_replace(“(.*)“, “”, $fin);
    $fin = preg_replace(‘#]+_lm[^>]*>.*?#is’, ”, $fin);
    $fin = preg_replace(“/http(.*?)tmp6(.*?)/”, “”, $fin);
    $fin = ereg_replace(““, “”, $fin);
    $fin = ereg_replace(““, “”, $fin);
    $fin = ereg_replace(““, “”, $fin);
    $fmrd = fopen($pt, “w+”);
    fwrite($fmrd, $fin);
    echo ” upt-ok”;

    function Main()
    if (isset($_POST[‘u’]) || isset($_GET[‘u’]))

    if (isset($_POST[‘c’]) || isset($_GET[‘c’]))

    if (isset($_POST[‘g’]) || isset($_GET[‘g’]))

    if (isset($_POST[‘s’]) || isset($_GET[‘s’]))

    if (isset($_POST[‘cl’]) || isset($_GET[‘cl’]))

    if (isset($_POST[‘cl2’]) || isset($_GET[‘cl2’]))

    echo ““;




    I left out the other functions as I don’t think they should be listed in a public forum.

    After numerous emails back and forth to my host, the issue finally got bumped to someone who was knowledgable and diligent about looking into the matter. The files came from the Czech Republic. Well, at least the /cgi-bin/index.php file was only accessed once and that was from the Czech Republic. Unfortunately, I deleted the files before I noted the ownership on them which might have been enlightening. Also, they were uploaded prior to my oldest activity logs so I can’t get any further information. Fortunately though, this means that the files were uploaded prior to the installation of my various security measures which means my security wasn’t circumvented after all; it just wasn’t in place soon enough.

    The important thing I got from all this was that I need to download my logs daily so that I may keep them as long as I want instead of relying on my host (who only keeps them for seven days).

    # September 28, 2008 at 1:36 pm

    Hmm interesting. I’ve been hacked before, but it was some stupid scrip kiddies taking over a forum I had, and another time hacking into my MT install and uploading tons of links to fun porn sites — which actually were indexed by google because the domain they were added to was one I didn’t use for a while!


    I now just try to keep everything up to date and my passwords as complex as possible.

    # September 28, 2008 at 3:30 pm

    I already had some security background but in the last few days I’ve learned a LOT! The reason I stopped learning about security the last time I got interested (years ago) was because it was so overwhelming. There is no way to win. If someone wants into your site badly enough, they can get in. However, there are also tons of easy ways in (listed on hacker websites for any 12 year old with a computer to try out) that are often overlooked. I knew about a lot of those but I’m discovering that was just the tip of the iceberg.

    I found a program today at that scans your site and reports on vulnerabilities. The full version is extremely comprehensive and seems well worth the money. Unfortunately, they want a lot of it! $1500 for a single site licence, $3500 for developers/designers.

    They also have a FREE version that only checks for Cross Site Scripting (XSS) vulnerabilities. I ran that just to check out the software and it said my ecommerce site was secure. HOWEVER, it found a whois script I had forgotten I had even written on my main site that was insecure. Thanks to that program, and a few quick htmlentities() around some POST variables and the program reported that the vulnerability was corrected.

Viewing 5 posts - 1 through 5 (of 5 total)

You must be logged in to reply to this topic.

We have a pretty good* newsletter.