PHP eval(gzinflate(base64_decode(..))) hack – how to prevent it from occurring again

hackingPHPSecurityvulnerabilities

We recently had a website hacked, where some PHP code was injected into the index.php file that looked something like:

eval (gzinflate(base64_decode('s127ezsS/…bA236UA1')));

The code was causing another php file (cnfg.php) to be included, which was causing some pharmaceutical-related spam to be displayed (but only visible to googlebot et al). This looks like the pharma hack for wordpress, except we're not running said software. The code has since been removed, but I'd like to prevent such occurrences from happening in the future.

I realize this is a pretty broad problem and there could be a myriad of security holes which could be responsible, but thought I'd put this out there in case anyone has had experience with such a problem in the past.

What are some potential security holes that would allow these php files to be uploaded? And what can I do to prevent this from happening in the future?

Cheers

Best Answer

You need to find out how that got there.

  • Did the attacker have access to the filesystem through sftp/scp?
    • If this happened you need to lock down your remote access methods
  • Did the attacker use some uploader script or some bug in an existing script that allowed them to modify files?
    • Fix the script, change the permissions on your scripts and web content so that the web server process cannot change them. The web server should be limited to modifying files in a data directory somewhere. Your scripts and files should generally not be owned or write-able by the web server.
  • Did the script come as part of some malicious software you isntalled?
    • I have seen things like that included as part of wordpress templates. An unsuspecting user downloaded templates from some random site. Those templates included the a function to run code off an external web server. This combined with poor permission settings allowed the attacker to modify other things.
Related Topic