Hack Attack...

What do you think of http://www.zone-h.org ... They list a bunch of Hackers and Defacements Attack, 3 sites I operate have been listed here before... and my recent one by this guy and his forum at http://www.numberonehack.org/ ... (anyway you can hide there links on the post since they actually like publicity)...

In this light I have a question, I have a prevention for html inject on my scripts, but how can I protect against them actually putting an index.html file inside my folders when my main index page is on index.php... How can I point my server just to read my index.php rather than the index.html? I think I can do that with htaccess? But im not totally a pro with the access file though, just tried to learn it in the past 6 months...

while your question is not really clear to me... you should check at the apache site mod_rewrite and maybe the directive "DirectoryIndex"

Yep I do use DirectoryIndex on my htaccess, but the problem is the hackers are able to create an index.html file on the root folder... How do I prevent this...

by securing the server?

Thanks for the Answers, yes I want to secure my server, but the problem is not on the server, maybe it's on my scripts...As I checked, theres frequent access on my php file, and maybe there is an open exploit. anyways, I hope I can plug the holes soon...

sure, what is the function from this script?

I cant pinpoint specifically yet, just discovered the problem 2 days ago, and have no time to troubleshoot it, or hard test the script...

... but there is some interaction possible with this script?

Have you contacted your host?

Those turks fellas probably are those that I know because I think they used the same trick on you.

1) There is an XSS vulnerability in your site or in another site of your server. Something like include $_GET['something'] ;
2) Check your crontab entries. They use it to get more permissions
3) Check the /tmp directory. They upload a service there (a perl script) that do this job (creating an index.html on every wwwroot directory)

Hope that helps ;)

I think in this times its not bad to disable this php directive:

allow_url_fopen = 0]

EDIT:

wrong directive:

use
allow_url_include = 0

hm... just noticed that this setting is for servers with php 5.2 or higher

Do they hacked one site or the whole server?

Are your sites running in safe mode?

Another tip. Run this from SSH in your htdocs directory :


Those hack scripts usually don't run with root privileges so there will be no way for them to touch your files this way.

actually on those 3 sites, the two subdirectories and the first attack was a full home page defacement, the home page defacement was due to an insecure host... the subdirectory attacks I think and might be due to my sloppy PHP security...