Got Hacked, advise needed

One of my sites was found with spam links included in the index.php

the site has no database
just a simple contact form (that uses mail())

I found "prefer.php" file in my public_html/lib/
that was actually doing the insertion/injection in index.php
but how did it get there (I can send it if anyone wants to see it)

I am sanitizing/filtering all the inputs for email headers injection
but maybe not correctly for XSS attacks or PHP remote inclusion

are there some patterns I should be scanning for ??

should I include any directives in .htaccess ??

How can someone write a file on my server with
just exploiting a contact form ??

any pointers/advice would be greatly appreciated

[Promote your blog for free....]

So the prefer.php wrote  to the index.php?

In any case if something wrote to any page of your site, you should check the scripts that use the fopen() and fwrite() functions.

An other thing you should check is other directory index files (index.php on www root folders) that have the same problem. If this is the case then someone hacked the server and you should contact your hosting company (or let me know if it is your own server)

Good luck

thanks for the reply Nikola,

the server is not mine so I also asked the admin
they told me that I should alwasy have my .php files as CHMOD 644
apparently I did not have them

Would that be enough for them to get access ??

I will check all my fopen, fwrite functions but I am pretty sure
the filenames for them are hardcoded
that does not cause a problem right ??

I did not understand this part though
----------
An other thing you should check is other directory index files (index.php on www root folders) that have the same problem.
---------

[Free WordPress Themes]

sounds to me that the provider is hiding some problem, I had the same problem before with a shared hosting account.

look the hacker is not some stranger, I think it's another customer

Olaf thanks for you input,
It is indeed hosted on a shared host.

2 support guys concluded that keeping the .php files as 644
will prevent other attacks

They were both definite about that !!!
But never offered to explain how such a think could have happened !

[Free WordPress Themes]

what permissions do you have for these files? a normal server will use 644 as default

I never knew that I should be worried about this
but now I will, everything is turned to 644

[Free WordPress Themes]

I never knew that I should be worried about this
but now I will, everything is turned to 644

if you upload a file this should be 644 automatically or the server is wrong configured

I feel for you Giorgios. One of my database driven sites apparently become a target on a Vietnamese hacker forum. It seemed that they figured out I was using a vulnerable script and encouraged their members to post that forum's banners and links on my site. Don't some folks have anything better to do with their time?

Hopefully, your problem is much easier to fix and you will get your site fully secure quickly.

[Free WordPress Themes]

This 3rd party script are big problems, even Wordpress is a risk since there are problems in the past. These days I bought a website with some custom script, it is so bad scripted that I think about to move the whole thing into the RB.

[Promote your blog for free....]

These guys usually use an XSS vulnerability to include a remote script to your code. Then they use the /tmp folder to install an application that checks all the www directory index files (index.php on every site) and deface it.

In addition there is another vulnerability which may gives them the right to run their app as root, which means that your files will be defaced anyway (this is a problem with crontab)

I never knew that I should be worried about this
but now I will, everything is turned to 644

if you upload a file this should be 644 automatically or the server is wrong configured

I have probably changed the file permissions after uploading them.
The hosting company has been great so far, everything works as advertised and the support questions are usually answered within the hour.

These guys usually use an XSS vulnerability to include a remote script to your code. Then they use the /tmp folder to install an application that checks all the www directory index files (index.php on every site) and deface it.

In addition there is another vulnerability which may gives them the right to run their app as root, which means that your files will be defaced anyway (this is a problem with crontab)

Olaf and Nick
Its my own script, simple of course but does don't allow input with

content-type:
bcc:
cc:
document.cookie
onclick
onload
;
~
|

Anything else I should be checking at ??

[Promote your blog for free....]

You should check if you are including files from $_GET or $_POST. For example :

 include $_GET['action'] . '.php';

You should check if you are including files from $_GET or $_POST. For example :

 include $_GET['action'] . '.php';

Thanks Nikolas but I was not doing anything that dangerous !!

[Guest]

[35.548]

Yahoo crawler, Baidu Spider, mybaseballcards, Msnbot