How to Prevent PHP Execution in HTML pages?

We were (are?) hacked by the famous "Pharma Hack", which we are fairly certain is a hole in WordPress. The hackers are only able to read and write files for the one user on this one domain. This domain uses static HTML files and only a single directory for PHP/WordPress:

/public_html/
    / many different folders, with plain html files

   /blog
     # word press is installed here

Now, these hackers are able to write to locations like

/tmp
/var/lib/Dovecot/control/ThisDomainUserMailAccount Directory

What they are doing is cloning existing pages in

/public_html
     /flowers
        index.html  # where this file will have a single line of PHP inserted at the top; it executes a base64 encoded string which, when decoded, looks like "include /var/lib/Dovecot/control/thisDomain/boc

this "boc" file (and others) are copies of, e.g. /public_html/flowers/index.html

with links to online pharmacies for Cialis and Viagra.

Google crawls our site... the line causes the "boc" file to be inserted on top of the flowers/index.html...

Later if you search "Mydomain Flowers" in Google you will see cached pages with the Pharma links.

NOW: we are undertaking steps to harden security and upgrade everything. But I want to prevent future attacks.

I need one thing today:

How do I prevent the execution in any file on the server that is outside of

/public_html
  /blog # Word Press is here; PHP needs to execute

  /Flowers
    index.html # is here... even if a php script is added to the page, I don't want it to be executable.

what do we do?

SivakatirswamiAsked:

CraisisCommented:
This is dependent on what server software you are running. In basic terms, set up your webserver to run inside a chroot.

If you tell me which server you are using (nginx, apache, etc.) I might be able to help with more details.

-David
acbxyzCommented:
Whether the page is parsed through PHP or not is decided by your webserver.
Which is it? Apache?
How much can you change the config? Your server or an ordinary web space from a hoster?

Using apache and with full config file access, you can limit parsing .php-files through php (module or cgi) on the folder /var/www/.../blog

If the filenames remain index.html, PHP code will never be executed by a correctly configured webserver. But if something like index.php is in your DirectoryIndex, maybe with a higher priority than index.html, this will be executed by using "domain.tld/folder/" only.
Abhijeet RananawareWeb & Mobile DeveloperCommented:

SivakatirswamiAuthor Commented:
1) We are running CentOS and Apache

2) I have set the "parsed pages" to both .html and .shtml (because we use a lot of server side includes in both .html and .shtml)

3) it is a dedicated server and I have access to everything including the core httpd.conf

4) we use Virtualmin and Webmin as our control panel (but these only read settings for an otherwise standard Linux web server configuration, unlike Plesk or cPanel or Ensim)

we are using the php_module to implement PHP...
CraisisCommented:
For apache2 I would setup mod_chroot following the instructions at http://www.cyberciti.biz/tips/chroot-apache-under-rhel-fedora-centos-linux.html

This does increase some of the tediousness when working with it, but the increase is well worth it IMO.

-David
SivakatirswamiAuthor Commented:
@abhijit

We are working on the very process described at the sites you gave in these links. But I want an answer to this question to "harden" this particular domain even more, i.e. restrict execution of PHP to only /blog.

@ craisis/david: each domain is chrooted... the hacker can act (and is only acting) inside this one domain... I can tell by where he pokes files that he can only write to directories with permission for this one user (we have 6 other domains running on the same machine). I have grepped the entire server for rogue files repeatedly and they *only* ever appear in this one domain or system folders that accept writes from this user (like the mail folder for this user in Dovecot), and they are only being written by the PHP scripts inserted at the top of files. So if we migrate to a new machine, upgrade and harden everything, I still want to lock PHP execution into /blog (WordPress) only.

SivakatirswamiAuthor Commented:
@ Craisis:

RE chroot... wow, this looks great...we will definitely implement this on our new box we are setting up in Jan....

but php can still run inside the jail "above" /blog  

acbxyzCommented:
How do you tell Apache it should parse pages through PHP? And are you using the Apache module mod_php?
LoadModule php5_module /path/to/libphp5.so
...
<FilesMatch "\.ph(p|tml)$">
SetHandler application/x-httpd-php
</FilesMatch>

In this case, you only need to limit the SetHandler to the desired directory:
# <FilesMatch> cannot be nested inside <Location>; use the filesystem path of /blog instead
<Directory "/path/to/public_html/blog">
<FilesMatch "\.ph(p|tml)$">
SetHandler application/x-httpd-php
</FilesMatch>
</Directory>

SivakatirswamiAuthor Commented:
I was wrong. I searched httpd.conf for "LoadModule php*" and it is not there... Instead our control panel (Virtualmin) uses per-domain directives like this:

where this is the home directory for one web domain

# all directives for this domain go here
<VirtualHost ####.###.###.###:80>

<Directory /home/myDomain/public_html>
Options Indexes Includes FollowSymLinks ExecCGI
allow from all
AllowOverride All
AddHandler fcgid-script .php
AddHandler fcgid-script .php5
FCGIWrapper /home/myDomain/fcgi-bin/php5.fcgi .php
FCGIWrapper /home/myDomain/fcgi-bin/php5.fcgi .php5
</Directory>

</VirtualHost>

So presumably this would work


<Directory /home/myDomain/public_html>
    Options Includes FollowSymLinks ExecCGI
    allow from all
    AllowOverride All
</Directory>

# the above means no PHP will be executed in the public_html directory
# but if we add this, will it then work in the /blog directory?

<Directory /home/myDomain/public_html/blog>
    Options ExecCGI
    # do we need this?
    allow from all
    # do we need this?
    AllowOverride All

    # the following should allow PHP to run, right?
    AddHandler fcgid-script .php
    AddHandler fcgid-script .php5
    FCGIWrapper /home/himalayan/fcgi-bin/php5.fcgi .php
    FCGIWrapper /home/himalayan/fcgi-bin/php5.fcgi .php5
</Directory>

I don't know why there are double entries -- one for .php and a second one for .php5??
SivakatirswamiAuthor Commented:
Furthermore, I see these options and I'm not sure which is better or safer:

PHP Run As:
__ Apache mod_php (run as Apache's user)
__ CGI wrapper (run as virtual server owner)
*  FCGId (run as virtual server owner)

i.e. currently set to run as FCGId but could run as Apache mod_php

but FCGId appears to be the default on domain set up.
acbxyzCommented:
<VirtualHost ####.###.###.###:80> # all directives for this domain here
  <Directory /home/myDomain/public_html>
    Options  Includes FollowSymLinks (*1)
    allow from all
  </Directory>

  <Directory /home/myDomain/public_html/blog>
    Options ExecCGI (*2)
    (*3)
    AllowOverride All # do we need this? (*4)

    AddHandler fcgid-script .php
    AddHandler fcgid-script .php5
    FCGIWrapper /home/himalayan/fcgi-bin/php5.fcgi .php
    FCGIWrapper /home/himalayan/fcgi-bin/php5.fcgi .php5
  </Directory>
</VirtualHost>

*1 no ExecCGI needed here
*2 I'm not sure if it is needed here; I'm just using mod_php5.
*3 Allow from all is defined in public_html and doesn't need to be defined twice
*4 If you use .htaccess-files, this is needed. But can be limited more, see http://httpd.apache.org/docs/2.2/en/mod/core.html#allowoverride

The double AddHandler and FCGIWrapper are for file suffixes.

Ray PaseurCommented:
Regarding this: what do we do?

Change hosting companies at once.  Consider using ChiHost.com (I do).  Sorry for your trouble, ~Ray
SivakatirswamiAuthor Commented:
Why change hosting companies? Does it mean you don't trust the staff?

This exploit is from inside WordPress. If the staff of the hosting company wanted to access the box we would be seeing a lot more issues.

katir

Ray PaseurCommented:
This is just my personal opinion and does not reflect on your hosting company.  ChiHost.com has alerted me to numerous WordPress threats over the years.  They are on top of the current issues, they have scanned my code in their server libraries and they have notified me of the threats and the need to upgrade or restrict access to the pages.  I found this kind of service gave me enough confidence to continue using WordPress.

A good alternative might be to use Blogger.

I use and endorse ChiHost.com voluntarily - they do not pay me; I pay them.  I am a happy customer, that's all.  Best of luck getting things sorted out.
SivakatirswamiAuthor Commented:
@acbxyz:

OK the directives worked as I expected.  I'm not sure that I wasn't the one who found the solution, so do I award points to myself (smile)

1) Options +ExecCGI was required in the /blog directive or the PHP would not execute.
2) even after removing PHP from the directive for /public_html, it was still executing, and then I discovered this rogue line buried inside comments in the top .htaccess file!

Which I commented out... Yikes!

########## ADDED BY HACKERS!  Keep an eye on this!
## AddHandler application/x-httpd-php .irev .shtml .html

and now things work as expected:

Here is a page with a date stamp at the top of the html

http://www.himalayanacademy.com/resources/test.shtml

but the blog works (WordPress)

http://himalayanacademy.com/blog/taka/

I wasted a lot of time going elsewhere to figure this out... I really need to remember to come to EE First!

We won't be able to migrate to a new box and CentOS 6.0 and the latest PHP until February, so I hope my attempts to keep the criminals out for the next month will succeed, wish me luck!

Cheers from Hawaii
Ray PaseurCommented:
Cheers from Washington, DC.  For the weather alone, I wish I was in Hawaii!
SivakatirswamiAuthor Commented:
ChiHost looks good, though we need at least 8MB of RAM on a dedicated server... It's not clear if their "extreme" support for WP and other CMS applies to dedicated servers or to their hosted CMS offering.

Typically dedicated server support is limited to the OS and Apache, because the host doesn't have the same control over content management on a dedicated server -- which is totally in the hands of the client -- vs. a virtual hosting environment -- where clients are chrooted on the same box and the host runs the box; they have a little better handle on scanning and analysis.

Plus it is an issue for us with the time difference to Chicago... hosting in California is only 3 hours ahead of us..

acbxyzCommented:
########## ADDED BY HACKERS!  Keep an eye on this!
## AddHandler application/x-httpd-php .irev .shtml .html
This is what I meant about AllowOverride: it isn't needed most of the time, at least not at public_html.
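An audit helper for the two things this thread turned up (an active .htaccess handler line that maps .html/.shtml/.irev onto PHP, and static HTML pages that carry a PHP open tag), added here as an example and not code from the thread, Virtualmin or WordPress; the directory layout and the sample files it builds for a dry run are constructed.

```shell
#!/bin/sh
# Constructed audit helper (not code from this thread, Virtualmin or WordPress).
# Assumes a web root laid out like the thread's: public_html with static HTML
# folders plus a /blog directory that is the only place PHP should run.

# Print active (uncommented) .htaccess lines that bind a PHP handler to a
# non-PHP suffix such as .html, .shtml or .irev, which is how the thread's
# rogue "AddHandler application/x-httpd-php .irev .shtml .html" line re-enabled
# PHP despite the per-directory config. Prints nothing when clean.
find_handler_overrides() {
    find "$1" -name .htaccess -type f -exec grep -H -n -i -E \
        '^[[:space:]]*(add|set)(handler|type)[[:space:]]+[^#]*php' {} + 2>/dev/null \
        | grep -i -E '\.(s?html?|irev)([[:space:]]|$)' || true
}

# Print static pages (.html/.shtml/.htm) that carry a PHP open tag; a static
# site should have none, so any hit is a candidate injected file to inspect.
find_php_in_html() {
    find "$1" -type f \( -name '*.html' -o -name '*.shtml' -o -name '*.htm' \) \
        -exec grep -l -E '<\?(php|=)' {} + 2>/dev/null || true
}

# Build a small constructed tree for a dry run: one clean page, one page with
# a PHP open tag on its first line, an .htaccess with an active override plus
# a commented-out copy, and the blog's own .htaccess. Echoes the root path.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/public_html/flowers" "$root/public_html/blog"
    printf '<html><body>flowers</body></html>\n' > "$root/public_html/flowers/index.html"
    printf '<?php /* constructed marker */ ?>\n<html><body>flowers</body></html>\n' \
        > "$root/public_html/flowers/index2.html"
    printf 'Options +Includes\nAddHandler application/x-httpd-php .irev .shtml .html\n## AddHandler application/x-httpd-php .html\n' \
        > "$root/public_html/.htaccess"
    printf 'RewriteEngine On\n' > "$root/public_html/blog/.htaccess"
    echo "$root"
}

# Usage: sh audit_webroot.sh /home/myDomain/public_html
if [ -n "$1" ]; then
    find_handler_overrides "$1"
    find_php_in_html "$1"
fi
```

A SetHandler placed inside a `<FilesMatch>` block is not caught by the suffix check, so review any .htaccess the first function lists only by its handler line as well.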