Hacker inserted script in PHP web pages

Today one of my PHP websites was hacked -- 3 times! I'm trying to figure out how it was done and prevent it from happening.

6 pages and 6 include files had the same script inserted at the start.

<?php eval(gzinflate(base64_decode(...))); ?>

deflating it reveals that the script is supposed to redirect to an online pharmacy page.

Now ... how???

The server runs Ubuntu, apache2, and PHP5.

It happened at 6:35 this morning.  Again at 12:15 and 3:15 this afternoon.

The changed files all had the same timestamp.  It was the same set of files each time.  So I believe this is scripted.

The FTP server log shows no activity at the time in question.  The Apache log shows no unusual requests or query strings.  The first time, auth.log showed that "nobody" had successfully done an su as root.  I changed "nobody" to have a shell of /bin/false.

What else should I look for to determine the security hole being exploited?

Thanks!
Daniel Wilson asked:
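The question asks what to look for. A first step is to find every file that carries the injected prologue and read the payload without running it. The following is an added example in Python, not code from the question or from anyone in this thread. PHP's gzinflate() is raw DEFLATE, so zlib.decompress(data, -15) reverses it; the regex signature, the throwaway webroot, the nested "dropper" and the pharmacy redirect string are all constructed for the demonstration.

```python
import base64
import os
import re
import tempfile
import zlib

# Signature of the injected prologue from the question: eval() fed by
# gzinflate(base64_decode("...")). PHP's gzinflate() is raw DEFLATE, which is
# zlib.decompress(data, -15) in Python. The regex is a constructed signature.
INJECT_RE = re.compile(
    rb"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)\s*\)"
)


def decode_eval_chain(blob: bytes) -> bytes:
    """Statically unwrap base64+gzinflate layers without executing anything.
    Droppers are often nested, so keep unwrapping while the output still
    matches the signature; return b"" when the blob is clean."""
    m = INJECT_RE.search(blob)
    if not m:
        return b""
    try:
        code = zlib.decompress(base64.b64decode(m.group(1)), -15)
    except (zlib.error, ValueError):
        return m.group(0)   # matched but undecodable: still report the raw match
    inner = decode_eval_chain(code)
    return inner or code


def scan_webroot(root: str):
    """Return [(path, decoded_payload)] for every .php/.inc file under root
    whose head carries the eval(gzinflate(base64_decode())) prologue."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if not name.endswith((".php", ".inc")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                head = f.read(64 * 1024)   # the injection sits at the top of the file
            decoded = decode_eval_chain(head)
            if decoded:
                hits.append((path, decoded))
    return hits


def forge_injection(php_code: bytes, layers: int = 2) -> bytes:
    """Constructed test fixture, not a real dropper: wrap php_code the way the
    injected line in the question does, `layers` times."""
    out = php_code
    for _ in range(layers):
        co = zlib.compressobj(wbits=-15)           # raw DEFLATE, what gzinflate() expects
        raw = co.compress(out) + co.flush()
        out = b'eval(gzinflate(base64_decode("' + base64.b64encode(raw) + b'")));'
    return b"<?php " + out + b" ?>\n"


def demo():
    """Build a throwaway webroot: two infected files (one nested twice, one
    once) and one clean file, then scan it."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "inc"))
    redirect = b'header("Location: http://pharmacy.example/");exit;'   # constructed payload
    clean = b"<?php echo 'hello'; ?>\n"
    for name, body in [("index.php", forge_injection(redirect) + clean),
                       ("inc/db.inc", forge_injection(redirect, layers=1) + clean),
                       ("about.php", clean)]:
        with open(os.path.join(root, name), "wb") as f:
            f.write(body)
    return scan_webroot(root)


if __name__ == "__main__":
    for path, payload in demo():
        print(path, "->", payload.decode(errors="replace"))
```

Run it against the real document root instead of the fixture by calling scan_webroot("/var/www") as a user that can read the files; the decoded payload is what the eval() would have executed, and comparing the set of hit paths against the six pages and six includes from the question tells you whether anything else was touched. Never paste the base64 string into php -r to "see what it does": the static decode is the point.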
Ray Paseur commented:
Who is your hosting company?  Is your site running a CMS or framework?
0
Daniel Wilson (author) commented:
I have a small company hosting my dedicated virtual machines.

No, there is no CMS or framework.

There are a couple of upload spots for CSV files ... but those areas were not touched in the attack.
0
Gary commented:
Check your cron jobs; it sounds like they have a script running on the server checking whether the hack is still in place.
And harden your server.
Have you got a firewall installed like LFD?
Have you changed SSH to key authentication only, have you changed the default port?
Is your FTP using a real password - that means nothing like your birthday but like this
qx>m9*g;rN
0
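Gary's suggestion that a cron job is re-applying the infection can be checked mechanically: list every job cron will run, flag commands that look like a dropper, and test each schedule against the three incident times from the question (6:35, 12:15, 15:15). The following is an added example in Python, not code from Gary or anyone else in the thread. The three cron locations are the real Debian/Ubuntu ones; the "suspicious command" pattern and the fixture (a benign logrotate job plus a planted www-data crontab) are constructed for the demonstration.

```python
import os
import re
import tempfile

# Where cron on Debian/Ubuntu reads jobs from, and whether the line format
# carries a user field (system files do, per-user spool files do not).
CRON_LOCATIONS = [("/etc/crontab", True), ("/etc/cron.d", True),
                  ("/var/spool/cron/crontabs", False)]

# Commands a re-infection job would plausibly use. Constructed heuristic.
SUSPICIOUS = re.compile(r"base64|gzinflate|wget|curl|php -r|/var/www|/tmp/|/dev/shm|\|\s*sh\b")


def parse_cron_file(path, system_wide):
    """Return one dict per job line: schedule fields, user and command."""
    jobs = []
    with open(path) as f:
        for line in f:
            line = line.strip()
            if not line or line.startswith("#") or "=" in line.split()[0]:
                continue                     # blank, comment or VAR=value assignment
            if line.startswith("@"):         # @reboot/@daily: one schedule token
                parts = line.split(None, 2 if system_wide else 1)
                parts = parts[:1] * 5 + parts[1:]   # pad to the five-field shape
            else:
                parts = line.split(None, 6 if system_wide else 5)
            if len(parts) < (7 if system_wide else 6):
                continue
            jobs.append({"file": path,
                         "user": parts[5] if system_wide else os.path.basename(path),
                         "minute": parts[0], "hour": parts[1], "command": parts[-1]})
    return jobs


def _field_matches(field, value, lo, hi):
    """Does a crontab field ('*', '*/15', '0,30', '1-5', '5') cover value?
    Raises ValueError on @-style or malformed fields."""
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step = part.split("/", 1)
            step = int(step)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            start, end = (int(x) for x in part.split("-", 1))
        else:
            start = end = int(part)
        if start <= value <= end and (value - start) % step == 0:
            return True
    return False


def would_fire(job, hour, minute):
    """True if the job's minute and hour fields cover the given wall-clock time
    (day/month/weekday fields are ignored for this triage)."""
    try:
        return (_field_matches(job["minute"], minute, 0, 59)
                and _field_matches(job["hour"], hour, 0, 23))
    except ValueError:
        return False


def audit(locations=CRON_LOCATIONS, incident_times=()):
    """Collect every job that looks suspicious or whose schedule covers one of
    the incident times; incident_times is [(hour, minute), ...]."""
    findings = []
    for loc, system_wide in locations:
        if not os.path.exists(loc):
            continue
        paths = [loc] if os.path.isfile(loc) else [
            os.path.join(loc, n) for n in sorted(os.listdir(loc))]
        for path in paths:
            for job in parse_cron_file(path, system_wide):
                job["suspicious"] = bool(SUSPICIOUS.search(job["command"]))
                job["fires_at"] = [t for t in incident_times if would_fire(job, *t)]
                if job["suspicious"] or job["fires_at"]:
                    findings.append(job)
    return findings


def demo():
    """Constructed fixture: a benign logrotate job in cron.d and a planted
    re-infection job in www-data's spool crontab."""
    root = tempfile.mkdtemp(prefix="cron-audit-")
    cron_d, spool = os.path.join(root, "cron.d"), os.path.join(root, "crontabs")
    os.makedirs(cron_d)
    os.makedirs(spool)
    with open(os.path.join(cron_d, "logrotate"), "w") as f:
        f.write("SHELL=/bin/sh\n0 6 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n")
    with open(os.path.join(spool, "www-data"), "w") as f:
        f.write("# planted by the intruder (constructed)\n"
                "15 */3 * * * php -r 'eval(gzinflate(base64_decode(\"...\")));' >/dev/null 2>&1\n")
    return audit([(cron_d, True), (spool, False)],
                 incident_times=[(6, 35), (12, 15), (15, 15)])


if __name__ == "__main__":
    for job in demo():
        print(job["file"], job["user"], job["minute"], job["hour"], job["command"],
              "suspicious" if job["suspicious"] else "", job["fires_at"])
```

On the live box, audit() with its default locations must run as root to read /var/spool/cron/crontabs. A job that is not suspicious by pattern but whose schedule lines up with the file timestamps deserves the same attention as an obvious one, which is why the audit keeps both criteria. If nothing matches, the re-infection is coming from somewhere cron does not show you (an at job, a still-open shell, or a fresh exploit each time), and the hour-and-minute match at least rules cron out.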
Seth Simmons (Sr. Systems Administrator) commented:
What version of PHP and Apache?
Maybe they could have exploited some vulnerability in either one.
0
COBOLdinosaur commented:
There are a couple of upload spots for CSV files ... but those areas were not touched in the attack.

If I was going to hack your site, I would never do any damage at the entry point for the attack vector.  Do not assume any area or operation is secure because there was no damage to it.  Uploads are a common entry point for attacks; check and double-check that you have done everything to ensure that all uploads are secure, sanitized, validated, and if necessary authenticated.

I would never allow file uploads without a custom security level that requires some type of authentication.

Cd&
0
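COBOLdinosaur's point is that an upload endpoint must be validated by content, not by the file name the client sent, and that the login gate in front of it is not a substitute for that validation. The following is an added example in Python, not code from COBOLdinosaur or from the site discussed here, of what "sanitized and validated" means for a CSV upload: the stored name is random and chosen by the server, the extension check is only a first filter, and the bytes are rejected if they contain anything that could be interpreted as code or do not parse as a CSV of the expected shape. The size limit, marker list and expected-column rule are constructed for the demonstration; the authentication check itself is assumed to happen before this function is called.

```python
import csv
import io
import os
import re
import secrets

MAX_BYTES = 5 * 1024 * 1024   # constructed limit for the demonstration
# Anything that would let the file be interpreted as code if it ever ended up
# under the webroot with the wrong handler. Constructed marker list.
CODE_MARKERS = re.compile(rb"<\?|<%|<script", re.IGNORECASE)


class UploadRejected(ValueError):
    """Carries a reason for the server log; the client only sees a generic error."""


def validate_csv_upload(client_name: str, data: bytes, expected_columns: int) -> str:
    """Validate an uploaded CSV by its content, never by the name the client
    chose, and return a random server-side file name to store it under
    (outside the webroot). Raises UploadRejected on any failure."""
    base = os.path.basename(client_name.replace("\\", "/"))
    if os.path.splitext(base)[1].lower() != ".csv":
        raise UploadRejected("extension")
    if not data or len(data) > MAX_BYTES:
        raise UploadRejected("size")
    if b"\x00" in data:
        raise UploadRejected("null byte")
    if CODE_MARKERS.search(data):
        raise UploadRejected("embedded code marker")
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        raise UploadRejected("not utf-8") from None
    rows = list(csv.reader(io.StringIO(text)))
    if not rows:
        raise UploadRejected("empty")
    for lineno, row in enumerate(rows, 1):
        if len(row) != expected_columns:
            raise UploadRejected(f"line {lineno}: {len(row)} columns, expected {expected_columns}")
    # The client-supplied name is never used for storage; only the content survives.
    return secrets.token_hex(16) + ".csv"


def is_accepted(client_name: str, data: bytes, expected_columns: int) -> bool:
    """Convenience wrapper for callers that only need a yes/no."""
    try:
        validate_csv_upload(client_name, data, expected_columns)
        return True
    except UploadRejected:
        return False


if __name__ == "__main__":
    print(validate_csv_upload("report.csv", b"id,name\n1,alice\n", 2))
    print(is_accepted("shell.php", b"<?php system($_GET['c']); ?>\n", 1))
```

The returned name should be joined to a directory that Apache does not serve, and the CSV should be re-read from that copy by the import code rather than from the request body, so that nothing the attacker controls ever decides a path or a file name under /var/www.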
Daniel Wilson (author) commented:
Before the 3:15 hack I had turned off the only cron job I considered suspicious.

Now ... I have changed the files' permissions to 644, down from 664.  Maybe ... that will do the trick ...

My password ... isn't as bad as my birthday ... but could stand to be upgraded.

I'll look into some of the hardening you recommend.  The network is firewalled, but not this particular server.  Most ports are blocked by the hosting provider ... but those I need open are open.  I haven't checked into changing SSH to key authentication.  I'll research how to do that without shutting myself out.
0
Gary commented:
I would disable SSH and FTP temporarily - I assume you have some server management software through which to do this but still be able to re-enable them.
Cd& brings up a good point about sanitizing uploads.

Most ports are blocked by the hosting provider
Is this a managed or unmanaged VPS?

The network is firewalled
Is this hosted externally or by you?
0
Daniel Wilson (author) commented:
One must log into the application to upload the CSV files.  But no file artifacts remained in those areas ...

As for versions ...
PHP Version 5.2.4-2ubuntu5.27
Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.27 with Suhosin-Patch

thanks!
0
Daniel Wilson (author) commented:
My hosting provider runs firewalls and opens only the ports I request to my VPS.  They leave the management of the VPS to me.  I can pay for some extra work, and they do good work ... but ... that work is kind of expensive, so I do as much as I can myself.
0
Gary commented:
Normally if the VPS is unmanaged then that means it is not firewalled and all ports are open unless you close them.
Either way I would never trust the host on an unmanaged plan to do anything. They are not getting paid to do it.
The point of an unmanaged server is that you can do whatever you want with it.

So I would be a bit worried that your server is not firewalled - software like LFD monitors who is accessing your server and can quickly block suspicious attempts, e.g. someone trying to log into your SSH could be blocked after 5 attempts, ditto with FTP etc.  It also reports suspicious activity on your server to you.
0
COBOLdinosaur commented:
Logins are like locked doors.  They are not going to stop a serious hacker. A lock can be picked, and a login is just a minimal barrier. Anything that is uploaded has to be sanitized and validated before you allow it to be processed, saved or used.  The correct way to treat incoming data from any source is to assume it is malicious until you have determined that it is not.

Cd&
0
Daniel Wilson (author) commented:
Thanks!  Though I still don't know how he got in, you've helped me close some things down.
0
COBOLdinosaur commented:
Good luck.  Watch your error logs closely.  Sometimes hackers will cause error log entries, so if you see anything out of the ordinary it is worth checking and making note of the IP.  Even if the IP is spoofed or an open proxy it is information, and that is what you need if the hacker continues attacking.

Cd&
0