I'm running a LAMP server with CentOS 5, cPanel, suPHP, mod_security, CSF, etc. The website is being hacked with eval(Base64_decode(... being inserted into some PHP script. Also, other .php script pages are being created in some of the website directories. I understand from research that this is a common hack. I am looking for techniques to improve the protection of my site to prevent this.
I assume that there must be a problem with my file owner, group and permission settings for an external user to be able to modify the code on pages and to create script pages.
My question is about what those settings should be. Currently I have:
Directories - owner and group are set to the same. This is the username of the FTP user that I use to upload changes to the site. The permissions are set to 755.
Files - owner and group are set to the same. This is the username of the FTP user that I use to upload changes to the site. The permissions are set to 644.
Apache - httpd.conf is set to use nobody as both user and group.
suPHP - the UserGroup directive in httpd.conf is set to the same user/group as my files and directories.
I have googled this topic, and so I understand that with Apache set to nobody, website users should be using the 'other' permissions on files and directories. This would mean read access only. However, suPHP uses the permissions of the file owner/group when executing PHP pages. This means read/write permissions. This is meant to be safer, but does not seem so, as it allows PHP pages to be modified.
Clearly I have a gap in my understanding and would welcome some advice to stop the hack.
BTW: I have looked into preventing base64_decode in php.ini, but it is used legitimately on the site at the moment. I have also looked into using Suhosin to disable eval(), but again that is legitimately used in some places too.
Any help and advice would be very appreciated.
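The following is an added example, not part of the original question or of any answer to it: a POSIX sh audit script for the three symptoms the question describes (the eval(base64_decode(...)) pattern appearing inside PHP files, new .php files appearing, and permissions or ownership that let another account write into the site), plus a helper that resets the tree to the 755/644 layout the question already uses. It assumes the document root and the FTP/suPHP account are passed as arguments; the sample site it builds is constructed for trying the checks offline and is not real data from the question.

```shell
#!/bin/sh
# Added example, not from the original post. Audit a site tree for the symptoms
# described in the question. Assumptions: $1 is the document root, $2 (optional)
# is the account that should own every file; POSIX find/grep/chmod/touch.

# Files containing the eval(base64_decode( pattern. PHP function names are
# case-insensitive (the question shows "Base64_decode"), so grep uses -i.
find_injected_php() {
    docroot="$1"
    find "$docroot" -type f -name '*.php' -exec grep -liE \
        'eval[[:space:]]*\([[:space:]]*base64_decode[[:space:]]*\(' {} + 2>/dev/null | sort
}

# PHP files created or modified within the last N days (default 7). Dropped
# scripts show up here even when their contents are obfuscated beyond the grep.
find_recent_php() {
    docroot="$1"; days="${2:-7}"
    find "$docroot" -type f -name '*.php' -mtime "-$days" 2>/dev/null | sort
}

# Files and directories writable by group or other. With the FTP user as owner,
# 644/755 is the target; anything looser lets other local accounts, including
# whatever runs as "nobody", alter site code.
find_writable() {
    docroot="$1"
    find "$docroot" \( -perm -020 -o -perm -002 \) 2>/dev/null | sort
}

# Anything not owned by the expected account (user name or numeric uid).
find_foreign_owner() {
    docroot="$1"; owner="$2"
    find "$docroot" ! -user "$owner" 2>/dev/null | sort
}

# Reset the tree to 755 directories / 644 files. Ownership is left alone; run
# chown as root separately if find_foreign_owner reports anything.
harden_perms() {
    docroot="$1"
    find "$docroot" -type d -exec chmod 755 {} +
    find "$docroot" -type f -exec chmod 644 {} +
}

# Constructed sample site (hypothetical content): one clean, untouched page, one
# page carrying the injected pattern, and a world-writable upload directory
# holding a freshly dropped script. Prints the temporary directory path.
make_sample_site() {
    umask 022
    site="$(mktemp -d)"
    mkdir -p "$site/includes" "$site/uploads"
    printf '<?php echo "hello";\n' > "$site/index.php"
    printf '<?php eval(Base64_decode("ZWNobyAiaGkiOw=="));\n' > "$site/includes/footer.php"
    printf '<?php system($_GET["c"]);\n' > "$site/uploads/dropped.php"
    chmod 777 "$site/uploads"
    chmod 666 "$site/uploads/dropped.php"
    touch -t 200901010000 "$site/index.php"   # old page, not recently modified
    printf '%s\n' "$site"
}

# Usage: sh audit.sh /home/ftpuser/public_html ftpuser
if [ $# -ge 1 ]; then
    echo "== files containing eval(base64_decode( =="; find_injected_php "$1"
    echo "== PHP files changed in the last 7 days =="; find_recent_php "$1"
    echo "== group/world writable =="; find_writable "$1"
    [ $# -ge 2 ] && { echo "== not owned by $2 =="; find_foreign_owner "$1" "$2"; }
fi
```

Two caveats on reading its output. The grep is only a first pass: injected code is often split across variables or wrapped in a second layer of encoding, so an empty result does not prove the tree is clean, which is why the recent-modification and writability checks are run alongside it. And because suPHP runs each script as the file's owner, tightening to 644/755 stops other local accounts from writing into the site but not a script that is already executing as the owner, so the first modified file is worth tracing back to how it was written (the FTP credentials, or an upload or include path in the site's own code) rather than only re-cleaning it.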