I've seen this kind of thing happen a number of times. Do you have register_globals set to On or Off? (Set it to Off and if your programs break as a result, update the way you use the PHP global variables - you just have to refer to them more specifically than before syntax-wise - examples are all over the web.)
Next up, if that's a no, often they come through a vulnerable formmail or email script or any script that allows uploading of files. Make sure all scripts you've downloaded from free providers are up to date - if you have mail scripts, replace them with Tectite's formmail replacement. Fantastically secure and they update it constantly. (A simple Google search for Tectite formmail should do.)
The next most likely culprit is a blended (multiple phase) attack that started with MySQL injection - if you are using a database. Two things need to be done at the minimum - audit all your code... and before any query is processed make sure the variable that is holding the query string is run through
PHP Code:
// $link is the open mysqli connection; it is the required first argument
mysqli_real_escape_string($link, $query_string);
The next thing is to look at the fields in your database and use either regular expressions or PHP's substitute string handling functions to strip all unnecessary characters from each piece of data. Obviously a name field isn't going to have brackets and symbols - but don't bother individually specifying all the symbols to take out, because MySQL takes multiple character sets into account and symbols are not represented by the same data from one character set to the other. Instead use functions/regexes that basically allow all alphanumeric characters and deny everything else. Regular expressions are more versatile but PHP's str_replace is simpler to learn and gets the job done.
That's a start. There are plenty more possibilities but those are the more common simpler attacks. You do need to have a good look through your code and database to see if there's more stuff in there you don't recognize since the attack... you might want to establish when the hacker first got in (could be weeks before he actually did anything) and restore a backup from before then - then update the code.
Good luck. A search for PHP security tutorial should give you ideas for more best practices and angles of attack.
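The allow-list validation and per-value escaping described in the post above, as an added example that is not the poster's own code. It assumes a mysqli connection $link to a constructed table users(name, email); it escapes each value with the connection handle rather than the whole assembled query, and shows a prepared statement as the stronger alternative.

```php
<?php
// Added example, not from the original post. Assumes a mysqli connection
// $link and a table `users(name, email)`; table and inputs are constructed.

// Allow-list validation: accept only the characters a field legitimately
// needs and reject everything else, instead of enumerating "bad" symbols.
function validate_name(string $name): ?string {
    // letters, digits, spaces, hyphens and apostrophes, 1..64 characters
    return preg_match("/^[A-Za-z0-9 '\\-]{1,64}$/", $name) ? $name : null;
}

function validate_email(string $email): ?string {
    return filter_var($email, FILTER_VALIDATE_EMAIL) ?: null;
}

// Escape each VALUE with the connection handle, never the assembled query.
function insert_user_escaped(mysqli $link, string $name, string $email): bool {
    $n = mysqli_real_escape_string($link, $name);
    $e = mysqli_real_escape_string($link, $email);
    return (bool) mysqli_query($link,
        "INSERT INTO users (name, email) VALUES ('$n', '$e')");
}

// Stronger form: a prepared statement keeps data out of the SQL text entirely.
function insert_user_prepared(mysqli $link, string $name, string $email): bool {
    $stmt = $link->prepare("INSERT INTO users (name, email) VALUES (?, ?)");
    $stmt->bind_param("ss", $name, $email);
    return $stmt->execute();
}

// Constructed inputs: the second name contains characters outside the
// allow-list and is rejected before it ever reaches the database.
$inputs = [
    ["Jane O'Brien", "jane@example.com"],
    ["Bob; -- <script>", "bob@example.com"],
];
// Placeholder credentials for the constructed database.
$link = new mysqli("localhost", "app_user", "app_password", "appdb");
foreach ($inputs as [$rawName, $rawEmail]) {
    $name = validate_name($rawName);
    $email = validate_email($rawEmail);
    if ($name === null || $email === null) {
        error_log("rejected input: " . json_encode($rawName));
        continue;
    }
    insert_user_prepared($link, $name, $email);
}
```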