Website Hacked - What Next?

niteryder

Verified User
Joined
Jun 10, 2004
Messages
35
I just noticed that one of the websites on my server was hacked into. They modified the index page and had it redirect to their page. I backed up the server and then deleted the domain and re-added it.

Aside from that, and changing the admin and root passwords, what else should I do? I have a firewall on it and I don't allow SSH from the world, only from my IPs. I also ran chkrootkit.
 
If only one site has been affected it's likely that the website itself was attacked through a vulnerability in the software it was running, and that the attacker may not have had access to root to do any damage to any other website.

However the attacker could have, as user apache, gotten into and defaced many sites; you should check all sites on your server, and the status of your PHP SafeMode Configuration settings for all your domains.

Jeff
 

All other sites look fine. What is the recommended setting for php safemode? Right now, Safe Mode & Open BaseDir are off for all domains.
 
Generally we have Safe Mode on and Open BaseDir off for all domains unless requested otherwise.

Other comments accepted :) .

Jeff
 
Same here, Jeff... I learnt my lesson the first time around :D

PS: some of the big hosts I've tried before over here have Safe Mode off... Just wondering why they have Safe Mode off by default? Do they want hackers, or are they likely employing some other method that keeps the hosting safe?

Nath.
 
I use open_basedir on (and it will be the default from the next release of DirectAdmin) and safe_mode off, because it often causes problems for clients (it's better to disable dangerous functions than to enable safe_mode). I use safe_mode on in /usr/local/lib/php.ini (for more security), but off in the virtualhosts.
 
Found a few more security issues. You should add ini_set to disable_functions, because it's very dangerous now (until PHP 5.2.5: values set with php_admin_* in httpd.conf can be overwritten with ini_set()). You should disable ~user too, because with it the virtual host settings aren't applied, so open_basedir and safe_mode aren't set either. You should disable dl() for security reasons too. And for all versions of PHP (as I mentioned) it's worth disabling functions such as: symlink, shell_exec, exec, proc_open, popen, system, passthru, escapeshellarg and escapeshellcmd. And it's recommended to have safe_mode on in /usr/local/lib/php.ini for now (it can be off for the virtualhosts).
 
Martynas, can you please write a short how-to on how to use your suggestions?

Some of us aren't php-literate.

Thanks.

Jeff
 
A how-to for the ~user part should be written by DirectAdmin, because I don't know what they're planning to do with it :) I've already reported everything, and John is planning to remove IP/~user altogether (it will be possible to enable ~user, but it will be disabled by default) and it should be changed to user.hostname.com or domain.hostname.com. :) About ini_set, it's probably better to go to PHP 5.2.5 (CVS) than to disable it. About the disable_functions and safe_mode part - you just need to edit /usr/local/lib/php.ini (probably using nano, joe or vim), and set disable_functions to something like this:
Code:
disable_functions = dl, symlink, shell_exec, exec, proc_open, popen, system, passthru, escapeshellarg, escapeshellcmd
About the safe_mode:
Code:
safe_mode = On
Maybe I'll write "How-to secure PHP&Apache" in my free time, but I can't promise :)
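The per-domain side of the setup described in this thread (safe_mode kept on server-wide in php.ini, relaxed only for a given virtualhost, open_basedir confining each site to its own tree, and ~user switched off so the virtualhost settings cannot be bypassed), written out as an added example for mod_php under Apache. This is not code from the thread or from DirectAdmin's own templates: the IP address, user and domain names, and the /home/<user>/domains/<domain>/public_html layout are assumptions, as is the use of mod_userdir's UserDir directive as the thing that provides ~user URLs on this server.

```apache
# Added example (not from the thread or DirectAdmin). Illustrates per-vhost
# PHP hardening with mod_php directives. IP, paths and names are assumptions.

# ~user URLs are served outside any <VirtualHost>, so the per-vhost
# open_basedir/safe_mode below would not apply to them. Disable them
# globally (assumes mod_userdir is what provides ~user here).
UserDir disabled

# Weak: a vhost with no PHP restrictions. PHP runs with whatever the global
# php.ini allows, so a script here can read files belonging to other
# customers on the box, and any exec()/system() call not disabled in
# php.ini is available to an attacker who gets a shell script uploaded.
<VirtualHost 192.0.2.10:80>
    ServerName   weak.example.com
    DocumentRoot /home/weakuser/domains/weak.example.com/public_html
</VirtualHost>

# Hardened: the same vhost with the settings discussed above.
<VirtualHost 192.0.2.10:80>
    ServerName   example.com
    ServerAlias  www.example.com
    DocumentRoot /home/exampleuser/domains/example.com/public_html

    # Confine PHP file access to this customer's web tree plus a private
    # scratch directory. Trailing slashes matter: without one, PHP treats the
    # entry as a prefix, so "/home/exampleuser/tmp" would also permit
    # "/home/exampleuser/tmp2".
    php_admin_value open_basedir "/home/exampleuser/domains/example.com/public_html/:/home/exampleuser/tmp/"
    php_admin_value upload_tmp_dir    "/home/exampleuser/tmp"
    php_admin_value session.save_path "/home/exampleuser/tmp"

    # safe_mode stays On in /usr/local/lib/php.ini; relax it only here, for a
    # customer whose application breaks under it (Martynas' arrangement).
    php_admin_flag  safe_mode off

    # Belt-and-braces for the dl entry in php.ini's disable_functions.
    php_admin_flag  enable_dl off

    # Note: disable_functions itself cannot be set in httpd.conf; it only
    # takes effect from php.ini, which is why the list stays server-wide.
</VirtualHost>
```

php_admin_value and php_admin_flag, unlike php_value/php_flag, cannot be loosened from a .htaccess file, so a customer cannot widen their own open_basedir. The ini_set() override of php_admin_* values mentioned earlier in the thread is the one hole this does not close on its own; that is fixed by upgrading PHP or by adding ini_set to disable_functions in php.ini, as suggested above. After changing the config, run `apachectl configtest`, restart Apache, and confirm the effective values per site with a phpinfo() page (then delete it).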
 