 

How to secure my website

Tags: security, php

I know securing any website is a very tough and broad topic to discuss, but I want to relate this question to my specific website, which I've been working on. It was coded in PHP by another programmer around 2004 and I am responsible for its management. My problem is that it's being hacked time and again. I have noticed the following things when it has been hacked:

  1. The .htaccess file has been modified
  2. index.php and config.php were modified
  3. The admin password has been changed
  4. Files were uploaded to the server
  5. File permissions of files and folders were changed

I have worked on the code; it has been properly escaped and I think there is no probability of SQL injection. Since most of the problems are related to files and permissions, I have doubts about the server security, but since it was coded around 2004 it will surely lack some security, so what other things do I need to work on in my code to prevent my site being hacked in the ways mentioned above?

Thanks in advance.

uttam asked Jun 14 '12 11:06




1 Answer

Since files have been modified, this is unlikely to be due to SQL injection bugs.

Possibilities to get to the files:

  • Guess/steal your FTP password
  • Hack the server (you can't really do anything about that)
  • Insufficient isolation on the server, meaning other customers can change your files (you can't really do anything about that either)
  • Remote code execution bugs

Now, since you say the website is from 2004, it could be that it uses eval for templating, or include for things like site.php?section=foo which then includes foo.php somewhere in the code; both were done frequently back in 2004. So I'd do a quick file search for eval and for the regexes include(.*\$.*) and require(.*\$.*). Those are prime suspects, depending on how they were used.

mensi answered Oct 16 '22 04:10
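The file search the answer recommends, written out as a runnable script. This is an added example, not code from the original question or answer: it assumes a POSIX shell with find and grep supporting -E and -H, and the two PHP files it scans are constructed sample data, not the asker's site. The patterns flag eval( calls and any include/require (or the _once forms) whose argument contains a $variable before the terminating semicolon, which is the site.php?section=foo shape the answer describes.

```shell
#!/bin/sh
# Added example, not code from the original post: locate the "prime suspects"
# the answer names (eval, and include/require whose target contains a $variable)
# in a PHP source tree. Assumes POSIX sh plus find and grep with -E/-H.

# scan_php_suspects DIR
# Prints file:line:text for every eval( call and every include/require
# (optionally _once) whose argument contains a variable before the ';'.
scan_php_suspects() {
    find "$1" -name '*.php' -exec grep -HnE \
        -e '(^|[^[:alnum:]_])eval[[:space:]]*\(' \
        -e '(^|[^[:alnum:]_])(include|require)(_once)?[[:space:]]*\(?[^;]*\$' \
        {} +
}

# make_sample_tree: writes a constructed two-file PHP tree (sample data, not
# the asker's site) into a temp dir and prints its path.
make_sample_tree() {
    dir=$(mktemp -d)
    cat > "$dir/site.php" <<'EOF'
<?php
$section = $_GET['section'];
include($section . '.php');            // path comes straight from the query string
require_once 'config.php';             // static target, not flagged
eval('$total = ' . $_POST['expr'] . ';'); // evaluates user input as PHP
EOF
    cat > "$dir/safe.php" <<'EOF'
<?php
require 'lib/db.php';
echo "nothing dynamic here";
EOF
    printf '%s\n' "$dir"
}

# Usage: scan a real tree with   scan_php_suspects /var/www/site
# or run this file with --demo to scan the constructed sample tree instead.
if [ "${1:-}" = "--demo" ]; then
    sample=$(make_sample_tree)
    scan_php_suspects "$sample"     # expect hits on site.php lines 3 and 5
    rm -rf "$sample"
fi
```

Two caveats when reading the output. The patterns are line-based, so an include whose argument is split over several lines is missed, and a hit only means the target is built from a variable; you still have to trace whether that variable can be influenced by a request (query string, POST body, cookie, uploaded filename). Where it can, the usual repair is to look the parameter up in a fixed allowlist of filenames and include only the matched entry, never the concatenated string.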