PHPit hacked? Never!
(Page 1 of 2)
Update: The "hacker" responds! More on page 2.
It seems someone has managed to exploit a bug in my CMS code to allow himself access to the CMS. I already knew about this bug a few weeks ago, but I just never fixed it. Call it lazy, or no time, but it did mean there was a bug. I didn't worry about it too much, because very little can be done from the CMS. Only this website goes down (for a short while), and I get database backups every 24 hours (it's automatic!) so there is hardly any data loss.
Restoring PHPit didn't take very long either, and I had it back online within about 20 minutes. Of course, the bug has been fixed now, and no 'hacks' can occur anymore.
The hacker did claim to have "root access to my server", which is completely false. Heck, I don't even have root access myself, because I'm on a shared server. So the hacker definitely didn't have root access, or any access at all to be honest. He/she could only access the CMS, which has very little power.
Of course the hacker had to slander me a bit. I don't know whether you read it, but the hacker claimed that I thought I was a great PHP coder, and he seemed to disagree. If the hacker is reading this: I don't think I'm a fantastic PHP coder, but I'm not a bad one either. I'm still going through the learning process, and at the moment I'm really trying to get a grip on PHP patterns. At least I spend my time usefully, instead of destroying other websites.
Having said that, now is probably a good time to point to some PHP Security articles:
- PHP: Security by example (Flash)
- PHP Security Mistakes
- ONLamp: PHP Security, Part 1
- ONLamp: Ten Security Checks for PHP, Part 1
- PHP Security Guide
- On the Security of PHP, Part 1
April 13th, 2006 at 6:38 pm
May I point out that this also means that your host has a security leak on your server. You could simply write a PHP file to read out the root password and TAKE OVER THE WORLD!!!… ehhh… I mean take over the server.
You should really mention to your host that he should not run apache as root and/or change the privileges on the server so dirs outside the webroot can’t be accessed by www-data (the default apache user).
Regards,
Arnold Daniels
http://www.helderhosting.nl
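The two things Arnold's comment tells the host to check, as an added example that is not code from PHPit or from the comment: a small POSIX sh audit that reports which unprivileged users the Apache workers run as, and which files outside the web root the web user can read. The names www-data (user and group) and /var/www are assumptions and can be overridden via the environment; the live mode relies on GNU ps and GNU find options. The functions take the plain line formats those tools print, so saved output from a host you cannot run scripts on works just as well as live data.

```shell
#!/bin/sh
# Added example, not code from PHPit or from the comment above: an audit
# for the two hardening points raised there. Assumed names: the web
# server's unprivileged user and group are www-data and the web root is
# /var/www (override via environment). Live mode uses GNU ps/find options.

WEB_USER=${WEB_USER:-www-data}
WEB_GROUP=${WEB_GROUP:-www-data}
WEB_ROOT=${WEB_ROOT:-/var/www}

# Check 1: which unprivileged users do Apache worker processes run as?
# Input on stdin: "user command" lines as printed by
# `ps -eo user,comm --no-headers`. One root-owned parent is normal (it
# binds port 80); if this prints nothing, every Apache process is root.
worker_users() {
    awk '$2 ~ /^(apache2|httpd)$/ && $1 != "root" { print $1 }' | sort -u
}

# Check 2: which files outside the web root can the web user read?
# Input on stdin: "owner group mode path" lines as printed by
# `find / -path "$WEB_ROOT" -prune -o -type f -printf '%u %g %m %p\n'`.
# Only the read bits are evaluated (owner 0400, group 0040, other 0004).
# Simplifications: the web user is assumed to be in WEB_GROUP and no other
# group, and directory search bits along the path are not considered.
readable_outside_webroot() {
    while read -r owner group mode path; do
        case $path in
            "$WEB_ROOT"|"$WEB_ROOT"/*) continue ;;
        esac
        perm=$(( 0$mode ))          # leading 0 makes the shell parse octal
        if [ "$owner" = "$WEB_USER" ]; then
            bit=256                 # 0400, owner read
        elif [ "$group" = "$WEB_GROUP" ]; then
            bit=32                  # 0040, group read
        else
            bit=4                   # 0004, other read
        fi
        if [ $(( perm & bit )) -ne 0 ]; then
            printf '%s\n' "$path"
        fi
    done
}

# Live mode: run both checks against the real host. Gated behind --live
# because the find over / is slow; without it the script only defines the
# functions so they can be sourced or fed saved ps/find output.
if [ "${1:-}" = "--live" ]; then
    echo "Apache worker users:"
    ps -eo user,comm --no-headers | worker_users
    echo "Files outside $WEB_ROOT readable by $WEB_USER (inspect for secrets):"
    find / -path "$WEB_ROOT" -prune -o -type f -printf '%u %g %m %p\n' 2>/dev/null \
        | readable_outside_webroot
fi
```

Run it as root with `--live` to see real data; on a shared host without root you can still feed it the output of `ps` and of a `find` over the directories you can list. An empty first list means the server is running entirely as root, which is the worse of the two problems. The second list will always contain world-readable system files such as /etc/passwd; what matters is whether anything like /etc/shadow, another customer's config files or database credentials shows up there, because any PHP file the CMS bug let the attacker write could have read them.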