php site defacing [duplicate]

First thing you should do, if you haven't already done so, is lock the server down as much as you realistically can while you determine what the cause is. In an ideal world, I'd take the machine off line while I found out what was going on.

Try to determine what the root cause of this was (pardon the pun). If this is some kind of attack over http, work out where it came from, and what else might have been compromised. Might this be a compromise of the whole box?

Your kernel is about 2 years old, your PHP is not the most up to date for that branch. I guess your apache install isn't either. Are you using an installed CMS type package for the site? Is that up to date? Have you removed any install directories? What are the permissions on the files?

If it was me:

1. Take the machine off line
2. Ensure that the problem is contained (possibly a reinstall to be sure)
3. Ensure software is up to date and all known security holes covered
4. Restore content from known good backup (you have a backup, right?)
5. Look at something like Tripwire

This might be a complete overreaction to your problem, but until you know the scale of the 'defacing' you won't know how far to take it.

First, check FTP transfer logs about index.php and check IPs of connections - are they from foreign country like China, Russia etc. If true - change FTP password, clean site and malware-scan all PCs where password was used/saved. It is quite common for malware to steal saved password or include keyloger, which are sent to intruder and used to make sites distribute/host malware. Also, remember FTP sends all passwords in plaintext, so dont use it open wifi or other untrusted networks.

if that does not work, check site for: a)file upload scripts. Check for file paths/path validation. Also, check that file type is really validated, not just extension . Apache mod mime has insecure "feature", so files like evilscript.php.gif will be executed as php. Ref:

"Care should be taken when a file with multiple extensions gets associated with both a MIME-type and a handler. This will usually result in the request being by the module associated with the handler. For example, if the .imap extension is mapped to the handler imap-file (from mod_imap) and the .html extension is mapped to the MIME-type text/html, then the file world.imap.html will be associated with both the imap-file handler and text/html MIME-type. When it is processed, the imap-file handler will be used, and so it will be treated as a mod_imap imagemap file."

Solution: disable php on directories, where uploaded files are moved.

b)include|require (_once) . They can be used for remote file inclusion, so attacker can write php script, which will be executed at server and can change/delete files. Look for something like include ($_GET | $_POST | $_COOKIE | $_REQUEST | $_SERVER)(.?*) Solution: disable remote_fopen, if your site does not need them. Otherwise, do same proper input validation (Which would be sane thing to do :). Also, i suggest to disable register_globals.

c)Eval`ed user input / remote files. Remember that user input can reside at database.

Also, check your site for uploaded backdoors, so called "shells". Most secure thing to do is to restore from known safe backup :)

There are many ways to do this. Is there any Input field on your main page or (another one) which coud be incorrectly parsed for exploit attempts ?

First make the PHP files readable by the webserver but not writable. Second check your various input fields for possible exploitation.

it's quite popular recently with malware stealing saved passwords [ most often from total commander ] and sending those credentials to command-center. later on other machines connect via ftp, download index.php/html and append malicious js/php. all automated.

A way to limit attacks to web apps in apache is to load and fine tune apache's mod_security

Link: look this Introducing mod_security article