Tracking down a hacker (my site has been compromised)

  • Tarantulus
    New Member
    • May 2007
    • 114

    Tracking down a hacker (my site has been compromised)

    Hi guys,

    I've been hacked. My homepage has had [HTML]<script>[/HTML] tags inserted into it pointing to a Russian site with a trojan...

    Only problem is I don't know how, and don't know where to start looking.

    The page in question is static HTML, no PHP at all, but I'm assuming the attack vector is somewhere in the PHP or SQL. Am I barking up the wrong tree?

    Any pointers will be much appreciated as I'm completely lost.

    Thanks in advance
  • FLEB
    New Member
    • Aug 2008
    • 30

    #2
    - Is the server space managed by someone else? Is it a shared host? If it's a shared host or a server managed by someone else, the attacker may have come in by exploiting some software or services on the server that you have no control over. If it's a shared host, they might have gotten in through someone else's insecure script, and been able to get at your files through inadequate user separation.

    - Is that HTML directory set to be world-writable? If so, you may want to look at any scripts that have the ability to write to the server.

    As for tracking down the attacker, you might have a look at your access and error logs. IIRC, there are tools you can use to scan and analyze your logs, although I don't know them offhand. Also, if you're running on managed space, talk to the people who run the servers; they might have more access and insight into what happened.


    • pbmods
      Recognized Expert Expert
      • Apr 2007
      • 5821

      #3
      Heya, Tarantulus.

      If a file has been overwritten, you might have suffered from a file path injection attack.

      Quick example:
      [code=php]
      // Vulnerable: the client-supplied file name is used directly as part of the destination path
      move_uploaded_file($_FILES['upload']['tmp_name'], $_SERVER['DOCUMENT_ROOT'] . '/uploads/' . $_FILES['upload']['name']);
      [/code]

      If the value of $_FILES['upload']['name'] is "../index.html" for example, your file might get overwritten.

      To protect against file path injection, use realpath() (http://php.net/realpath) and do a strpos() against a known good directory.

      Also, any script that include()'s or eval()'s User input can be compromised.

      For example (and a very crude one, but bear with me):
      [code=php]
      // Vulnerable: a request parameter decides which file gets included
      include $_GET['script_name'] . '.php';
      [/code]

      If the value of $_GET['script_name'] is 'http://some-evil-domain.com/evil/script', then you'd be lucky if all that happened was your static index got rewritten!

      To protect yourself against PHP code injection, you should get in the following habits:
      • Never ever ever trust input, no matter where it comes from. If it's supposed to be an int, cast it (http://php.net/manual/en/language.ty...e-juggling.php). If it's supposed to be a string, run it through a switch or in_array() to ensure that only "safe" values make it through.
      • Don't trust data from your database, either. If an attacker manages to inject any malicious code into your database, you have to be able to detect it. If you can, trigger some kind of alert when you encounter an attack that originates from database data, as you will have a much easier time tracing an attack if you know what script probably put it there.
      • Always escape output. If it's going to the database, run it through mysql_real_escape_string() (http://php.net/mysql_real_escape_string). If it's going to be sent to the browser, use htmlentities() (http://php.net/htmlentities).
      • Never send ID numbers to the browser. The User's ID might be e.g., 428, but you should never send the browser to profile.php?user=428. Use his (unique) username instead and send the browser to profile.php?user=mickeyc. Best Buy got in trouble for this.

      I bring up that last point because a crafty hacker might not be able to crack your login page, but if you rely on a User ID coming from the browser somewhere, then he might be able to use that to execute a script as, say, an Admin User.

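The two vulnerable lines from post #3, rewritten with the protections pbmods describes (realpath() plus strpos() for the upload destination, an in_array() allow-list in front of include()). This is an added example, not code from the thread or from the poster; the function names, the allow-list contents and the temporary demo directory are assumptions.

```php
<?php
// Added example, not code from the thread: the two vulnerable lines from
// post #3 rewritten with the protections pbmods describes (realpath() +
// strpos() for the upload path, an in_array() allow-list for include()).
// Function names and the demo directory are assumptions.

function safe_upload_target(string $uploadsDir, string $clientName): ?string
{
    // Anchor the check to the real, existing upload directory.
    $base = realpath($uploadsDir);
    if ($base === false) {
        return null;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // The browser-supplied name must be a bare file name: no path parts,
    // no "." or "..", only a conservative character set.
    if ($clientName !== basename($clientName)
        || !preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]*$/', $clientName)) {
        return null;
    }

    // The file does not exist yet, so resolve the directory part of the
    // target and confirm it still lies inside the known-good directory.
    $target = $base . $clientName;
    $dir = realpath(dirname($target));
    if ($dir === false || strpos($dir . DIRECTORY_SEPARATOR, $base) !== 0) {
        return null;
    }
    return $target;
}

function safe_script_name(string $requested): ?string
{
    // Only names on this fixed list may reach include(); anything else,
    // including URLs and paths, is refused before touching the filesystem.
    $allowed = ['home', 'about', 'contact'];
    return in_array($requested, $allowed, true) ? $requested : null;
}

// Demonstration with constructed inputs (no real request or upload involved).
$uploads = sys_get_temp_dir() . '/uploads_demo';
@mkdir($uploads);
foreach (['photo.jpg', '../index.html', '..', 'a/b.txt'] as $name) {
    printf("%-16s => %s\n", $name, safe_upload_target($uploads, $name) ?? 'REJECTED');
}
foreach (['about', 'http://some-evil-domain.com/evil/script', '../index'] as $s) {
    printf("%-42s => %s\n", $s, safe_script_name($s) ?? 'REJECTED');
}
```

In a real handler, pass $_FILES['upload']['name'] to safe_upload_target() and only call move_uploaded_file() when it returns a path; likewise, only include() a name that safe_script_name() returned, joined to a fixed directory of your own.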

      • JackRbt
        New Member
        • Aug 2008
        • 22

        #4
        Hi. The attack on your machine probably came from somebody else's hacked zombie machine.


        • Tarantulus
          New Member
          • May 2007
          • 114

          #5
          Thanks for the detailed responses.
          I'm not doing any file manipulation in my scripts, and for all of my SQL input I'm using mysql_real_escape_string(), so I'm assuming from what you've all said that the attack vector is out of my control (it's a shared host).

          Thanks a lot
