Hosting PHP

What to expect when your expecting… to be hacked

A bit of a disappointing one this. Theres nothing worse (well, I’m sure there is but in this context lets leave it as is) than receiving that dreaded e-mail from your host. It starts with a subject line similar to

Security Incident Concerning

and a body of text along the lines of

A security risk has been detected on your server.
We have been informed that your server contains or redirects to harmful or malicious content, such as malware or phishing sites.

Not at all ideal. In summary ā€” the server in question began to host malicious content. It was from a domain that I don’t use and have a holding page only up, and a user at some point has reported the URL as a malware/phishing attempt. This then gets reported to my host, who then reports it to me.

After getting the email I was a bit perplexed as to how this site had been flagged as a security risk. I checked the URL given and sure enough, a redirect was in place taking it away from my server to some other (compromised) server. I thought it might have been a coding issue that allowed my domain to freely redirect pages (meaning any attacker could mask their own server with mine). I logged in and checked a few things. It wasn’t my code that was doing anything. I checked and seen a few other files that shouldn’t have been there, all with recent creation dates. A quick

find . -maxdepth 20 -mtime -20

netted me a few files that had been created 2 days prior. These were in a variety of directories, and as I spread my domains across a couple of servers these files also appeared in those directories. The suspect files all were all Base 64 encoded, and executed php scripts – given that they all started with

<?php eval(base64_decode('BASE64ENCODEDSTRINGHERE')) ?>

These files either redirected pages, contained a mass emailer (LeafPHPMailer) or opened up a (pretty feature rich but visually poor) file manager. I’m not going to go into too much detail but the reason for the infection came from one WordPress installation that I had completely forgot about after transferring to the new host. Its a site thats very seldom accessed, and to be honest, doesn’t require a WordPress Installation, but it was an easy CMS solution for someone.

Using an out-of-date plugin the attacker managed to place obfuscated PHP file on the server. This file was then accessed via a web browser which ran the PHP code, and allowed other files to be placed in different locations on the server.

When I deployed these servers I began hardening them against attacks like this. Unfortunately, I didn’t finish it. Some of my actions stopped the potential full-scale destruction of the server which I’m thankful for, but I’m a bit annoyed I didn’t finish my hardening steps.

Having separate users for different tasks on the server helped. This meant that any file modifications were only able to be done at the root web-directory level. Config files, where appropriate were hosted out-with the directory, and permissions meant that other files could not be modified. There were a few other steps that I’m not going to go into detail about however cashing up on a couple of guides on how to harden or secure your server should help.

After figuring out what happened, and how it happened, I stopped any public access – essentially shutting down the HTTP Daemon, removed any newly created files matching the time scales above, pretty deleted any WordPress installations and re-downloaded fresh copies of the MD5-checked files from, then manually checked all the database tables for Indicators of Compromise (IoC’s) line by line, entry by entry, and slowly reloaded everything.

I then finished my hardening that I should have done before.

I think it’s important to vent that “hacking” isn’t hacking any more. It’s what used to be known as “Script Kiddies” who are now essentially Serious and Organised Crime Groups that use these phishing and malware scams to extract money. Theres no hacking in the traditional sense – just the unauthorised access to computers that wreck havoc on people who are caught by it. It’s the same as a teenager using a Low Orbit Ion Cannon.

Am I embarrassed this happened to me? Of course. Annoyed? Yep. But I’m also relieved that it did ā€” it means I was able to stop it before it became much, much worse.