
Question: Hacked - can you help?

GuiltySpark

New Pleskian
Hi, I was recently hacked and looking for some help.

I allow users to upload images to my site and use a JS plugin that calls a PHP script to upload the image. I stupidly didn't filter the types of files that could be uploaded, so someone uploaded and then ran a php file that accepted input and executed a shell_exec().

Before I plugged the hole I used the script and did a "whoami" and found it was the Plesk system user.

I had just assumed the default Apache user wouldn't be the Plesk system user?

Is there something I have done wrong in my setup or am I misunderstanding it?

Thanks in advance.
 
When allowing uploads, POSTs and even GETs, all that user data that is transferred to a server must be checked. For POSTs and GETs the data should be escaped, so that no SQL injection can be inserted in such data. For uploads - as you have already noticed - it is a good idea to prevent .php files from being uploaded. If at all, these should be moved out of the temporary upload directory to be stored in a "secret" directory, but in general it is better to disallow such uploads altogether.

Then you will also want to add at least this to the "Additional configuration directives" section of the PHP configuration of the domain:
disable_functions=exec,passthru,shell_exec,system,popen,show_source,pcntl_exec,proc_open,proc_terminate,proc_close,pfsockopen
This is not only important to have for your upload scenario, but also for existing scripts on the server. You never know if a script doesn't either include malware or if it opens a back door so that someone can upload malware.

And you should also check if your /tmp partition is protected against script execution. Anything in /tmp must not be executed.
 
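A hardened version of such an image upload handler, as an added example (not the poster's script and not Plesk code): it decides the file type from the bytes rather than the client-supplied name, chooses its own filename, and stores the file outside the web root. It assumes an `image` form field and a hypothetical private directory `/var/www/vhosts/example.com/private/uploads`.

```php
<?php
// Added example: hardened image upload handler (not the original poster's script).
// Assumes the upload directory below exists outside the web root (hypothetical path)
// and that images are later served through a script, not directly from httpdocs.
declare(strict_types=1);

const UPLOAD_DIR = '/var/www/vhosts/example.com/private/uploads'; // assumed path
const MAX_BYTES  = 5 * 1024 * 1024;
const ALLOWED    = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

function store_image(array $file): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    // Reject anything that did not arrive through PHP's own upload handling.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Type comes from the content; $file['type'] and the filename are attacker-controlled.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!array_key_exists($mime, ALLOWED)) {
        throw new RuntimeException('unsupported type');
    }
    // getimagesize() must agree with the detected MIME type; a script with a
    // forged magic header does not parse as an image of that type.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || image_type_to_mime_type($info[2]) !== $mime) {
        throw new RuntimeException('not a valid image');
    }
    // Server-chosen name: no user-controlled extension, no path components.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640); // data only, never executable
    return $name;
}

try {
    $stored = store_image($_FILES['image'] ?? []);
    echo json_encode(['ok' => true, 'file' => $stored]);
} catch (RuntimeException $e) {
    http_response_code(400);
    echo json_encode(['ok' => false, 'error' => $e->getMessage()]);
}
```

Even with these checks, keep the `disable_functions` directive from the reply in place, since it limits what any script that does slip through can do.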