
How to stop hackers from putting php-scripts on sites

Frater

Regular Pleskian
Like most I'm running many sites using virtual hosting on our server.

Some of those sites get malicious php-scripts pushed onto them.
Luckily these scripts can be recognized easily as they have 'www-data' or 'apache' as their owner.

Of course I prefer to make it impossible for hackers to put those files in these folders.
One way of doing that is by changing the permissions, but somehow many sites can't work properly if they don't have everything open. Why is this?
Some sites even make PHP-files with that owner.

Should a good site be able to prevent such hacks even if some folders have r/w-access for all users or is r/w-access for all users always a no-go?

But the problem here is that I can't tell my clients to stop using these open folders.

Currently I have a cronjob that will scan all folders for these files and kill them.
Sometimes some slip through, but I will inspect them and change the script.
I prefer to know a bit more and hopefully I can prevent it.

# cat /usr/local/sbin/rename_php
Code:
#!/bin/sh
# Quarantine PHP files and .htaccess files that were written by the Apache
# user and match known web-shell signatures, by renaming them (foo.php -> foo.phpx).

# Take the user that owns the most running apache2/httpd processes.
APACHE_USER=$(ps aux | grep -E '/(apache2|httpd)' | awk '{print $1}' | sort | uniq -c | sort -n | tail -n1 | awk '{print $2}')

if [ -z "${APACHE_USER}" ] ; then
  # printf instead of "echo -e": the echo built into dash (/bin/sh) does not understand -e
  printf 'I could not obtain the user of the Apache webserver\r\nI will do nothing!\n' >&2
  exit 1
fi

EXCEPTIONS=$(mktemp)
STRING=$(mktemp)
# remove the temporary files however the script exits
trap 'rm -f "${STRING}" "${EXCEPTIONS}"' EXIT

# remove at least the write flags from the root folder
find /var/www/vhosts -type d -name httpdocs -exec chgrp psaserv {} \;
find /var/www/vhosts -type d -perm /go=w -group psaserv -not -path '*anon_ftp*' -exec chmod og-w {} +

# Signature list (extended regex, matched case-insensitively). A quoted heredoc
# keeps every backslash intact; a plain echo under dash rewrites "\\x65" to "\x65".
cat <<'EOF' >"${STRING}"
Yahoo!!!
eval
Array
\.\$j51.*\.\$j51.*\.\$j51.*\.\$j51.*GLOBALS
s20=strtoupper
array_diff_ukey
perchd
chr.102.*chr.108.*chr.116.*chr.101.*chr.54
Obfuscat
certsbus.com
examsbibles.com
php include.*/.*\.jpg
php include.*/.*\.png
is_uploaded_file.*FILES.*tmp
\\x65\\x76\\x61\\x6C\\x28\\x67\\x7A\\x69\\x6E\\x66\\x6C\\x61\\x74\\x65\\x28\\x62\\x61\\x73\\x65\\x36\\x34\\x5F\\x64\\x65\\x63\\x6F\\x64\\x65\\x28
\\x62\\x61\\x73\\x65\\x36\\x34\\x5f\\x64\\x65\\x63\\x6f\\x64\\x65
\\x63\\x72\\x65\\x61\\x74\\x65\\x5f\\x66\\x75\\x6e\\x63\\x74\\x69\\x6f\\x6e
echo stripslashes
hashcracking.ru
md5.rednoize.com
crackfor.me
Bruteforce
read.*write.*execute
chr.[0-9]*.*chr.[0-9]*.*chr.[0-9]*.*chr.[0-9]*
Array..1.=>..., .0.=>...,
php eval.\".>\".base64_decode
auth_pass=.*default_action=.*FilesMan.*preg_replace
GIF89a1
Hacked by
disable_functions.*echo.*DisablePHP
subject = stripslashes .*POST
gzinflate.base64_decode
HTTP_USER_AGENT.*array.*Google.*MSNBot
eval.*\(.*base64_decode.*\(
base64_decode.*base64_decode.*base64_decode.*base64_decode
isset.*REQUEST.*REQUEST.*fwrite
urldecode.*Message-ID.*Subject:.*base64_decode
auth_pass = \"[0-9a-f]+\"
EOF

# paths matching any of these patterns are never renamed
echo 'exception.php' >"${EXCEPTIONS}"

# Rename web-server-owned PHP files that contain a signature, unless their path
# matches the exception list. find hands each path to grep itself, so names with
# spaces survive; -type f skips symlinks.
find /var/www/vhosts/ -type f -user "${APACHE_USER}" -name '*php' \
  -exec grep -qiE -f "${STRING}" -- {} \; -print \
  | grep -v -f "${EXCEPTIONS}" \
  | while IFS= read -r f; do mv -- "$f" "${f}x"; done

# Same for .htaccess files changed within the last day that redirect search-engine referrals.
echo 'RewriteCond.*HTTP_REFERER.*google.*icq' >"${STRING}"
find /var/www/vhosts/ -type f -user "${APACHE_USER}" -name .htaccess -mtime -1 \
  -exec grep -qE -f "${STRING}" -- {} \; -print \
  | while IFS= read -r f; do mv -- "$f" "${f}x"; done
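A hardened version of the same quarantine step, as an added example that is not the poster's script: it lets find pass each path directly instead of going through xargs (so file names with spaces survive), ignores symlinks, and honours an exception list by basename. Docroot, web user (name or numeric uid), signature file and exception file are assumed arguments; make_sample_tree builds a constructed test tree with the edge cases.

```shell
#!/bin/sh
# Added example, not the original poster's cron script.
# quarantine_webshells DOCROOT WEBUSER SIGFILE EXCEPTFILE
#   renames to *.phpx every PHP file that is owned by WEBUSER and matches a
#   pattern in SIGFILE (grep -E, case-insensitive), unless its basename is
#   listed in EXCEPTFILE. Prints each quarantined path.
# Assumes GNU find/grep (Plesk on Linux); meant to run as root from cron.
quarantine_webshells() {
    docroot=$1; webuser=$2; sigfile=$3; exceptfile=$4
    # -type f skips symlinks, so a planted link cannot redirect the rename.
    # Each -exec acts as a test: the rename runs only if the signature grep matched.
    find "$docroot" -type f -user "$webuser" -name '*.php' \
        -exec grep -qiE -f "$sigfile" -- {} \; \
        -exec sh -c '
            name=$(basename -- "$1")
            grep -qxF -- "$name" "$2" 2>/dev/null && exit 0   # listed in EXCEPTFILE
            mv -n -- "$1" "$1x" && printf "%s\n" "$1"         # quarantined
        ' sh {} "$exceptfile" \;
}

# Builds a constructed sample tree in a temp dir and prints its path. It covers
# a match, a clean file, a whitelisted match, a match in a directory with
# spaces, and a symlink that must be left alone.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/httpdocs/sub dir"
    printf 'eval\nbase64_decode.*base64_decode\nFilesMan\n' > "$d/sigs"
    printf 'exception.php\n' > "$d/exceptions"
    printf '<?php eval(base64_decode($_POST["c"]));' > "$d/httpdocs/shell.php"
    printf '<?php echo "hello";' > "$d/httpdocs/clean.php"
    printf '<?php eval($x);' > "$d/httpdocs/exception.php"
    printf '<?php eval(gzinflate($y));' > "$d/httpdocs/sub dir/evil 2.php"
    ln -s /etc/hostname "$d/httpdocs/link.php"
    printf '%s\n' "$d"
}
```

In the sample tree only shell.php and "sub dir/evil 2.php" end up renamed; exception.php is spared by name, clean.php has no signature, and the symlink is never touched.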
 