I have recently been the unfortunate recipient of some website hacking leading to a minor bit of spam injection into my mail server. Nothing too serious and due mainly to an old version of Centos and some WordPress code that could have been constructed a little bit better, but anyway. So what do you look for when checking your webserver and how do you keep it a little bit more secure?
\nIn my case, I had a few random .php pages inserted and my investigation spurned me on to take the basic steps I should have done in the first place. Some of these were already correct but no harm in covering them:<\/p>\n
# require HTTP 1.1 for POST\n<IfModule mod_rewrite.c>\n\tRewriteCond %{THE_REQUEST} ^POST(.*)HTTP\/(0\\.9|1\\.0)$ [NC]\n\tRewriteRule .* - [F,L]\n<\/IfModule><\/code><\/pre>\n<\/li>\n<\/ul>\n<\/li>\n- Setup a PHP file on your website to allow you to quickly review what is going on from anywhere. Mine does this for example:<\/li>\n<\/ol>\n
<\/p>\n
<?php\n$badtext = array(\"<\",\">\");\n$goodtext = array (\"{\",\"}\");\n$output = shell_exec('ls -la webcam.jpg');\necho \"<pre>$output<\/pre>\";\n$output = shell_exec('date');\necho \"Page Refreshed:<pre>$output<\/pre>\";\necho \"Who has been trying to hack simkin.org...<br>\";\n$simkinhackers = shell_exec('tail -n60 \/var\/log\/simkin.org-access_log | grep \"POST\"\n');\nforeach(preg_split(\"\/((\\r?\\n)|(\\r\\n?))\/\", $simkinhackers) as $line){\n \/\/output the first bit of each line with the ip address\n $pos = strpos($line, \"-\")-1;\n \/\/now the rest of the line\n $ip = substr($line, 0,$pos);\n if (strlen($ip)>1) {\n echo \"<br \/><a href='chkIP.php?item=\".$ip.\"'>\".$ip.\"<\/a>\";\n echo \"<a href='https:\/\/www.abuseipdb.com\/check\/\".$ip.\"'>.<\/a>\";\n echo substr($line,$pos,strlen($line)-$pos);\n }\n}\n$simkinhackers2 = shell_exec('tail -n60 \/var\/log\/simkin.org-access_log | grep \"USER\"');\nforeach(preg_split(\"\/((\\r?\\n)|(\\r\\n?))\/\", $simkinhackers2) as $line){\n \/\/output the first bit of each line with the ip address\n $pos = strpos($line, \"-\")-1;\n \/\/now the rest of the line\n $ip = substr($line, 0,$pos);\n if (strlen($ip)>1) {\n echo \"<br \/><a href='chkIP.php?item=\".$ip.\"'>\".$ip.\"<\/a>\";\n echo \"<a href='https:\/\/www.abuseipdb.com\/check\/\".$ip.\"'>.<\/a>\";\n echo substr($line,$pos,strlen($line)-$pos);\n }\n}\n$simkinhacker3 = shell_exec('tail -n60 \/var\/log\/simkin.org-access_log | grep \"action=upload\"');\nforeach(preg_split(\"\/((\\r?\\n)|(\\r\\n?))\/\", $simkinhackers3) as $line){\n \/\/output the first bit of each line with the ip address\n $pos = strpos($line, \"-\")-1;\n \/\/now the rest of the line\n $ip = substr($line, 0,$pos);\n if (strlen($ip)>1) {\n echo \"<br \/><a href='chkIP.php?item=\".$ip.\"'>\".$ip.\"<\/a>\";\n echo \"<a href='https:\/\/www.abuseipdb.com\/check\/\".$ip.\"'>.<\/a>\";\n echo substr($line,$pos,strlen($line)-$pos);\n }\n}\n$simkinhackers4 = shell_exec('tail -n200 \/var\/log\/simkin.org-access_log | grep \"lostpassword\"');\nforeach(preg_split(\"\/((\\r?\\n)|(\\r\\n?))\/\", $simkinhackers4) as $line){\n \/\/output the first bit of each line with the ip address\n $pos = strpos($line, \"-\")-1;\n \/\/now the rest of the line\n $ip = substr($line, 0,$pos);\n if (strlen($ip)>1) {\n echo \"<br \/><a href='chkIP.php?item=\".$ip.\"'>\".$ip.\"<\/a>\";\n echo \"<a href='https:\/\/www.abuseipdb.com\/check\/\".$ip.\"'>.<\/a>\";\n echo substr($line,$pos,strlen($line)-$pos);\n }\n}\n# Grab the IP addresses to a logfile\n $ip1 = shell_exec('tail -n60 \/var\/log\/simkin.org-access_log | grep \"POST\" | egrep -o \"([0-9]{1,3}\\.){3}[0-9]{1,3}\"');\n $ip2 = shell_exec('tail -n60 \/var\/log\/simkin.org-access_log | grep \"USER\" | egrep -o \"([0-9]{1,3}\\.){3}[0-9]{1,3}\"');\n $ip3 = shell_exec('tail -n200 \/var\/log\/simkin.org-access_log | grep \"lostpassword\" | egrep -o \"([0-9]{1,3}\\.){3}[0-9]{1,3}\"');\n $textstring = $ip1.$ip2.$ip3;\n file_put_contents('~\/badpeople.log',$textstring , LOCK_EX);\n $nul = shell_exec(\"cat ~\/badpeople.log | awk '!seen[$0]++' > ~\/badpeople.txt\");\n $handle = fopen(\"~\/badpeople.txt\", \"r\");\n if ($handle) {\n while (($line = fgets($handle)) !== false) {\n \/\/ process the line read.\n echo \"<br \/><a href='https:\/\/www.whois.com\/whois\/\".$line.\"' target='new'>\".$line.\"<\/a>\";\n }\n fclose($handle);\n } else {\n \/\/ error opening the file.\n }\n ?><\/pre>\n\n- Whitelist your website to only allow POSTing to pages you expect to see POSTS (see:\u00a0https:\/\/perishablepress.com\/protect-post-requests\/)<\/li>\n
- Keep a backup<\/li>\n
- Update everything regularly with sudo apt-get update or yum update<\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"