New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.

Comments
This doesn't stop a whole class of attacks. For all we know this could be simple SQLi; nothing of the above would prevent extraction of valuable data, and unless you're using a secure enclave or some form of TEE, wrapping it in a docker container doesn't stop any memory sniffing - this is a whole wrong way of going about securing your application.
Would gaining root in the docker container actually allow full access to the host's memory? I'm not really informed on docker, but if that's possible there's a lot of options for the attacker.
There's also the question of whether the database would run inside or outside the container. MySQL's SELECT INTO OUTFILE might not be an exploit in itself but at the very least gives the attacker some room.
Is your aaPanel port open to the public? If the vulnerability is from WordPress, the hacker should not gain root access.
This is just FUD. Most data have no value to an attacker other than using it as a hostage to get your money and disrupt your business. The data itself is useless. Credit card numbers? Fraud transaction is protected by bank. Identity theft? Equifax is already hacked and your personal data is already leaked on the dark web.
This is why most malware are just ransomware that encrypt your data and hold it hostage until you send money. The bad guys don't want your data because it's useless to them.
No offense but this approach is somewhat strange. Gaining application data is already bad but if the attacker can actually gain access to the hosts memory chances are he can escape the container. Sure, some dumb bot running automated attacks won't do that but actual security isn't limited to some theoretical weak adversary.
All I can say is that I hope you don't work with any PII data, especially in regulated industry, and in countries where you and stakeholders of the business have a legal obligation to protect that. We prefer, and do, go to arduous lengths to ensure our front door is secure rather than running around silly wtf hacks like resetting immutable filesystems and pretending all is good in event of a compromise, and we don't say/think/relate to fcuk it Equifax was hacked so chill bro your data is probably out there, we take the obligation of harboring someone's information seriously (for multiple reasons not least legal liability)... But even on a technical level your approach is bewildering, fix the problem, not layer on hacks...
I won't even start on credit card numbers because I'd have to explain the levels of PCI compliance and what you need to be at the level where you can store untokenized credit card details, clue: it's not some $599 godaddy package...
Just think about what happens if GDPR is involved. I'm not sure if it is even possible to report an ongoing breach. If that isn't a thing I guess reporting one breach every 3 days should suffice.
OP's overall approach to the situation is already somewhat unique but this duct taping is basically like handing him a gun to shoot himself in the foot with.
This is to lower your ranking on Google.
In reality, they were deleting seo-related files, changing meta tags to noindex, and deleting links from Google Webmaster Tools.
The port is blocked.
Only when connecting to the panel does AWS open the port directly.
If it's SQLi, shouldn't there be a GET or POST log?
Where did he mention he is using aaPanel?
Also, aaPanel has bad security?
I am asking out of curiosity and it seems he is using aaPanel too
https://lowendtalk.com/discussion/comment/3968049#Comment_3968049
You should be. Because you can't.
There is nothing inherently insecure with PHP, any more than there is with Python, Perl, or JavaScript. You can certainly write insecure applications, but it's not like someone can say "oh, you've got PHP...ba dum ba dum, and now I'm root."
What is the application? It's not fair to ask for help and then have us pull teeth to get info. Post a link, please.
So what? If you have shoddy code, POST and GET are all an attacker needs. I think @WebProject was talking more about a WAF that filters URLs.
Did you drink?
Web Application Firewalls are not the only solution for securing applications. Security measures can also be implemented at the code level. For instance, requests can be validated to ensure they originate from the same server, and POST/GET requests can be checked for potential injection attacks. The security aspects of an application should be considered and implemented during the development phase, depending on the specific requirements and potential vulnerabilities of the application.
100% of text is likely AI-generated
Based on the username and CF Enterprise subscription whilst running a simple php/mysql backend I guess it's likely to be some questionable Tipper365 script (possibly nulled if not working with the vendor) targeting markets where online betting and casino operations are illegal, Malaysia and Thailand are big for these operations. It wouldn't surprise me if their developer(s) or sysadmin were just not paid and decided to take it into their own hands. I think it's clear no one can help the OP at this point.
If the OP suspects a hack, the simple process is WIPE all data on the server, reformat the disk (if applicable) and reinstall the OS and server from ground up.
Next, DO NOT run any app/script as root, especially php, java, python and such.
Do not run shell files through php/java/python. Use the program's functions to make what you need.
If you need to modify a file that the web-user (usually www-data) does not have access to, chmod the file to www-data and NOT the other way around where you run the script as root.
Do not use any unprotected uploads that can be a gateway to upload shell scripts to your server.
Finally do NOT use any nulled scripts as many of them have backdoors to hack your server.
You said your computer is safe, but YOU SHOULD CHECK AGAIN AND MAKE sure it's SAFE. No backdoors or trojans on your PC.
...
And you probably would want some chmod 777 with that because Apache was complaining?
You should start and try to understand the concepts of Linux users, their permissions and switching between them.
Your php files are owned by root? Highly likely all the processes then are run under the root user as well, and therefore these processes can access and modify everything with simple file operations, no need for exec or advanced privilege escalation.
Seriously, before thinking about complex material like docker containers and stuff, try working with basics. Set up a fresh system and do not touch owners or permissions if you do not know what you are doing. Preventing file access is NOT done by changing the owner. Simple as that.
You are mistaken. Just because the PHP file is chowned by root, it does not mean that the webshell or backdoor can use root privileges.
php-fpm assigns www-data as the permission by default.
When connecting from a web shell, it becomes www-data or nobody.
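The two things argued over above (which user the PHP workers actually run as, and which files in the webroot a compromised web process could rewrite) can be checked rather than guessed. The following audit script is an added example, not code from anyone in the thread; the webroot path, the web user name and the sample files it builds for the offline demo are assumptions.

```shell
#!/bin/sh
# Added example: audit a webroot for the permission mistakes discussed above
# (chmod 777, sources writable by the web user) and report which user php-fpm
# really runs as. WEBROOT and WEBUSER are assumed defaults; override them.
WEBROOT=${WEBROOT:-/var/www/html}
WEBUSER=${WEBUSER:-www-data}

# Count regular files under $1 that are world-writable (the chmod 777 habit).
count_world_writable() {
    find "$1" -type f -perm -002 | grep -c . || true
}

# Count regular files under $1 owned by user $2 and writable by that owner.
# A webshell running as $2 can overwrite these, so PHP sources should not be here.
count_web_writable() {
    find "$1" -type f -user "$2" -perm -200 | grep -c . || true
}

# Print the distinct users of running php-fpm processes (master and workers).
# If the only user listed is root, every request is being served as root.
php_fpm_users() {
    ps -eo user,comm | awk '$2 ~ /php-fpm/ { print $1 }' | sort -u
}

# Build a constructed sample webroot so the audit can be exercised offline.
make_sample_webroot() {
    d=$(mktemp -d)
    printf '<?php echo 1;' > "$d/index.php";  chmod 644 "$d/index.php"
    printf '<?php echo 2;' > "$d/upload.php"; chmod 777 "$d/upload.php"
    mkdir "$d/uploads";                       chmod 755 "$d/uploads"
    printf 'x' > "$d/uploads/a.txt";          chmod 664 "$d/uploads/a.txt"
    echo "$d"
}

audit() {
    echo "world-writable files under $1: $(count_world_writable "$1")"
    echo "files owned and writable by $2 under $1: $(count_web_writable "$1" "$2")"
    echo "php-fpm runs as: $(php_fpm_users | tr '\n' ' ')"
}

case "${1:-}" in
    --demo) d=$(make_sample_webroot); audit "$d" "$(id -un)"; rm -rf "$d" ;;
    "") ;;                               # no arguments: only define functions
    *) audit "$1" "${2:-$WEBUSER}" ;;    # sh audit.sh /path/to/webroot www-data
esac
```

Run it with --demo to see the constructed case (one world-writable file, three files the current user can rewrite), or with your real webroot and web user to audit a live box.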
"If I just set the permissions tight enough, my backdoored application won't be able to do any harm!"
It's kinda fascinating how OP has gotten all the pointers he can realistically get and still is toying around instead of getting things done. I guess he's still waiting for some kind of silver bullet, which simply doesn't exist.
... and then all it needs is some kind of privilege escalation and voila: root. Quit fooling yourself with the idea of being able to limit the impact. There's dozens and dozens of ways to exploit holes. Tight permissions and all that are good. It'll make exploiting a little harder but it also won't do more than that. In the end you'll have to fix the underlying flaw. Nothing else is going to secure your box. Even if you manage to deter the current attacker with increased complexity the next one, which has a better grip/another approach, might be just around the corner and then it'll be the same thing all over again.
He said one page back that he contacted rack911labs.
That's a move in the right direction imho.
I agree and sympathize with you.
And I hired a security company, and I'm waiting for an attack.
I just hope that the hacker's intrusion route can be identified.
Oh, I didn't see that. Well, that's good as someone knowledgeable taking care of this seems to be exactly what he needs. I just somewhat fear that they'll want to charge him an arm and a leg if it really comes down to auditing the PHP application (or @vpn2024 's guess is right and they outright refuse - betting probably won't concern them but I kind of doubt they would touch nulled stuff), so he moves back to flipping permissions again.
Edit: I feared wrong. Good move @OP!