I'm being hacked
I am currently experiencing a hack where files on my server are being modified. The application is built with PHP and MySQL.
The files were uploaded or modified, but the access logs appeared normal. There were no POST requests, and there were no signs of injection or XSS in the GET requests.
Initially, I was using a server on CloudWays. They analyzed the SSH access logs and found no unauthorized access. I then contacted Sucuri on CloudWays' recommendation, but they were unable to solve the problem.
Afterwards, I moved the server to AWS and set the file owner to root. SSH access was restricted to the AWS console, and I configured the server to only allow Cloudflare IPs on ports 80 and 443.
Considering the vulnerabilities of PHP applications, I blocked shell_exec, system, etc. using disable_functions in php.ini.
I also installed tamper-proof software to prevent files from being uploaded, modified, deleted, or having their ownership changed.
However, today I found that a PHP file owned by root was modified. Additionally, PHP and .sh files in the backup folder outside the home directory were also changed.
There were no suspicious activities in the access or SSH logs.
My PC has not been hacked, and my AWS key or login information has not been leaked.
A hacker contacted me, claiming that the attack occurs at the top of the middleware, making it impossible to defend against and leaving no logs. Is such a vulnerability possible?
Can anyone please suggest a solution to solve this problem?

Comments
Honestly the information provided is too vague. I'd be happy to audit your PHP code to see if there are any glaring issues, but it's very hard to advise otherwise.
What PHP program?
What I'm curious about is, is there a vulnerability in the PHP application that allows this behavior?
This is a self-developed program. It has had security updates every year and works with PHP 8.1.
How should we know if your custom application has vulnerabilities? PHP itself is probably not rootable by default, so what kind of information are you looking for exactly?
The developer has continuously patched it, and Sucuri has also reviewed it.
Very easy to pivot from php access to full root access
OK and we are which of those two exactly? We have no clue what you are running there...
Is it possible to pivot even if I block functions like shell_exec, exec, system, fopen, etc?
Even if these functions are blocked, they can be bypassed, or there are other ways to get full access. For example, running on AWS, they could request the metadata URL to attempt to escalate their privileges.
There are so many variables at play.
Yes, I'm pretty sure you can disable those in your PHP config. If your application has exploitable holes, this is only duct tape though, and would be (when doubling as a fix) considered bad practice, as you are not really fixing anything and the chances of missing some dangerous function are astronomical (hint: even database functions can often be used for code execution).
Very possible. Did they mention which plugin or library is being exploited? It sounds like mass scanning/automated box popping if you're moving your site between providers and still getting hacked, so you're probably not alone with this.
Update all your libraries and keep an eye on their respective security advisories because it's likely someone will identify/patch the issue if it's a mass exploitation scenario.
You'll also want to make sure you have clean backups and a strategy to redeploy your site rapidly in case it gets defaced/wiped. Do a full OS reinstall and then restore from backup to make sure they haven't left any persistent access.
Also, stop using Root now you know they can pop your site. Make them work to escalate privileges from the Web Server user, and, again, update all your OS packages to make it harder.
Maybe also try running a popular privilege escalation checking script on your server and fix any issues you find to reduce the chances of a breakout. And, probably most importantly, make sure the [potentially] compromised server is isolated from the rest of your network (disable VPNs etc.) to ensure a bad situation doesn't escalate.
If your application has any bugs, then a hacker can upload a shell, and using that they can do whatever they want, for example changing file permissions. They can also open a new port and add unauthorized access.
Two things could have happened:
1. Bugs in your PHP code that allow an attacker to exploit the application. It can be SQLi, file upload, RCE or anything.
2. Your server security is compromised. Since you're using AWS, I believe their network is okay, so it can be any application or anything running inside the server. Check processes and open ports to get a better idea.
You can jail your PHP code inside the home directory. This way, even if an attacker gets access, they'll not be able to modify anything outside home. Don't forget to run your webserver as a non-root user. Otherwise, if they get access to files via a PHP code issue, they'll be able to change file permissions, so file permissions will not be effective.
It's difficult to find out the bugs, but you can use a few tricks. For example, you can put custom logging or mailing code to notify you inside those files which are getting modified by the hacker frequently. For example, if you have an abc.php file, you can mail the dump of $_REQUEST, $_SERVER and the IP which tries to access it. You can also create a bash script to check whether a file is modified or not and set up a mail notification there.
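The file-modification check suggested in the comment above, written out as an added example (not code from the thread or from any commenter): a sha256 baseline of the web root is taken once, and a later run reports each path that was modified, added or removed. It assumes GNU coreutils (sha256sum, find, diff); the demo builds a constructed temporary tree rather than touching a real public_html. Keep the baseline file off the host, since a root-level intruder can rewrite it along with the files.

```shell
#!/bin/sh
# Added example, not code from the thread: a minimal file-integrity check of the kind
# described in the comment above. Assumed: GNU coreutils (sha256sum, diff, find);
# <dir> and <baseline-file> are placeholders for the real web root and baseline path.

# fim_baseline <dir> <baseline-file>: hash every regular file under <dir>, sorted by path.
fim_baseline() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 ) > "$2"
}

# fim_check <dir> <baseline-file>: print each changed path once; return 1 if anything changed.
# In a cron job, pipe the output into mail(1) to get the notification the comment suggests.
fim_check() {
    tmp=$(mktemp)
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 ) > "$tmp"
    # diff lines starting with '<' come from the baseline (removed file / old hash),
    # '>' from the current tree (added file / new hash); field 3 is the path either way.
    changed=$(diff "$2" "$tmp" | grep '^[<>]' | awk '{print $3}' | LC_ALL=C sort -u || true)
    rm -f "$tmp"
    [ -z "$changed" ] && return 0
    printf '%s\n' "$changed"
    return 1
}

# fim_demo: build a constructed web root, baseline it, alter one file, print what was detected.
fim_demo() {
    d=$(mktemp -d); b=$(mktemp)
    mkdir -p "$d/public_html"
    printf '<?php echo "ok";\n' > "$d/public_html/index.php"
    printf '#!/bin/sh\necho backup\n' > "$d/backup.sh"
    fim_baseline "$d" "$b"
    # Simulate the silent edit the poster observed: content changes, no web request logged.
    printf '// unexpected edit\n' >> "$d/public_html/index.php"
    changed=$(fim_check "$d" "$b") || true
    rm -rf "$d" "$b"
    printf '%s\n' "$changed"
}
```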
Thank you everyone for your kind responses.
I was shocked that I could pivot root privileges from PHP.
I was even more relieved because there were no problems with imunify360.
Ultimately, the conclusion is that the source code must be reviewed.
If there is a good solution, please advise.
Also, did you patch these critical vulnerabilities from April, (the one affecting Windows hosts looks particularly bad): https://socradar.io/critical-php-vulnerabilities/
Set up some kind of external logging.
At least it's worth a try.
A rudimentary way of checking is to run a constant tail -f on access logs etc, have this open in a terminal at all times.
all above points ^
Try something like Imunify360, it might help (not guaranteed).
You could also try deploying this to your server, it'll cut out some automated attacks: https://www.crowdsec.net/
Same with ModSecurity for your Web Server, but much better. Harder to setup but stops most automated nonsense: https://www.modsecurity.org/
And as it's likely you're getting caught by automated scanning, try running a web application vulnerability scanner on your site and see what it finds. It's unlikely you're being victimised, so something like this will probably be OK: https://pentest-tools.com/website-vulnerability-scanning/website-scanner
If there is a vulnerability in the current PHP application and it is possible to steal root privileges, could you tell me how to isolate it in public_html?
I want to prevent the log file from being modified.
Mentally strong people run application on immutable storage.
Vulnerability? Reboot the server and the changes are reverted.
“Php file owned by root…” - that is all you need to say.
The reason for changing the ownership of public_html files to root was to block file modification.
Even if chown is root, it doesn't mean you can hijack root privileges, right?
(Of course in a container (without docker))
If you have a custom developed PHP application, it is highly recommended to add an additional layer of security by implementing verification and validation of GET and POST variables.
This approach will significantly enhance the overall security of your PHP application. By validating user input, you can mitigate the risk of various security vulnerabilities, such as SQL injection, cross-site scripting (XSS), and other malicious attacks. Failure to properly sanitize and validate user input can lead to serious security breaches, compromising the integrity and confidentiality of your application and its data.
I would still assume that the server is compromised even if there are no alarms going off; better to be safe than sorry.
I used Cloudflare Enterprise, and Nginx also filtered out all methods other than POST and GET, but the hacker seems to have bypassed this.
Are you sure that the attacker is not bypassing CF?
And since you mentioned CF Enterprise,
it's about time that you get professional security auditors/researchers involved. It looks like something very critical/production is being attacked.