Whoever ordered the book PHP-Sicherheit via my amazon link - thank you for that. You won't regret it.
Of course, I also have this book in my bookcase. The co-author is Stefan Esser, reporter of a lot of PHP vulnerabilities, initiator of the Month of PHP Bugs and maintainer of the Suhosin project.
The book is a must-have for administrators (of PHP applications) as well as for PHP developers.
It starts with a chapter explaining how an attacker gathers as much information as possible about the host he intends to attack. After that, all types of vulnerabilities are explained. The authors give advice on how to harden your PHP installation and how to write secure code. Finally, they present projects like Suhosin as well as filter/IDS solutions like mod_security with whitelist or blacklist approaches.
I've created a new tutorial that shows how to move credentials outside of the webroot. By default TYPO3 stores every kind of configuration in the file typo3conf/localconf.php. Besides graphics settings and the like, the database username and password and the encryption key are stored there as well.
Although a website visitor has no way to get hold of this data, I personally don't like the approach of storing data that is intended to be kept private inside the webroot.
The tutorial does explain the reasons in more detail. Have a look!
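To make the idea concrete, here is an added example of what such a localconf.php can look like; it is not the tutorial's own code. The variable names follow the TYPO3 4.x localconf.php convention ($typo_db_username, $typo_db_password, $TYPO3_CONF_VARS) as far as I know it, so verify them against your installation; the path /etc/typo3/example.com/credentials.php and the sample values are assumptions.

```php
<?php
// typo3conf/localconf.php (excerpt). Added example, not the tutorial's code.
// Variable names follow the TYPO3 4.x convention; the secrets path below is an
// assumption, pick any location outside every DocumentRoot on the machine.

// --- Before: secrets inline in the webroot ---------------------------------
// Any flaw that lets someone read files below the document root (a handler
// that serves .php as plain text after a misconfiguration, a stale copy like
// localconf.php.bak, a path traversal in some extension) hands these out:
//
//   $typo_db_username = 'typo3';
//   $typo_db_password = 'constructed-sample-password';
//   $TYPO3_CONF_VARS['SYS']['encryptionKey'] = 'constructed-sample-key';

// --- After: only a pointer lives in the webroot ----------------------------
$secretsFile = '/etc/typo3/example.com/credentials.php';

if (!is_readable($secretsFile)) {
    // Fail closed: an error page is better than a site started with empty
    // credentials. The detail goes to the error log, not to the browser.
    error_log('TYPO3: credentials file ' . $secretsFile . ' is not readable');
    exit('Configuration error.');
}

// localconf.php is included at global scope, so the variables set by the
// required file become the same globals TYPO3 reads afterwards.
require $secretsFile;

// Everything that is not secret stays here as before.
$typo_db_host = 'localhost';
$typo_db      = 'typo3_example';

// --- /etc/typo3/example.com/credentials.php --------------------------------
// Not reachable over HTTP because it lies outside every DocumentRoot.
// Suggested permissions: owner root, group = web server user, mode 0640, so
// the PHP process can read it but no other account on the box can.
//
//   <?php
//   $typo_db_username = 'typo3';
//   $typo_db_password = 'constructed-sample-password';
//   $TYPO3_CONF_VARS['SYS']['encryptionKey'] = 'constructed-sample-key';
```

One caveat for shared hosting: where every customer's PHP runs under the same web server user (plain mod_php without suPHP or per-user FastCGI), the file mode alone does not stop a neighbour's script from reading the credentials file, so the move out of the webroot mainly protects against web-exposed file reads, not against other local accounts.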
Like millions of other hosts on the internet, this box is attacked in attempts to exploit vulnerabilities.
I recently saw the following piece of code in a Remote File Inclusion (RFI) attack. Although it might have been created by a kid, it's still a nice snippet that I want to share with you. Guess what, it actually works.
I hope you see what's wrong here. There's no additional information. This guy is only reporting the impact of a hack. There's no way to help you with this information; furthermore, such a report doesn't help the TYPO3 community either, as our team is unable to analyze it.
The right way:
In short, collect as much information as possible!
In detail:
What happened? What's the impact of the hack? Defacement; your website suddenly delivers malware; there's a new backend user "blackhat"?
When did it happen? When did you notice the hack? Based on the log files, when do you estimate the attacker succeeded?
How did you become aware of the hack? Your clients reported malware on your site? You reached your website via Google and it looked different (with all those links to vi**ra pills)?
Where did it happen? On a dedicated server (root server, virtual server), or on a shared virtual host together with other customers of the hosting provider? Is there any other software installed that might be vulnerable?
Strange data or behaviour? Different website output when accessing the website directly (through a bookmark) than when arriving via a referrer (directed from a search engine); new files not related to TYPO3 (webshell.pl)
What software is installed? TYPO3 version, list of installed extensions with version numbers (are they up to date?); is your server up to date with all the TYPO3 security advisories?
Is your local client safe? Did you check your local client with at least two different malware scanners? Did you recently access your website via an insecure wireless LAN? How do you transfer data to your server (via insecure FTP, or via SFTP or SCP)?
Data you should collect and that we are interested in: TYPO3 sys_log table entries, web server access logs, PHP error logs, mod_security logs, list of unexpected files or files with a strange access/modification time, OS logs (auth, audit, messages, secure), IDS logs, AIDE/Tripwire reports
Bonus: You have already analyzed the complete hack and are now able to report the attacker's exact entry point. Great, your place in the top ten of "best vulnerability reports" is guaranteed. But we're sorry, first place has already been taken! ;-)
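As an added example (not part of the original post), here is a small PHP CLI helper for two items of the checklist above: it flags Remote File Inclusion attempts in web server access logs, where a query parameter's value is itself an absolute URL, and it lists files under the webroot modified after a given point in time. The log lines are constructed samples in Apache combined format, and the webroot path and the function names are assumptions of this example.

```php
<?php
// Added example, not part of the original post: triage helper for the
// "web server access logs" and "files with a strange modification time" items.
// Log lines below are constructed samples; the webroot path is an assumption.

date_default_timezone_set('UTC');   // keep date() quiet on older PHP setups

$sampleLog = <<<'LOG'
203.0.113.7 - - [10/Mar/2007:03:12:44 +0100] "GET /index.php?id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2007:03:12:51 +0100] "GET /typo3conf/ext/demo/show.php?page=http://198.51.100.9/c.txt? HTTP/1.1" 200 812 "-" "libwww-perl/5.805"
203.0.113.7 - - [10/Mar/2007:03:12:58 +0100] "GET /index.php?id=ftp%3A%2F%2F198.51.100.9%2Fc.txt HTTP/1.1" 404 300 "-" "libwww-perl/5.805"
198.51.100.22 - - [10/Mar/2007:03:13:02 +0100] "GET /fileadmin/doc.pdf HTTP/1.1" 200 90210 "http://www.example.net/" "Mozilla/4.0"
LOG;

/**
 * Return the log lines in which a query parameter carries an absolute URL
 * (http://, https://, ftp://), the classic signature of an RFI probe.
 * parse_str() decodes percent-encoding, so encoded variants are caught too.
 */
function findRfiAttempts(array $lines)
{
    $hits = array();
    foreach ($lines as $line) {
        // Request line inside the quotes: METHOD URI HTTP/x.y
        if (!preg_match('#"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"#', $line, $m)) {
            continue;
        }
        $query = parse_url($m[1], PHP_URL_QUERY);
        if (!is_string($query) || $query === '') {
            continue;
        }
        parse_str($query, $params);
        foreach ($params as $name => $value) {
            if (is_string($value) && preg_match('#^(?:https?|ftp)://#i', $value)) {
                $hits[] = array('parameter' => $name, 'url' => $value, 'line' => $line);
            }
        }
    }
    return $hits;
}

/**
 * List files below $dir whose modification time is later than $since (Unix
 * timestamp). Use the time of the first suspicious request as $since.
 * mtime can be forged with touch(1); an AIDE/Tripwire report is the more
 * reliable source when you have one.
 */
function filesModifiedSince($dir, $since)
{
    $found = array();
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if ($file->isFile() && $file->getMTime() > $since) {
            $found[] = date('Y-m-d H:i:s', $file->getMTime()) . '  ' . $file->getPathname();
        }
    }
    sort($found);
    return $found;
}

foreach (findRfiAttempts(explode("\n", $sampleLog)) as $hit) {
    printf("RFI attempt: parameter '%s' points to %s\n    %s\n",
        $hit['parameter'], $hit['url'], $hit['line']);
}

// Pass the real webroot as the first argument; the default is an assumption.
$webroot = isset($argv[1]) ? $argv[1] : '/var/www/example.com/htdocs';
$since   = strtotime('2007-03-10 03:12:00 +0100');   // first suspicious request
if (is_dir($webroot)) {
    foreach (filesModifiedSince($webroot, $since) as $entry) {
        echo "modified: $entry\n";
    }
} else {
    echo "webroot $webroot not found, skipping file check\n";
}
```

Run it as php triage.php /path/to/webroot; to scan a real log, replace $sampleLog with the lines from file('access.log'). On the constructed input the first function reports the second and third lines (the plain and the percent-encoded URL in a parameter) and ignores the bookmark-style and referrer-carrying requests, which is the point: the referrer itself is not the signal, the parameter value is.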