Welcome to the Linux Foundation Forum!

My site has been used for Phishing

Help please,

I have a website that someone has been able to hack and install phishing pages!

I need to set the security to make this impossible. Looking back in the logs I found this code snippet:

"GET /index.php?page=latestnews//conlib/prepend.php3?cfg[path][contenido]=../../../../../../../../../../../../..//proc/self/environ%0000 HTTP/1.1" 200 6578 "-" "<?eval(base64_decode('</p>

After the page=latestnews there is a reference to conlib/prepend?cfg[path][contendido] which appears to install a page on the root directory from which they seem to be able to install phishing sites.

I have several sites on a dedicated FastHosts server but only 1 is being attacked?

Has anyone come across this and can recommend what to do?




  • marc
    marc Posts: 647
    That looks like an sql injection...

    parametrize your queries

  • Hi marc,

    I've been through the database and it doesn't appear to be a sql injection.

    More like an attack through Contenido CMS which we are not using but maybe installed as standard by FastHosts.

    But, I can't find out how to disable this?

    My main goal is to be able to tell FastHosts that the site cannot be attacked in this way again.

  • marc
    marc Posts: 647
    Well, it's not an *sql* injection but it's an *injection* after all. You php code allows any paramter and the prove is :"../../../../../../../../../../../../.."

    Your security problem is there ;)

  • woboyle
    woboyle Posts: 501
    1. Don't allow any input beyond specific formats.
    2. For database I/O, DO NOT USE SQL in your forms - use stored procedures that do not take arguments as partial sql strings, but are only data passed in bound variables.
    3. For all other input data, validate EVERYTHING.

    It's not impossible to secure a web site from hacking, but it takes time and effort. If you don't want to invest in security, you will continue to be insecure.


Upcoming Training