Recently my web server was hacked. someone uploaded a php file manager called extplorer and changed all of my web pages and i was wondering what possible ways they could of uploaded something to my server without direct access to it i know that you can sometimes execute a php script on a servers webpage if it is not designed correctly but i had no entry points like that and i just had php installed in case i needed it i wasn't using it anywhere and i didn't have anything else installed on that system there was not ftp or ssh are there any other methods the attacker could of used to get those files in the root directory of my server?
Asked
Active
Viewed 685 times
0
-
There might be many. FTP, ssh, Telnet, RCE in installed software, any other language a web app might be written in other than php, just to name a few. This question is too broad without a detailed assessment of what software was running on the server at the time of the attack (as the attacker might have closed the hole after access was gained). – Tobi Nary Nov 22 '17 at 16:41
-
3Possible duplicate of [Server compromised for 2nd time, cannot locate source of attack](https://security.stackexchange.com/questions/9234/), [How can I determine from where injected script came from?](https://security.stackexchange.com/questions/165622), [Determining the point of compromise on an infected web server?](https://security.stackexchange.com/questions/16305), ... – Steffen Ullrich Nov 22 '17 at 17:11
3 Answers
0
As @SmokeDispenser mentioned in is comment, this is a very broad question, so the list below is very general.
- Stolen Credentials - You need to be able to update the PHP files yourself, so you need to have some sort of interface to do that. It's possible that an attacker stole those credentials and used the interface just like you did.
- Remote Code Execution Bug - It's possible that your code has a bug which allows users to execute arbitrary code, and the attacker exploited this to download the file to the server. If you are using a framework, such as Wordpress, cakePHP, etc., the bug might exist in that software.
- Another with another application on the system which allowed the user to gain access to the filesystem.
The first two items are the most likely attack vectors. Do you know the original owner of the file? That might be the best clue as to how that file was created.
Dan Landberg
- 3,312
- 12
- 17
-
http://extplorer.net/files that is the php program he uploaded my server is a windows machine with just php and apache – Nik Hendricks Nov 22 '17 at 16:59
0
It could have easily been a bug or miss configuration of apache that allowed them to break in.
You could be running an old version of apache with unknown vulnerabilities. It could be a zero day bug.
Maybe there's a kernel exploit, we have no idea which kernel you are using either it could be super old.
Buffer over runs and such are great way to inject code you want to run which then opens up additional attack vectors.
cybernard
- 518
- 2
- 10
0
Could be a path traversal attack as well. Attacker accesses a legitimate page of the webserver and tries putting this into the url "../../../system.ini" as an example, finds that he has access to the directory and/or server configuration file and uploaded his malicious file. You should review the logs to determine root cause. I would also run a vulnerability scanner on your site (NetSparker, Acunetix, Owasp ZAP, or Vega).
f3rr4r1_r3d
- 9
- 3