All ways to edit files using php? (security)

I am having some serious security breaches in my website. After securing the webserver, i will now secure my php files.

Thus, i want to know all the methods might be used to upload or edit php files due to an exploit in my php scr开发者_运维技巧ipts.

If your webserver was compromised, there is no way around reinstalling the whole webserver! As mentioned above there might be rootkits already installed. I guess by "securing the webserver" you also reinstalled it?

It all depends what your webserver is hosting. If you use a CMS of any type (joomla, ...), or a forum, then check for updates for these.

I agree with the things mentioned above:

• Check where your users can upload images or other files
• Check your includes in the php files: if you use dynamic including (ie: include($_GET['sitename'] . '.php');) then please whitelist check those items. meaning only sites that are known should be included
• Look at your PHP Logs (you can find the path to your php logs in your php.ini). Those logs (especially notices and warnings) give loads of hints of flaws in your program. You might find out how the attacker could compromise your server there (if you know when the server was attacked)
• While you're at it: check for SQl Injections. (http://php.net/manual/de/security.database.sql-injection.php)
• Search for usages of "eval" and system execution functions like "exec" (http://at2.php.net/manual/en/book.exec.php)

sigh, hundreds and hundreds. Apply proper safety checks in code, and for heaven's sake, don't make anything writable/executable for the web-user which shouldn't be (no lazy blanket 0777 as people seem to indulge in).

One of the most common issues is code like include($_REQUEST['site'].'.php') which allows the attacker to include code from remote servers if allow_url_include is not disabled in php.ini

You should check out the file io section of Exploitable PHP Functions.

Look for a web shell script, basically a PHP file which allows anyone to do anything when accessed.

Hackers generally try and make it look non malicious, for example, disguising it as a Google Webmaster Tools authentication file google-34facsdb7fdfd33c.php.