Securing a website

I'm currently lookin开发者_JS百科g into a web site that has been hacked for phishing purposes. Apparently, a PHP file was introduced and used to upload files and perhaps change directory permissions. I suspect this was done through a public writable directory or through an unsecure image upload script.

What steps can I take to make the site as secure as possible?

The most important step is to restore the code form a backup. The attakers could create any backdoor for future use.

Your http_access logs could probably tell the original point of intrusion.

Also check the file permissions your webhost uses. In many cases the vulnerability lies not inside the page itself but the hosting company not separating the space of different customers (so it could have spread from an other customer on the same webhost).

The question is tagged PHP so I'm assuming that your server side language is PHP. It is also a fairly general question but some advice is

1. If only image files are meant to be uploaded verify that the file has a valid image extension and mime type and use getimagesize(). Even if you are not accepting only image files check the extension and mime type against a whitelist of allowed extensions and types. Also when you use move_uploaded_file choose your own name and extension.

2. Ensure that arbitary files can't be requested by keeping your upload directory outside the web root and checking any data that your file requests depend on.

There is more information here

The two most common attacks my php websites receive is SQL injection and Remote File Inclusion. My IDS picks up about 6 attacks per day. The #1 thing you can do as a developer is always validate user input. Never pass user input (like request variables) directly to a SQL query.

Read up on remote file inclusion:

http://www.theprohack.com/2010/07/simple-tutorial-on-remote-file.html