Securing PHP Programs To Block Hacking


  • Securing PHP Programs To Block Hacking

    We got hacked a few weeks ago due to a vulnerability in the WYSIJA (Mail-Poet) plugin for Wordpress, which allowed a file to be uploaded and executed, resulting in ALL our PHP files being infected with an encrypted script at the beginning of them.

    Usually on a Unix/Linux based system I would use Permissions to block core files from being updated by anyone other than an Administrator, but on the iSeries everything is done using user profiles instead.

    I wondered if there is a recommended way to define IFS directory authorities to help prevent this from happening again, since the Apache error logs show that bots are "banging on the door" every day, trying to find a weak point.
    Poddys Rambles On

  • #2
    Re: Securing PHP Programs To Block Hacking

    I'm not sure that I understand what you're saying here... IBM i has all of the same permissions options that Unix does (and in some ways has some more advanced, better, options, too...)

    I'm really confused by "on the iSeries everything is done using user profiles instead." What does that mean, exactly? Unix systems also do things with user profiles, so.... what is it, exactly, that you're trying to do that you can't do on IBM i?



    • #3
      Re: Securing PHP Programs To Block Hacking

      I have to admit that I am more familiar with changing permissions at file/folder level on a Unix server using a file manager through Control Panel on a hosted domain or using Filezilla (FTP) than doing this on the IFS on the iSeries, and there you are usually working with a number (e.g. 644 means Owner Read/Write, Group Read and Public Read access only).

      With further investigation we have removed all *PUBLIC access to HTDOCS and its subfolders, and allowed QTMHHTTP only *RX access:

      CHGAUT OBJ('/htdocslocation') USER(QTMHHTTP) DTAAUT(*RX)

      We have added Write access only to Upload folders for QTMHHTTP.

      Hopefully this is adequate and these are the correct access rights to give the outside world.
      Poddys Rambles On



      • #4
        Re: Securing PHP Programs To Block Hacking

        Use QSHELL and you can run your chmod to your heart's content, same as Linux, etc.
        I'm not anti-social, I just don't like people -Tommy Holden



        • #5
          Re: Securing PHP Programs To Block Hacking

          Originally posted by tomholden
          Use QSHELL and you can run your chmod to your heart's content, same as Linux, etc.
          I hadn't thought of that, thanks Tom. I'm not too familiar with the Unix commands that are used behind the scenes though; usually I execute permission changes through programs like a file manager or FTP program.

          I think we have everything secured now, except that the Wordpress section of the web site has its own caching and needs to be able to update itself. I am not sure what access I need to give the Wordpress folders, without allowing intruders back in. The solution to this might be harder to find, since few people (to my knowledge) are using Wordpress on the iSeries.
          Poddys Rambles On
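
The lockdown described in posts #3 and #4 (no public access, read/execute for the web server, write only on upload folders), as an added example that is not part of the original thread: shell functions that audit and tighten a document root with `find` and `chmod`. Assumptions not taken from the thread: upload folders are named `uploads`, the web server account reaches files through the group bits, and a POSIX `find` and `chmod` are available. It looks only at the mode bits that `chmod` sets, so an authority granted to a named user with CHGAUT is outside what it checks.

```shell
#!/bin/sh
# Added example: audit and tighten mode bits under a web document root.
# Assumptions (not from the thread): upload folders are named "uploads",
# and the web server account reaches files through the group bits.

# Paths that "other" (shown as *PUBLIC on IBM i) or the group can write to,
# excluding upload folders, which are meant to be writable.
writable_outside_uploads() {
    find "$1" \( -perm -002 -o -perm -020 \) ! -type l \
        ! -path '*/uploads' ! -path '*/uploads/*' -print
}

# Script files inside upload folders: the "uploaded and executed" pattern
# from the first post. Anything listed here deserves a manual look.
php_in_uploads() {
    find "$1" -type f -path '*/uploads/*' -name '*.php' -print
}

# Remove all access for other and write access for group, then give the
# group write access back on upload folders only.
lock_docroot() {
    chmod -R o-rwx,g-w "$1" || return 1
    find "$1" -type d -name uploads -exec chmod g+w {} \;
}

# Print every finding once; return 0 when clean, 1 when anything was found.
audit_docroot() {
    findings=$( { writable_outside_uploads "$1"; php_in_uploads "$1"; } | sort -u )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Typical use: audit_docroot /path/to/htdocs, then lock_docroot on the
# same path, then audit again and review whatever is still listed.
```

Run the audit again after `lock_docroot`: a PHP file left in an upload folder is still reported, because tightening permissions does not remove a file that was already planted.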
