My php site was hacked by codes uploaded as image..?

Question

Yesterday my site was comprised. The attacker changes the index.php file to their own (with all their glory messages and greet). I\'ve notified the hosting company about thi

Answer 1

Image file with arbitrary PHP code can't be exploited with direct request to it, e.g. http://www.mysite.com/uploads/image.jpg?cmd=somecode.

Still, it can be used with Local File Inclusion vulnerability.

For example, in index.php you use include('pages/' . $_GET['page'] . '.php');, then attacker can upload image with PHP code inside and execute commands with smth like this: http://www.mysite.com/index.php?page=../upload/image.jpg?cmd=somecode%00

UPD: changed file in URL to page

Answer 2

JPEG files can contain arbitrary data in them in addition to the actual image data; it's part of the spec. Thus, merely checking if an image is a valid JPEG does not mean that the file is necessarily completely harmless.

Answer 3

My image file up-loader setting are: upload file to temp folder, creat new image using imagecreatefromjpeg or imagecreatefrompng or imagecreatefromgif and save, delete uploaded file from temp folder (all these stuff happening within same script action, so file uploaded in temp folder does not exist for long time)

Answer 4

This may not be a vulnerability in your code. I had the same thing happen to me a few weeks ago. Although ALL my index.php files were removed, even ones not directly web accessible. In my case, it was a security hole in Linux. Not anything to do with my code. This was the reply from my hosting provider (A2Hosting), regarding the problem. Once I convinced them it wasn't anything I did, they figure things out pretty quickly.

"A recent exploit in the Linux kernel was used to grant administrative (root) access to users' directories on the server. The attack consisted of removing index files found in directories and replacing them with the attacker's desired content: A black web page with the attacker's code name, "iSKORPiTX (Turkish Hacker)". This hack was massive across the internet and used a previously unknown vulnerability, limiting our ability in preventing it."