Malicious PHP request/POST


A website of mine is getting attacked lately. I've cleaned every bit of code I can, but I really can't figure out how they are able to create files and even inject files. I've turned off all writing rights, even for me. I decided to log all requests from now on, until I get this stuff fixed.

Now I've already got one result, and it's meant to mess something up for sure. But I just can't figure out what is happening.

The request can be found here: https://pastebin.com/TQGnvQjz

Beginning of the file:

bsbcy=vasa&txhw=LCRrLzY6ZXVjbDoxLSZmIHdqNSI1LGA0NXYvLnFwf2NjIS4vfiR8YSk6fX8qdGkpNCY9N

I should note the way it's being printed to me, and what the URL looked like. Firstly, the URL was /index.php?bsbcy=vasa, so the first variable is a GET variable.

The second variable is the POST variable. Now this looks like some base64. I tried decoding it, but base64decode.org either spits out a .bin file full of gibberish, or if I turn on live converting, it spits out the same gibberish but without me having to download it.

Does anybody know what this gibberish is supposed to be? I'm betting it's something that's supposed to inject or create a file. But I can't know until I'm able to decode it.

Thanks in advance!

Regards, sanderbebo.

Best answer:

First of all, never ever ever ever use anything any user sends you directly. Anything you receive through GET or POST or whatever, sanitize it. The problem you are facing is not solved by blocking writing rights. Blocking rights can always be altered with code. Whoever is attacking you is able to attack you because you are still live and allowing him an entrance.

Now I am not sure what your code looks like, but you might wanna really sanitize all data inputs before processing. Also, you might wanna encrypt and decrypt all data with secret keys. That way, if any data comes in and it is not in line with your encryption, it returns null and does not process at all. It may seem a lot of work, but you work more when an attack comes through.

Consider this article; it could be useful: https://www.dreamhost.com/blog/php-security-user-validation-sanitization/

Answer:

I'm now using Cloudflare, and since then, no more infections.

Also put in some more checks, i.e. refusing further connections if POST values are too long. Don't know if it works like I hope it does, but it doesn't hurt normal visitors and should annoy bots. So that's good.

Thank you people for the advice, information and the help!