Site Hack .. tried to register forbidden variable index.php
Good Morning Team
OK, now one of the servers (a concrete5 site) got attacked and the server shut it down.
Apache error message:
Apr 22 09:49:17 elastic4 suhosin[24059]: ALERT - tried to register forbidden variable '_SERVER[DOCUMENT_ROOT]' through GET variables (attacker '94.242.198.110', file '/data/ADMINvillagebookshopcouk/www/index.php')
The site was on version 5.6.0.2, I believe. I have updated the site with no problems, apart from the theme issues I have mentioned before.
The root/index.php was set to 755 permissions; I have changed it to 744 for extra security. The site seems to be fine; I think the server picked up on the attack and shut down the site's Apache. Once I restarted the site it came up fine, with no signs of code injection so far.
Just thought I should let you all know, and ask if there is anything I can do to stop this happening again?
Thanks
Carl
My understanding is that it's looking for scripts that use that server array variable AND have register_globals set to On. register_globals is something that should always be left off, which has been the default for a long time.
I'm not sure what can actually be configured with suhosin, but one suggestion would be to get it to blacklist any IP that triggers that kind of rule, instead of shutting down Apache. That kind of request is ONLY going to be dodgy, not a legitimate request.
Or if it's one particular IP all the time, I'd just blacklist that manually.
With server permissions, I'd agree with your thinking to reduce them where possible. Site hack scripts often target index.php and .htaccess files indiscriminately (regardless of cms), so if you've set them as completely unwritable, it's going to be another barrier.
As a side note, this month has seemed really active for hackings; I'm wondering if it's just what I'm seeing or if there is a large increase in activity. WordPress has been a big target for brute force attacks, but legacy Joomla sites seem to have suffered a lot as well.
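The reply suggests blocking any IP that triggers the suhosin "forbidden variable" rule rather than letting the whole site go down. The script below is an added example, not code from the thread or from suhosin or concrete5: it parses suhosin ALERT lines of the format quoted in the post, counts alerts per source address, and renders an Apache 2.2 style `Deny from` block for a `.htaccess` file. The sample log is constructed for the example (the first line is the one from the post, the others are made-up variants); the threshold, the helper names and the assumption that the server runs Apache 2.2 with mod_authz_host are the example's own.

```python
import re
from collections import Counter

# Constructed sample log. Line 1 is the alert quoted in the post; the rest are
# made-up variants (a repeat, a POST variant, a second address, an unrelated
# Apache line) so the parser and the counting logic are exercised.
SAMPLE_LOG = """\
Apr 22 09:49:17 elastic4 suhosin[24059]: ALERT - tried to register forbidden variable '_SERVER[DOCUMENT_ROOT]' through GET variables (attacker '94.242.198.110', file '/data/ADMINvillagebookshopcouk/www/index.php')
Apr 22 09:49:18 elastic4 suhosin[24059]: ALERT - tried to register forbidden variable '_SERVER[DOCUMENT_ROOT]' through GET variables (attacker '94.242.198.110', file '/data/ADMINvillagebookshopcouk/www/index.php')
Apr 22 09:49:20 elastic4 suhosin[24059]: ALERT - tried to register forbidden variable 'GLOBALS' through POST variables (attacker '94.242.198.110', file '/data/ADMINvillagebookshopcouk/www/index.php')
Apr 22 09:51:02 elastic4 suhosin[24061]: ALERT - tried to register forbidden variable '_SERVER[DOCUMENT_ROOT]' through GET variables (attacker '203.0.113.7', file '/data/example/www/index.php')
Apr 22 09:52:10 elastic4 apache2[1200]: normal line that is not a suhosin alert
"""

# Matches the suhosin "tried to register forbidden variable" alert and pulls
# out the variable name, the request method, the source IP and the target file.
ALERT_RE = re.compile(
    r"suhosin\[\d+\]: ALERT - tried to register forbidden variable "
    r"'(?P<variable>[^']+)' through (?P<method>\w+) variables "
    r"\(attacker '(?P<ip>[^']+)', file '(?P<file>[^']+)'\)"
)


def parse_alerts(log_text):
    """Return one dict per suhosin forbidden-variable alert; other lines are ignored."""
    alerts = []
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            alerts.append(m.groupdict())
    return alerts


def attackers_to_block(alerts, threshold=1):
    """(ip, count) pairs for addresses with at least `threshold` alerts, most active first."""
    counts = Counter(a["ip"] for a in alerts)
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]


def htaccess_deny_block(ips):
    """Render an Apache 2.2 (mod_authz_host) deny block for a .htaccess file.

    Assumption of this example: the site is served by Apache 2.2, where
    'Order Allow,Deny' / 'Deny from' is the access-control syntax.
    """
    lines = ["Order Allow,Deny", "Allow from all"]
    lines.extend(f"Deny from {ip}" for ip in ips)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_alerts(SAMPLE_LOG)
    for a in found:
        print(f"{a['ip']:16} {a['method']:5} {a['variable']:25} {a['file']}")
    blocked = attackers_to_block(found, threshold=2)
    print()
    print(htaccess_deny_block([ip for ip, _ in blocked]))
```

Run against a real log the same way (`parse_alerts(open("/var/log/syslog").read())`), raise the threshold to taste, and append the rendered block to the site's `.htaccess` or feed the addresses to whatever firewall tooling the host uses; a `.htaccess` that is itself unwritable by the web server user, as the reply recommends, is still the right place for the rule.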