Hacking issue!
Sorry to be posting again with nothing to actually contribute, but I'm having a hacker issue with one of my websites. I'm not one to jump on sudden suspicions of hackers, and I don't victimize myself, but this is the second time someone's hacked my site.
After the first time, I was extremely cautious. I uploaded my site to a new server and made sure not to install any interactive PHP scripts. I did, however, continue to code my website in basic PHP, but nothing that required a connection with an SQL database or any sort of log in - just simple PHP pages with dynamic inclusion and switch functions.
[/END SOB STORY]
My friend's webhost (my friend was hosting me at the time) sent this as a response to my e-mail:
"Do NOT put any php pages back up on this site if you wish to host it with us and certainly not any phpbb boards which were most likely used in the attempt to hack our server."
Considering I did not have a phpBB script uploaded, the only alternative is that he hacked my site through my actual php pages (at least according to her webhost).
So my question is this: What are the security risks/vulnerabilities of just normal, non-interactive php pages?
And if anyone can provide any security tips, that would be greatly appreciated!
The good news is, I'm working on a simple gallery script that does not require an SQL connection or anything, so hopefully I'll be able to post that soon! :)
EDIT: Under the cut is the code I've been using on my main page/subpages. Also, I'd like to clarify that I was not blaming PHP, but myself for my faulty coding. I'm simply looking for a solution to the issue - not a scapegoat to beat because my website was hacked.
<?php
include("language.php");
// The whole page is emitted from one echo string, so the inner quotes
// are escaped as \" (this opening echo was missing from the post).
echo "
<HTML>
<HEAD>
<TITLE>EXXXOTiQUE » a ×××HOLiC site</TITLE>
<link rel=\"stylesheet\" href=\"holic.css\">
<script language=\"JavaScript\" src=\"hover.js\"></script>
</HEAD>
<BODY bgcolor=\"#1C0D23\" topmargin=\"0\">
<table width=\"100%\" cellpadding=\"0\" cellspacing=\"0\">
<tr>
<td align=\"center\">
<table cellpadding=\"0\" cellspacing=\"0\">
<tr>
";
include("layout.php");
echo "
</tr>
<tr>
";
include("nav.php");
echo "
</tr>
<tr>
<td valign=\"top\" id=\"content\" width=\"741\">
<table cellspacing=\"0\" cellpadding=\"20\">
";
// --- DYNAMIC INCLUSION
// $x is never assigned in this file: register_globals fills it from the
// ?x= query parameter, so its value comes straight from the request.
$page = basename($x);
// $page is computed but never used; the include below still builds the
// file name from the raw request value rather than the sanitised one.
if(!$x)
include("main.php");
else
include("$x.php");
echo "
</td>
<!-- END CONTENT -->
</table>
</td>
</tr>
<tr>
<td><img src=\"bottom.gif\" border=\"0\"></td>
</tr>
</table>
</td>
</tr>
</table>
</BODY>
</HTML>
";
?>
And for the sub-pages:
<?php
// --- MAIN PAGE DISPLAY
// $holic is not set in this file either: it arrives via register_globals
// from the &holic= parameter that language.php appends to the nav links.
if(!$holic) {
echo "
Content.
";
}
// --- INTRODUCTION
elseif ($holic == "introduction") {
echo "
CONTENT - deleted for convenience. No php was used within the echo tag, though.
";
}
?>
For the language.php file:
<?php
$self = "index.php";
// NAVIGATION
$information = "$self?x=information";
$introduction = "$information&holic=introduction";
$prologue = "$information&holic=prologue";
$summaries = "$information&holic=summaries";
$themes = "$information&holic=themes";
$culture = "$information&holic=culture";
$clamp = "$information&holic=clamp";
$merchandise = "$information&holic=merchandise";
function tankoubon($num, $isbn) {
// The string is double-quoted so $num and $isbn interpolate; every
// HTML attribute quote inside it must therefore be escaped as \".
echo "
<td><img src=\"merchandise/tankoubon_$num.gif\" border=\"0\" alt=\"Volume $num\" align=\"left\" class=\"image\"></td>
<td>XXXHolic Manga Volume $num<br>
Romanji: XXXHorikku<br>
Price: <A href=\"http://www.amazon.co.jp\">¥560</a> | <a href=\"http://www.sasugabooks.com\">$7.50</a> <br>
ISBN #: $isbn
</td>
";
}
?>
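The risk in the pages above is the "dynamic inclusion" block: index.php takes a request parameter (which register_globals hands it as $x) and builds a file name from it, so the request decides which file PHP includes. Below is an added example of a hardened replacement for that block; it is not the poster's code, and it assumes PHP 7.1+ with register_globals off, an allow-list of page names, and that the sub-pages live in a pages/ directory beside index.php.

```php
<?php
// Added example, not the poster's code: a hardened replacement for the
// "DYNAMIC INCLUSION" block of index.php. Assumes PHP 7.1+ with
// register_globals off, and that the sub-pages live in pages/ beside
// index.php (both are assumptions; adjust to the real layout).

// The only page names that may ever be turned into a file name.
const ALLOWED_PAGES = ['main', 'information', 'gallery'];

/**
 * Map the raw ?x= value to a page name on the allow-list.
 * Missing, unknown or malformed input resolves to 'main'.
 */
function resolvePage(?string $raw): string
{
    if ($raw === null || $raw === '') {
        return 'main';
    }
    // Plain lowercase word only: slashes, dots, NUL bytes, "..", stream
    // wrappers and URL schemes are all rejected before any path is built.
    if (!preg_match('/^[a-z]+\z/', $raw)) {
        return 'main';
    }
    return in_array($raw, ALLOWED_PAGES, true) ? $raw : 'main';
}

/**
 * Absolute path of the page file, verified after symlink/"." resolution
 * to sit inside the pages/ directory. Fails closed to main.php.
 */
function pagePath(string $page): string
{
    $dir  = realpath(__DIR__ . '/pages');
    $path = realpath(__DIR__ . '/pages/' . $page . '.php');
    if ($dir === false || $path === false
        || strpos($path, $dir . DIRECTORY_SEPARATOR) !== 0) {
        return __DIR__ . '/pages/main.php';
    }
    return $path;
}

// Read the parameter explicitly instead of relying on register_globals,
// so nothing else in the request can silently define $x.
$page = resolvePage($_GET['x'] ?? null);
include pagePath($page);
```

The nav links built in language.php keep working unchanged, since the parameter is still named x; the sub-pages should read $holic the same way, from $_GET['holic'], rather than expecting register_globals to create it.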
