CodeIgniter Forums

Full Version: I think my website got hacked
You're currently viewing a stripped down version of our content. View the full version with proper formatting.
Pages: 1 2 3
Hi,

I've uploaded an opening page for my project which is CI and it was working for a month as well, suddenly yesterday I release that my website is down (screenshot web.jpg) and then I was checking my FTP and I saw many random files are located to my FTP (look at the second screenshot).
--when I deleted the random files, will generate automatically after few minutes!

My code details:
I have only an input to get email address.
I'm using CSRF, XSS and all validation about the input.
Also I trim the input value.
I'm using active records to save data to my database.

I tried to talk to my server's tech support.
I was talking to 6 person to solve the problem.

They mentioned "if you remove the files will be fine" and another person said "the issue is not from us and your coding has problem". Another person said "That most hackers use some kind of encryption to mask there hacks." Another person said "But there is files that actually use legitimate encryption , thus they are pulled into the searchs." And the last person who solved the problem and make my website live again was saying "the issue was about the Php version. You were using 5.4 and I updated to 5.6".

I told him but still I can see the random files in my FTP.
When I was asking him "that means this issue won't happen again? He said no" !

I'm pretty confuse about what was the real reason?
If i got hacked, what's the solution to protect ?
If it was Php version, why before yesterday was working well?

The tech support never reply to my questions.

Anybody can help me in this?
I appreciate if anyone share some security articles with me (not only CI security). I need to protect this project 100% , coz we will have transactions and important data and important users. We don't wish to loose them.

Thanks a lot.
Are you using an encrypted FTP, or just plain FTP? If plain, you need to make sure that all computers on your network are scanned for viruses. This happened to me once, and it was an infected computer that was sniffing network traffic and sending my FTP credentials to who knows where.
(12-15-2015, 07:17 PM)skunkbad Wrote: [ -> ]Are you using an encrypted FTP, or just plain FTP? If plain, you need to make sure that all computers on your network are scanned for viruses. This happened to me once, and it was an infected computer that was sniffing network traffic and sending my FTP credentials to who knows where.

that point of time which the website was down i never open my FTP, totally i never use my laptop for whole day.
Which kind of the network you are talking about? i don't think my laptop connected to any network!
How do you connect to the Internet?
I think, these are your session-keeping files, but for some reason they are put in a wrong place.
(12-15-2015, 08:07 PM)ivantcholakov Wrote: [ -> ]I think, these are your session-keeping files, but for some reason they are put in a wrong place.

I agree with @ivantcholakov. Your website has not hacked
(12-15-2015, 08:07 PM)ivantcholakov Wrote: [ -> ]I think, these are your session-keeping files, but for some reason they are put in a wrong place.

What do you mean the session-keeping files ?
For this page which is only add the emails in the DB I didn't use session I just use the session for showing the errors of success action which is in using set_flashdata() and as I read this session will delete after redirect a page!

But if it's the case how can I solve it? Can you please advice me Smile
This sounds like session configuration problem. Can you post your config/config.php or the relevant excerpt dealing with session parameters?
> I just use the session for showing the errors of success action which is in using set_flashdata() and as I read this session will delete after redirect a page!

It means you use session.

The files are the files which store session data.
But you don't store data permanently in sessions, the files are 0 byte.
(12-15-2015, 11:31 PM)ciadmin Wrote: [ -> ]This sounds like  session configuration problem. Can you post your config/config.php or the relevant excerpt dealing with session parameters?

here you go:
PHP Code:
$config['sess_driver'] = 'files';
$config['sess_cookie_name'] = 'ci_session';
$config['sess_expiration'] = 7200;
$config['sess_save_path'] = NULL;
$config['sess_match_ip'] = FALSE;
$config['sess_time_to_update'] = 300;
$config['sess_regenerate_destroy'] = FALSE;
$config['cookie_prefix']    = '';
$config['cookie_domain']    = '';
$config['cookie_path']        = '/';
$config['cookie_secure']    = FALSE;
$config['cookie_httponly']     = FALSE

its all about session in my config.php
Pages: 1 2 3