This may help i came across it a little while ago on a site |
This message is aimed at everyone who has converted their website to PHP using the index.php?x=about.html method to include their pages, as seen in many tutorials all over the web (like for example at EnglishSun.org).
This method is very insecure, and allows hackers to gain access to your server. Because you are specifying what file to include via a URL, anyone can change the bit after x= to something else to include any file they want. This means they are able to see sensitive files, that hold password and other sensitive information. Once a hacker has gained access to your server, they will generally proceed to upload malicious scripts (like trojans or egg drops), with which they can attack other networks and send out SPAM emails. This eats up the bandwidth and disk space you're paying for, and can get you kicked out by your host. And, even worse, if any damage is caused to the server you're hosted on, your host can hold YOU totally responsible for those damages, because you allowed the hackers to gain access by using insecure coding! If they wanted to, they'd have the right to sue you over this.
I've discovered this because several friends of mine recently contacted me after having problems with hackers on their servers. In trying to figure out what let the hackers gain access, I discovered the insecurities in this script. Also, one of those friends noticed she had been getting a lot of referrals from Google.com for searches looking like "allinurl: index.php?x=". This means that there are people out there specifically looking for sites using these scripts, they are being targeted by hackers because it is KNOWN these sites are insecure.
Therefore, it is VERY important that you change your coding ASAP, as in RIGHT AWAY, if you were using this method of PHP coding. Here's what you should do if you used this script:
1. Change your passwords for your domain control panel and MySQL databases. It can't hurt to change your password to your email accounts as well, just in case.
2. Change your coding. There are other ways of converting your pages to PHP, two examples of which can be found here:
Fitting In With Your Site
3. Make sure there are NO urls left in your site anywhere that use the "?x=filename.html" method to include files.
4. Contact your host, and explain to them that you've just discovered you were using a script that wasn't completely secure. Tell them that it might have let hackers gain access to the server. Your host will then be able to run a security check on the server to get rid of any malicious scripts that might be present if you have been hacked.
5. Spread the word. It's very important we let as many people as possible know about this ASAP so they can protect themselves. Please post about this in your blogs, forums, mailing lists, LiveJournals, etc. If you know of anyone who has a tutorial up on how to implement this method, please send them a link to this thread. The more people read this, the more will hopefully be able to change their coding before they get hacked. Feel free to include this entire message, or alternatively, include a link to the thread about this at CodeGrrl.