
I run a file sharing site, built on CodeIgniter, PHP 7. We recently found one of the files in our www/application/controllers dir was very slightly edited to change a download request for 1 in every 3 Windows users, which pointed them to a malware file instead (which had been uploaded to our server legitimately). The SSH access is locked down with a private key which only I have. The dir/file permissions were possibly not great at the time, maybe 755 or even 777.

I'm trying to figure out how a file that isn't in a public directory was edited when I'm fairly confident they couldn't have obtained SSH access?

Are there any known vulnerabilities with CodeIgniter that would allow this?

Thanks in advance for any help you can give.

Ryan
  • What version of Ubuntu are you on? – essefbx Feb 17 '17 at 17:06
    Not really enough information here - were other services running? Is it on a dedicated server, or shared with other sites? Are you absolutely certain that there aren't SQL injection flaws or command injection flaws in your own code? And, just in case you've not seen it, the canonical response to server compromise questions is http://security.stackexchange.com/questions/39231/how-do-i-deal-with-a-compromised-server – Matthew Feb 17 '17 at 17:15
  • It's a dedicated box with OVH, Ubuntu 16 Xenial. The DB is on AWS RDS, with IP lockdown, and that itself is clean, no compromise there. The actual code change was directly to a PHP file, it was very subtle, and only targeted Windows users. I've been looking through my code but it's a fairly simple app and I keep within the CodeIgniter framework 99% of the time to ensure everything passes through XSS & CSRF safety measures etc. The upload directory is above the web root so isn't public, only the app can put files there. That all seems fine. Unsure how somebody could edit a PHP controller file? – Ryan Feb 18 '17 at 11:40
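Two things the question and the follow-up comment leave unmeasured are whether the web server process itself could write to the controllers tree (755/777 directories, or files owned by the server user, turn any application-level bug into a code edit) and whether any other file changed. The script below is an added example, not code from the question or from CodeIgniter: it records a SHA-256 baseline of the application tree, diffs the live tree against it, and lists paths that are group/world-writable or owned by the web server user. It assumes the app lives under `www/application` (overridable with `APP_DIR`), GNU coreutils/findutils as shipped with Ubuntu 16.04, and a server user of `www-data` (the Ubuntu default; overridable with `WEB_USER`).

```shell
#!/bin/sh
# Added example (not from the question or CodeIgniter): baseline-and-diff
# integrity check plus a permission/ownership scan for an app directory.
# Assumptions: GNU find/sort/sha256sum; APP_DIR and WEB_USER may be overridden.

APP_DIR="${APP_DIR:-www/application}"
WEB_USER="${WEB_USER:-www-data}"

# Write a SHA-256 line for every regular file under $1 into $2.
# Paths are sorted so two baselines of the same tree diff cleanly.
make_baseline() {
    dir="$1"; out="$2"
    (cd "$dir" && find . -type f -print0 | sort -z | xargs -0 sha256sum) > "$out"
}

# Re-hash $1 and diff against baseline $2. Unlike "sha256sum -c", a full
# diff also reports files that were added or removed, not only modified.
# Returns 0 when the tree matches, non-zero (with a unified diff) otherwise.
check_baseline() {
    dir="$1"; baseline="$2"
    tmp=$(mktemp)
    make_baseline "$dir" "$tmp"
    diff -u "$baseline" "$tmp"; status=$?
    rm -f "$tmp"
    return "$status"
}

# List files and directories under $1 writable by group or others
# (any 0x2x/0xx2 bit, which covers the 777 case from the question).
# Returns 1 if anything was found, 0 if the tree is clean.
find_loose_perms() {
    dir="$1"
    found=$(find "$dir" \( -type f -o -type d \) -perm /022 -print)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# List paths under $1 owned by user $2 (the web server account). Code the
# server process owns is code any request-handling bug can rewrite.
# Returns 1 if anything was found, 0 otherwise.
find_owned_by() {
    dir="$1"; user="$2"
    found=$(find "$dir" -user "$user" -print)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Usage: INTEGRITY_CHECK_RUN=1 sh integrity_check.sh baseline|check|perms
main() {
    case "$1" in
        baseline) make_baseline "$APP_DIR" "${2:-baseline.sha256}" ;;
        check)    check_baseline "$APP_DIR" "${2:-baseline.sha256}" ;;
        perms)    find_loose_perms "$APP_DIR"; find_owned_by "$APP_DIR" "$WEB_USER" ;;
        *)        echo "usage: $0 baseline|check|perms [baseline-file]" >&2; return 2 ;;
    esac
}

if [ "${INTEGRITY_CHECK_RUN:-0}" = 1 ]; then
    main "$@"
fi
```

Keep the baseline file outside the web root and outside any directory the server user can write, and re-run `check` from cron or a deploy hook; the diff output names exactly which file changed, which is the starting point for correlating against access and auth logs. The `perms` output should be empty for a PHP code tree: the server needs to read controllers, never write them, and the upload directory is the only place it should own files.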

0 Answers