Blocking hackers that use GET/POST



broncozr
September 8th, 2008, 12:46 PM
Our site was recently hacked by someone using GETs and POSTs. Somehow they uploaded a file called paypal.zip and proceeded to unzip it into a folder. It appears from the raw access logs that they included other URLs in the URL for my page; they seemed to use this to unzip the file and write other files?

I don't really know how hackers do this, but I was wondering if there is a way (htaccess?) to automatically run a script when anyone accesses my site? I thought I could check for bad words in the request---e.g. paypal, chdir, upload, bankamerica, etc.---and then redirect if I find a possible attack. Any suggestions?

Are there any Pear (or other) security packages that can be set to run on each hit on the site? My web host suggested PHPIDS. Are there any others that would handle such attacks?

Thanks

tfg
September 8th, 2008, 01:03 PM
are you not sanitising your data with each page request? have you checked and tweaked your security settings?

for a start, if you're allowing uploads then include a mimetype check in your php script for the type of files you want to allow.

if you're using GET and POST data to access a mysql database, you should be using mysql_real_escape_string() for every piece of user input.

check your file permissions. nobody except the owner of the documents and directories needs write access (unless you're running a script to write text files into a directory), so any files and folders with 777 permissions need to be adjusted.

it's probably easier to allow filtered good words than it is to disallow bad words. work out how the attack happened, exactly what exploit the hackers applied, and how you can strengthen that hole.

jwilliam
September 8th, 2008, 04:10 PM
As tfg said, definitely check your file permissions. I like to create one directory like /data or /uploads and set its permissions and all subdirectory permissions to 777, or if you can, set their ownership to apache:apache. Then, only upload files to this directory or a subdirectory. Do not put any scripts here, except for an index.php that boots you out of the directory if you try to navigate to it with a browser.

Also, do the rest of the stuff tfg recommended... I just wanted to mention that bit about the directories...
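Putting tfg's and jwilliam's advice together, here is an added example of an upload handler (not code from anyone in the thread): one dedicated upload directory, the type decided from the file's bytes rather than its name, a server-chosen file name, no execute bit, and nothing but a redirecting index.php inside the directory. The directory path, the size cap, the form field name and the set of allowed types are assumptions; it assumes PHP 7+ with the fileinfo extension and an upload directory owned by the web server user, so 777 is not needed.

```php
<?php
// Added example, not from the thread. Assumed layout: UPLOAD_DIR is the only
// tree the web server may write to, and it contains no scripts.
const UPLOAD_DIR = __DIR__ . '/uploads';   // assumption
const MAX_BYTES  = 2 * 1024 * 1024;        // assumed 2 MiB cap

// Allow-list (tfg's "allow good" rather than "deny bad"): only these MIME
// types, each mapped to the one extension we will store it under. A file
// called paypal.zip or shell.php is rejected no matter what it is named.
const ALLOWED = [
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
];

/**
 * Validate one entry of $_FILES and store it. Returns the stored name or
 * throws a RuntimeException whose message is safe to write to a log.
 */
function store_upload(array $file): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload missing or failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Only files that arrived through PHP's own upload mechanism.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // MIME type from the file contents. $file['type'] is sent by the client
    // and can say anything, so it is never consulted.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException('rejected MIME type ' . $mime);
    }
    // Random server-side name plus the allow-listed extension: the original
    // file name never touches the filesystem.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move file into place');
    }
    // Owner rw, everyone else read-only; no execute bit, no 777.
    chmod($dest, 0644);
    return $name;
}

// Form handler (assumed field name "photo").
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['photo'])) {
    try {
        $stored = store_upload($_FILES['photo']);
        echo 'stored as ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        // Log the reason and the source for later investigation; tell the
        // client only that it was refused.
        error_log('upload rejected from ' . ($_SERVER['REMOTE_ADDR'] ?? '-')
            . ': ' . $e->getMessage());
        http_response_code(400);
        echo 'upload rejected';
    }
}
```

The uploads/index.php that jwilliam describes is just `<?php header('Location: /', true, 302); exit;`, so a browser that wanders into the directory is sent away. On Apache with mod_php, a `php_flag engine off` in that directory's .htaccess additionally stops anything stored there from ever being executed as PHP, which is the property you most want from an upload directory.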

broncozr
September 8th, 2008, 11:26 PM
The users on this site do not have access to the database, and they do not have an opportunity to upload any files. I believe that the URL is the access point, based on the raw access logs. Is there any way to run a script (php) on every attempted access to a page? I thought that I might search (strpos()) for any bad keywords that I've found in the access logs and then allow/disallow access based on that?

Thanks for your help.

Oh, btw, do you guys know of any good books on web page security? It looks like I may need to brush up on it!

eirche
September 8th, 2008, 11:51 PM
are you sure it's your web application? maybe it's the server that has a security flaw.

broncozr
September 9th, 2008, 11:20 PM
The web host doesn't really have any built-in tools (i.e. no click-and-play wizards) to deflect malicious queries in a URL. I'm looking into using .htaccess's mod_rewrite to check query strings for bad words.

This article has some good examples:

http://corz.org/serv/tricks/htaccess2.php

At this point, I've got a script that runs on my index.php file and checks for malicious keywords, like chdir, file=, etc.
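As an added example (not broncozr's script or anything from the linked article), here is what such a per-request check can look like when it follows tfg's point about allowing known-good input instead of only hunting for bad words. It assumes the host lets you set PHP's `auto_prepend_file` (for example `php_value auto_prepend_file /path/to/guard.php` in .htaccess under mod_php) so the file runs before every page; the page names, parameter patterns and the keyword list are assumptions for the example, and the sample requests at the bottom are constructed.

```php
<?php
// Added example, not from the thread: request guard meant to be loaded via
// auto_prepend_file (assumption about the host), so it runs before index.php.

// 1. Allow-list: each page declares which parameters it accepts and the
//    exact shape of each. A parameter that is not declared is refused.
//    Page names and patterns are assumptions for the example.
const PAGE_PARAMS = [
    '/index.php'   => ['page' => '/^[a-z_]{1,32}$/', 'id' => '/^\d{1,10}$/'],
    '/article.php' => ['id'   => '/^\d{1,10}$/'],
];

// 2. Deny-list as a secondary signal: the kind of tokens broncozr found in
//    the access logs. On its own a substring match also hits legitimate
//    text (a search for "paypal fees"), so it adds a reason to the log but
//    is never the only thing the decision rests on.
const SUSPICIOUS = ['chdir', 'file=', 'http://', 'https://', '../', 'base64_decode'];

function url_path(string $requestUri): string
{
    return parse_url($requestUri, PHP_URL_PATH) ?: '/';
}

/**
 * Decide whether a request is acceptable.
 * Returns ['allow' => bool, 'reasons' => string[]] so the caller can log why.
 */
function check_request(string $requestUri, array $get, array $post): array
{
    $reasons = [];
    $path    = url_path($requestUri);
    $allowed = PAGE_PARAMS[$path] ?? [];   // unknown pages accept no parameters

    foreach (['GET' => $get, 'POST' => $post] as $src => $params) {
        foreach ($params as $name => $value) {
            if (!is_string($value)) {       // a[]=1 style arrays are not expected
                $reasons[] = "$src param $name is not a scalar";
                continue;
            }
            if (!isset($allowed[$name])) {
                $reasons[] = "$src param $name not allowed on $path";
            } elseif (!preg_match($allowed[$name], $value)) {
                $reasons[] = "$src param $name has unexpected format";
            }
            // Another URL or a path traversal inside a value is the pattern
            // broncozr described (a URL embedded in the request).
            foreach (SUSPICIOUS as $needle) {
                if (stripos($value, $needle) !== false) {
                    $reasons[] = "$src param $name contains '$needle'";
                }
            }
        }
    }
    // The raw query string too, in case PHP's parsing mangled odd input
    // into parameter names that the loop above never saw as values.
    $raw = (string) parse_url($requestUri, PHP_URL_QUERY);
    foreach (SUSPICIOUS as $needle) {
        if (stripos($raw, $needle) !== false) {
            $reasons[] = "raw query contains '$needle'";
        }
    }
    return ['allow' => $reasons === [], 'reasons' => array_values(array_unique($reasons))];
}

if (PHP_SAPI !== 'cli') {
    // Web request: refuse anything that fails, log enough to investigate,
    // and say nothing to the client about which rule fired.
    $verdict = check_request($_SERVER['REQUEST_URI'] ?? '/', $_GET, $_POST);
    if (!$verdict['allow']) {
        error_log(sprintf('blocked %s %s: %s',
            $_SERVER['REMOTE_ADDR'] ?? '-',
            $_SERVER['REQUEST_URI'] ?? '-',
            implode('; ', $verdict['reasons'])));
        http_response_code(403);
        exit('Forbidden');
    }
} else {
    // Constructed samples for running "php guard.php" on the command line.
    // The first is allowed; the second is refused for three separate reasons
    // (undeclared parameter, embedded URL, and the "file=" token).
    var_dump(check_request('/index.php?page=home&id=7', ['page' => 'home', 'id' => '7'], []));
    var_dump(check_request('/index.php?file=http://attacker.example/paypal.zip',
        ['file' => 'http://attacker.example/paypal.zip'], []));
}
```

The allow-list is what actually closes the hole: once index.php only honours the parameters it declares, a request carrying `file=` pointing at some other site has nothing to reach, whether or not the keyword list happens to contain the word the next attacker uses. The keyword list is still worth keeping for the log line, because it is what tells you, after the fact, what was tried and from where.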