Website Invaded

1

Hello people,
I have a site in cakephp 3, it has the correct permissions following the recommendations.

It was invaded a few times.

In the root folder opens some files also inside the webroot folder appears several.

It has already happened that index.php has been edited.

Any solution?

2

You’ll need to figure out how the attackers gained access to your site. It was probably via some vector like FTP.

Once a server has been compromise like that, you MUST do a full rebuild of the server from the ground up. You have no way of knowing what/if the attackers installed on the server. Most of the time, they will install something on the server that will allow them access even if you fix the site’s code, and change passwords.

3

But this invader when it has access to the public_html directory is it possible to install something inside the server?

Inside the webroot folder was full of malicious files, I removed and reinstalled the framework.

I do not know how to block the attacker.

Because I do not believe it is a Framework failure

4

Yes, it is very possible for an attacker to install something on the server. If they have the ability to upload, and execute arbitrary PHP code, then they can install anything that they want.

The only way to safely deal with this is to rebuild the server from scratch, and ensure that you use a known clean version of your website. You should then ensure that the only way to log into the server is a secure SSH connection with a private/public key and no passwords. Also, setup something like fail2ban to ensure that brute force attacks are not viable.

5

A cakephp 3 crash is not possible right?
More like they can send files inside a site without access to my FTP?
Got any way to block?

I’m looking for a way to not have to rebuild the server.

6

Not from CakePHP itself. Hard to say anything more concrete without a full security audit of your code.

Like I’ve said. Once a server has been compromised, the only solution is a full rebuild. You have no way of knowing what else has been installed on the server, and chances are very good that they’ve installed a hard to detect backdoor.