Update: The "hacker" responds! More at page 2.

It seems someone has managed to exploit a bug in my CMS code to allow himself access to the CMS. I already knew about this bug a few weeks ago, but I just never fixed it. Call it lazy, or no time, but it did mean there was a bug. I didn't worry about it too much, because very little can be done from the CMS. Only this website goes down (for a short while), and I get database backups every 24 hours (it's automatic!) so there is hardly any data loss.

Restoring PHPit didn't take very long either, and I had it back online within about 20 minutes. Of course, the bug has been fixed now, and no 'hacks' can occur anymore.

The hacker did claim to have "root access to my server", which is completely false. Heck, I don't even have root access myself, because I'm on a shared server. So the hacker definately didn't have root access, or any access at all to be honest. He/she could only access the CMS, which has very little power.

Of course the hacker had to slander me a bit. I don't know whether you read it, but the hacker claimed that I though I was a great PHP coder, and he seemed to disagree. If the hacker is reading this: I don't think I'm a fantastic PHP coder, but I'm not a bad one either. I'm still going through the learning process, and at the moment I'm really trying to get a grip of PHP patterns. At least I spend my time useful, instead of destroying other websites.

Having said that, now is probably a good time to point to some PHP Security articles:

• PHP: Security by example (Flash)
• PHP Security Mistakes
• ONLamp: PHP Security, Part 1
• ONLamp: Ten Security Checks for PHP, Part 1
• PHP Security Guide
• On the Security of PHP, Part 1

This article was posted on Saturday, September 17th, 2005 at 2:31 am. You can follow any responses to this article through the RSS 2.0 feed. You can leave a response, or trackback from your own site.