I’m sorry if this is not really an appropriate question to ask on here, but this has happened to me a number of times and I don’t understand what’s going on because I do not have an upload form on my website. Somehow someone is uploading lots of PHP files to my FTP server. These files were even picking up traffic thru Google Analytics. I have a contact form, and it does need to be beefed up security wise, but can a hacker UPLOAD files and alter my .htaccess file through it?
What type of hack is that? I would love to do more research on it to take preventative measures.
It is very possible for a hacker to upload files through a PHP site. I’ve seen it many times.
PHP has the potential to be very insecure. Getting in through PHP isn’t very hard if your configuration is weak. Check your access logs and look for anything that seems wrong, particularly a whole bunch of requests from a single IP address. If they are in that deep, your access log may itself be compromised, and beyond even that.
Contact forms and database driven pages are easy to create with vulnerabilities, and no amount of PHP configuration tweaking will fix that. Look for cross-site scripting vulnerabilities, If you’re using a database, SQL Injection attacks, and make sure that there is nowhere in your website that uses a GET parameter in a file path, like reading a file, or writing a file. Don’t count on stripping a GET parameter, don’t count on regexing it clean, just don’t do it.
With regard to FTP, if you can, just turn it off and only upload files through SFTP or SCP. If possible, don’t use password authentication, use public key instead.
Ultimately if they are changing files on your file system, you may end up saving yourself time by fixing any vulnerabilities you can find, re-installing the OS from scratch, and reconfiguring PHP and FTP to be secure.
There are some toolkits out there than will do basic tests against your site that are worth a look too. Check out https://www.owasp.org/index.php/Main_Page