Hi David:

> My Dreamhost shared hosting account just had its *.php injected with some
> garbage.

Sorry. Alas, injecting code into legitimate sites is the #1 source these days of infecting end user computers. So securing our rinky-dink personal websites has become quite important.

I recently picked WordPress for a site and then looked for security plugins for it. This eventually led me to write my own plugin, which somehow wound up taking about six weeks of intense work. I've passed it around for testing and code review. I'd love to hear the thoughts of the people here on it from a code level and user interface level.

http://wordpress.org/extend/plugins/login-security-solution/

> egrep -lr '<\?php.+eval\(base64_decode\("[^"]+"\)\);\?>' *| xargs

I'd have just grep'ed for "eval", since that should never be in any code I want to use. Your regex would miss code that doesn't have double quotes, doesn't use base64_decode, has spacing in it, etc.

Oh, and lock down your file permissions. The web server shouldn't be allowed to write to any files or directories.

Thanks,

--Dan

--
T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
data intensive web and database programming
http://www.AnalysisAndSolutions.com/
4015 7th Ave #4, Brooklyn NY 11232  v: 718-854-0335  f: 718-854-0409

_______________________________________________
New York PHP User Group Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk

http://www.nyphp.org/show-participation
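The two points in the message above (the quoted regex misses variants, and files should not be writable by the web server), as an added example that is not part of the original message: constructed, inert sample files are scanned with the quoted pattern and with a plain search for `eval`, then group- or world-writable paths are listed. The function and file names are hypothetical, and the permission check assumes the web server runs as a different user than the file owner.

```sh
#!/bin/sh
# Added example. All sample files are constructed and inert; they are only
# read by grep and find, never executed.

make_samples() {  # $1 = empty scratch directory
  # a.php: the exact shape the quoted regex expects
  printf '%s\n' '<?php eval(base64_decode("Q09OU1RSVUNURUQ="));?>' > "$1/a.php"
  # b.php: single quotes instead of double quotes
  printf '%s\n' "<?php eval(base64_decode('Q09OU1RSVUNURUQ='));?>" > "$1/b.php"
  # c.php: extra spacing
  printf '%s\n' '<?php eval ( base64_decode( "Q09OU1RSVUNURUQ=" ) ) ; ?>' > "$1/c.php"
  # d.php: no base64_decode at all
  printf '%s\n' '<?php eval($payload);?>' > "$1/d.php"
  # clean.php: no eval
  printf '%s\n' '<?php echo "hello"; ?>' > "$1/clean.php"
  chmod 644 "$1"/*.php
  chmod 666 "$1/d.php"   # constructed case: a world-writable file
}

# The pattern quoted in the message (grep -E is the current spelling of egrep).
scan_narrow() {
  grep -rlE '<\?php.+eval\(base64_decode\("[^"]+"\)\);\?>' "$1" | sort
}

# The broader search suggested in the reply: any file containing the word
# "eval", case-insensitive because PHP function names are.
scan_broad() {
  grep -rliw 'eval' "$1" | sort
}

# Files and directories writable by group or other. Assumption: the web
# server is not the file owner, so these are the bits that let it write.
writable_paths() {
  find "$1" \( -perm -020 -o -perm -002 \) -print | sort
}

demo() {
  demo_dir=$(mktemp -d) || return 1
  make_samples "$demo_dir"
  echo "Flagged by the quoted regex:";      scan_narrow "$demo_dir"
  echo "Flagged by a plain eval search:";   scan_broad "$demo_dir"
  echo "Group- or world-writable paths:";   writable_paths "$demo_dir"
  rm -rf "$demo_dir"
}

demo
```

The plain search also flags legitimate uses of the word, so each hit still needs a manual look before anything is deleted.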