Web server. Program safely


consejos_seguridad_ordenador--644x450

A lots of text editors or IDE's are configured to save a backup copy of the files that are being edited, in such a way that, if we have a file called my_conexion.php, a backup copy of the file named my_conexion.php will be created ~

With these files finished with the character ~ we must be very careful because they are NOT files PHP that he Web server understand that you must execute, but treats them as one more text file, therefore if we make the mistake of uploading that file to the production server we will have our code exposed to anyone. Sometimes this code may not be useful for a possible attacker but in most cases we have access to databases or queries, so if they have access to the code with these files, we are publishing the structure of the database and if it is not, for example, well designed we can expose it to ID and brute force attacks or we can even be telling the attacker that the encrypted user keys are not stored, which by the way, NEVER it must be done.

Knowing this, we must be very careful not to upload files to our server that are NOT HTML, CSS, PHP, JSP and others, depending on the programming language that we are using. This includes not only files ending in the ~ character, but for example .sql files. If we make the mistake of uploading these types of files, we are most likely giving users and the access password, in addition to the structure of the entire database, so "Hacking" the website is simple child's play.

If we have not taken into account this security primitive or we are not the only ones who upload files to the server and we want to check that there are no files of this type on the server, we can do it with a simple command in the terminal logged in as root to be able to access all directories. We can do:

find / -yam *~

With the previous command we search from the root for the files whose name ends with the character ~

find / -yam *.sql

With this command we look for the .sql files that could have been uploaded to the server.

Finally, it never hurts to make a

find / -yam *.txt

To rule out that we do not have text files in our source directory.

We can optimize the search a bit, limiting the directory to search with the directory where the web sources are stored. In this case we can make a

find /var/www/ -yam *~

With this we no longer search from the root, but only in the directory of the web source files.

These searches will return a list, if any, of the files that meet what is specified in the name. If any of these searches return files, we have to do the following. First examine each and every one to see what we have been exposing, if they are users and / or passwords, we must change them, update our code, upload it and delete said backup files from the server. If no access information and / or database structure has been compromised, we simply delete these files.

rm /file_path/backup_file.extension ~

We hope it has been useful to you.

Previous Change separator in Excel for .CSV files
Next 20 LINUX Commands for System Information

No Comment

Leave a reply

Your email address will not be published. Required fields are marked *