PHP websites under LSPHP get HACKED all the time

#1
Hello, I have set up accounts on several well-known SHARED hosting platforms for low-traffic installations of well-known PHP-based software packages. I need to keep costs down because I am helping a non-profit organization with very tight budgets, especially in terms of long-term expenses.

On ALL of these shared hosting setups, the applications get HACKED in a matter of days or weeks - pretty much as soon as hackers find out about the website.

I investigated the causes and found THE MAIN CAUSE: LSPHPs on ALL these platforms run under the document root owner, effectively giving LSPHP 777 permissions. A simple upload PHP script can upload files ANYWHERE, not only inside the UPLOAD folder, but also anywhere inside PUBLIC_HTML and also ABOVE PUBLIC_HTML - into the document root, FTP folder, etc. Everywhere!!

The most shocking part is that the LS manual specifies that this is a correct setup by design. So once the hackers inject their code on the website, which LSPHP with its 777 permissions will gladly write anywhere under the document root, the hackers effectively own the entire document root.

The greatest mystery to me is how in the world this became even possible in 2023...
 
#3
who put this "simple upload PHP script"?
I uploaded it to the servers FOLLOWING the hacker attacks that already defaced the content and destroyed the data. The purpose of the "simple upload script" and the uploads ANYWHERE that it performed was to demonstrate to the shared hosting providers that their data security under LSPHP is non-existent.
 

uperen

New Member
#4
If you're tired of the constant threat of hacks on your PHP website, there are steps you can take to bolster your security. While it's true that PHP websites under LSPHP face a higher risk, it doesn't mean all hope is lost. Implementing a comprehensive security strategy that includes regular updates, strong passwords, secure coding practices, and reliable firewall protection can significantly reduce the chances of a successful attack. Additionally, consider exploring advanced security solutions like web application firewalls (WAFs) and intrusion detection systems (IDS) that provide an additional layer of defense. To learn more about underrated techniques to increase retail sales in 2022, check out this insightful blog post: https://claspo.io/blog/10-underrate...ot-overlook-to-increase-retail-sales-in-2022/. Protect your website, safeguard your customers' data, and stay one step ahead of hackers.
 

serpent_driver

Well-Known Member
#5
While it's true that PHP websites under LSPHP face a higher risk, it doesn't mean all hope is lost.
I'm sorry to be so blunt, but you're talking nonsense. The LiteSpeed web server is neither more nor less insecure than other web servers. 99.99% of hacks are based on bad programming and since PHP is the most widely used scripting language, it mostly affects almost all PHP scripts.
 
#6
I'm sorry to be so blunt, but you're talking nonsense. The LiteSpeed web server is neither more nor less insecure than other web servers. 99.99% of hacks are based on bad programming and since PHP is the most widely used scripting language, it mostly affects almost all PHP scripts.
It is really amazing how NO ONE read the original message. All your comments are irrelevant. It is a permissions issue and it was created consciously by the LiteSpeed team - BY DESIGN.
 

serpent_driver

Well-Known Member
#7
@solaris2023
You are still talking nonsense. If there is an issue with permissions, then the programming is responsible for it first of all. LSPHP is not a fundamentally different PHP. LSPHP is an optimized compilation of PHP built to work with LiteSpeed products through the LiteSpeed SAPI. When programming a PHP upload script, it is imperative that you take security precautions. Apparently the topic starter didn't take this into account and apparently believes that he himself is not to blame for his problems.
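
An added example, not code from any poster in this thread, of the kind of precaution post #7 refers to: an upload handler that chooses the destination itself, so a PHP process that can write anywhere in the account still writes into one directory only. The directory path, size limit, type allow-list and the form field name `document` are assumptions.

```php
<?php
declare(strict_types=1);

// Assumed layout: uploads are stored ABOVE public_html, so nothing placed
// here can be requested over HTTP and executed as PHP.
const UPLOAD_DIR = '/home/example/uploads';   // hypothetical path
const MAX_BYTES  = 5 * 1024 * 1024;           // assumed 5 MiB limit
const ALLOWED    = [                          // content type => stored extension
    'image/png'       => 'png',
    'image/jpeg'      => 'jpg',
    'application/pdf' => 'pdf',
];

function store_upload(array $file, string $uploadDir = UPLOAD_DIR): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload did not complete');
    }
    $tmp = (string) ($file['tmp_name'] ?? '');
    // Only accept a file PHP itself received via HTTP POST.
    if (!is_uploaded_file($tmp)) {
        throw new RuntimeException('not an uploaded file');
    }
    $size = filesize($tmp);
    if ($size === false || $size === 0 || $size > MAX_BYTES) {
        throw new RuntimeException('file size not accepted');
    }
    // Decide the type from the content, never from the client's name or type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    $ext  = is_string($mime) ? (ALLOWED[$mime] ?? null) : null;
    if ($ext === null) {
        throw new RuntimeException('file type not allowed');
    }
    // The server generates the name. The client's filename (and any "../"
    // or ".php" in it) never becomes part of the destination path.
    $base = realpath($uploadDir);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException('upload directory missing');
    }
    $dest = $base . DIRECTORY_SEPARATOR . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($tmp, $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);   // data file: no execute bit, not world-readable
    return $dest;
}

// Usage in a request handler: $path = store_upload($_FILES['document']);
```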
 
#8
To ensure the security and integrity of your non-profit organization's website, consider investing in Online store development. Our experienced team of web developers can create a custom online store tailored to your specific requirements and implement robust security measures to protect against potential vulnerabilities. By building the online store from scratch, we can ensure a secure infrastructure and implement best practices for secure file uploads and user permissions. Additionally, we will conduct regular security audits and keep up with the latest security patches and updates to maintain a strong defense against potential threats. Trust us with your Online store development needs, and we will deliver a secure and efficient platform for your non-profit organization's e-commerce activities.
 