Codeigniter application getting hacked, code injected in index.php
There's a couple of things you can do:
- Check your logfiles for POST requests to files with weird or unfamiliar names, e.g.
.cache_123.php
- these could be backdoor scripts, especially filenames starting with a dot, thus hiding it from the (regular) filesystem. - Download the complete live site and do a site-wide search for things such as
base64_decode
,exec
,preg_replace
,passthru
,system
,shell_exec
,eval
,FilesMan
- Have your entire (downloaded live) site checked by running it through anti-virus software (AVG, Avast, ...)
- Chmod upload directories 775 instead of 777 if possible
I know this is an old thread, but I'd like to add an option to figure out what and where the problem is occurring.
Create a hook which loads each time (doesn't matter at which stage) and dump the $this->input->post() and ->get() to a log file together with the classname and method name.
This way you will see quick enough where the problem started.
I think is far easier to hack through a PHP app rather than an FTP server. Do you have any upload forms ? If you can't go with a VPS, try asking your host to move it to another shared server.