Forum Rules Security Announcements

Security related public announcements by phpCOIN personnel. This forum can NOT be posted to by the public

  Reply to this topicStart new topic

> Help ! I think my phpCOIN was exploited !, What to do (and what NOT to do)
Posted: September 21, 2009 08:27 am
Quote Post

The Janitor

Group: Admin
Posts: 3,639
Member No.: 3
Joined: August 25, 2006

This guide is intended to serve as quick reference as to the minimum steps that should be taken following a suspected exploitation or intrusion into a domain hosting phpCOIN. Is is NOT intended to be a definitive guide, nor replace any industry standard working practices relating to security incidents or reporting, and it assumes you have the requisite technical knowledge to complete the listed tasks.

This guide assumes you are confident that the attacker did not gain "root" access or "escaped" out of the vhost that was hosting the phpCOIN installation.

What NOT to do:

Do NOT rush off and restore your backup fileset and database - this will only serve to erase any evidence that could be used for forensic analysis !

What to do:
  • Disable public access to the domain that hosts your phpCOIN
  • Make a backup copy of the complete fileset (remember to include any "hidden" files and any CGI scripts from the vhost)
  • Dump the SQL database as a backup
  • Make a backup of ALL log files covering the exploit period (including http(s), FTP SSH etc)
  • Document every step you take in a txt file, and include any notes or ideas or hunches for future reference
  • Zip up a copy of all the files you have just created and send them to support<at>phpcoin<dot>com
  • Delete ALL the files in the vhost fileset (and any CGI files you weren't expecting to find or have a suspicious modification date - don't forget "hidden" files)
  • Restore a clean copy of the phpCOIN fileset (you should always have a current clean backup copy stored off-site ! )
  • Empty the database of all data
  • Import the most recent database backup (you should always have a recent clean backup copy of the database stored off-site - the recommended frequency of this backup will heavily depend on the site usage)
  • CHANGE the phpCOIN database username and password and edit the config (or config_override) files to reflect the changes
  • CHANGE the phpCOIN admin username/passwords and the domain FTP, control panel, SSH username/password etc etc
  • If you suspect the attacker successfully exploited phpCOIN as a user or admin or accessed the phpCOIN dataset, change all your clients username/passwords for their phpCOIN access, control panel access and FTP access etc etc
  • Communicate with the phpCOIN developers (on the forum and/or by email at the address given above) regarding what steps, if any, may need to be taken to secure your phpCOIN installation
  • Follow any recommendations and code 'fixs' if issued by the phpCOIN developers
  • Restore public access to the domain.
If you suspect that an attacker gained "root" access or "escaped" out of your vhost environment, you should immediately back-up everything and contact your server administrator and inform them of your suspicions and follow any directives or recommendation they make.

You may also have a legal requirement and/or responsibility to inform your customers of any suspicion or possibility of related data exposure

Please see Reporting Security Incidents, How to report a suspected exploit for additional information relating to working with the phpCOIN developers in resolving a security incident.

The developers of phpCOIN accept no responsibility nor liability for any consequences or claims as a result of using this guide

***** Unless otherwise stated, all replies refer to the following *****
--- The latest unmodified version of phpCOIN available from the phpCOIN download page on the date and time of this post.
--- All relevant HotFix files applied - One of the four included unmodified themes - The original language files .
--- Help will be given to install/configure/use phpCOIN, but not programming help to modify phpCOIN operations. If you are competent enough to make programming changes, you should be competent enough to read the source code and figure things out :)
1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)
0 Members:

Topic Options Reply to this topicStart new topic


Inscrita el Registro Mercantil de Mallorca Tomo 2140, Hoja No. PM-51034, Folio 135
This website owned and operated by: Technology Services RPVW S.L. CIF# B57345084
Avda Constitucion 48 Bajos Alaro 07340 Baleares SPAIN
Tel:+34 971518362    Fax: +34 971518368    eMail: