Hardening for an old PHP landing site and customers' virtual servers

Answer these questions to help the Community help you with Security questions.

What is the domain name?
taskcontrol.net (landing page, user registrations)

Have you searched for an answer?
yes

Please share your search results url:
We needed to put the sites out of service right now

When you tested your domain, what were the results?
We have seen some tables and configuration files missing…

Describe the issue you are having:
After several months of working fine, we have now found that some malicious activity has happened on our site, deleting some database tables and some configuration files. No code changes have been made for more than a year. No configuration changes. Nothing changed on our side.

What error message or number are you receiving?
None. Data deletion found.

What steps have you taken to resolve the issue?

1. We can’t modify or upgrade the site code (budget constraint)
2. We suspect SQL injection and/or XSS activity
3. The site already has a valid SSL certificate with Full Mode Security through the Cloudflare Dashboard
4. Only the HTTP and HTTPS ports are enabled through the cloud provider's firewall rules

So we are thinking of creating a VALID URLs list for all the application's URLs, so the user will only be allowed to browse those valid URLs and will not be able to change anything from there.

**So now the questions are:**

**1- Does Cloudflare have some kind of security tool/service to implement this? If yes, kindly describe the steps/links to follow to implement it.**

2- Also, about our customers' virtual servers, we need to detect only the valid IP range from each of them to be able to log in to their sites securely… as those IPs are changing dynamically, is there any way/tool Cloudflare provides us to manage that kind of situation?

**3- Any better method/technique/service offered by Cloudflare to improve the security for all of these situations?**

Was the site working with SSL prior to adding it to Cloudflare?
Yes

What are the steps to reproduce the error:

1. Customer data are missing from several tables (MySQL RDBMS).
2. We have taken the site offline due to this malicious activity
3. Right now it is out of service and needs to be online ASAP (Urgent!)

Have you tried from another browser and/or incognito mode?
Yes

Please attach a screenshot of the error:
Database table rows (MySQL) were deleted so we cannot share…

Any other suggestions to improve our security, taking into account our constraints of time and budget, are welcome.

As always, thanks for your valuable input!

Roberto (Site Administrator)
taskcontrol.net

Firewall Rules. Best to read the docs on what’s available that fits your use case:

Firewall Rules can limit access by CIDR:

If you’re on a paid plan, you can use WAF Managed Rulesets, which can protect against some vulnerabilities:


Hi sdayman, thanks for your fast response.

I was diving into the documentation you suggested to me, but it still seems to be fairly complicated to build a number of rules for the entire website. I was wondering if it is possible to have something like a “list of valid URLs for the website”, import it into the firewall (somehow, some way) and then be up and running again.

I will be more precise:
Suppose we have this valid URL for the site:

`https://www.example.org/articles/index?section=539061&expand=comments`

The rule should be something like this:

`https://www.example.org/articles/index?section=???&expand=???`

Now, if the URL request has that format (the variable values don't matter here), the firewall allows the traffic; otherwise it will deny it… and the same process for all the valid URLs…

What we are trying to avoid here is any modification of the URL (valid for the site), so the attackers won't be able to “add” other variables, code, objects, etc. in the URL (in the beginning, the middle or the last part of it).

Now, is there any easy way to achieve that? Any nearly real example link? Or should we dive deep into the rule engine and try to figure it out?

Thanks in Advance,
Roberto
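
The allowlist check described in the post above, written out as an added example (not code from the thread or from Cloudflare). It goes beyond name-only matching by also constraining each value, because a rule that ignores values would still pass an injected string in `section`; the host, routes and value patterns below are constructed assumptions.

```javascript
// Constructed allowlist (assumption): path -> expected query parameters,
// each with the pattern its decoded value must match.
const ALLOWED_HOSTS = new Set(["www.example.org"]);
const ALLOWED_ROUTES = new Map([
  ["/articles/index", new Map([
    ["section", /^[0-9]{1,10}$/],      // numeric id only
    ["expand", /^(comments|none)$/],   // fixed vocabulary (assumed values)
  ])],
  ["/login", new Map()],               // route that accepts no query string
]);

function deny(reason) { return { allow: false, reason }; }

// Decide whether a request URL matches one allowlisted shape exactly.
function checkRequest(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch { return deny("unparseable URL"); }
  if (url.protocol !== "https:" || !ALLOWED_HOSTS.has(url.hostname)) {
    return deny("unexpected scheme or host");
  }
  // URL() has already resolved "." and ".." segments, so compare the
  // normalized path; anything that is not an exact route is rejected.
  const params = ALLOWED_ROUTES.get(url.pathname);
  if (!params) return deny("path not allowlisted");

  const seen = new Set();
  for (const [name, value] of url.searchParams) {
    if (!params.has(name)) return deny(`unexpected parameter: ${name}`);
    // A repeated name is rejected: different layers may pick different copies.
    if (seen.has(name)) return deny(`duplicate parameter: ${name}`);
    if (!params.get(name).test(value)) return deny(`bad value for: ${name}`);
    seen.add(name);
  }
  if (seen.size !== params.size) return deny("missing parameter");
  return { allow: true, reason: "matches allowlist" };
}
```

This covers only the URL; form fields sent in POST bodies are not checked by it.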

Any suggestion?
Thanks
