Advice sought on security breach: document space file hacked
I'm facing a security problem on my client's web sites, and need some advice.
Two sites have suffered a total of three security breaches over the past several months. In each case a PHP script in the site's document space was modified to redirect the user or load content from a suspicious site.
The last time this happened was over the past weekend. The thing that was different about this incident was that it happened despite a very strong password that should have made it essentially impossible for anyone to get access to the FTP account.
I sent the hosting service a support request, asking for a copy of the FTP log and any other assistance or advice they could provide.
I got the log, which showed no FTP access to the modified file during the period when the breach occurred.
With the log I got a form email which said in effect, "We're very concerned for your security, but we aren't responsible for anything that happens to your site. If you can't fix the problem yourself, here are some great security tools and services you can buy..."
They made a list of suggestions, none of which seem to apply to this case. The FTP password is now very strong, as I said. There is no commercial software on the site to be infected. The site does not have any downloadable software that might be infected, and does not allow users to upload anything or post messages.
I'm not expert enough to be certain that the applications I developed for my client are bulletproof, but I don't see how any sort of "front door" attack, like a SQL injection attack, could lead to the problem we've encountered.
I'm pretty sure that when I contact tech support again, they're going to want me to prove that the problem isn't mine before they'll look at it, which is my reason for seeking help.
Is there any way a vulnerability in my code could enable someone to modify files in my document space?
If so, I'd appreciate pointers on how to correct the vulnerabilities, if there are any, or prove that there aren't, if there aren't.
Once I've done that, I'd appreciate pointers on how to demonstrate to the hosting service that the ball is in their court.
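One concrete way to get the evidence the host will ask for is a file-integrity baseline of the document space: a manifest of hashes, modification times and permissions, re-checked after each incident so that a changed file can be matched against the FTP log's time window. The script below is an added example, not code from the original post or the poster's site; the document-root and manifest paths are assumptions, and the manifest should live outside the web-served tree.

```php
<?php
// Added example (not from the original post). First run writes a baseline
// manifest of the document root; later runs report changed, added and removed
// files (with mtimes to line up against the FTP log) and anything writable by
// "other" users, which on a shared host lets other tenants' processes write it.
$docRoot  = __DIR__;                                        // assumed: script sits in the document root
$manifest = dirname(__DIR__) . '/integrity-manifest.json';  // assumed: one level above the web tree

function scanTree(string $root): array {
    $result = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $path => $info) {
        $rel   = substr($path, strlen($root) + 1);
        $perms = $info->getPerms();
        $entry = [
            'mtime'          => $info->getMTime(),
            'mode'           => sprintf('%04o', $perms & 0777),
            'other_writable' => (bool)($perms & 0002),
        ];
        if ($info->isFile()) {
            $entry['sha256'] = hash_file('sha256', $path);  // directories get no hash
        }
        $result[$rel] = $entry;
    }
    ksort($result);
    return $result;
}

function compareManifests(array $old, array $new): array {
    $report = ['changed' => [], 'added' => [], 'removed' => [], 'other_writable' => []];
    foreach ($new as $rel => $e) {
        if ($e['other_writable']) $report['other_writable'][] = $rel . ' (mode ' . $e['mode'] . ')';
        if (!isset($old[$rel])) { $report['added'][] = $rel; continue; }
        if (($old[$rel]['sha256'] ?? null) !== ($e['sha256'] ?? null)) {
            $report['changed'][] = $rel . ' (mtime ' . date('c', $e['mtime']) . ')';
        }
    }
    foreach (array_diff_key($old, $new) as $rel => $_) $report['removed'][] = $rel;
    return $report;
}

$current = scanTree($docRoot);
if (!file_exists($manifest)) {
    file_put_contents($manifest, json_encode($current, JSON_PRETTY_PRINT));
    echo "Baseline written to $manifest\n";
} else {
    print_r(compareManifests(json_decode(file_get_contents($manifest), true), $current));
}
```

Run it from the command line (or upload it, run it once and delete it) right after a known-clean deploy to create the baseline, then again after any incident; a changed file whose mtime falls in a window with no matching FTP entry is exactly the kind of record that shifts the question back to the host.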