
09/13/05

Hacked  -  Categories: Noteworthy  -  @ 10:34:29 pm

The Baccou Bonneville web site was hacked on September 12, 2005. All PHP files had been changed. The index.php file had been replaced with a page glorifying the hacker, named "morocco.security.rulz". Another page presented "PHPShell by Macker Version 2.6". This page consists of two programs: Haxplorer, a server-side file browser, and PHPKonsole, which allows running commands on the web server (see screenshots).

My thoughts concerning this attack:

  • Fortunately, we use a Revision Control System (CVS), so we were able to restore the pages
  • There was probably a lack of precaution in our web page and directory rights
  • The attack is not yet fully explained. It seems that a POST was made on the blog just before the attack started. Is there a security hole in b2evolution?
  • Is it really an exploit to hack the web site of our small company?
  • It's also proof that our web site exists: it has been hacked.
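The restore from revision control mentioned above can also drive detection. The following is an added example, not part of the original post: it compares the deployed PHP files against a clean checkout, reports files that were modified, are missing, or exist only on the server, and lists world-writable paths. The function names and the two directory arguments are assumptions.

```python
import hashlib
import stat
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files do not load into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: Path, suffix: str = ".php") -> dict:
    """Map relative path -> SHA-256 for every file under root with the suffix."""
    return {
        str(p.relative_to(root)): sha256_of(p)
        for p in root.rglob("*" + suffix)
        if p.is_file()
    }


def world_writable(root: Path) -> list:
    """Relative paths of files and directories any local user may write to."""
    hits = []
    for p in [root, *root.rglob("*")]:
        if not p.is_symlink() and p.stat().st_mode & stat.S_IWOTH:
            hits.append(str(p.relative_to(root)))
    return sorted(hits)


def audit(checkout: Path, deployed: Path) -> dict:
    """Compare the live tree against a clean checkout of the repository."""
    good, live = manifest(checkout), manifest(deployed)
    return {
        "modified": sorted(f for f in good if f in live and good[f] != live[f]),
        "missing": sorted(f for f in good if f not in live),
        "unexpected": sorted(f for f in live if f not in good),
        "world_writable": world_writable(deployed),
    }


if __name__ == "__main__":
    import sys
    # Usage (hypothetical paths): audit.py /path/to/checkout /path/to/docroot
    for kind, paths in audit(Path(sys.argv[1]), Path(sys.argv[2])).items():
        for rel in paths:
            print(f"{kind}\t{rel}")
```

Run on a schedule from a location the web server account cannot write to, so that the checkout used as the reference cannot be altered along with the site.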

Update (09/15/05)
The hack is now fully explained. My web hosting provider used PHP safe_mode. For more information about safe_mode, you can read the following article: "PHP's safe_mode or how not to implement security" by Ilia Alshanetsky. To summarize, do not use safe_mode!

Attack screenshots

[Screenshot: Hacker signature]

[Screenshot: PHPShell by Macker]

[Screenshot: Haxplorer]

[Screenshot: PHPKonsole]
