codeigniter4 / CodeIgniter4

Open Source PHP Framework (originally from EllisLab)
https://codeigniter.com/
MIT License

HACKED: My website is constantly hacked #9266

Closed LichKing255 closed 3 weeks ago

LichKing255 commented 3 weeks ago

PHP Version

8.3

CodeIgniter4 Version

4.5.5

CodeIgniter4 Installation Method

Git

Which operating systems have you tested for this bug?

Windows

Which server did you use?

apache

Database

Mysql 8

What happened?

My website is constantly hacked

Steps to Reproduce

I use this .htaccess in public_html:

<Files ".htaccess">
    Order Allow,Deny
    Deny from all
</Files>

<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/public/
    RewriteRule ^(.*)$ public/$1 [L]
</IfModule>

The file permission is 444

and I use this .htaccess in the public folder:

<Files ".htaccess">
    Order Allow,Deny
    Deny from all
</Files>

<FilesMatch "^(errorlog\.html|.*\.txt|.*\.json|.*\.sqlite3|.*\.lock)$">
    Order Deny,Allow
    Deny from All
</FilesMatch>

Options -Indexes

<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /

    # Remove trailing slash
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_URI} (.*)/$
    RewriteRule ^(.+)/$ $1 [R=307,L]

    # Restrict direct access to .php files
    RewriteCond %{THE_REQUEST} ^.+?\ [^?]+\.php[?\ ]
    RewriteRule \.php$ - [F]

    # Route all requests to index.php
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^(.*)$ index.php?$1 [QSA,L]
</IfModule>

# Compress text files
<IfModule mod_deflate.c>
    <FilesMatch "\.(css|js|x?html?|php|woff|ttf|png|jpg|gif)$">
        SetOutputFilter DEFLATE
    </FilesMatch>
</IfModule>

# Expiration headers
<IfModule mod_expires.c>
    ExpiresActive On
    ExpiresDefault "access plus 1 month"
    ExpiresByType image/x-icon "access plus 1 year"
    ExpiresByType image/jpeg "access plus 1 month"
    ExpiresByType image/png "access plus 1 month"
    ExpiresByType image/gif "access plus 1 month"
    ExpiresByType text/css "access plus 1 month"
    ExpiresByType application/javascript "access plus 1 year"
    ExpiresByType text/html "access plus 600 seconds"
    ExpiresByType font/ttf "access plus 1 year"
    ExpiresByType font/woff "access plus 1 year"
</IfModule>

# Cache-Control headers
<IfModule mod_headers.c>
    <FilesMatch "\.(ico|jpe?g|png|gif|woff|ttf)$">
        Header set Cache-Control "max-age=2592000, public"
    </FilesMatch>
    <FilesMatch "\.(css)$">
        Header set Cache-Control "max-age=2592000, public"
    </FilesMatch>
    <FilesMatch "\.(js)$">
        Header set Cache-Control "max-age=2592000, private"
    </FilesMatch>
    <FilesMatch "\.(x?html?|php)$">
        Header set Cache-Control "max-age=600, private, must-revalidate"
    </FilesMatch>
</IfModule>

# Disable ETags
<IfModule mod_headers.c>
    Header unset ETag
</IfModule>
FileETag None

# Remove Last-Modified Header
<IfModule mod_headers.c>
    Header unset Last-Modified
</IfModule>

# Additional Security Rules
# A RewriteCond chain only applies to the RewriteRule that directly follows it;
# as originally posted, these conditions had no RewriteRule after them and were
# therefore never evaluated. They are also wrapped in IfModule so the file does
# not fail to parse when mod_rewrite is absent.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} act= [OR]
    RewriteCond %{QUERY_STRING} sw= [OR]
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC,OR]
    RewriteCond %{THE_REQUEST} ^.*(\\r|\\n|%0A|%0D).* [NC,OR]
    RewriteCond %{HTTP_REFERER} ^(.*)(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
    RewriteCond %{HTTP_COOKIE} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
    RewriteCond %{REQUEST_URI} ^/(,|;|:|<|>|">|"<|/|\\\.\.\\).{0,9999}.* [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(localhost|loopback|127\.0\.0\.1).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC]
    # Reject any request that matched one of the conditions above
    RewriteRule .* - [F,L]
</IfModule>

I have also used form validation on all my pages, and in the config files I use:

    // app/Config/App.php
    public bool $forceGlobalSecureRequests = true;
    // app/Config/Cookie.php (Cookie Secure)
    public bool $secure = true;

But every day files are uploaded to my public_html:

chosen.php, index.php, lowpr.php, simple.php, and ...

And they also change my .htaccess file to open the uploaded index.

I don't have any file upload section on my pages either.

Expected Output

Here I am sending you some of the files that were uploaded to my host.

How do I fix this problem?

Anything else?

file_hacked.zip
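The report above describes two symptoms a defender can monitor for directly on the server: PHP files appearing in public_html that the site does not ship, and .htaccess being rewritten. The following is an added example, not code from the issue or from the CodeIgniter project: a POSIX shell script that lists .php files under a web root which are not on an allowlist, and compares .htaccess against a recorded SHA-256 baseline. It assumes sha256sum is installed and that the caller supplies the web root path and an allowlist file (one relative path per line); the allowlist location and the baseline file path are assumptions, and the sample files created in the test are constructed placeholders.

```shell
#!/bin/sh
# Added example (not part of the issue or the CodeIgniter project).
# Assumes: sha256sum is available; the caller supplies the web root,
# an allowlist of expected PHP files, and a path for the .htaccess baseline.

# Print every .php file under the web root ($1) that is not listed in the
# allowlist file ($2). Paths are printed relative to the web root, sorted.
# Any output means a PHP file exists that the deployment did not ship.
unexpected_php_files() {
    root="$1"
    allow="$2"
    (cd "$root" && find . -type f -name '*.php' | sed 's|^\./||' | sort) \
        | grep -Fvx -f "$allow" || true
}

# Store the SHA-256 of a file ($1) in a baseline file ($2).
# Keep the baseline outside the web root so a web-writable process cannot
# update it along with the file it protects.
record_baseline() {
    sha256sum "$1" | awk '{print $1}' > "$2"
}

# Compare the current SHA-256 of a file ($1) with the baseline ($2).
# Prints "ok" when they match and "MODIFIED" otherwise.
check_baseline() {
    current=$(sha256sum "$1" | awk '{print $1}')
    if [ "$current" = "$(cat "$2")" ]; then
        echo ok
    else
        echo MODIFIED
    fi
}

# Stand-alone usage: sh webroot_check.sh <web_root> <allowlist> [<baseline>]
# With two arguments it lists unexpected PHP files; with a third it also
# checks <web_root>/.htaccess against the baseline stored at <baseline>.
if [ $# -ge 2 ]; then
    unexpected_php_files "$1" "$2"
    if [ $# -ge 3 ]; then
        check_baseline "$1/.htaccess" "$3"
    fi
fi
```

Run it from cron and alert on any line of output: the first function prints nothing when the web root matches the allowlist, and the second prints "ok" unless .htaccess has changed since the baseline was taken after a known-good deployment. When a file does show up, the useful next step is the Apache access log for the minute before its mtime, which points at the request that wrote it.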

ddevsr commented 3 weeks ago

What exactly is your problem with CI4? Can you check for a hole in your code?

samsonasik commented 3 weeks ago

It has nothing to do with the framework until we have proof :). Hire a security auditor for your server setup and site.