Website Compromised by idk who!

No Harm intended. Just for demo Purpose.


Technical Details for admins/developers:
First off, all files are safe. I just changed index.php and .htaccess, and moved the original ones to index-backup.php and htaccess-backup.

How I got here?
- The user dashboard is publicly accessible without any authentication: pec.edu.np/posts
- One can visit it, upload a malicious PHP file in the image upload field and get access as the www-data user.
- He can view all the files on the web server, which include phpMyAdmin's credentials, Laravel's API key and the files students uploaded when applying to the college (certificates, citizenship images).
- He also can compromise other sites hosted on the same server. In this case, tukisoft.com and balajidiyo.com.np
- He will then upload backdoors to have persistence. So even if you fix the site now, he might still have access through the backdoors. He also can delete the whole site data and take the site down.
- Going further, escalating privileges can also give root access to the whole server.
Developers, if you didn't get what I'm saying, you should look for other jobs. You aren't ready for this responsibility.
Thanks. Fix it soon.
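
For the cleanup the note calls for (PHP uploaded through an image field, backdoors left behind for persistence), here is an added example that is not part of the original note: a Python triage pass over an upload directory that flags PHP extensions anywhere in a file name, PHP open tags in file content, and image files whose magic bytes do not match their extension. The extension list, the 1 MiB read limit and the sample files are assumptions and constructed data, not details from the affected server.

```python
import os
import tempfile

# Magic-byte prefixes for the image types an upload field would normally accept.
IMAGE_MAGIC = {".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
               ".png": (b"\x89PNG\r\n\x1a\n",), ".gif": (b"GIF87a", b"GIF89a")}
# Extensions commonly mapped to the PHP handler (assumption; check the server config).
PHP_EXTS = {".php", ".phtml", ".phar", ".php5", ".php7"}

def audit_uploads(root):
    """Return sorted (relative_path, reason) findings for files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            parts = name.lower().split(".")
            exts = {"." + p for p in parts[1:]}  # every extension, catches x.php.jpg
            last = "." + parts[-1] if len(parts) > 1 else ""
            with open(path, "rb") as fh:
                data = fh.read(1024 * 1024)  # first 1 MiB is enough for triage
            if exts & PHP_EXTS:
                findings.append((rel, "php-extension"))
            if b"<?php" in data.lower():  # PHP open tags are case-insensitive
                findings.append((rel, "php-tag-in-content"))
            magic = IMAGE_MAGIC.get(last)
            if magic and not data.startswith(magic):
                findings.append((rel, "magic-mismatch"))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample data: one clean image and four suspicious files."""
    root = tempfile.mkdtemp(prefix="uploads-")
    samples = {
        "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "avatar.php": b"<?php echo 'placeholder'; ?>",
        "cert.php.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
        "scan.gif": b"GIF89a<?php echo 'placeholder'; ?>",
        "id.jpg": b"plain text, not a JPEG",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for rel, reason in audit_uploads(build_sample_tree()):
        print(f"{reason:20} {rel}")
```

A clean result from this pass does not show the server is clean: it only covers the directory it is pointed at, and files changed outside it (such as index.php and .htaccess here) need a comparison against a known-good copy.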