Please help, this site keeps getting hacked, I have escaped all my sql input, as well as applying intval() to almost all input variable, I have hit a brick wall, I can always use PDO, but that would be a monumental task, and it may be something simple that I am missing.
link to my verifying txt file : http://www.apdec.org.za/phpfreaks.txt
link to the site : http://www.apdec.org.za/
specifically I have been hacked on the branch names and page content.
I have a full backup of code as well as the database.
I would really appreciate any help.
thanks
Craig
this site keeps getting hacked
Started by geeks, Jan 17 2012 09:40 AM
-
This topic is locked
15 replies to this topic
#2
ManiacDan
-
- Staff Alumni
-
- 2,578 posts
Likely to be eaten by a grue
- LocationPhiladelphia PA
Posted 17 January 2012 - 10:19 AM
If you're saying that your SVN was hacked, it's not a problem with your code, it's the server itself.
NOTE: Sometimes the answers you get on a forum won't be entirely correct. Think for yourselves. Why did you ask for evens and get odds? Why is the output sorted backward? Do the research, learn something.
"The greatest tragedy of this changing society is that people who never knew what it was like before will simply assume that this is the way things are supposed to be." -2600 Magazine, Fall 2002
Think we're being rude? Maybe you asked a bad question or you're a Help Vampire. Trying to argue intelligently? Please read this.
"The greatest tragedy of this changing society is that people who never knew what it was like before will simply assume that this is the way things are supposed to be." -2600 Magazine, Fall 2002
Think we're being rude? Maybe you asked a bad question or you're a Help Vampire. Trying to argue intelligently? Please read this.
#3
geeks
-
- Members
-
- 15 posts
Member
- LocationSouth Africa
Posted 17 January 2012 - 11:58 AM
Thanks, how do I check if it's code or server, I am on a shared hosting server.
#4
ManiacDan
-
- Staff Alumni
-
- 2,578 posts
Likely to be eaten by a grue
- LocationPhiladelphia PA
Posted 17 January 2012 - 12:10 PM
What is the actual problem? What are the symptoms? How far down does the hack go? Are files on the filesystem being modified?
NOTE: Sometimes the answers you get on a forum won't be entirely correct. Think for yourselves. Why did you ask for evens and get odds? Why is the output sorted backward? Do the research, learn something.
"The greatest tragedy of this changing society is that people who never knew what it was like before will simply assume that this is the way things are supposed to be." -2600 Magazine, Fall 2002
Think we're being rude? Maybe you asked a bad question or you're a Help Vampire. Trying to argue intelligently? Please read this.
"The greatest tragedy of this changing society is that people who never knew what it was like before will simply assume that this is the way things are supposed to be." -2600 Magazine, Fall 2002
Think we're being rude? Maybe you asked a bad question or you're a Help Vampire. Trying to argue intelligently? Please read this.
#5
geeks
-
- Members
-
- 15 posts
Member
- LocationSouth Africa
Posted 17 January 2012 - 03:29 PM
Strictly database hacks, nothing serious, the hacker keeps putting a "fix your security fail" message on the home page, and changing branch names.
all that information is stored in the database, so it would appear to be an sql attack of some sort.
Thanks for the help so far, it is much appreciated
all that information is stored in the database, so it would appear to be an sql attack of some sort.
Thanks for the help so far, it is much appreciated
#6
ManiacDan
-
- Staff Alumni
-
- 2,578 posts
Likely to be eaten by a grue
- LocationPhiladelphia PA
Posted 17 January 2012 - 04:29 PM
You keep saying "branch names" like we know what that term means.
If he's changing the home page, he has access to the code as well, unless the string he's inserting comes from a database table.
If he's changing the home page, he has access to the code as well, unless the string he's inserting comes from a database table.
NOTE: Sometimes the answers you get on a forum won't be entirely correct. Think for yourselves. Why did you ask for evens and get odds? Why is the output sorted backward? Do the research, learn something.
"The greatest tragedy of this changing society is that people who never knew what it was like before will simply assume that this is the way things are supposed to be." -2600 Magazine, Fall 2002
Think we're being rude? Maybe you asked a bad question or you're a Help Vampire. Trying to argue intelligently? Please read this.
"The greatest tragedy of this changing society is that people who never knew what it was like before will simply assume that this is the way things are supposed to be." -2600 Magazine, Fall 2002
Think we're being rude? Maybe you asked a bad question or you're a Help Vampire. Trying to argue intelligently? Please read this.
#7
geeks
-
- Members
-
- 15 posts
Member
- LocationSouth Africa
Posted 18 January 2012 - 01:10 AM
You keep saying "branch names" like we know what that term means.
basically it is a non-profit organisation and they have different branches, these branches are stored in a database.
sorry my bad, everything being edited by the hacker is stored in the database.
code seems to stay in place.
Thanks again, I am not a hacker or a security specialist, and this was my first project (the code is not the best).
#8
gizmola
-
- Administrators
-
- 3,811 posts
Advanced Member
- LocationLos Angeles, CA USA
Posted 18 January 2012 - 01:59 AM
Well it looks likely that you have a sql injection exploit.
Did you use mysql_real_escape_string() to escape all the strings you are accepting via inserts, updates and deletes? I'm guessing no. Start there.
Did you use mysql_real_escape_string() to escape all the strings you are accepting via inserts, updates and deletes? I'm guessing no. Start there.
Follow me | My homepage | L.A. LAMP special interest group | LA PHP Developers Group | Movie Review Site | Video news for kids | Have you read the TOS?
#9
geeks
-
- Members
-
- 15 posts
Member
- LocationSouth Africa
Posted 18 January 2012 - 02:19 AM
Did you use mysql_real_escape_string() to escape all the strings you are accepting via inserts, updates and deletes?
I think so, I am going to double check them all again to be sure.
#10
darkfreaks
-
- Members
-
- 4,883 posts
Advanced Member
- LocationAustin,Texas
Posted 06 March 2012 - 04:40 PM
seems like as mentioned secure against SQL exploits either using PDO() or mysql_real_escape_string()
http://net.tutsplus.com/tutorials/php/why-you-should-be-using-phps-pdo-for-database-access/
also if you have server access to your VPN or SVN might look into getting and installing some freesource anti DDOS software.
http://net.tutsplus.com/tutorials/php/why-you-should-be-using-phps-pdo-for-database-access/
also if you have server access to your VPN or SVN might look into getting and installing some freesource anti DDOS software.
MessageBoard FAQ: Asking Intelligent Questions| Newbie Help Response Team
Basics: print_r()|what does a particular function do? |how does this work?|PHP returns no error|PHP Books?|Ajax Books?
Basics: print_r()|what does a particular function do? |how does this work?|PHP returns no error|PHP Books?|Ajax Books?
#11
darkfreaks
-
- Members
-
- 4,883 posts
Advanced Member
- LocationAustin,Texas
Posted 10 July 2012 - 08:36 PM
Vulnerability description
This script is possibly vulnerable to Cross Site Scripting (XSS) attacks.
Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of Javascript) to another user. Because a browser cannot know if the script should be trusted or not, it will execute the script in the user context allowing the attacker to access any cookies or session tokens retained by the browser.
This vulnerability affects /events.php,searchresults.php
Discovered by: Scripting (XSS_in_URI.script).
The impact of this vulnerability
Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account, impersonating the user. It is also possible to modify the content of the page presented to the user.
Attack details
URI was set to 'onmouseover=prompt(914554)>
The input is reflected inside a tag element between single quotes.
URL encoded GET input Searchterms was set to 1<ScRiPt >prompt(957795)</ScRiPt>
The input is reflected inside <title> tag.
The input is reflected inside a text element.
The input is reflected inside a tag element between double quotes.
This script is possibly vulnerable to Cross Site Scripting (XSS) attacks.
Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of Javascript) to another user. Because a browser cannot know if the script should be trusted or not, it will execute the script in the user context allowing the attacker to access any cookies or session tokens retained by the browser.
This vulnerability affects /events.php,searchresults.php
Discovered by: Scripting (XSS_in_URI.script).
The impact of this vulnerability
Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account, impersonating the user. It is also possible to modify the content of the page presented to the user.
Attack details
URI was set to 'onmouseover=prompt(914554)>
The input is reflected inside a tag element between single quotes.
URL encoded GET input Searchterms was set to 1<ScRiPt >prompt(957795)</ScRiPt>
The input is reflected inside <title> tag.
The input is reflected inside a text element.
The input is reflected inside a tag element between double quotes.
MessageBoard FAQ: Asking Intelligent Questions| Newbie Help Response Team
Basics: print_r()|what does a particular function do? |how does this work?|PHP returns no error|PHP Books?|Ajax Books?
Basics: print_r()|what does a particular function do? |how does this work?|PHP returns no error|PHP Books?|Ajax Books?
#12
The Little Guy
-
- Members
-
- 6,676 posts
Advanced Member
Posted 14 July 2012 - 11:47 PM
I searched a hacking forum, and found this link:
http://www.apdec.org...ch=2&article=58'
Could this be what is causing your problem?
when you query is expecting numbers, force the value to a number like this:
http://www.apdec.org...ch=2&article=58'
Could this be what is causing your problem?
when you query is expecting numbers, force the value to a number like this:
$branch_id = (int)$_GET['branch']; $query = "select * from branches where branch_id = $branch_id";
phpLive - A powerful library that implements many common tasks to make php programming faster. Supports extensions and plugins. Current version: 1.0.0-Alpha
Twitter: http://twitter.com/phpsnips
http://dreamhost.com (promo code: 8RN4)
$30 off 1 year of hosting
$40 off 2 years of hosting
Twitter: http://twitter.com/phpsnips
http://dreamhost.com (promo code: 8RN4)
$30 off 1 year of hosting
$40 off 2 years of hosting
#13
ignace
-
- Moderators
-
- 5,922 posts
Now mod flavored
- LocationBelgium
Posted 15 July 2012 - 02:36 AM
TLG can you provide the link to the hacking forum thread. There might be more useful info for the OP.
#14
The Little Guy
-
- Members
-
- 6,676 posts
Advanced Member
Posted 28 July 2012 - 05:59 PM
Here are the search results:
http://www.hackforums.net/search.php?action=results&sid=b6617ba1b2b97559ccb77d02b8969b98&sortby=lastpost&order=desc
You may need an account to view them.
http://www.hackforums.net/search.php?action=results&sid=b6617ba1b2b97559ccb77d02b8969b98&sortby=lastpost&order=desc
You may need an account to view them.
phpLive - A powerful library that implements many common tasks to make php programming faster. Supports extensions and plugins. Current version: 1.0.0-Alpha
Twitter: http://twitter.com/phpsnips
http://dreamhost.com (promo code: 8RN4)
$30 off 1 year of hosting
$40 off 2 years of hosting
Twitter: http://twitter.com/phpsnips
http://dreamhost.com (promo code: 8RN4)
$30 off 1 year of hosting
$40 off 2 years of hosting
#15
flynismo
-
- New Members
-
- 5 posts
Newbie
Posted 05 November 2012 - 11:47 PM
It's your search box in the top right corner.
Use htmlspecialchars() and/or strip_tags() to clean user input.
And avoid using $_GET method
Use htmlspecialchars() and/or strip_tags() to clean user input.
And avoid using $_GET method
#16
Stefany93
-
- Members
-
- 116 posts
Advanced Member
- LocationBG
- Age:19
Posted 15 November 2012 - 04:04 AM
^^ I usually do like that when I have to get a numerical value from a query string:
Filter_input is an awesome function for security.
$category = filter_input(INPUT_GET, 'category', FILTER_SANITIZE_NUMBER_INT);
Filter_input is an awesome function for security.
Edited by Stefany93, 15 November 2012 - 04:06 AM.
"Never take counsel of your fears!" - Stonewall Jackson
My site - http://dyulgerova.info
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users
