this site keeps getting hacked


  • This topic is locked
15 replies to this topic

#1 geeks
    Member
  • Members
  • 15 posts
  • Location: South Africa

Posted 17 January 2012 - 09:40 AM

Please help: this site keeps getting hacked. I have escaped all my SQL input, as well as applying intval() to almost all input variables. I have hit a brick wall. I can always use PDO, but that would be a monumental task, and it may be something simple that I am missing.

Link to my verifying txt file: http://www.apdec.org.za/phpfreaks.txt

Link to the site: http://www.apdec.org.za/

Specifically, I have been hacked on the branch names and page content.


I have a full backup of code as well as the database.

I would really appreciate any help.

thanks
Craig



#2 ManiacDan
    Likely to be eaten by a grue
  • Administrators
  • 2,608 posts
  • Location: Philadelphia PA

Posted 17 January 2012 - 10:19 AM

If you're saying that your SVN was hacked, it's not a problem with your code, it's the server itself.

NOTE: Sometimes the answers you get on a forum won't be entirely correct. Think for yourselves. Why did you ask for evens and get odds? Why is the output sorted backward? Do the research, learn something.

"The greatest tragedy of this changing society is that people who never knew what it was like before will simply assume that this is the way things are supposed to be." -2600 Magazine, Fall 2002

Think we're being rude? Maybe you asked a bad question or you're a Help Vampire. Trying to argue intelligently? Please read this.


#3 geeks
    Member
  • Members
  • 15 posts
  • Location: South Africa

Posted 17 January 2012 - 11:58 AM

Thanks. How do I check if it's the code or the server? I am on a shared hosting server.

#4 ManiacDan
    Likely to be eaten by a grue
  • Administrators
  • 2,608 posts
  • Location: Philadelphia PA

Posted 17 January 2012 - 12:10 PM

What is the actual problem? What are the symptoms? How far down does the hack go? Are files on the filesystem being modified?



#5 geeks
    Member
  • Members
  • 15 posts
  • Location: South Africa

Posted 17 January 2012 - 03:29 PM

Strictly database hacks, nothing serious: the hacker keeps putting a "fix your security fail" message on the home page and changing branch names.

All that information is stored in the database, so it would appear to be an SQL attack of some sort.


Thanks for the help so far, it is much appreciated


#6 ManiacDan
    Likely to be eaten by a grue
  • Administrators
  • 2,608 posts
  • Location: Philadelphia PA

Posted 17 January 2012 - 04:29 PM

You keep saying "branch names" like we know what that term means.

If he's changing the home page, he has access to the code as well, unless the string he's inserting comes from a database table.



#7 geeks
    Member
  • Members
  • 15 posts
  • Location: South Africa

Posted 18 January 2012 - 01:10 AM

You keep saying "branch names" like we know what that term means.


Basically it is a non-profit organisation and they have different branches; these branches are stored in a database.

Sorry, my bad: everything being edited by the hacker is stored in the database.

The code seems to stay in place.

Thanks again. I am not a hacker or a security specialist, and this was my first project (the code is not the best).






#8 gizmola
    Advanced Member
  • Administrators
  • 4,126 posts
  • Location: Los Angeles, CA USA

Posted 18 January 2012 - 01:59 AM

Well, it looks likely that you have an SQL injection exploit.

Did you use mysql_real_escape_string() to escape all the strings you are accepting via inserts, updates and deletes? I'm guessing no. Start there.

#9 geeks
    Member
  • Members
  • 15 posts
  • Location: South Africa

Posted 18 January 2012 - 02:19 AM

Did you use mysql_real_escape_string() to escape all the strings you are accepting via inserts, updates and deletes?


I think so, I am going to double check them all again to be sure.


#10 darkfreaks
    Advanced Member
  • Members
  • 4,951 posts
  • Location: Austin, Texas

Posted 06 March 2012 - 04:40 PM

Seems like, as mentioned, secure against SQL exploits either by using PDO or mysql_real_escape_string:

http://net.tutsplus.com/tutorials/php/why-you-should-be-using-phps-pdo-for-database-access/

Also, if you have server access to your VPN or SVN, you might look into getting and installing some free/open-source anti-DDoS software.






#11 darkfreaks
    Advanced Member
  • Members
  • 4,951 posts
  • Location: Austin, Texas

Posted 10 July 2012 - 08:36 PM

Vulnerability description
This script is possibly vulnerable to Cross Site Scripting (XSS) attacks.

Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of Javascript) to another user. Because a browser cannot know if the script should be trusted or not, it will execute the script in the user context allowing the attacker to access any cookies or session tokens retained by the browser.
This vulnerability affects /events.php,searchresults.php
Discovered by: Scripting (XSS_in_URI.script).
The impact of this vulnerability
Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account, impersonating the user. It is also possible to modify the content of the page presented to the user.

Attack details
URI was set to 'onmouseover=prompt(914554)>
The input is reflected inside a tag element between single quotes.

URL encoded GET input Searchterms was set to 1<ScRiPt >prompt(957795)</ScRiPt>
The input is reflected inside <title> tag.
The input is reflected inside a text element.
The input is reflected inside a tag element between double quotes.



#12 The Little Guy
    Advanced Member
  • Members
  • 6,676 posts

Posted 14 July 2012 - 11:47 PM

I searched a hacking forum, and found this link:

http://www.apdec.org...ch=2&article=58'

Could this be what is causing your problem?

When your query is expecting numbers, force the value to a number like this:

$branch_id = (int)$_GET['branch']; // cast to int: "58'" becomes 58, "abc" becomes 0
$query = "select * from branches where branch_id = $branch_id";

phpLive - A powerful library that implements many common tasks to make php programming faster. Supports extensions and plugins. Current version: 1.0.0-Alpha
Twitter: http://twitter.com/phpsnips
http://dreamhost.com (promo code: 8RN4)
$30 off 1 year of hosting
$40 off 2 years of hosting
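The trailing quote in the link above (article=58') is the classic first probe: it only does anything if the value is spliced into the SQL text unescaped, and a visible database error tells the attacker to keep going. The following is an added example, not the site's code, showing that probe and a result-changing payload against the concatenated pattern and against the int cast from the post combined with PDO prepared statements (the PDO approach the thread recommends). It uses an in-memory SQLite database so it runs offline; the table, branch names and function names are constructed for the example, and a production site would point the DSN at MySQL with the same binding calls.

```php
<?php
// Added example (not the site's code). In-memory SQLite so it runs offline; the
// binding is identical against a MySQL DSN. Table and rows are constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE branches (branch_id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO branches (branch_id, name) VALUES (1, 'Cape Town'), (2, 'Durban'), (58, 'Pretoria')");

// Vulnerable pattern: the raw query-string value becomes part of the SQL text.
function branch_vulnerable(PDO $db, string $branchParam): array
{
    $sql = "SELECT branch_id, name FROM branches WHERE branch_id = $branchParam";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: numeric ids are cast to int and reach the engine as a bound parameter.
function branch_hardened(PDO $db, string $branchParam): array
{
    $stmt = $db->prepare('SELECT branch_id, name FROM branches WHERE branch_id = :id');
    $stmt->bindValue(':id', (int) $branchParam, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Free-text fields (the branch names the attacker kept rewriting) are bound as strings;
// nothing in the value can terminate the statement or start a new one.
function rename_branch(PDO $db, string $branchParam, string $newName): int
{
    $stmt = $db->prepare('UPDATE branches SET name = :name WHERE branch_id = :id');
    $stmt->bindValue(':name', $newName, PDO::PARAM_STR);
    $stmt->bindValue(':id', (int) $branchParam, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// 1. The probe from the forum link: a trailing quote. Spliced in, it is a syntax error,
//    and an error page is the signal the attacker is looking for.
try {
    branch_vulnerable($db, "58'");
} catch (PDOException $e) {
    echo "vulnerable query with 58' -> SQL error: ", $e->getMessage(), "\n";
}
echo "hardened query with 58' -> ", count(branch_hardened($db, "58'")), " row(s)\n";

// 2. A payload that changes the result set: the WHERE clause becomes  branch_id = 58 OR 1=1
echo "vulnerable query with '58 OR 1=1' -> ", count(branch_vulnerable($db, '58 OR 1=1')), " row(s)\n";
echo "hardened query with '58 OR 1=1'   -> ", count(branch_hardened($db, '58 OR 1=1')), " row(s)\n";

// 3. A hostile branch name is stored as a literal string and never interpreted as SQL.
rename_branch($db, '58', "Pretoria'; UPDATE branches SET name = 'fix your security fail'; --");
foreach (branch_hardened($db, '58') as $row) {
    echo "branch {$row['branch_id']} is now named: {$row['name']}\n";
}
```

The vulnerable function returns every branch for the second payload, the hardened one returns only branch 58, and the renamed row holds the whole hostile string as its name. Casting alone protects numeric parameters; for the string columns (branch names, page content) the bound parameter is what matters, and mysql_real_escape_string() is only equivalent if it is applied to every string on every query path, which is the audit the thread is asking the poster to do.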

#13 ignace
    Now mod flavored
  • Moderators
  • 6,251 posts
  • Location: Belgium

Posted 15 July 2012 - 02:36 AM

TLG, can you provide the link to the hacking forum thread? There might be more useful info for the OP.

#14 The Little Guy
    Advanced Member
  • Members
  • 6,676 posts

Posted 28 July 2012 - 05:59 PM

Here are the search results:
http://www.hackforum...post&order=desc

You may need an account to view them.

#15 flynismo
    Newbie
  • New Members
  • 5 posts

Posted 05 November 2012 - 11:47 PM

It's your search box in the top right corner.

Use htmlspecialchars() and/or strip_tags() to clean user input.

And avoid using the $_GET method.
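The scan in post #11 reports the same reflected input landing in three contexts: inside &lt;title&gt;, in a text node, and inside a tag attribute (once between single quotes, once between double quotes). What fixes all three is encoding at output time with htmlspecialchars() called with ENT_QUOTES; strip_tags() on the way in does not help for the attribute case. The following is an added example, not the site's code: a single encoder and a renderer for a search page that covers each context, fed with the two payloads quoted in the scanner report. The result row text and the function names are constructed for the example.

```php
<?php
// Added example (not the site's code): one encoder for HTML text and attribute values,
// applied at output time. The payloads are the ones from the scanner report in the thread;
// the result row is constructed sample data.

function e(string $s): string
{
    // ENT_QUOTES is the essential flag: without it the single quote survives, which is the
    // context the scan flagged ("between single quotes"). PHP versions before 8.1 did not
    // include ENT_QUOTES in the default flags, so pass it explicitly.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_search(string $requestUri, string $terms, array $rows): string
{
    $html  = '<title>Search: ' . e($terms) . "</title>\n";                        // inside <title>
    $html .= "<form action='" . e($requestUri) . "' method=\"get\">\n";             // single-quoted attribute
    $html .= '  <input type="text" name="Searchterms" value="' . e($terms) . "\">\n"; // double-quoted attribute
    $html .= "</form>\n<p>Results for " . e($terms) . ":</p>\n<ul>\n";               // text node
    foreach ($rows as $row) {
        $html .= '  <li>' . e($row) . "</li>\n";
    }
    return $html . "</ul>\n";
}

// Payloads quoted in the scan: one aimed at the reflected URI, one at the Searchterms parameter.
$uriPayload  = "/searchresults.php?Searchterms='onmouseover=prompt(914554)>";
$termPayload = '1<ScRiPt >prompt(957795)</ScRiPt>';

echo render_search($uriPayload, $termPayload, ['Pretoria branch newsletter']);

// Why strip_tags() alone is not enough: the attribute payload contains no '<', so there is
// no tag to strip. The string comes back as it went in and still closes the single-quoted
// attribute, whereas e() turns the quote and '>' into entities.
echo "strip_tags: ", strip_tags("'onmouseover=prompt(914554)>"), "\n";
echo "e():        ", e("'onmouseover=prompt(914554)>"), "\n";
```

In the rendered page the script tags appear as &amp;lt;ScRiPt &amp;gt; text and the quote in the URI payload as an entity, so neither payload leaves its context. Two caveats a practitioner would add: encode the value at every place it is printed rather than once on input, because the same search term is reflected into four spots here and each needs the same treatment; and the reflected request URI is attacker-controlled too, which is why the form action is encoded like any other user value.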

#16 Stefany93
    Advanced Member
  • Members
  • 170 posts
  • Age: 20

Posted 15 November 2012 - 04:04 AM

^^ I usually do it like that when I have to get a numerical value from a query string:

$category = filter_input(INPUT_GET, 'category', FILTER_SANITIZE_NUMBER_INT);

filter_input() is an awesome function for security.

Edited by Stefany93, 15 November 2012 - 04:06 AM.

"Never take counsel of your fears!" - Stonewall Jackson
My site - http://dyulgerova.info
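A check worth knowing before relying on the sanitising filter: FILTER_SANITIZE_NUMBER_INT strips every character except digits, plus and minus and returns a string, so a hostile value is quietly turned into a different-looking one rather than rejected, while FILTER_VALIDATE_INT returns either a real int or false. The following is an added example, not the poster's code, that runs both filters over constructed query-string values and wraps the validating form in a helper that returns a positive id or null; the helper names and sample values are assumptions for the example.

```php
<?php
// Added example (not the poster's code): sanitising versus validating an integer
// query-string value. The sample values below are constructed.

// Returns a positive branch id, or null when the value is not a clean integer.
function branch_id_or_null(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

$samples = ['58', '+58', "58'", '1-2', '058', 'abc', '0', '-3', '58 OR 1=1'];

printf("%-14s %-12s %s\n", 'raw', 'sanitize', 'validate');
foreach ($samples as $raw) {
    // keeps only digits, '+' and '-', and always returns a string
    $sanitized = filter_var($raw, FILTER_SANITIZE_NUMBER_INT);
    $validated = branch_id_or_null($raw);
    printf("%-14s %-12s %s\n", var_export($raw, true), var_export($sanitized, true), var_export($validated, true));
}

// The same validation read straight from the request, as filter_input() does in the post.
// filter_input() returns null when the key is absent and false when validation fails;
// both are mapped to null so callers have one failure value to check.
// (Assumes a web request: in the CLI the INPUT_GET superglobal is empty.)
function branch_id_from_get(): ?int
{
    $id = filter_input(INPUT_GET, 'branch', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return ($id === null || $id === false) ? null : $id;
}
```

Running the table shows the difference: the probe value 58' sanitises to the string '58' and the payload '58 OR 1=1' to '5811', both of which the query code would then use as an id without anyone noticing, whereas validation rejects them and only accepts the plain and plus-signed forms of 58. When the value is rejected the page can return a 404 instead of building a query, and whichever filter is used, the id should still be bound as PDO::PARAM_INT rather than interpolated.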

