evulness

  1. I am not sure why I can't reply to your PM, but... are you using custom-made scripts? Or is it a system like this forum, using SMF? If you are using an already made system, chances are they already have this security feature on their scripts, along with others. SMF has the reputation to be one of the more secure systems, where php-nuke has quite a few flaws.

     All you would need to do with that snippet, depending on how you have your site set up, is, when processing the post data from your forms, before it is inserted into the database, use the clean function... something like this as an example....

         function EvRegister($username, $password, $email, $ip){
             $data = array();
             $data['username'] = EvClean($_POST['usr_nme']);
             $data['password'] = EvClean($_POST['password']);
             $data['cpass'] = EvClean($_POST['cpass']);
             $data['email'] = EvClean($_POST['email']);
             $data['password'] = EvEncrypt($_POST['password']);
             $data['cpass'] = EvEncrypt($_POST['cpass']);
             $getuser = "SELECT username FROM users where username = '". $data['username'] ."'";
             $getemail = "SELECT email FROM users where email = '". $data['email'] ."'";
             $checkuser = EvQuery($getuser) or die( mysql_error() );
             $checkemail = EvQuery($getemail) or die( mysql_error() );
             if( $data['password'] !== $data['cpass'] ){
                 die("The passwords you entered don't match!\n");
             }elseif( $data['username'] == NULL && $data['password'] == NULL && $data['email'] == NULL ){
                 die("Please enter data into the specified boxes!\n");
             }elseif( strlen($data['email']) < 5 ){
                 die("Please enter a valid email address");
             }elseif( mysql_num_rows( $checkuser ) > 0 ){
                 die('The Username you entered already exists! <a href="javascript:history.go(-1)">Go back</a>');//Return an error message
             }elseif( mysql_num_rows( $checkemail ) > 0 ){
                 die('The Email you entered already exists! <a href="javascript:history.go(-1)">Go back</a>');//Return an error message
             }else {
                 $query = EvInsertUser($data);//my insert checks for an array and breaks it down to key => value
                 $ip = $_SERVER['REMOTE_ADDR'];
                 $result = EvQuery($query) or die( mysql_error() );//Send the query to the query page
                 if($result){
                     echo 'You have successfully registered!<a href="javascript:history.go(-2)">Go back</a>';//Return a success message
                 }else{
                     die(mysql_error());
                 }
             }
         }

     What this does is, see how the data array is assigned to the post variables? And each post variable is cleaned via that function. To answer your question, yes, you have to run this function on EVERY input. Without this, said hacker can insert something like this....

         x'; INSERT INTO members ('email','passwd','login_id','full_name') VALUES ('steve@unixwiz.net','hello','steve','Steve Friedl');--';

     into any one of your input areas, and inject his own account onto your database. There are countless other things they can do with injections like this.

     In your case though, the attacker is probably using an XSS (cross site scripting) attack, so that whatever they ran on your system is allowing them to keep reinserting the malware even after the shell commands strip the malicious code out. If you do manage to get this function onto your scripts, and the attacker is still inserting stuff, then I can almost guarantee that the server you are hosting on has been compromised. Ask them if they've had any issues like this with other clients, or if it is just you. Might suggest changing your account, and passwords too... possible chance you used a weak password, and they have admin access to your account, to insert the code wherever, and whenever they like.

     I could sit here and list off a TON of security measures you can take on your scripts, but unless the server is 100% secure (which none ever are), you will never be completely safe. Nothing is ever 100% secure, there are always ways to get around any security measure. All you can do is take as many steps as you can to prevent.
  2. What type of site is it? How are you cleaning your user inputs, etc.? Something you might find useful.... have them re-clean your files for you like they did previously, and fix your scripts, because to me, it sounds like you haven't properly secured your inputs. Try something like this...

         <?php
         function EvClean($string){
             if(get_magic_quotes_gpc()){
                 $string = stripslashes($string);
             }elseif(!get_magic_quotes_gpc()){
                 $string = addslashes(trim($string));//strip your slashes, or add them to break any injections.
             }
             $string = escapeshellcmd($string);//escapes all inputs and prevent php shell commands
             $string = mysql_real_escape_string($string); //strips all mysql injection attempts
             $string = stripslashes(strip_tags(htmlspecialchars($string, ENT_QUOTES))); //removes all html special tags
             return $string;
         }
         $message = EvClean($_POST['message']);
         echo $message;
         ?>

     What this does is it runs your $message through the "Cleaner" and strips, or adds slashes, depending on your setup, then it cleans all shell commands, then strips all html/javascript, etc... and then returns the cleaned string, which you can then insert into your database, flatfiles, or echo straight out, as I have above. This isn't a 100% foolproof way to stop the attack, but it should prevent them from inserting malware onto your site. That is, unless it is the server itself that has been compromised. In which case, you can't control that.
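
The registration check from the first post and the output step from the second, as an added example that is not the poster's code: values are bound as query parameters instead of being escaped into the SQL string, and HTML encoding is applied only when a value is written into a page. The `mysql_*` functions were removed in PHP 7.0 and `get_magic_quotes_gpc()` in PHP 8.0, so the sketch uses PDO. Assumptions: the helper names `open_db`, `register_user` and `show` are hypothetical, an in-memory SQLite database stands in for MySQL, and the `users` columns follow the queries in the post.

```php
<?php
// Added example: helper names are hypothetical; SQLite in memory stands in for MySQL.
function open_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT UNIQUE NOT NULL,
        email TEXT UNIQUE NOT NULL, password TEXT NOT NULL)');
    return $db;
}

function register_user(PDO $db, string $username, string $password,
                       string $cpass, string $email): string {
    $username = trim($username);
    $email    = trim($email);
    if ($username === '' || $password === '' || $email === '') {
        return 'Please enter data into the specified boxes!';
    }
    if (!hash_equals($password, $cpass)) {
        return "The passwords you entered don't match!";
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 'Please enter a valid email address';
    }
    // Values travel separately from the SQL text, so quotes in them are inert.
    $check = $db->prepare('SELECT 1 FROM users WHERE username = ? OR email = ?');
    $check->execute([$username, $email]);
    if ($check->fetchColumn() !== false) {
        return 'The username or email you entered already exists!';
    }
    $insert = $db->prepare(
        'INSERT INTO users (username, email, password) VALUES (?, ?, ?)');
    $insert->execute([$username, $email, password_hash($password, PASSWORD_DEFAULT)]);
    return 'You have successfully registered!';
}

// Encode for HTML only at the point where the value is written into a page.
function show(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

$db = open_db();
// Constructed input: the injection string quoted in the post, used as a username.
$evil = "x'; INSERT INTO members ('email','passwd','login_id','full_name') "
      . "VALUES ('steve@unixwiz.net','hello','steve','Steve Friedl');--";
echo register_user($db, $evil, 'pw-one', 'pw-one', 'a@example.com'), "\n";
echo register_user($db, $evil, 'pw-two', 'pw-two', 'b@example.com'), "\n";
echo $db->query('SELECT COUNT(*) FROM users')->fetchColumn(), " row; stored as: ",
     show($db->query('SELECT username FROM users')->fetchColumn()), "\n";
```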