Jump to content

Quite distressing security issues

andrew2110

By andrew2110
in PHP Coding Help

 Share

Recommended Posts

andrew2110 Newbie

andrew2110

Posted
Posted

Hi Guys,

 

Over the last couple of weeks my site has been hacked repeatedly, first the administration section of the site only - so I took steps to make this fully secure including restricting it so only certain IP / Pin number combinations can access it, followed by a login over SSL using encrypted password / username combo... Just when I was feeling proud of myself for making something I thought was pretty secure, I find out that a whole table in my database has been emptied.

 

Luckily I back everything up every night so not much was lost, but still I need to find a way to try and stop this kind of thing from happening. The only two ways I can think of that people could do something like this would be to find how to login to my plesk control panel and login to the mysql database from there from which they would see phpMyAdmin... Or do some kind of mysql injection from one of the html forms on my site.. Are there any other methods people could use to ruin my database like this?

 

If anybody fancies trying to break my system and letting me know how I can fix it, please send me a PM :)

Link to comment
Share on other sites
Brian W Regular Member

Brian W

Posted
Posted

mysql injection is likely it. I'd give you a percentage, but i'd be out my A$$, but its a really high percentage of php related hacking is mysql injection. You need to make sure that ANYWHERE that people can input info that even touches your database (likely 100% of your forms) you have the stings being stripped of anything potentially bad; namely double and single quotes. " '

look into the manual about magic quotes

Some one else may be of more help to you, but thats my 2 cents.

Link to comment
Share on other sites
andrew2110 Newbie

andrew2110

Posted
  • Author
Posted

I agree with you, and the only part that doesnt strip that bad things is the part that wasn't intended for public use (the admin section which was hacked into)... I'll double check that no mysql injection can take place... It's all quite terrifying why people want to try and hack my silly little site though, it's not even launched yet :(

Link to comment
Share on other sites
xtopolis Member

xtopolis

Posted
Posted

Also, change ALL passwords relating to your site, and start fresh.

Plesk, mysql,etc.. all passwords, even ones only "you" know.

 

Even your admin section should have checks and balances.  But like I said, possibly start fresh, checking each page at a time as you reimplement it, or start from scratch.

Link to comment
Share on other sites
Brian W Regular Member

Brian W

Posted
Posted

Also, change ALL passwords relating to your site, and start fresh.

Plesk, mysql,etc.. all passwords, even ones only "you" know.

 

Even your admin section should have checks and balances.  But like I said, possibly start fresh, checking each page at a time as you reimplement it, or start from scratch.

He has restricted the IP address to only his he says, thats a decent check isn't it? (only one problem, sometimes your ISP changes your IP)

For information on strong passwords: http://www.microsoft.com/protect/yourself/password/create.mspx

 

Link to comment
Share on other sites
andrew2110 Newbie

andrew2110

Posted
  • Author
Posted

The admin section is the only section with that level of security (only allowing my IP address), I'm pretty happy that part can't be hacked now, sometimes the IP address might change and I'll have to reconfigure which IP address / pin number combo is allowed but thats a small price to pay..

 

For cleaning up all other form inputs I have:

 

$allowedTags='<p><strong><em><u><h1><h2><h3><h4><h5><h6><img>';
$allowedTags.='<li><ol><ul><span><div><br><ins><del>';
		$inputContent = strip_tags(stripslashes($_POST['inputData']),$allowedTags);
		$inputContent = addslashes($inputContent );

Which I thought should do the job... but perhaps not...

 

Link to comment
Share on other sites
xtopolis Member

xtopolis

Posted
Posted

He has restricted the IP address to only his he says, thats a decent check isn't it?

 

No.  If they have access to his cpanel, mysql database, ftp, etc, they can circumvent his stuff.  That is why I suggest he starts fresh, changing every password.  Why would I use a script/webpage to do something, when I can directly interface with mysql, raw files?

 

In a vast majority of security related issues, the attacker is usually someone that the attackee knows, or that the attacker knows information about.  When it comes to security, there is no such thing as trust.  If his site is small and not yet even released, then why would someone attack it?  A good hacker will hack for value/profit, not usually for fun.  So, @the op, did you piss off anyone recently that would have a reason to hack your site?  Or does your site hold something of value?

Link to comment
Share on other sites
CroNiX Member

CroNiX

Posted
Posted

Most likely they hacked in through the url via variables being passed through $_GET/$_POST.  One thing to do is whenever you are doing something with the database in your code and it uses something from $_GET/$_POST to access data in your db you need to sanitize that variable.

 

Like if you have some SQL that is similar to this:

SELECT * FROM tableName WHERE username = '$_POST['username']';

 

Before you run a query like that you need to properly escape it.

$username = mysql_real_escape_string($_POST['username']);

then you can 

SELECT * FROM tableName WHERE tableName.username = '$username';

The problem when you are using a form or something that gets data from the user (or even just from the url variables, the user can type in SQL into that form and do just about anything they want...like DROP tableName;

If you sanitize anything retrieved via $_POST/$_GET you can eliminate most of this.

 

Link to comment
Share on other sites
andrew2110 Newbie

andrew2110

Posted
  • Author
Posted

We're a skill gaming site and in prelaunch I think we've managed to upset a rival site - uvme.com who have seen some of their associates come over to us. Not saying thats absolutley the case that they've come and started to try and hurt us, but just speculation, but then there are several other big companies in the market who might have their feathers ruffled by us..

 

All passwords are now changed. I don't really have any friends that are capable of doing anything like this and out of the people working on the site with me, I'm the only one who's ever touched the database as the others cannot do any programming whatsoever...

 

The site is www.dukesbox.com ...

 

I think the only approach I should proceed with is one of absolute paranoia in that nothing should be trusted completley and to backup the database as frequently as possible.. (twice daily)...

 

 

@CroNiX - I'm no master of PHP but "strip_tags(stripslashes($_POST['inputData']),$allowedTags);" was intended to strip anything other than a few simple html tags that shouldnt do any kind of harm? It was my understanding mysql_real_escape_string() would also get rid of any basic html formatting I might want to let users input?

 

Link to comment
Share on other sites
CroNiX Member

CroNiX

Posted
Posted

mysql_real_escape_string doesn't touch html, it escapes single and double quotes so the database doesn't take them literally.  Also, setup mysql so that the user account you are using to access mysql via your application doesn't have DROP privileges, unless you actually use DROP in your code.  Most people don't DROP tables in their code so I always advise this.  Also, whoever did this could have also placed malicious code in your code...so you better check it.  One of the main places to check is wherever you are creating new accounts.  One thing some hackers like to do is insert code so that when a new account is created it emails the user/pass to some address so they can use it.

Link to comment
Share on other sites
andrew2110 Newbie

andrew2110

Posted
  • Author
Posted

Good advice about the 'Drop' and I'll apply that to 'Empty' as well. All I'll allow is update, insert, delete, select as thats all we use really...

 

Just done a scan of the code and all seem's to be ok, although we're showing that our CPU's our currently running at close to full capacity and with only a few users online and a quad core processor, leads me to think that perhaps a new attack is starting on our site (DDoS?)

 

 

Link to comment
Share on other sites
discomatt Member

discomatt

Posted
Posted

@CroNiX - I'm no master of PHP but "strip_tags(stripslashes($_POST['inputData']),$allowedTags);" was intended to strip anything other than a few simple html tags that shouldnt do any kind of harm?

 

<pre><?php

$str = <<<XSS
<img src="blank.gif" style="position: absolute; top: 0; left: 0; width: 100%; height: 100%; z-index: 999;" onclick="alert( 'XSS attack goes here' )" />

<script type="malacious">
but it really doesnt matter
</script>

<br /><br /><br /><br /><br /><br /><br /><br />
some random text
<h1>other text</h1>

XSS;

echo strip_tags( $str, '<img>' );

echo '<br /><a href="#">Please click this link!</a>';

?></pre>

Link to comment
Share on other sites
andrew2110 Newbie

andrew2110

Posted
  • Author
Posted

Right I understand now,

 

So even harmless sounding tags like <img> can include some nasty bits...

 

So:

 

$inputContent = strip_tags(stripslashes($_POST['inputData']),$allowedTags);

$inputContent = mysql_real_escape_string($inputContent);

 

strip_tags then mysql_real_escape_string() should be ok?

 

Link to comment
Share on other sites
xtopolis Member

xtopolis

Posted
Posted

First, read PFMaBiSmAd's advice, and check your logs.

 

Secondly, use BBC style replacements instead of allowing code tags <,>  -> [,]

 

You can test common HTML injections at http://ha.ckers.org/xss.html

Mysql, can be further filtered... by accepting parameters(wrong name?) instead (read this when you have time: http://www.scribd.com/doc/2670985/SQL-Antipatterns)  It's towards the end

 

As for your site security, you should always know expected inputs, and only allow variations of those.  Even if you allow HTML code, you start with allowing NO TAGS and then enable only the ones you want..  and even then , like I said, use BBC to replace user input, and switch it back on output.

Link to comment
Share on other sites
xylex Newbie

xylex

Posted
Posted

Found a few SQL injection spots in your app.  Anywhere you're putting an unquoted value, like a number, into your SQL query, the method you're using to sanitize won't do anything.  addslashes() is only designed to prevent people from breaking out of a quoted string, and they're already out at that point.

 

Sanitize user inputted numbers using intval() or quote them where appropriate in your SQL query.  These spots should be apparent, but if you need help, PM me if you need some specific spots that you have this issue.

Link to comment
Share on other sites
waynewex Advanced Member

waynewex

Posted
Posted

You should go to the BETA part of the PHP Freaks Forums. (It's one of the sections at the bottom beside Misc and Critique). I know for a fact that a guy called DarkFreaks who frequents that area often does a free test with his Acunetix Web Vulnerability scanner. That will tell you exactly where the weak spots, and will also tell you exactly how to fix it. You also might want to give him a login so that the scanner can log in and do the same things as a regular user.

Link to comment
Share on other sites
discomatt Member

discomatt

Posted
Posted

One thing I never do is place my admin section inside a folder called admin. Or anything else that can be guessed via brunt force.

 

Security through obscurity is not good practise... nor should the location of your script be considered a security measure ( beyond storing files outside of webroot ;) )

Link to comment
Share on other sites
Psycho Prolific Member

Psycho

Posted
Posted

One thing I'll throw out - although it is implied but not explicitly stated above - you should validate and sanitize AND and ALL information comng from the client.

 

For example I have seen instances where no validation was performed on a certain field because a select field was used on the input form and the person writing the code assumed the select field would prevent other values. There is nothing preventing a user from creating their own form and posting it with any values they want. So check everything even if the form would prevent them from sending unknoiwn values: select fields, hiddent fieds, checkbox values, etc.

 

Also should validate cookie values as well.

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.