runnerjp Posted January 27, 2010 Share Posted January 27, 2010 Hey guys, Too my horrer i opened my unfinished website today to find there had been a posting under my admin account. I belive this is through hacking my account and cant find how they did it. Im hoping someone would be able to replicate this in order for me to fix the error and secure mysite before it goes live. The address is http://www.runningprofiles.com Jarratt Perkins (phpfreaks name is on the page linked 'Login - PHP FREAKS!!! PLEASE HELP ME') Link to comment Share on other sites More sharing options...
Yucky Posted January 29, 2010 Share Posted January 29, 2010 Could you post the code you use for your login? Link to comment Share on other sites More sharing options...
PFMaBiSmAd Posted January 29, 2010 Share Posted January 29, 2010 And, post the code you are putting on each page to restrict access to the content on it to only a logged in visitor. Link to comment Share on other sites More sharing options...
PFMaBiSmAd Posted January 29, 2010 Share Posted January 29, 2010 Also tell us what a phpinfo(); statement shows for the register_globals setting. Link to comment Share on other sites More sharing options...
runnerjp Posted February 1, 2010 Author Share Posted February 1, 2010 Hey sorry about the delay. Below is the login code. <?php ini_set('session.cookie_lifetime', 0); ini_set('session.cache_expire', 0); session_start(); header("Cache-control: private"); ?><?php require_once ( 'settings.php' ); if ( array_key_exists ( '_submit_check', $_POST ) ) { if ( $_POST['username'] != '' && $_POST['password'] != '' ) { $query = 'SELECT ID, Username, Active, Password FROM ' . DBPREFIX . 'users WHERE Username = ' . $db->qstr ( $_POST['username'] ) . ' AND Password = ' . $db->qstr ( md5 ( $_POST['password'] ) ); $ip = $_SERVER['REMOTE_ADDR']; $user = $_POST['username']; $date = date("m/d/Y g:i:s"); mysql_query("UPDATE users SET ip = '$ip' WHERE username = '$user'"); mysql_query("UPDATE users SET lastlog = '$date' WHERE username = '$user'"); if ( $db->RecordCount ( $query ) == 1 ) { $row = $db->getRow ( $query ); if ( $row->Active == 1 ) { set_login_sessions ( $row->ID, $row->Password, ( $_POST['remember'] ) ? TRUE : FALSE ); header ( "Location: " . REDIRECT_AFTER_LOGIN ); } elseif ( $row->Active == 0 ) { $error = 'Your membership was not activated. Please open the email that we sent and click on the activation link.'; } elseif ( $row->Active == 2 ) { $error = 'You are suspended!'; } } else { $error = 'Login failed!'; } } else { $error = 'Please use both your username and password to access your account'; } } ?> The stop login function on each page is.. checkLogin('1 2'); /** * checkLogin * * Applies restrictions to visitors based on membership and level access * Also handles cookie based "remember me" feature * * @access public * @param string * @return bool TRUE/FALSE */ function checkLogin($levels) { global $db; $kt = split(' ', $levels); if (!$_SESSION['logged_in']) { $access = false; if (isset($_COOKIE['cookie_id'])) { //if we have a cookie $query = 'SELECT * FROM ' . DBPREFIX . 'users WHERE ID = ' . $db->qstr($_COOKIE['cookie_id']); if ($db->RecordCount($query) == 1) { //only one user can match that query $row = $db->getRow($query); //let's see if we pass the validation, no monkey business if ($_COOKIE['authenticate'] == md5(getIP() . $row->Password . $_SERVER['USER_AGENT'])) { //we set the sessions so we don't repeat this step over and over again $_SESSION['user_id'] = $row->ID; $_SESSION['logged_in'] = true; //now we check the level access, we might not have the permission if (in_array(get_level_access($_SESSION['user_id']), $kt)) { //we do?! horray! $access = true; } } } } } else { $access = false; if (in_array(get_level_access($_SESSION['user_id']), $kt)) { $access = true; } } if ($access == false) { header('Location: http://www.runningprofiles.com/error.php'); exit(); } } phpinfo(); shows - reg_globals as off Link to comment Share on other sites More sharing options...
d_barszczak Posted February 9, 2010 Share Posted February 9, 2010 Hi Runnerjp, Just had a quick look at the code and it does not look like you are checking any data that is submitted before you use it to query the database. This may have left the site open to SQL injection attacks. There are a few posts on this forum that explain how to prevent injection attacks. Link to comment Share on other sites More sharing options...
Recommended Posts