
OK, a user has been able to access my site, delete all forum posts, and post this under my admin name:

 

"--------------------------------------------------------------------------------

 

  Charlie Chaplin once said something to the effect of:

 

'Humour is an act of defiance; that we must laugh at our helplessness against the forces of nature, or go insane.'

 

And where is he now? Dead. 

 

"

 

I have set up a test account to see what's happening.

 

username: demo

password: demo

 

It's only happening in the forum area: www.runningprofiles.com (I added a phpfreaks login so you can see it's my site).

https://forums.phpfreaks.com/topic/191353-my-forum-has-been-hackedhelp/

  • 1 month later...

Hi pugjr, that's my friend's company. He can offer it for free.

 

If he will do that for all your friends he'll soon be out of business, plus it ain't fair to give it away to someone for free while another should pay for it. Creating this kind of situation will screw you sideways.

@runnerjp: please do read up on common security practices. The most probable cause of this is SQL injection from insecure code. If you showed us some key elements (how data is sanitized or displayed) and whether you are properly escaping the data (it seems you're double escaping), then we could help. But for now, just disallow anyone to log in, and post here for help on your code security, or take the time required to fix your script. There's no harm in making a mistake; maybe this could be a simple wake-up call to show you there are a lot of people who try these things, so it's essential to get secure coding right.

D.Shankar, are you an idiot? You're promoting horrible code with such incredibly obvious security flaws, all on the magic notion that some website can prevent hacking!
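The reply above names the most likely cause (SQL injection, plus no check on who is allowed to delete) without code to look at. The following is an added example, not code from the thread or from the OP's site: a forum "delete post" handler written two ways in PHP against an in-memory SQLite database with constructed sample rows. All function names, table columns and user names are invented for the illustration.

```php
<?php
// Added example, not code from the thread. A forum "delete post" handler written two ways
// against an in-memory SQLite database with constructed sample rows. Names are made up.

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT NOT NULL, body TEXT NOT NULL)');
    $db->exec("INSERT INTO posts (author, body) VALUES ('admin', 'Welcome'), ('alice', 'Hi all'), ('demo', 'Test post')");
    return $db;
}

function countPosts(PDO $db): int {
    return (int) $db->query('SELECT COUNT(*) FROM posts')->fetchColumn();
}

// Vulnerable: the id is pasted straight from the request into the SQL string,
// and nothing checks who is logged in or who owns the post.
function deletePostVulnerable(PDO $db, string $requestedId): void {
    $db->exec("DELETE FROM posts WHERE id = $requestedId");
}

// Hardened: validate the id, check ownership (or admin role) in PHP, then delete
// through a prepared statement so the value can never be parsed as SQL.
function deletePostSafe(PDO $db, string $sessionUser, bool $isAdmin, string $requestedId): bool {
    $id = filter_var($requestedId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return false;                       // not a number: reject without touching the database
    }
    $lookup = $db->prepare('SELECT author FROM posts WHERE id = ?');
    $lookup->execute([$id]);
    $author = $lookup->fetchColumn();
    if ($author === false || ($author !== $sessionUser && !$isAdmin)) {
        return false;                       // no such post, or not yours and you are not admin
    }
    $delete = $db->prepare('DELETE FROM posts WHERE id = ?');
    $delete->execute([$id]);
    return $delete->rowCount() === 1;
}

// Injection against the vulnerable handler: one request wipes the whole table.
$db = openDb();
$before = countPosts($db);
deletePostVulnerable($db, '1 OR 1=1');
echo "vulnerable: $before posts before, " . countPosts($db) . " after\n";

// The same payload against the hardened handler is rejected, and a valid id
// only works for the post's owner or an admin.
$db = openDb();
$results = [
    'demo sends "1 OR 1=1"'      => deletePostSafe($db, 'demo', false, '1 OR 1=1'),
    'demo deletes admin post 1'  => deletePostSafe($db, 'demo', false, '1'),
    'demo deletes own post 3'    => deletePostSafe($db, 'demo', false, '3'),
    'admin deletes alice post 2' => deletePostSafe($db, 'admin', true, '2'),
];
foreach ($results as $case => $ok) {
    echo str_pad($case, 30) . ($ok ? 'deleted' : 'refused') . "\n";
}
echo "hardened: " . countPosts($db) . " posts remain\n";
```

Two separate defects are shown because the thread describes two symptoms: injection (a string like `1 OR 1=1` turning one delete into a table wipe) and missing authorization (any logged-in account, such as the demo/demo one, acting as the admin). Prepared statements fix only the first; the ownership check fixes the second, and escaping alone, single or double, fixes neither.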

 

Oh really?? Then dig it out, Mr. Idiot.

 

Why is this world full of greedy people?? When someone comes to help there are people like oni-kun who always criticize others.

 

If you do find flaws then try to help my friend, or else keep your mouth shut and don't boast your skills. It's really unnecessary here.

I was trying to help, but he was trying to criticize. Nothing else.

 

If someone asks for help, you give it to them. You do not promote poor programming practices with a paid service which is riddled with horrible coding. Blatant advertising does not provide educational, productive or comprehensional value to the original poster.

 

This is not a place for your pointless idiocrastic ideas. If you cannot come up with a valued solution or comment, then simply do not post.

 

If you do find flaws then try to help my friend or else keep your mouth shut

 

You demand help on someone else's poor project?

Are you 14? Should you not be on these forums?

Today, my dad showed me a must-have for stuff like passwords. If you have the newest version of PHP, it's SHA256(string), which is basically a method of encoding text. It was designed by the NSA itself. If you have PHP 4, use this:

bin2hex(mhash(MHASH_SHA256, $string));

If you use this method for a password, you can simply save the result to the MySQL database, and when logging in, use the same method to check if what they entered gets encoded into the same thing as it is in the MySQL database. The best part is that this method isn't reversible, which makes it as secure as possible. Hope this helps for any future sites with passwords.

Send encrypted passwords to your database instead of a visible password.

When logging in, check if username's password input encrypts into the same thing as it is in the database.

There are 3 common methods: SHA-256, SHA-512, and SHA-1. Personally, I would recommend SHA-256.

If you want to filter passwords to make sure they're not dumb (I am not trying to advertise, just helping out), I made an encrypter at my SHA256 testing site.

 

The SHA-256 method is the most common encryption method.

bin2hex(mhash(MHASH_SHA256, $password));

If you like large annoying text, use SHA-512 to ensure maximum security.

bin2hex(mhash(MHASH_SHA512, $password));

If you like simplicity, use the crackable SHA-1.

sha1($password);
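The two posts above describe a flow (hash at signup, re-hash at login, compare) but show only the hash call. The following is an added example in PHP, not code from the thread or from the poster's site, that carries that flow through and adds the two things a bare `hash('sha256', $password)` lacks: a per-user random salt, so two users with the same password do not store the same value, and `hash_equals` for a constant-time comparison. The `$users` array stands in for the MySQL table; all names are invented. The last lines show the same flow with PHP's built-in `password_hash`/`password_verify` (PHP 5.5+), which selects a slow, salted algorithm for you and is the call to use in current PHP.

```php
<?php
// Added example, not code from the thread: signup/login password handling with a
// per-user salt and constant-time compare. $users stands in for the MySQL table.

function hashPassword(string $password, string $saltHex): string {
    // Salt is prepended so identical passwords give different digests per user.
    return hash('sha256', $saltHex . $password);
}

function registerUser(array &$users, string $username, string $password): void {
    $saltHex = bin2hex(random_bytes(16));          // 128-bit random salt (PHP 7+)
    $users[$username] = [
        'salt' => $saltHex,
        'hash' => hashPassword($password, $saltHex),
    ];
}

function checkLogin(array $users, string $username, string $password): bool {
    if (!isset($users[$username])) {
        // Hash anyway so an unknown username costs the same time as a wrong password.
        hashPassword($password, str_repeat('0', 32));
        return false;
    }
    $row = $users[$username];
    // hash_equals compares in constant time; a plain === can leak the match length.
    return hash_equals($row['hash'], hashPassword($password, $row['salt']));
}

$users = [];
registerUser($users, 'demo', 'demo');
registerUser($users, 'alice', 'demo');   // same password as demo, different salt

echo 'same password, different stored hash: ';
var_dump($users['demo']['hash'] !== $users['alice']['hash']);
echo 'demo/demo:      '; var_dump(checkLogin($users, 'demo', 'demo'));
echo 'demo/Demo:      '; var_dump(checkLogin($users, 'demo', 'Demo'));
echo 'nobody/demo:    '; var_dump(checkLogin($users, 'nobody', 'demo'));

// The same flow with the built-in password API (PHP 5.5+). The salt and the
// algorithm identifier are embedded in the returned string, so only one column is stored.
$stored = password_hash('demo', PASSWORD_DEFAULT);
echo 'password_verify: '; var_dump(password_verify('demo', $stored));
```

Run it with `php example.php`: the first three checks come back true, true, false and the unknown-user check false, and the `password_verify` line is true. Note that a fast hash such as SHA-256, even salted, still lets an attacker who copies the table try billions of guesses per second on a GPU; that is the reason the built-in API defaults to bcrypt.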

Volestar, you are wasting your time typing in this thread.

 

The original poster (OP) started the thread long ago and has since started at least one other thread for the same exact problem, where it was determined that his code (after we managed to get him to post it so that someone could determine what it was or was not doing) had several shortcomings that allowed almost anyone to delete and edit the content on his forum.

 

All the replies in this thread from April 06 (two months after the original post) onward don't really address the security problems in the OP's code because that code was not supplied in this thread and it is not really possible to specifically determine which of the dozen or more possible things are causing the problem on a site simply by visiting the site.

 

The problem in the original post in this thread did not really have anything to do with the information you are posting and in fact randomly posting commonly available information in a help forum is a waste of your time because no one that would actually be helped by it will ever see it.
