runnerjp Posted April 7, 2010 Share Posted April 7, 2010 Hey guys, I logged on to edit my website today to find that most of my forum posts have been deleted! I have no idea how they have done this.... I have made sure all $_gets and $_posts have mysql real escaped and i just cant find out how they are doing it. Can any one offer me guidence to find the errors .... i can provide access to the site to find the error itself. Anything to prevent my hard work being destroyed. Quote Link to comment https://forums.phpfreaks.com/topic/197842-website-being-hacked-some-one-is-deleting-all-posts/ Share on other sites More sharing options...
Deoctor Posted April 7, 2010 Share Posted April 7, 2010 can u provide access to this and let us see it .. Quote Link to comment https://forums.phpfreaks.com/topic/197842-website-being-hacked-some-one-is-deleting-all-posts/#findComment-1038222 Share on other sites More sharing options...
runnerjp Posted April 7, 2010 Author Share Posted April 7, 2010 The login screen is www.runningprofiles.com Username:Demo Password:Demo they could be acesssing my Admin account through the login but im not sure. I have added "PhP freaks please help me" just to show its my login screen! Quote Link to comment https://forums.phpfreaks.com/topic/197842-website-being-hacked-some-one-is-deleting-all-posts/#findComment-1038224 Share on other sites More sharing options...
Deoctor Posted April 7, 2010 Share Posted April 7, 2010 havent u made any kind of logs in ur code.. can u provide me with the code details Quote Link to comment https://forums.phpfreaks.com/topic/197842-website-being-hacked-some-one-is-deleting-all-posts/#findComment-1038230 Share on other sites More sharing options...
conker87 Posted April 7, 2010 Share Posted April 7, 2010 Are you sure someone didn't just login with the above details? Quote Link to comment https://forums.phpfreaks.com/topic/197842-website-being-hacked-some-one-is-deleting-all-posts/#findComment-1038232 Share on other sites More sharing options...
runnerjp Posted April 7, 2010 Author Share Posted April 7, 2010 What do you mean by logs?? Quote Link to comment https://forums.phpfreaks.com/topic/197842-website-being-hacked-some-one-is-deleting-all-posts/#findComment-1038234 Share on other sites More sharing options...
runnerjp Posted April 7, 2010 Author Share Posted April 7, 2010 they could have but i dont see how they edited it... iv just chnage permissions on the edit button to delete posts ect so i can try clean it up alittle quikly- usually it has if{$userid = '1'} so only Admin can edit it. for time being i think i might log all logins with date time ip ect.... all errors (how would i create error log so i can record username ip and error made @ time??) and all deletiong ect made by users. Try track down how and who is doing it Quote Link to comment https://forums.phpfreaks.com/topic/197842-website-being-hacked-some-one-is-deleting-all-posts/#findComment-1038235 Share on other sites More sharing options...
Deoctor Posted April 7, 2010 Share Posted April 7, 2010 they could have but i dont see how they edited it... iv just chnage permissions on the edit button to delete posts ect so i can try clean it up alittle quikly- usually it has if{$userid = '1'} so only Admin can edit it. for time being i think i might log all logins with date time ip ect.... all errors (how would i create error log so i can record username ip and error made @ time??) and all deletiong ect made by users. Try track down how and who is doing it if u can provide us ur code then i can surely help u out on hw u can log the details of the guys who are doing in out.. What do you mean by logs?? i mean this one onlyy.. whether u are storing any thing when some one is doing something on ur site... this would slow down ur process but it will surely help u out when something like this happens... Quote Link to comment https://forums.phpfreaks.com/topic/197842-website-being-hacked-some-one-is-deleting-all-posts/#findComment-1038238 Share on other sites More sharing options...
runnerjp Posted April 7, 2010 Author Share Posted April 7, 2010 if u can provide us ur code then i can surely help u out on hw u can log the details of the guys who are doing in out.. Ok well usernames are stored as $username; the page they are on is stored as $url; time is $time; any other part of code u want? mean this one onlyy.. whether u are storing any thing when some one is doing something on ur site... this would slow down ur process but it will surely help u out when something like this happens... and no i dont sadly, but i think i best lol Quote Link to comment https://forums.phpfreaks.com/topic/197842-website-being-hacked-some-one-is-deleting-all-posts/#findComment-1038242 Share on other sites More sharing options...
Deoctor Posted April 7, 2010 Share Posted April 7, 2010 so u are using the admin login only to delete the posts right, so what u can do is check the http referrer from which they are using to access the pages of deletion. if any script is doing it out then obviously u can restrict that.. check with these server variables and add the ones which ever u need most http://php.net/manual/en/reserved.variables.server.php Quote Link to comment https://forums.phpfreaks.com/topic/197842-website-being-hacked-some-one-is-deleting-all-posts/#findComment-1038248 Share on other sites More sharing options...
runnerjp Posted April 7, 2010 Author Share Posted April 7, 2010 I have had alook at the page and it does not make sence to me Also do you know how to log errors?? so far i have- /* we will do our own error handling. */ error_reporting(0); // Turns off all error reporting. /* user defined error handling function. */ function userErrorHandler($errno, $errmsg, $filename, $linenum, $vars) { // timestamp for the error entry. $dt = date('Y-m-d H:i:s (T)'); // define an assoc array of error string // in reality the only entries we should // consider are E_WARNING, E_NOTICE, E_USER_ERROR, // E_USER_WARNING and E_USER_NOTICE. $errortype = array ( E_ERROR => 'Error', E_WARNING => 'Warning', E_PARSE => 'Parsing Error', E_NOTICE => 'Notice', E_CORE_ERROR => 'Core Error', E_CORE_WARNING => 'Core Warning', E_COMPILE_ERROR => 'Compile Error', E_COMPILE_WARNING => 'Compile Warning', E_USER_ERROR => 'User Error', E_USER_WARNING => 'User Warning', E_USER_NOTICE => 'User Notice', E_STRICT => 'Runtime Notice' ); // set of errors for which a var trace will be saved. $user_errors = array(E_USER_ERROR, E_USER_WARNING, E_USER_NOTICE); $err = "<errorentry>\n"; $err .= "\t<datetime>" .$dt. "</datetime>\n"; $err .= "\t<errornum>" .$errno. "</errornum>\n"; $err .= "\t<errortype>" .$errortype[$errno]. "</errortype>\n"; $err .= "\t<errormsg>" .$errmsg. "</errormsg>\n"; $err .= "\t<scriptname>" .$filename. "</scriptname>\n"; $err .= "\t<scriptlinenum>" .$linenum. "</scriptlinenum>\n"; if (in_array($errno, $user_errors)) { $err .= "\t<vartrace>" .wddx_serialize_value($vars, 'Variables'). "</vartrace>\n"; } $err .= "</errorentry>\n\n"; // save to the error log file, and e-mail me if there is a critical user error. error_log($err, 3, '../error_log.log'); if ($errno == E_USER_ERROR) { mail('bgates@gmail.com', 'Critical User Error', $err); } } $old_error_handler = set_error_handler('userErrorHandler'); if i was to chnage it so i added it to db with username and page ect would this help? Quote Link to comment https://forums.phpfreaks.com/topic/197842-website-being-hacked-some-one-is-deleting-all-posts/#findComment-1038254 Share on other sites More sharing options...
Deoctor Posted April 7, 2010 Share Posted April 7, 2010 it is not regarding the errors that i am asking about.. what i am trying to say here is that suppose if an user logs into ur site then these are the following details u can fetch from that SERVER_ADDR REQUEST_METHOD REQUEST_TIME QUERY_STRING HTTP_REFERER--used to find whether he is coming from a valid url... REMOTE_ADDR SCRIPT_FILENAME and so on...... these are quite helpfull for you to trace the things while u are working on.. also have a check whether some one is directly accessing ur database and deleting the things change ur mysql password and also the access levels for the user id... Quote Link to comment https://forums.phpfreaks.com/topic/197842-website-being-hacked-some-one-is-deleting-all-posts/#findComment-1038265 Share on other sites More sharing options...
PFMaBiSmAd Posted April 7, 2010 Share Posted April 7, 2010 It's highly likely that your form processing code where you actually delete posts (and perhaps on all of your admin functions) is either not checking if the current visitor is logged in as an admin or the code you are using to check that can be bypassed. The code we really need to see would be for the delete function and the login security you are using on that page. Just an FYI: HTTP_REFERER is a header that comes with the HTTP request. It can easily be set to anything and in fact most of the web proxy scripts set it to be the same as the domain being requested so that requests that come through such a proxy look like they are from someone who is actually browsing on your site. HTTP_REFERER cannot really be trusted or used for anything more than informational purposes. Quote Link to comment https://forums.phpfreaks.com/topic/197842-website-being-hacked-some-one-is-deleting-all-posts/#findComment-1038275 Share on other sites More sharing options...
Deoctor Posted April 7, 2010 Share Posted April 7, 2010 Just an FYI: HTTP_REFERER is a header that comes with the HTTP request. It can easily be set to anything and in fact most of the web proxy scripts set it to be the same as the domain being requested so that requests that come through such a proxy look like they are from someone who is actually browsing on your site. HTTP_REFERER cannot really be trusted or used for anything more than informational purposes. can u provide me with a sample of how to set that ?? Quote Link to comment https://forums.phpfreaks.com/topic/197842-website-being-hacked-some-one-is-deleting-all-posts/#findComment-1038278 Share on other sites More sharing options...
runnerjp Posted April 7, 2010 Author Share Posted April 7, 2010 Ok the login system is http://evolt.org/node/60384 - which im 100% sure its secure. The delete posts is if (isset($_POST['edit']) && $username = 'Admin') { if(isset($_POST['forumlock'])) { $forumlock=1; }else { $forumlock=0; } $threadid = mysql_real_escape_string( $_POST['id']); if ($_POST['deletepost'] == 'deletepost'){ mysql_query("DELETE FROM forumtutorial_posts WHERE postid='$threadid'") or die(mysql_error()); $updatep = "UPDATE `users` SET `post_count`=`post_count`-'1' WHERE `Username`='$username'"; mysql_query ($updatep) or die("Could not update post"); mysql_query("DELETE FROM forumtutorial_posts WHERE parentid='$threadid'") or die(mysql_error()); header( "refresh: 0; url=http://www.runningprofiles.com/members/index.php?page=forum&forum=$forum"); } if(isset($_POST['important'])) { $important=1; } else { $important=2; } $title = $_POST['title']; $query = "UPDATE forumtutorial_posts SET forumlock = '$forumlock', important = '$important', title = '$title' WHERE postid='$threadid' "; mysql_query($query) or die('Error, query failed'); header( "refresh: 0; url=http://www.runningprofiles.com/members/index.php?page=forum&forum=$forum"); } else { // $threadid = mysql_real_escape_string( $_POST['id']); $threadid = $CONT_ID; $check = ''; $forumlock=0;// default value if it's not set $checkimpor = ''; $important=0;// default value if it's not set ?> <script src="../../css/SpryCollapsiblePanel.js" type="text/javascript"></script> <div id="CollapsiblePanel<?php echo $threadid; ?>" class="CollapsiblePanel"> <div class="CollapsiblePanelTab" > Edit</div> <div class="CollapsiblePanelContent"> <form name='input' action='index.php?page=forum&forum=<? echo $forum ?>' method='post'> <div align="center"> <p>Title: <input class='inputinbox' name='title' type='text' value='<? echo $getthreads3[title];?>' /> <br/> <?php if($getthreads3['forumlock']==1) { echo "<input type='checkbox' name='forumlock' checked='checked' />"; } else { echo "<input type='checkbox' name='forumlock' />"; } ?> Lock a Room<br/> <?php if($getthreads3['important']==1) { echo "<input type='checkbox' name='important' checked='checked' />"; } else { echo "<input type='checkbox' name='important' />"; } ?> Important <br/> <input type="checkbox" name="deletepost" value="deletepost" /> Delete post</p> <input type="hidden" name="id" value="<?php echo $getthreads3[postid] ?>" /> <input type='submit' name='edit' class="submit-btn" value='' /> </div> </form> <? } ?></div> </div> <script type="text/javascript"> <!-- var CollapsiblePanel1 = new Spry.Widget.CollapsiblePanel("CollapsiblePanel<?php echo $threadid; ?>", {contentIsOpen:false}); //--> </script> Quote Link to comment https://forums.phpfreaks.com/topic/197842-website-being-hacked-some-one-is-deleting-all-posts/#findComment-1038289 Share on other sites More sharing options...
KevinM1 Posted April 7, 2010 Share Posted April 7, 2010 1. Where is $username set? 2. Are register globals turned on? Quote Link to comment https://forums.phpfreaks.com/topic/197842-website-being-hacked-some-one-is-deleting-all-posts/#findComment-1038291 Share on other sites More sharing options...
runnerjp Posted April 7, 2010 Author Share Posted April 7, 2010 register globals turned off and $username is set in my settings as a sessions with my_real_escape_string set with it... it sets the session on login. Quote Link to comment https://forums.phpfreaks.com/topic/197842-website-being-hacked-some-one-is-deleting-all-posts/#findComment-1038298 Share on other sites More sharing options...
PFMaBiSmAd Posted April 7, 2010 Share Posted April 7, 2010 im 100% sure its secure. No, it's not. There are two possible exploits. 1) It does not stop execution of the code on the page when it redirects, so when a login fails, the code on the page is still executed. 2) If you are not stopping the execution of the code on the page after you check if someone is not logged in, your delete code is still being executed. Edit: And I just looked at the 'admin' code that comes with that script. If you copied what it is doing, it is not protecting and preventing the code on your pages from being executed. All a hacker needs to do is ignore the header() redirects (which is the default if someone was using a CURL script to access your pages) and he can get any of your 'protected' code to execute. Quote Link to comment https://forums.phpfreaks.com/topic/197842-website-being-hacked-some-one-is-deleting-all-posts/#findComment-1038305 Share on other sites More sharing options...
Mchl Posted April 7, 2010 Share Posted April 7, 2010 can u provide me with a sample of how to set that ?? curl_setopt Quote Link to comment https://forums.phpfreaks.com/topic/197842-website-being-hacked-some-one-is-deleting-all-posts/#findComment-1038306 Share on other sites More sharing options...
Deoctor Posted April 7, 2010 Share Posted April 7, 2010 can u provide me with a sample of how to set that ?? curl_setopt hai 10q for that can u show me an example code Quote Link to comment https://forums.phpfreaks.com/topic/197842-website-being-hacked-some-one-is-deleting-all-posts/#findComment-1038308 Share on other sites More sharing options...
trq Posted April 7, 2010 Share Posted April 7, 2010 can u provide me with a sample of how to set that ?? curl_setopt hai 10q for that can u show me an example code Did you even look at the link? Quote Link to comment https://forums.phpfreaks.com/topic/197842-website-being-hacked-some-one-is-deleting-all-posts/#findComment-1038311 Share on other sites More sharing options...
PFMaBiSmAd Posted April 7, 2010 Share Posted April 7, 2010 I'll second that. If you search for REFERER on that page you will find more than one example. Quote Link to comment https://forums.phpfreaks.com/topic/197842-website-being-hacked-some-one-is-deleting-all-posts/#findComment-1038312 Share on other sites More sharing options...
runnerjp Posted April 7, 2010 Author Share Posted April 7, 2010 No, it's not. There are two possible exploits. 1) It does not stop execution of the code on the page when it redirects, so when a login fails, the code on the page is still executed. 2) If you are not stopping the execution of the code on the page after you check if someone is not logged in, your delete code is still being executed. Edit: And I just looked at the 'admin' code that comes with that script. If you copied what it is doing, it is not protecting and preventing the code on your pages from being executed. All a hacker needs to do is ignore the header() redirects (which is the default if someone was using a CURL script to access your pages) and he can get any of your 'protected' code to execute. Wow... ok how would you advise to solve these? Edit: i dont use the admin script im making my own using this function function checkLogin($levels) { global $db; $kt = split(' ', $levels); if (!$_SESSION['logged_in']) { $access = false; if (isset($_COOKIE['cookie_id'])) { //if we have a cookie $query = 'SELECT * FROM ' . DBPREFIX . 'users WHERE ID = ' . $db->qstr($_COOKIE['cookie_id']); if ($db->RecordCount($query) == 1) { //only one user can match that query $row = $db->getRow($query); //let's see if we pass the validation, no monkey business if ($_COOKIE['authenticate'] == md5(getIP() . $row->Password . $_SERVER['USER_AGENT'])) { //we set the sessions so we don't repeat this step over and over again $_SESSION['user_id'] = $row->ID; $_SESSION['logged_in'] = true; //now we check the level access, we might not have the permission if (in_array(get_level_access($_SESSION['user_id']), $kt)) { //we do?! horray! $access = true; } } } } } else { $access = false; if (in_array(get_level_access($_SESSION['user_id']), $kt)) { $access = true; } } if ($access == false) { header('Location: http://www.runningprofiles.com/error.php'); exit(); } } Quote Link to comment https://forums.phpfreaks.com/topic/197842-website-being-hacked-some-one-is-deleting-all-posts/#findComment-1038326 Share on other sites More sharing options...
PFMaBiSmAd Posted April 7, 2010 Share Posted April 7, 2010 Every header() redirect needs an exit; statement after it to stop the execution of the code at that point or you need to insure through conditional logic (i.e. an else{} statement) that you only execute the code you want when you want it. This is not secure - if(some security test here){ header('Location:.....'); } // code here is still executed while the browser performs the redirect This is secure - if(some security test here){ header('Location:.....'); exit; } // code here is not executed while the browser performs the redirect Quote Link to comment https://forums.phpfreaks.com/topic/197842-website-being-hacked-some-one-is-deleting-all-posts/#findComment-1038329 Share on other sites More sharing options...
Deoctor Posted April 7, 2010 Share Posted April 7, 2010 yes i found that out.. it is quite good. my internet is quite guud here so that is y missed it out in page loading....................... Quote Link to comment https://forums.phpfreaks.com/topic/197842-website-being-hacked-some-one-is-deleting-all-posts/#findComment-1038339 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.