runnerjp Posted April 7, 2010 Author Share Posted April 7, 2010 Ok i have exited it and followed all the above advice... but some how the user is STILL deleting my posts... i know they are doing this from the demo account as im tracing any chnages but i dont know HOW they are doign it Quote Link to comment https://forums.phpfreaks.com/topic/197842-website-being-hacked-some-one-is-deleting-all-posts/page/2/#findComment-1038374 Share on other sites More sharing options...
Deoctor Posted April 7, 2010 Share Posted April 7, 2010 have u checked with ur mysql settings.. i think the user is directly accessing ur mysql through the root user id or else might have created an other mysql user try changing the mysql user pass for all the user... Quote Link to comment https://forums.phpfreaks.com/topic/197842-website-being-hacked-some-one-is-deleting-all-posts/page/2/#findComment-1038378 Share on other sites More sharing options...
KevinM1 Posted April 7, 2010 Share Posted April 7, 2010 I don't know if this will help your troubleshooting, but I just logged in as demo, and I can delete the post written by the admin account by clicking the little pencil icon, then (presumably, as I didn't actually do it) clicking on the checkbox that appears, but not the one written by your name, as there's no pencil icon there. Your user permissions are screwed up. EDIT: could also be something to do with non-OP messages, as the pencil icon appears on the admin post in the test thread, which is the second post of the thread, but not in the tew thread, as it's the OP. Quote Link to comment https://forums.phpfreaks.com/topic/197842-website-being-hacked-some-one-is-deleting-all-posts/page/2/#findComment-1038382 Share on other sites More sharing options...
PFMaBiSmAd Posted April 7, 2010 Share Posted April 7, 2010 LOL, everything I wrote above has to do with the security of the login system. It has nothing to do with if your delete code allows any logged in visitor to delete anything they want. You must both check when you display the links/check-boxes if the current user has permission to have those things output for any record and you must checking in your form processing code if the current user has permission (or ownership) to actually affect the row(s) in the database tables. Quote Link to comment https://forums.phpfreaks.com/topic/197842-website-being-hacked-some-one-is-deleting-all-posts/page/2/#findComment-1038389 Share on other sites More sharing options...
sspoke Posted April 7, 2010 Share Posted April 7, 2010 Site has horribly to much errors Notice: Use of undefined constant title - assumed 'title' in /home/runningp/public_html/members/include/forumstats.php on line 55 Notice: Use of undefined constant title - assumed 'title' in /home/runningp/public_html/members/include/forumstats.php on line 55 Notice: Use of undefined constant title - assumed 'title' in /home/runningp/public_html/members/include/forumstats.php on line 55 Notice: Use of undefined constant title - assumed 'title' in /home/runningp/public_html/members/include/forumstats.php on line 55 Notice: Use of undefined constant title - assumed 'title' in /home/runningp/public_html/members/include/forumstats.php on line 55 Notice: Undefined variable: id in /home/runningp/public_html/members/index.php on line 91 Notice: Undefined index: page in /home/runningp/public_html/members/index.php on line 109 Notice: Undefined index: HTTPS in /home/runningp/public_html/getuser.php on line 10 Notice: Undefined variable: username in /home/runningp/public_html/getuser.php on line 24 Notice: Undefined variable: errMsgSubject in /home/runningp/public_html/members/include/message.php on line 557 Notice: Undefined variable: errMsgflood in /home/runningp/public_html/members/include/message.php on line 557 Notice: Undefined variable: errMsgPost in /home/runningp/public_html/members/include/message.php on line 558 Quote Link to comment https://forums.phpfreaks.com/topic/197842-website-being-hacked-some-one-is-deleting-all-posts/page/2/#findComment-1038396 Share on other sites More sharing options...
hackalive Posted April 7, 2010 Share Posted April 7, 2010 there (and I think I speak for most people who have posted so far) seems to be a lot of problems with the script and coding behind your progarm. Quote Link to comment https://forums.phpfreaks.com/topic/197842-website-being-hacked-some-one-is-deleting-all-posts/page/2/#findComment-1038407 Share on other sites More sharing options...
sspoke Posted April 7, 2010 Share Posted April 7, 2010 Logging into a demo account I believe I can delete any post.. create a few and let me try and problem is because I have a pencil tool which i can click and edit any post.. and if i edit them to blank.. same as deleting em Found your problem.. I am demo user.. but for some reason when I post! I post as Admin! Quote Link to comment https://forums.phpfreaks.com/topic/197842-website-being-hacked-some-one-is-deleting-all-posts/page/2/#findComment-1038409 Share on other sites More sharing options...
JonnoTheDev Posted April 7, 2010 Share Posted April 7, 2010 Here is the most obvious error in your code. I haven't read through the rest of the thread but I spotted this straight away. if (isset($_POST['edit']) && $username = 'Admin') You are setting $username to Admin rather than testing a condition. The comparison operator is == This means that anyone can edit any post. Change to if (isset($_POST['edit']) && $username == 'Admin') Quote Link to comment https://forums.phpfreaks.com/topic/197842-website-being-hacked-some-one-is-deleting-all-posts/page/2/#findComment-1038416 Share on other sites More sharing options...
runnerjp Posted April 7, 2010 Author Share Posted April 7, 2010 I don't know if this will help your troubleshooting, but I just logged in as demo, and I can delete the post written by the admin account by clicking the little pencil icon, then (presumably, as I didn't actually do it) clicking on the checkbox that appears, but not the one written by your name, as there's no pencil icon there. Your user permissions are screwed up. EDIT: could also be something to do with non-OP messages, as the pencil icon appears on the admin post in the test thread, which is the second post of the thread, but not in the tew thread, as it's the OP. @sspoke - how do i solve them errors.... i didnt think they where causing an issue with the hacking?!?! Thats only like that as im testing the script...making sure only the user can edit it who created the post... i just took the if() statement off so i could try it out, but thanks for looking. The other issue is its the opening thread thats getting deleted ( i assume thats this OP messages) @PFMaBiSmAd - my code allready had the exit(); on the error log , i think i have allready been told about that error earlyer on. Quote Link to comment https://forums.phpfreaks.com/topic/197842-website-being-hacked-some-one-is-deleting-all-posts/page/2/#findComment-1038425 Share on other sites More sharing options...
sspoke Posted April 7, 2010 Share Posted April 7, 2010 I've changed all your messages if you see to my message to show it's possible using Google Chrome go check it out. I've also included a <?php tag test to see if it's possible to even hack your computer by posting messages. If i can render my own php code on your page then I can simply take control over your whole computer by uploading php viruses.. like that delete your system files or php uploaders to upload viruses and run them using PHP! Your secure on running raw PHP code don't worry! Quote Link to comment https://forums.phpfreaks.com/topic/197842-website-being-hacked-some-one-is-deleting-all-posts/page/2/#findComment-1038427 Share on other sites More sharing options...
runnerjp Posted April 7, 2010 Author Share Posted April 7, 2010 I\'ve changed all your posts to show It\'s possible Using Google Chrome! how did u do that and how can i stop it!! Quote Link to comment https://forums.phpfreaks.com/topic/197842-website-being-hacked-some-one-is-deleting-all-posts/page/2/#findComment-1038429 Share on other sites More sharing options...
sspoke Posted April 7, 2010 Share Posted April 7, 2010 I\'ve changed all your posts to show It\'s possible Using Google Chrome! how did u do that and how can i stop it!! int postID = 0; for(; { outData = chrome.postMethod("http://www.runningprofiles.com/members/index.php?page=message&forum=training&id=659&pagenum=last", "postid=" + postID + "&deletepost=deletepost&message=I've%20changed%20all%20your%20posts%20to%20show%20It's%20possible%20<?php%20phpinfo();%20?>%20Using%20Google%20Chrome!&edit=", chrome.lastPage); postID++; } this is what I used. Quote Link to comment https://forums.phpfreaks.com/topic/197842-website-being-hacked-some-one-is-deleting-all-posts/page/2/#findComment-1038430 Share on other sites More sharing options...
runnerjp Posted April 7, 2010 Author Share Posted April 7, 2010 never come across anything like that!... how do i prevent it? Quote Link to comment https://forums.phpfreaks.com/topic/197842-website-being-hacked-some-one-is-deleting-all-posts/page/2/#findComment-1038432 Share on other sites More sharing options...
sspoke Posted April 7, 2010 Share Posted April 7, 2010 IDK.. but it seems that demo = Admin.. thats why i can edit all of Admins post. to prevent it you have to add a timestamp to all users that they cant most more then 5 posts per 10 seconds for example.. it will prevent the spammers Quote Link to comment https://forums.phpfreaks.com/topic/197842-website-being-hacked-some-one-is-deleting-all-posts/page/2/#findComment-1038433 Share on other sites More sharing options...
hcdarkmage Posted April 7, 2010 Share Posted April 7, 2010 Here is the most obvious error in your code. I haven't read through the rest of the thread but I spotted this straight away. if (isset($_POST['edit']) && $username = 'Admin') You are setting $username to Admin rather than testing a condition. The comparison operator is == This means that anyone can edit any post. Change to if (isset($_POST['edit']) && $username == 'Admin') Just trying to point out that neil.johnson may actually have your answer, if you'd look at what he is saying. Quote Link to comment https://forums.phpfreaks.com/topic/197842-website-being-hacked-some-one-is-deleting-all-posts/page/2/#findComment-1038435 Share on other sites More sharing options...
runnerjp Posted April 7, 2010 Author Share Posted April 7, 2010 Sorry i should have noted i changed the $username == 'Admin'; int postID = 0;for(; { outData = chrome.postMethod("http://www.runningprofiles.com/members/index.php?page=message&forum=training&id=659&pagenum=last", "postid=" + postID + "&deletepost=deletepost&message=I've%20changed%20all%20your%20posts%20to%20show%20It's%20possible%20<?php%20phpinfo();%20?>%20Using%20Google%20Chrome!&edit=", chrome.lastPage); postID++;} did you just run that in my message?? How did you know that would work? How can i test it to make sure it does not work? Whats stopping someone adding $username = 'Admin' to that code provided :| Quote Link to comment https://forums.phpfreaks.com/topic/197842-website-being-hacked-some-one-is-deleting-all-posts/page/2/#findComment-1038438 Share on other sites More sharing options...
premiso Posted April 7, 2010 Share Posted April 7, 2010 Sometimes, you should just stop. Go buy a book on "Security with PHP" or go read a few tutorials on it. Then come back to your code and really look at it. You are just glazing over it, in my opinion, and are obviously mis-informed about best security practices. Without seeing the full script, given that anyone would want to read through the full script, we cannot actively help you solve this issue. More or less read up on a basic secure "User Registration / Login System" with Sessions and implement that with checks. Quote Link to comment https://forums.phpfreaks.com/topic/197842-website-being-hacked-some-one-is-deleting-all-posts/page/2/#findComment-1038454 Share on other sites More sharing options...
PFMaBiSmAd Posted April 7, 2010 Share Posted April 7, 2010 Is the demo user in fact an Admin? Based on the code error in the delete logic that neil.johnson pointed out and the large negative post count for the user Admin, either any visitor or a normal logged in visitor was responsible for the deletion of your posts by iterating through a range of post id's. We cannot tell you specifically which of those actually caused the original problem because you have not shown the whole actual code from the start of the page through to the code that deletes the data. Based on that code error and the other things visible on the site, such as wrong thread/post counts and the problems with the growing number of escape characters (I also notice that in the code you did post that the $title data is not being escaped) that code is not ready for a live site. The functional testing that should have occurred before putting that code on a live site should have found the = vs == problem and if a non-admin (either a guest or a regular logged in member) can delete/edit posts. The only good thing I see is that the php code that sspoke included in the content that he changed the posts to was not executed, so you are at least not using eval() in your code. However, I suspect that injected javascript would execute in a visitor's browser, creating a XSS problem. That in fact just caused a thought to occur, perhaps someone injected some XSS into a post on your site that sent them either your session id cookie or your log in cookie values and they then visited your site as YOU and deleted the posts? Quote Link to comment https://forums.phpfreaks.com/topic/197842-website-being-hacked-some-one-is-deleting-all-posts/page/2/#findComment-1038469 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.