runnerjp Posted April 7, 2010

Hey guys, I logged on to edit my website today to find that most of my forum posts have been deleted! I have no idea how they have done this.... I have made sure all $_gets and $_posts have mysql real escaped and I just can't find out how they are doing it. Can anyone offer me guidance to find the errors .... I can provide access to the site to find the error itself. Anything to prevent my hard work being destroyed.
Deoctor Posted April 7, 2010

can u provide access to this and let us see it ..
runnerjp Posted April 7, 2010

The login screen is www.runningprofiles.com
Username:Demo
Password:Demo

they could be accessing my Admin account through the login but I'm not sure. I have added "PhP freaks please help me" just to show it's my login screen!
Deoctor Posted April 7, 2010

haven't u made any kind of logs in ur code.. can u provide me with the code details
conker87 Posted April 7, 2010

Are you sure someone didn't just login with the above details?
runnerjp Posted April 7, 2010

What do you mean by logs??
runnerjp Posted April 7, 2010

they could have but I don't see how they edited it... I've just changed permissions on the edit button to delete posts etc. so I can try to clean it up a little quickly - usually it has if{$userid = '1'} so only Admin can edit it. For the time being I think I might log all logins with date, time, IP etc.... all errors (how would I create an error log so I can record username, IP and error made @ time??) and all deletions etc. made by users. Try to track down how and who is doing it
Deoctor Posted April 7, 2010

> they could have but I don't see how they edited it... I've just changed permissions on the edit button to delete posts etc. so I can try to clean it up a little quickly - usually it has if{$userid = '1'} so only Admin can edit it. For the time being I think I might log all logins with date, time, IP etc.... all errors (how would I create an error log so I can record username, IP and error made @ time??) and all deletions etc. made by users. Try to track down how and who is doing it

if u can provide us ur code then i can surely help u out on hw u can log the details of the guys who are doing in out..

> What do you mean by logs??

i mean this one only.. whether u are storing anything when someone is doing something on ur site... this would slow down ur process but it will surely help u out when something like this happens...
runnerjp Posted April 7, 2010

> if u can provide us ur code then i can surely help u out on hw u can log the details of the guys who are doing in out..

Ok well usernames are stored as $username; the page they are on is stored as $url; time is $time; any other part of code u want?

> mean this one only.. whether u are storing anything when someone is doing something on ur site... this would slow down ur process but it will surely help u out when something like this happens...

and no I don't sadly, but I think I best lol
Deoctor Posted April 7, 2010

so u are using the admin login only to delete the posts right, so what u can do is check the http referrer from which they are using to access the pages of deletion. if any script is doing it out then obviously u can restrict that.. check with these server variables and add the ones whichever u need most

http://php.net/manual/en/reserved.variables.server.php
runnerjp Posted April 7, 2010

I have had a look at the page and it does not make sense to me. Also do you know how to log errors?? So far I have-

```php
/* we will do our own error handling. */
error_reporting(0); // Turns off all error reporting.

/* user defined error handling function. */
function userErrorHandler($errno, $errmsg, $filename, $linenum, $vars)
{
    // timestamp for the error entry.
    $dt = date('Y-m-d H:i:s (T)');

    // define an assoc array of error string
    // in reality the only entries we should
    // consider are E_WARNING, E_NOTICE, E_USER_ERROR,
    // E_USER_WARNING and E_USER_NOTICE.
    $errortype = array (
        E_ERROR           => 'Error',
        E_WARNING         => 'Warning',
        E_PARSE           => 'Parsing Error',
        E_NOTICE          => 'Notice',
        E_CORE_ERROR      => 'Core Error',
        E_CORE_WARNING    => 'Core Warning',
        E_COMPILE_ERROR   => 'Compile Error',
        E_COMPILE_WARNING => 'Compile Warning',
        E_USER_ERROR      => 'User Error',
        E_USER_WARNING    => 'User Warning',
        E_USER_NOTICE     => 'User Notice',
        E_STRICT          => 'Runtime Notice'
    );

    // set of errors for which a var trace will be saved.
    $user_errors = array(E_USER_ERROR, E_USER_WARNING, E_USER_NOTICE);

    $err = "<errorentry>\n";
    $err .= "\t<datetime>" .$dt. "</datetime>\n";
    $err .= "\t<errornum>" .$errno. "</errornum>\n";
    $err .= "\t<errortype>" .$errortype[$errno]. "</errortype>\n";
    $err .= "\t<errormsg>" .$errmsg. "</errormsg>\n";
    $err .= "\t<scriptname>" .$filename. "</scriptname>\n";
    $err .= "\t<scriptlinenum>" .$linenum. "</scriptlinenum>\n";

    if (in_array($errno, $user_errors)) {
        $err .= "\t<vartrace>" .wddx_serialize_value($vars, 'Variables'). "</vartrace>\n";
    }
    $err .= "</errorentry>\n\n";

    // save to the error log file, and e-mail me if there is a critical user error.
    error_log($err, 3, '../error_log.log');
    if ($errno == E_USER_ERROR) {
        mail('bgates@gmail.com', 'Critical User Error', $err);
    }
}

$old_error_handler = set_error_handler('userErrorHandler');
```

if I was to change it so I added it to db with username and page etc. would this help?
Deoctor Posted April 7, 2010

it is not regarding the errors that i am asking about.. what i am trying to say here is that suppose if an user logs into ur site then these are the following details u can fetch from that

SERVER_ADDR
REQUEST_METHOD
REQUEST_TIME
QUERY_STRING
HTTP_REFERER--used to find whether he is coming from a valid url...
REMOTE_ADDR
SCRIPT_FILENAME
and so on......

these are quite helpful for you to trace the things while u are working on.. also have a check whether someone is directly accessing ur database and deleting the things change ur mysql password and also the access levels for the user id...
PFMaBiSmAd Posted April 7, 2010

It's highly likely that your form processing code where you actually delete posts (and perhaps on all of your admin functions) is either not checking if the current visitor is logged in as an admin or the code you are using to check that can be bypassed.

The code we really need to see would be for the delete function and the login security you are using on that page.

Just an FYI: HTTP_REFERER is a header that comes with the HTTP request. It can easily be set to anything and in fact most of the web proxy scripts set it to be the same as the domain being requested so that requests that come through such a proxy look like they are from someone who is actually browsing on your site. HTTP_REFERER cannot really be trusted or used for anything more than informational purposes.
Deoctor Posted April 7, 2010

> Just an FYI: HTTP_REFERER is a header that comes with the HTTP request. It can easily be set to anything and in fact most of the web proxy scripts set it to be the same as the domain being requested so that requests that come through such a proxy look like they are from someone who is actually browsing on your site. HTTP_REFERER cannot really be trusted or used for anything more than informational purposes.

can u provide me with a sample of how to set that ??
runnerjp Posted April 7, 2010

Ok the login system is http://evolt.org/node/60384 - which I'm 100% sure it's secure. The delete posts is

```php
if (isset($_POST['edit']) && $username = 'Admin') {
    if (isset($_POST['forumlock'])) {
        $forumlock = 1;
    } else {
        $forumlock = 0;
    }
    $threadid = mysql_real_escape_string( $_POST['id']);
    if ($_POST['deletepost'] == 'deletepost') {
        mysql_query("DELETE FROM forumtutorial_posts WHERE postid='$threadid'") or die(mysql_error());
        $updatep = "UPDATE `users` SET `post_count`=`post_count`-'1' WHERE `Username`='$username'";
        mysql_query($updatep) or die("Could not update post");
        mysql_query("DELETE FROM forumtutorial_posts WHERE parentid='$threadid'") or die(mysql_error());
        header("refresh: 0; url=http://www.runningprofiles.com/members/index.php?page=forum&forum=$forum");
    }
    if (isset($_POST['important'])) {
        $important = 1;
    } else {
        $important = 2;
    }
    $title = $_POST['title'];
    $query = "UPDATE forumtutorial_posts SET forumlock = '$forumlock', important = '$important', title = '$title' WHERE postid='$threadid' ";
    mysql_query($query) or die('Error, query failed');
    header("refresh: 0; url=http://www.runningprofiles.com/members/index.php?page=forum&forum=$forum");
} else {
    // $threadid = mysql_real_escape_string( $_POST['id']);
    $threadid = $CONT_ID;
    $check = '';
    $forumlock = 0; // default value if it's not set
    $checkimpor = '';
    $important = 0; // default value if it's not set
?>
<script src="../../css/SpryCollapsiblePanel.js" type="text/javascript"></script>
<div id="CollapsiblePanel<?php echo $threadid; ?>" class="CollapsiblePanel">
<div class="CollapsiblePanelTab" > Edit</div>
<div class="CollapsiblePanelContent">
<form name='input' action='index.php?page=forum&forum=<? echo $forum ?>' method='post'>
<div align="center">
<p>Title: <input class='inputinbox' name='title' type='text' value='<? echo $getthreads3[title];?>' /> <br/>
<?php
if($getthreads3['forumlock']==1) {
    echo "<input type='checkbox' name='forumlock' checked='checked' />";
} else {
    echo "<input type='checkbox' name='forumlock' />";
}
?> Lock a Room<br/>
<?php
if($getthreads3['important']==1) {
    echo "<input type='checkbox' name='important' checked='checked' />";
} else {
    echo "<input type='checkbox' name='important' />";
}
?> Important <br/>
<input type="checkbox" name="deletepost" value="deletepost" /> Delete post</p>
<input type="hidden" name="id" value="<?php echo $getthreads3[postid] ?>" />
<input type='submit' name='edit' class="submit-btn" value='' />
</div>
</form>
<? } ?></div>
</div>
<script type="text/javascript">
<!--
var CollapsiblePanel1 = new Spry.Widget.CollapsiblePanel("CollapsiblePanel<?php echo $threadid; ?>", {contentIsOpen:false});
//-->
</script>
```
KevinM1 Posted April 7, 2010

1. Where is $username set?
2. Are register globals turned on?
runnerjp Posted April 7, 2010

register globals turned off and $username is set in my settings as a sessions with my_real_escape_string set with it... it sets the session on login.
PFMaBiSmAd Posted April 7, 2010

> I'm 100% sure it's secure.

No, it's not. There are two possible exploits.

1) It does not stop execution of the code on the page when it redirects, so when a login fails, the code on the page is still executed.
2) If you are not stopping the execution of the code on the page after you check if someone is not logged in, your delete code is still being executed.

Edit: And I just looked at the 'admin' code that comes with that script. If you copied what it is doing, it is not protecting and preventing the code on your pages from being executed. All a hacker needs to do is ignore the header() redirects (which is the default if someone was using a CURL script to access your pages) and he can get any of your 'protected' code to execute.
Mchl Posted April 7, 2010

> can u provide me with a sample of how to set that ??

curl_setopt
Deoctor Posted April 7, 2010

> > can u provide me with a sample of how to set that ??
>
> curl_setopt

hai 10q for that can u show me an example code
trq Posted April 7, 2010

> > > can u provide me with a sample of how to set that ??
> >
> > curl_setopt
>
> hai 10q for that can u show me an example code

Did you even look at the link?
PFMaBiSmAd Posted April 7, 2010

I'll second that. If you search for REFERER on that page you will find more than one example.
runnerjp Posted April 7, 2010

> No, it's not. There are two possible exploits.
>
> 1) It does not stop execution of the code on the page when it redirects, so when a login fails, the code on the page is still executed.
> 2) If you are not stopping the execution of the code on the page after you check if someone is not logged in, your delete code is still being executed.
>
> Edit: And I just looked at the 'admin' code that comes with that script. If you copied what it is doing, it is not protecting and preventing the code on your pages from being executed. All a hacker needs to do is ignore the header() redirects (which is the default if someone was using a CURL script to access your pages) and he can get any of your 'protected' code to execute.

Wow... ok how would you advise to solve these?

Edit: I don't use the admin script, I'm making my own using this function

```php
function checkLogin($levels)
{
    global $db;
    $kt = split(' ', $levels);

    if (!$_SESSION['logged_in']) {
        $access = false;

        if (isset($_COOKIE['cookie_id'])) { //if we have a cookie
            $query = 'SELECT * FROM ' . DBPREFIX . 'users WHERE ID = ' . $db->qstr($_COOKIE['cookie_id']);

            if ($db->RecordCount($query) == 1) { //only one user can match that query
                $row = $db->getRow($query);

                //let's see if we pass the validation, no monkey business
                if ($_COOKIE['authenticate'] == md5(getIP() . $row->Password . $_SERVER['USER_AGENT'])) {
                    //we set the sessions so we don't repeat this step over and over again
                    $_SESSION['user_id'] = $row->ID;
                    $_SESSION['logged_in'] = true;

                    //now we check the level access, we might not have the permission
                    if (in_array(get_level_access($_SESSION['user_id']), $kt)) {
                        //we do?! horray!
                        $access = true;
                    }
                }
            }
        }
    } else {
        $access = false;

        if (in_array(get_level_access($_SESSION['user_id']), $kt)) {
            $access = true;
        }
    }

    if ($access == false) {
        header('Location: http://www.runningprofiles.com/error.php');
        exit();
    }
}
```
PFMaBiSmAd Posted April 7, 2010

Every header() redirect needs an exit; statement after it to stop the execution of the code at that point or you need to ensure through conditional logic (i.e. an else{} statement) that you only execute the code you want when you want it.

This is not secure -

```
if(some security test here){
    header('Location:.....');
}
// code here is still executed while the browser performs the redirect
```

This is secure -

```
if(some security test here){
    header('Location:.....');
    exit;
}
// code here is not executed while the browser performs the redirect
```
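An added example, not code from any poster in this thread: a delete handler that applies the points made above, with `exit` after every redirect, an admin check that compares with `===` (the posted condition `$username = 'Admin'` is an assignment, so it passes for any request that posts `edit`), bound parameters for the DELETE, and an audit line built from the `$_SERVER` values listed earlier. `ADMIN_ID`, the `FORUM_*` environment variables and the `audit.log` path are assumptions; the table, column and session key names are taken from the posted code.

```php
<?php
// Added example, not the poster's code. Assumed names: ADMIN_ID, FORUM_DSN,
// FORUM_DB_USER, FORUM_DB_PASS and audit.log. Table, columns and session keys
// come from the code posted in the thread.
declare(strict_types=1);
session_start();

const ADMIN_ID = 1; // assumption: numeric id of the admin account

function audit(string $event): void
{
    // Record who did what. Referer is client-supplied, so it is context only.
    $fields = [
        date('c'),
        $event,
        'user=' . ($_SESSION['user_id'] ?? 'anonymous'),
        'ip=' . ($_SERVER['REMOTE_ADDR'] ?? '-'),
        'req=' . ($_SERVER['REQUEST_METHOD'] ?? '-') . ' ' . ($_SERVER['REQUEST_URI'] ?? '-'),
        'referer=' . ($_SERVER['HTTP_REFERER'] ?? '-'),
    ];
    // Strip CR/LF so request data cannot forge extra log lines.
    $line = str_replace(["\r", "\n"], ' ', implode(' ', $fields));
    error_log($line . PHP_EOL, 3, __DIR__ . '/../audit.log');
}

function require_admin(): void
{
    // Strict comparison (===); a single "=" would assign and always pass.
    $isAdmin = ($_SESSION['logged_in'] ?? false) === true
        && (int) ($_SESSION['user_id'] ?? 0) === ADMIN_ID;
    if (!$isAdmin) {
        audit('denied');
        header('Location: /error.php');
        exit; // the redirect alone does not stop the script
    }
}

require_admin(); // runs before any code that changes data

$postId = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);
if (isset($_POST['edit'], $_POST['deletepost']) && is_int($postId)) {
    $pdo = new PDO((string) getenv('FORUM_DSN'),
        getenv('FORUM_DB_USER') ?: null, getenv('FORUM_DB_PASS') ?: null);
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Bound parameters replace hand-escaped strings in the DELETE statements.
    $stmt = $pdo->prepare(
        'DELETE FROM forumtutorial_posts WHERE postid = :post OR parentid = :parent'
    );
    $stmt->execute([':post' => $postId, ':parent' => $postId]);
    audit('deleted post ' . $postId . ' rows=' . $stmt->rowCount());
    header('Location: /members/index.php?page=forum');
    exit;
}
```

With the audit file in place, each denied or completed delete leaves one line with the session user, `REMOTE_ADDR` and request, which is the record the thread starter was missing when the posts disappeared.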
Deoctor Posted April 7, 2010

yes i found that out.. it is quite good. my internet is quite guud here so that is y missed it out in page loading.......................