runnerjp (Author) Posted April 7, 2010
Ok, I have exited it and followed all the above advice... but somehow the user is STILL deleting my posts... I know they are doing this from the demo account as I'm tracing any changes, but I don't know HOW they are doing it.
Deoctor Posted April 7, 2010
Have you checked your MySQL settings? I think the user is directly accessing your MySQL through the root user ID, or else might have created another MySQL user. Try changing the MySQL password for all the users...
KevinM1 Posted April 7, 2010
I don't know if this will help your troubleshooting, but I just logged in as demo, and I can delete the post written by the admin account by clicking the little pencil icon, then (presumably, as I didn't actually do it) clicking on the checkbox that appears, but not the one written by your name, as there's no pencil icon there. Your user permissions are screwed up.
EDIT: could also be something to do with non-OP messages, as the pencil icon appears on the admin post in the test thread, which is the second post of the thread, but not in the tew thread, as it's the OP.
PFMaBiSmAd Posted April 7, 2010
LOL, everything I wrote above has to do with the security of the login system. It has nothing to do with whether your delete code allows any logged-in visitor to delete anything they want. You must both check, when you display the links/check-boxes, if the current user has permission to have those things output for any record, and you must check in your form processing code if the current user has permission (or ownership) to actually affect the row(s) in the database tables.
sspoke Posted April 7, 2010
Site has horribly too many errors:
Notice: Use of undefined constant title - assumed 'title' in /home/runningp/public_html/members/include/forumstats.php on line 55
Notice: Use of undefined constant title - assumed 'title' in /home/runningp/public_html/members/include/forumstats.php on line 55
Notice: Use of undefined constant title - assumed 'title' in /home/runningp/public_html/members/include/forumstats.php on line 55
Notice: Use of undefined constant title - assumed 'title' in /home/runningp/public_html/members/include/forumstats.php on line 55
Notice: Use of undefined constant title - assumed 'title' in /home/runningp/public_html/members/include/forumstats.php on line 55
Notice: Undefined variable: id in /home/runningp/public_html/members/index.php on line 91
Notice: Undefined index: page in /home/runningp/public_html/members/index.php on line 109
Notice: Undefined index: HTTPS in /home/runningp/public_html/getuser.php on line 10
Notice: Undefined variable: username in /home/runningp/public_html/getuser.php on line 24
Notice: Undefined variable: errMsgSubject in /home/runningp/public_html/members/include/message.php on line 557
Notice: Undefined variable: errMsgflood in /home/runningp/public_html/members/include/message.php on line 557
Notice: Undefined variable: errMsgPost in /home/runningp/public_html/members/include/message.php on line 558
hackalive Posted April 7, 2010
There (and I think I speak for most people who have posted so far) seems to be a lot of problems with the script and coding behind your program.
sspoke Posted April 7, 2010
Logging into a demo account I believe I can delete any post.. create a few and let me try. The problem is because I have a pencil tool which I can click and edit any post.. and if I edit them to blank.. same as deleting em.
Found your problem.. I am demo user.. but for some reason when I post, I post as Admin!
JonnoTheDev Posted April 7, 2010
Here is the most obvious error in your code. I haven't read through the rest of the thread but I spotted this straight away.
if (isset($_POST['edit']) && $username = 'Admin')
You are setting $username to Admin rather than testing a condition. The comparison operator is ==. This means that anyone can edit any post. Change to
if (isset($_POST['edit']) && $username == 'Admin')
runnerjp (Author) Posted April 7, 2010
> I don't know if this will help your troubleshooting, but I just logged in as demo, and I can delete the post written by the admin account by clicking the little pencil icon, then (presumably, as I didn't actually do it) clicking on the checkbox that appears, but not the one written by your name, as there's no pencil icon there. Your user permissions are screwed up.
> EDIT: could also be something to do with non-OP messages, as the pencil icon appears on the admin post in the test thread, which is the second post of the thread, but not in the tew thread, as it's the OP.
@sspoke - how do I solve those errors.... I didn't think they were causing an issue with the hacking?!?!
That's only like that as I'm testing the script... making sure only the user who created the post can edit it... I just took the if() statement off so I could try it out, but thanks for looking. The other issue is it's the opening thread that's getting deleted (I assume that's these OP messages).
@PFMaBiSmAd - my code already had the exit(); on the error log, I think I have already been told about that error earlier on.
sspoke Posted April 7, 2010
I've changed all your messages, if you see, to my message to show it's possible using Google Chrome; go check it out. I've also included a <?php tag test to see if it's possible to even hack your computer by posting messages. If I can render my own PHP code on your page then I can simply take control over your whole computer by uploading PHP viruses.. like that delete your system files, or PHP uploaders to upload viruses and run them using PHP! You're secure on running raw PHP code, don't worry!
runnerjp (Author) Posted April 7, 2010
> I\'ve changed all your posts to show It\'s possible Using Google Chrome!
How did you do that and how can I stop it!!
sspoke Posted April 7, 2010
> I\'ve changed all your posts to show It\'s possible Using Google Chrome!
> How did you do that and how can I stop it!!
int postID = 0;
for(;;) {
    outData = chrome.postMethod("http://www.runningprofiles.com/members/index.php?page=message&forum=training&id=659&pagenum=last", "postid=" + postID + "&deletepost=deletepost&message=I've%20changed%20all%20your%20posts%20to%20show%20It's%20possible%20<?php%20phpinfo();%20?>%20Using%20Google%20Chrome!&edit=", chrome.lastPage);
    postID++;
}
This is what I used.
runnerjp (Author) Posted April 7, 2010
Never come across anything like that!... how do I prevent it?
sspoke Posted April 7, 2010
IDK.. but it seems that demo = Admin.. that's why I can edit all of Admin's posts. To prevent it you have to add a timestamp to all users so that they can't post more than 5 posts per 10 seconds, for example.. it will prevent the spammers.
hcdarkmage Posted April 7, 2010
> Here is the most obvious error in your code. I haven't read through the rest of the thread but I spotted this straight away.
> if (isset($_POST['edit']) && $username = 'Admin')
> You are setting $username to Admin rather than testing a condition. The comparison operator is ==. This means that anyone can edit any post. Change to
> if (isset($_POST['edit']) && $username == 'Admin')
Just trying to point out that neil.johnson may actually have your answer, if you'd look at what he is saying.
runnerjp (Author) Posted April 7, 2010
Sorry, I should have noted I changed the $username == 'Admin';
> int postID = 0;
> for(;;) {
>     outData = chrome.postMethod("http://www.runningprofiles.com/members/index.php?page=message&forum=training&id=659&pagenum=last", "postid=" + postID + "&deletepost=deletepost&message=I've%20changed%20all%20your%20posts%20to%20show%20It's%20possible%20<?php%20phpinfo();%20?>%20Using%20Google%20Chrome!&edit=", chrome.lastPage);
>     postID++;
> }
Did you just run that in my message?? How did you know that would work? How can I test it to make sure it does not work? What's stopping someone adding $username = 'Admin' to that code provided :|
premiso Posted April 7, 2010
Sometimes, you should just stop. Go buy a book on "Security with PHP" or go read a few tutorials on it. Then come back to your code and really look at it. You are just glazing over it, in my opinion, and are obviously misinformed about best security practices. Without seeing the full script, given that anyone would want to read through the full script, we cannot actively help you solve this issue. More or less, read up on a basic secure "User Registration / Login System" with Sessions and implement that with checks.
PFMaBiSmAd Posted April 7, 2010
Is the demo user in fact an Admin? Based on the code error in the delete logic that neil.johnson pointed out and the large negative post count for the user Admin, either any visitor or a normal logged-in visitor was responsible for the deletion of your posts by iterating through a range of post ids. We cannot tell you specifically which of those actually caused the original problem because you have not shown the whole actual code from the start of the page through to the code that deletes the data.
Based on that code error and the other things visible on the site, such as wrong thread/post counts and the problems with the growing number of escape characters (I also notice that in the code you did post the $title data is not being escaped), that code is not ready for a live site. The functional testing that should have occurred before putting that code on a live site should have found the = vs == problem and whether a non-admin (either a guest or a regular logged-in member) can delete/edit posts.
The only good thing I see is that the PHP code that sspoke included in the content that he changed the posts to was not executed, so you are at least not using eval() in your code. However, I suspect that injected javascript would execute in a visitor's browser, creating an XSS problem. That in fact just caused a thought to occur: perhaps someone injected some XSS into a post on your site that sent them either your session id cookie or your log in cookie values, and they then visited your site as YOU and deleted the posts?
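As an added illustration of the server-side checks PFMaBiSmAd and JonnoTheDev describe (not code from the thread or from runnerjp's site), here is a delete handler that refuses the request unless the session user owns the post or is an admin; the posts/users table layout, the PDO connection, the session key and the is_admin column are assumptions.

```php
<?php
// Added example, not the original poster's code. Assumed schema:
// posts(id, author, message) and users(username, is_admin).
session_start();

function currentUser(): ?string {
    // Set only by the login code; never trust a username sent in $_POST.
    return $_SESSION['username'] ?? null;
}

function canModifyPost(PDO $db, int $postId, string $user): bool {
    // Look up the post's owner; an unknown id yields no row and is refused.
    $stmt = $db->prepare('SELECT author FROM posts WHERE id = ?');
    $stmt->execute([$postId]);
    $author = $stmt->fetchColumn();
    if ($author === false) {
        return false;
    }
    $stmt = $db->prepare('SELECT is_admin FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $isAdmin = (bool) $stmt->fetchColumn();
    // Comparison, not assignment: the thread's bug was "$username = 'Admin'".
    return $isAdmin || $author === $user;
}

function handleDelete(PDO $db): string {
    $user = currentUser();
    if ($user === null) {
        http_response_code(403);
        return 'not logged in';
    }
    $postId = filter_input(INPUT_POST, 'postid', FILTER_VALIDATE_INT);
    if ($postId === false || $postId === null || !isset($_POST['deletepost'])) {
        http_response_code(400);
        return 'bad request';
    }
    if (!canModifyPost($db, $postId, $user)) {
        http_response_code(403);
        return 'forbidden';   // worth logging $user and $postId for audit
    }
    $stmt = $db->prepare('DELETE FROM posts WHERE id = ?');
    $stmt->execute([$postId]);
    return 'deleted';
}

// Reuse canModifyPost() when rendering to decide whether to show the pencil
// icon, and escape every post body on output to close the XSS hole noted above:
// echo htmlspecialchars($message, ENT_QUOTES, 'UTF-8');
```

The same ownership check runs both when the edit/delete controls are drawn and when the form is processed, so hiding the pencil icon is never the only barrier.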