Thread: https://forums.phpfreaks.com/topic/255224-this-site-keeps-getting-hacked/

geeks, posted January 17, 2012
Please help, this site keeps getting hacked. I have escaped all my SQL input, as well as applying intval() to almost all input variables, and I have hit a brick wall. I can always use PDO, but that would be a monumental task, and it may be something simple that I am missing.
Link to my verifying txt file: http://www.apdec.org.za/phpfreaks.txt
Link to the site: http://www.apdec.org.za/
Specifically, I have been hacked on the branch names and page content. I have a full backup of the code as well as the database. I would really appreciate any help.
Thanks, Craig
ManiacDan, posted January 17, 2012
If you're saying that your SVN was hacked, it's not a problem with your code; it's the server itself.
geeks (author), posted January 17, 2012
Thanks. How do I check if it's the code or the server? I am on a shared hosting server.
ManiacDan, posted January 17, 2012
What is the actual problem? What are the symptoms? How far down does the hack go? Are files on the filesystem being modified?
geeks (author), posted January 17, 2012
Strictly database hacks, nothing serious. The hacker keeps putting a "fix your security fail" message on the home page and changing branch names. All that information is stored in the database, so it would appear to be an SQL attack of some sort. Thanks for the help so far, it is much appreciated.
ManiacDan, posted January 17, 2012
You keep saying "branch names" like we know what that term means. If he's changing the home page, he has access to the code as well, unless the string he's inserting comes from a database table.
geeks (author), posted January 18, 2012
> You keep saying "branch names" like we know what that term means.

Basically it is a non-profit organisation and they have different branches; these branches are stored in a database. Sorry, my bad: everything being edited by the hacker is stored in the database. The code seems to stay in place. Thanks again. I am not a hacker or a security specialist, and this was my first project (the code is not the best).
gizmola, posted January 18, 2012
Well, it looks likely that you have an SQL injection exploit. Did you use mysql_real_escape_string() to escape all the strings you are accepting via inserts, updates and deletes? I'm guessing no. Start there.
geeks (author), posted January 18, 2012
> Did you use mysql_real_escape_string() to escape all the strings you are accepting via inserts, updates and deletes?

I think so. I am going to double-check them all again to be sure.
darkfreaks, posted March 6, 2012
Seems like, as mentioned, secure against SQL exploits using either PDO or mysql_real_escape_string: http://net.tutsplus.com/tutorials/php/why-you-should-be-using-phps-pdo-for-database-access/
Also, if you have server access to your VPN or SVN, you might look into getting and installing some free-source anti-DDoS software.
darkfreaks, posted July 11, 2012

Vulnerability description
This script is possibly vulnerable to Cross Site Scripting (XSS) attacks. Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of Javascript) to another user. Because a browser cannot know if the script should be trusted or not, it will execute the script in the user context allowing the attacker to access any cookies or session tokens retained by the browser.

This vulnerability affects /events.php, searchresults.php
Discovered by: Scripting (XSS_in_URI.script).

The impact of this vulnerability
Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account, impersonating the user. It is also possible to modify the content of the page presented to the user.

Attack details
URI was set to 'onmouseover=prompt(914554)>
The input is reflected inside a tag element between single quotes.

URL encoded GET input Searchterms was set to 1<ScRiPt >prompt(957795)</ScRiPt>
The input is reflected inside <title> tag.
The input is reflected inside a text element.
The input is reflected inside a tag element between double quotes.
The Little Guy, posted July 15, 2012
I searched a hacking forum and found this link: http://www.apdec.org.za/news.php?branch=2'&article=58'
Could this be what is causing your problem? When your query is expecting numbers, force the value to a number like this:

    $branch_id = (int)$_GET['branch'];
    $query = "select * from branches where branch_id = $branch_id";
ignace, posted July 15, 2012
TLG, can you provide the link to the hacking forum thread? There might be more useful info for the OP.
The Little Guy, posted July 28, 2012
Here are the search results: http://www.hackforums.net/search.php?action=results&sid=b6617ba1b2b97559ccb77d02b8969b98&sortby=lastpost&order=desc
You may need an account to view them.
flynismo, posted November 6, 2012
It's your search box in the top right corner. Use htmlspecialchars() and/or strip_tags() to clean user input. And avoid using the $_GET method.
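The scanner report above says the Searchterms value is reflected in three places (inside <title>, inside a text element, inside a double-quoted attribute), and flynismo's reply names htmlspecialchars() as the fix. The following is an added example written for this thread, not code from the site or from any poster; the page structure, the function names and the CLI fallback value are assumptions, and the sample payload is the one copied from the scanner output above.

```php
<?php
// Added example, not code from the thread or from the apdec.org.za site.
// It applies htmlspecialchars() at the point of output in the three contexts
// the scanner report lists: <title>, a text element, and a quoted attribute.
declare(strict_types=1);

// Escape a value for HTML text and for quoted attribute values.
// ENT_QUOTES encodes both ' and " so the result is safe in either quote style;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string;
// the charset must match the <meta charset> of the page being rendered.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable rendering: the raw term is concatenated straight into the markup,
// so a term containing < or " changes the structure of the page.
function renderSearchUnsafe(string $term): string
{
    return "<title>Search: $term</title>\n"
         . "<input type=\"text\" name=\"Searchterms\" value=\"$term\">\n"
         . "<p>Results for $term</p>\n";
}

// Hardened rendering: the same markup, escaped once per output point.
// Escaping happens here, at output, rather than by stripping at input, because
// the same term may also be needed unchanged for the database search.
function renderSearchSafe(string $term): string
{
    $t = e($term);
    return "<title>Search: $t</title>\n"
         . "<input type=\"text\" name=\"Searchterms\" value=\"$t\">\n"
         . "<p>Results for $t</p>\n";
}

// In searchresults.php the term would come from $_GET['Searchterms'] (the
// parameter name in the scanner report). The fallback is a constructed value,
// copied from that report, so the script also runs from the command line.
$term = $_GET['Searchterms'] ?? '1<ScRiPt >prompt(957795)</ScRiPt>';

echo "--- unsafe ---\n", renderSearchUnsafe($term);
echo "--- safe ---\n", renderSearchSafe($term);
// In the safe output the term appears as
// 1&lt;ScRiPt &gt;prompt(957795)&lt;/ScRiPt&gt;, which the browser shows as text.
```

Run it with `php searchresults-example.php` and compare the two blocks: the unsafe one contains a live `<ScRiPt>` element in all three positions, the safe one contains only text. strip_tags() is not a substitute for this, since it leaves quotes and attribute-breaking characters in place; htmlspecialchars() with ENT_QUOTES handles every one of the contexts the report lists.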
Stefany93, posted November 15, 2012 (edited)
^^ I usually do it like that when I have to get a numerical value from a query string:

    $category = filter_input(INPUT_GET, 'category', FILTER_SANITIZE_NUMBER_INT);

filter_input is an awesome function for security.
Edited November 15, 2012 by Stefany93
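Three replies in this thread point at the same fix from different angles: gizmola's escaping of every inserted or updated string, The Little Guy's (int) cast for the branch parameter that news.php?branch=2' breaks, and Stefany93's filter_input() for numeric query-string values. The example below is added for this thread and is not code from the site or from any poster. It puts the query shape that a stray quote breaks beside two hardened forms: the integer cast, and a validated integer bound through a PDO prepared statement (which is also the form to use for the branch-name strings the attacker edited, where a cast cannot apply). The table and column names (branches, branch_id, branch_name) and the sample rows are assumptions; the unsafe query is only built as a string and is never executed.

```php
<?php
// Added example, not code from the thread or from the apdec.org.za site.
// Table/column names and sample rows are constructed for the demonstration.
declare(strict_types=1);

// The vulnerable shape: the GET value is interpolated as-is. With branch=2'
// the quote is unbalanced and the statement errors (with or without quotes
// around the value in the original code); a crafted value would instead
// change what the statement means. This function only builds the string.
function buildQueryUnsafe(string $branch): string
{
    return "SELECT branch_name FROM branches WHERE branch_id = '$branch'";
}

// Hardened form 1 (The Little Guy's reply): cast before interpolation.
// Anything that is not a number becomes 0, so the SQL text is always fixed.
// Only usable for numeric columns.
function buildQueryIntCast(string $branch): string
{
    $branchId = (int) $branch;
    return "SELECT branch_name FROM branches WHERE branch_id = $branchId";
}

// Hardened form 2: validate, then bind. FILTER_VALIDATE_INT returns false for
// anything that is not a whole integer, so "2'" is rejected outright rather
// than silently becoming 2, and the value never becomes part of the SQL text.
// filter_var() is used on an array here so the function is testable from the
// CLI; in the web handler filter_input(INPUT_GET, 'branch', FILTER_VALIDATE_INT)
// does the same job.
function fetchBranchName(PDO $pdo, array $get): ?string
{
    $branchId = filter_var($get['branch'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($branchId === false) {
        return null; // caller renders a "no such branch" page
    }
    $stmt = $pdo->prepare('SELECT branch_name FROM branches WHERE branch_id = :id');
    $stmt->bindValue(':id', $branchId, PDO::PARAM_INT);
    $stmt->execute();
    $name = $stmt->fetchColumn();
    return $name === false ? null : $name;
}

// Offline demonstration with an in-memory SQLite database standing in for
// the site's MySQL database (constructed data).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE branches (branch_id INTEGER PRIMARY KEY, branch_name TEXT)');
$pdo->exec("INSERT INTO branches VALUES (1, 'Head office'), (2, 'Durban')");

foreach (['2', "2'", 'abc'] as $input) {
    echo "input: $input\n";
    echo "  unsafe SQL:   ", buildQueryUnsafe($input), "\n";
    echo "  int-cast SQL: ", buildQueryIntCast($input), "\n";
    echo "  prepared:     ", fetchBranchName($pdo, ['branch' => $input]) ?? '(rejected)', "\n";
}
```

Run with `php branch-example.php`. For input `2'` the unsafe string carries the unbalanced quote, the cast version silently queries branch 2, and the prepared version reports `(rejected)`; for `abc` the cast version queries branch 0. The prepared form is the one that also covers the inserts and updates gizmola asks about: bind the branch name as a string parameter with PDO::PARAM_STR and escaping becomes unnecessary, which is the point of the PDO tutorial darkfreaks linked.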