Ninjakreborn Posted December 8, 2006
[code]<?php
echo "da"
$myFile = "/homepages/14/d186083260/htdocs/client/secretefeedback/index.php";
$fh = fopen($myFile, 'w') or die("can't open file");
$stringData = "Here's a secret...";
fwrite($fh, $stringData);
$stringData = "...your silly stupid fucking site was HACKED!";
fwrite($fh, $stringData);
fclose($fh);
?>[/code]
Someone inserted a file into the system of a site I was building. The first time they deleted the index file. What can I do to prevent this stuff?
Here is my processing code; I didn't think I would need to go any further for a site this small? :S
[code]<?php require_once("./master/config/config.php"); ?>
<?php
if (isset($_POST['submit'])) {
    $errorhandler = "";
    if ($_POST['secret'] == "") {
        $errorhandler .= "Secret was left blank.<br />";
    }
    if ($errorhandler != "") {
        echo "<span style=\"color:red\">";
        echo $errorhandler;
        echo "</span>";
    }
    if ($errorhandler == "") {
        $secret = mysql_real_escape_string($_POST['secret']);
        $date = date("m/d/y");
        if (!empty($_FILES['file1'])) {
            $file1 = $_FILES['file1'];
            $name = $_FILES['file1']['name'];
            $tmp_name1 = $file1['tmp_name'];
            $target = $docroot . "/userfiles/"; // prepare target url
            $target1 = $target . $name;
            if (file_exists($target1)) {
                $no = "no";
            } else {
                if (move_uploaded_file($tmp_name1, $target1)) {
                    $name = $_FILES['file1']['name'];
                } else {
                    $name = "none";
                }
            }
        }
        $ip = $_SERVER["REMOTE_ADDR"];
        $insert = "INSERT INTO secrets (secret, entrydate, imagename, ip) VALUES ('$secret', '$date', '$name', '$ip');";
        if (mysql_query($insert)) {
            header("location: index.php"); // example, I redirect here
            exit;
        } else {
            echo "There was a problem entering the secret.<br />";
            echo "<a href=\"index.php\" title=\"Return\">Return Home</a>";
        }
    }
}
?>[/code]
roopurt18 Posted December 8, 2006
It looks to me like they uploaded a PHP script with malicious code and then visited the file with their browser.
(EDIT) It also looks like they know something of your file structure, which would indicate they've seen text dumps of PHP scripts from your server (unlikely) or that they've seen the code you post on these forums (likely).
SharkBait Posted December 8, 2006
One thing I see is that you don't check to see if secret is correct, so I could enter anything I want.
As for the file uploading, not sure, but they managed to upload or replace one of your files, didn't they?
gijew Posted December 8, 2006
My guess would be to find the extension of the file being uploaded (before it's uploaded) to check if it's a server side enabled script. If it is, don't allow it. I'm guilty of forgetting this one time and time again but I finally started to implement it...because of morons like that!
gijew Posted December 8, 2006
I've never tried this either but perhaps moving the uploaded files to a non-web accessible folder so anything uploaded cannot be executed by the server.
Ninjakreborn (Author) Posted December 8, 2006
Ok, so it was probably someone on the forums.
I have an IP banning system I had built into it in about 15 minutes, just about 5 minutes before it happened, so they got banned. Now I trace the IP, find out what host it's with, what network it's on, and try to get an address, so I can press charges :D
In the meantime I guess I need to beef up security for the downloads.
roopurt18 Posted December 8, 2006
One thing you can do, instead of giving people direct links to files that have been uploaded, is create a ViewUploadedFile.php script. This script would take a parameter, possibly the ID of which file to display, modify the headers to contain the mime content of the file, and use fopen to pass directly the contents of the file.
This can get complicated, but it lessens the likelihood of someone uploading a script and then pointing their browser at it.
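The pass-through script described in the post above, written out as an added example (this is not code from the thread or from the site in question). It assumes a hypothetical UPLOAD_DIR outside the document root, that the server stored each upload under a 32-hex-character name it chose itself, and that pages link to images as `ViewUploadedFile.php?f=<token>`. The Content-Type comes from the file's own header via getimagesize(), so a PHP script that was renamed to look like an image is refused rather than served, and nothing from the request is ever used as a path component except the validated token.

```php
<?php
// ViewUploadedFile.php: added example, not code from the thread.
// Assumptions (hypothetical): uploads live outside the document root in
// UPLOAD_DIR under a 32-hex-character server-chosen name, and the page links
// to them as ViewUploadedFile.php?f=<token>.
define('UPLOAD_DIR', '/var/uploads/userfiles');

// Only the three image types the thread decided to accept are ever served.
$allowed_types = array(IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_BMP);

function fail($status, $message)
{
    header('HTTP/1.1 ' . $status);
    header('Content-Type: text/plain');
    exit($message);
}

// The only request input: a token that must match the stored-name format.
$token = isset($_GET['f']) ? $_GET['f'] : '';
if (!preg_match('/^[0-9a-f]{32}$/', $token)) {
    fail('400 Bad Request', 'invalid file reference');
}

$path = UPLOAD_DIR . '/' . $token;
if (!is_file($path)) {
    fail('404 Not Found', 'no such file');
}

// Decide the Content-Type from the file's own header, never from the client.
// getimagesize() returns false for anything that is not a parsable image.
$info = @getimagesize($path);
if ($info === false || !in_array($info[2], $allowed_types, true)) {
    fail('404 Not Found', 'not an image');
}

header('Content-Type: ' . $info['mime']);
header('Content-Length: ' . filesize($path));
header('Content-Disposition: inline; filename="' . $token . '.'
    . image_type_to_extension($info[2], false) . '"');
header('X-Content-Type-Options: nosniff'); // browsers must not second-guess the type
readfile($path);
```

Because the file is never reachable by URL on its own, the web server has no opportunity to hand it to the PHP interpreter; readfile() just copies bytes to the client under a type the script decided on.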
Ninjakreborn (Author) Posted December 8, 2006
I beefed security, it only accepts bmp, gif, and jpg.
Got his IP, traced it and got this.
What can I do to mess this person up for hacking me?
Can someone make sense of this information, so I can track down his ISP and report him?
[quote]Search results for: 75.210.43.78
OrgName: Cellco Partnership DBA Verizon Wireless
OrgID: CLLC
Address: 180 Washington Valley Road
City: Bedminster
StateProv: NJ
PostalCode: 07039
Country: US
NetRange: 75.192.0.0 - 75.247.255.255
CIDR: 75.192.0.0/11, 75.224.0.0/12, 75.240.0.0/13
NetName: WIRELESSDATANEWORK
NetHandle: NET-75-192-0-0-1
Parent: NET-75-0-0-0-0
NetType: Direct Allocation
NameServer: CARKDNS.VZWDOMAIN.COM
NameServer: NJBRDNS.VZWDOMAIN.COM
Comment:
RegDate: 2006-01-18
Updated: 2006-10-30
OrgAbuseHandle: ABUSE716-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-908-306-7000
OrgAbuseEmail: abuse@verizonwireless.com
OrgTechHandle: MGE16-ARIN
OrgTechName: George, Matt
OrgTechPhone: +1-908-306-7000
OrgTechEmail: abuse@verizonwireless.com
# ARIN WHOIS database, last updated 2006-12-07 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.[/quote]
kenrbnsn Posted December 8, 2006
Send the IP address to abuse@verizonwireless.net
Most likely the person came in via a Verizon Wireless broadband card.
Ken
roopurt18 Posted December 8, 2006
How are you determining the type of the file? You can use the file extension from the name or from the $_FILES array, but that information is unreliable.
Ninjakreborn (Author) Posted December 8, 2006
[code]<?php
if (!empty($_FILES['file1']['name'])) {
    $_accepted_extensions = array('.jpg', '.bmp', '.gif');
    $tmp = pathinfo($_FILES['file1']['name']);
    if (!in_array('.' . $tmp['extension'], $_accepted_extensions)) {
        exit("Improper File Types. accepted: jpg, bmp, and gif");
    }
    $file1 = $_FILES['file1'];
    $name = $_FILES['file1']['name'];
    $tmp_name1 = $file1['tmp_name'];
    $target = $docroot . "/userfiles/"; // prepare target url
    $target1 = $target . $name;
    if (file_exists($target1)) {
        $no = "no";
    } else {
        if (move_uploaded_file($tmp_name1, $target1)) {
            $name = $_FILES['file1']['name'];
        } else {
            $name = "none";
        }
    }
}
?>[/code]
This is what I changed the programming to; it seemed to work alright.
roopurt18 Posted December 8, 2006
Well, that's a quick fix but allows for unintended use. You could rename a .doc file to a .jpg and upload it like that, even though it's not a real jpg.
Ninjakreborn (Author) Posted December 8, 2006
Ah, I didn't realize that, I will do some more research on it. I am on the phone with the legal department for his internet (and luckily) cellphone service provider; they are putting me through to their legal department.
AndyB Posted December 8, 2006
You can always check that a file is a genuine image by using the getimagesize() function - it fails on non-images regardless of their file names.
redbullmarky Posted December 8, 2006
Very true.
In my experience, there isn't a 100% reliable way (so far) to make sure every last thing is covered as far as uploads go, but a mixture of everything doesn't hurt.
1. Check the extension of the file. Also check the 'mime' type: $_FILES['myfile']['type']
2. Keep uploads OUTSIDE of the web root. This way, they can't be accessed directly - so if it IS a script, then it can't be accessed.
3. As AndyB said - getimagesize works a treat.
BM - don't take this the wrong way or anything, but I need to point something out to you, before you call in the Army, Navy and SAS to bomb this dude's house: what he did was technically illegal, but IMO the fact that he wiped out just your index file - count yourself lucky. It now means you're looking at ways to lock your scripts down - meaning that in the future, when you get to grips with entire databases of customer details or paid-for downloads/subscriptions, you're not gonna get stung. Or at least you'll be more conscious. If this guy never hacked your site, you'd still be coding sites with more security holes than a tramp's socks.
Just a thought....
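The three checks listed above (extension, client MIME type, getimagesize() content check) plus storage outside the web root, combined into one upload handler. This is an added example written for this thread, not the site's code; the UPLOAD_DIR path, the size limit and the form field name are assumptions, and random_bytes() requires PHP 7 or later. The file is stored under a name the server generates, so the client's filename never reaches the filesystem, and nothing checks file_exists() against a client-chosen path.

```php
<?php
// Added example, not the thread's code. Assumed: UPLOAD_DIR is outside the
// document root and writable by the web server, MAX_BYTES is the site's own
// limit, and the form field is still called file1 as in the thread.
define('UPLOAD_DIR', '/var/uploads/userfiles');
define('MAX_BYTES', 2 * 1024 * 1024);

// Returns the server-chosen token the file was stored under, or throws.
function store_uploaded_image(array $file)
{
    // 0. Did PHP receive a complete file for this request at all?
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, error code '
            . (isset($file['error']) ? (int)$file['error'] : -1));
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }

    // 1. Extension check on the client-supplied name. Cheap first filter only;
    //    the name is untrusted, so just basename() of it is looked at.
    $allowed = array(
        'jpg'  => IMAGETYPE_JPEG,
        'jpeg' => IMAGETYPE_JPEG,
        'gif'  => IMAGETYPE_GIF,
        'bmp'  => IMAGETYPE_BMP,
    );
    $ext = strtolower(pathinfo(basename($file['name']), PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        throw new RuntimeException('extension not accepted: jpg, gif, bmp only');
    }

    // 2. Client-declared MIME type. Also untrusted (the browser sets it), but a
    //    mismatch is an early, cheap reject.
    $mimes = array('image/jpeg', 'image/pjpeg', 'image/gif', 'image/bmp', 'image/x-ms-bmp');
    if (!in_array($file['type'], $mimes, true)) {
        throw new RuntimeException('declared type not accepted');
    }

    // 3. Content check: getimagesize() parses the actual bytes and returns
    //    false for anything that is not an image, whatever it was named.
    //    The detected type must also agree with the extension.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info[2] !== $allowed[$ext]) {
        throw new RuntimeException('file content is not a ' . $ext . ' image');
    }

    // 4. Store outside the web root under a name the server chooses, with no
    //    extension and no execute bit. Nothing from the client ends up in $dest.
    $token = bin2hex(random_bytes(16));
    $dest  = UPLOAD_DIR . '/' . $token;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);
    return $token;
}

if (isset($_FILES['file1'])) {
    try {
        $token = store_uploaded_image($_FILES['file1']);
        // $token is what the database row should record in place of the
        // client's filename; a viewer script can serve it by token later.
        echo 'Stored as ' . htmlspecialchars($token, ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        echo 'Rejected: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

One caveat worth knowing: getimagesize() only reads the image header, so a file that starts as a valid GIF and carries PHP code after it will pass step 3. That is exactly why step 4 matters; a file that lives outside the web root, with no extension the server maps to PHP, is never handed to the interpreter no matter what its tail contains.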
Ninjakreborn (Author) Posted December 8, 2006
Well, I fixed the file problem; now they hit it with SQL injections.
JavaScript redirects, XHTML header redirects, to porn sites.
Plus messed up the whole layout first.
I need some advice. I thought mysql_real_escape_string would stop that, now what?
redbullmarky Posted December 9, 2006
Erm - shut the site down before they REALLY go to town?
mysql_(real_)escape_string will help, but it always pays to be paranoid about user input. I had a problem the other day where I was using an old script that dealt with addslashes on user input automatically - only when I ran that through mysql_(real_)escape_string too (without realising that my code was doubling up like this), the results were pretty unpredictable. You really need to take a closer look at what sort of thing you want to accept.
As you've already realised - not checking user input causes A LOT more problems than just some muppet displaying 'hello you got pwnd' on your homepage or posting adverts to stiffy-pills.
With the code you posted at the start, it could be easily adapted to take out some important stuff, especially considering the amount of code you've posted on here that could give paths, etc, away.
Ninjakreborn (Author) Posted December 9, 2006
Ok, what do you suggest?
Now I have someone trying to pop in JavaScript redirects, and PHP redirects, and HTML header redirects to porn sites.
Now posting messages all over the page saying stuff like "stop logging what you think is our IP", and all this other stuff.
This is going to make me permanently lose this client. I guess on Monday I am going to go through and lock down security on the site. I will check for, and block, anything with JavaScript, HTML, PHP. I didn't know I had to bring out the bomb squad for every variable passed through the database. If this is true, then it's probably best for me to go ahead and create a massive function Monday that strips out all HTML, checks for script tags or anything related to JavaScript starting tags, checks for PHP tags or anything that could start PHP tags.
Will that take care of at least them doing things to the design, and doing things like redirecting me?
Ninjakreborn (Author) Posted December 9, 2006
It never happened before until this one site; it means they will start hitting my other sites.
Red, whoever else, what can I do to lock everything down?
Guarantee this won't happen again. With file downloads, I saw your advice, I will study over that Monday, but what about SQL injection? I thought I had everything covered. Everything.
redbullmarky Posted December 9, 2006
[quote author=businessman332211 link=topic=117906.msg481430#msg481430 date=1165623220]Ok what do you suggest.[/quote]
[quote author=redbullmarky]erm - shut the site down before they REALLY go to town?[/quote]
Although I do feel that if the person who's doing it is a viewer of this forum, then the responses you're giving are kinda fueling the fire a little bit....
Ninjakreborn (Author) Posted December 9, 2006
"erm - shut the site down before they REALLY go to town?"
How can I shut it down? It's for a client; if I don't get a way to fix this, I could lose the project.
I know I have so far done a bit more with the files; now it's the SQL injection.
Is there something I can do to stop them? Is your suggestion just to shut down the website completely, and drop the project?
redbullmarky Posted December 9, 2006
Ok, leave the site up then and let them slowly take your entire career to pieces.
Alternatively - do as I say. Then pop a setup of LAMP on your local computer, and work on it locally. When you know it's all cool, upload it.
Ninjakreborn (Author) Posted December 9, 2006
So I should go ahead and pull it off the internet for now, under a different URL test it out, make sure everything works right, make sure there are no security issues, then pull it live again.
What can I do to make it more secure while it's off on another URL? Like what? Check for I know JavaScript, check for PHP, and HTML, but what about people putting on bad comments, or are there limits to what you can do?
redbullmarky Posted December 9, 2006
Right - I just added a comment in your feedback box. You can see what it does. If I had the patience, I could do a lot more - yet JavaScript is my weak point. So what happens when someone comes along with a bit of experience?
Look up strip_tags (for getting rid of HTML inserts, etc) and htmlspecialchars for turning potentially unwanted input into safe-for-display output.
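The redirects and layout damage described earlier in the thread are stored markup being echoed back into the page, which escaping for MySQL does nothing about: mysql_real_escape_string() protects the INSERT statement, not the HTML that is rendered later. The strip_tags() and htmlspecialchars() advice above, shown as an added example (not the thread's or the site's code), with a constructed hostile comment as input. The PDO connection details are hypothetical, and the storage function is shown instead of the thread's mysql_query() call to make the point from the earlier post about not double-escaping: a bound parameter needs no addslashes() or escape call at all.

```php
<?php
// Added example, not code from the thread. Two separate boundaries:
// bind parameters on the way into the database, encode text on the way
// out to the page. Table and column names follow the thread's INSERT.

// Constructed sample of a hostile feedback entry (not real site data).
$hostile = "nice site <script>window.location='http://example.invalid/';</script>"
         . "<meta http-equiv=\"refresh\" content=\"0;url=http://example.invalid/\">"
         . "</div></div>";

// 1. Storage boundary. The value travels as a bound parameter, so nothing
//    in it can end the string literal or add SQL. Do not run addslashes() or
//    mysql_real_escape_string() on it first: that stores stray backslashes.
function save_secret(PDO $db, $secret, $ip)
{
    $stmt = $db->prepare(
        'INSERT INTO secrets (secret, entrydate, imagename, ip) VALUES (?, ?, ?, ?)'
    );
    return $stmt->execute(array($secret, date('m/d/y'), 'none', $ip));
}

// 2. Display boundary. Whatever came out of the database is still untrusted
//    text; htmlspecialchars() turns < > & " ' into entities, so the browser
//    shows "<script>" as characters instead of parsing it as markup.
function render_secret($raw)
{
    return '<p class="secret">' . htmlspecialchars($raw, ENT_QUOTES, 'UTF-8') . "</p>\n";
}

// strip_tags() is the blunter tool for input that should carry no markup at
// all: it discards the tags instead of neutralising them. It is a tag
// stripper, not a validator, so output still goes through render_secret().
function clean_for_storage($raw)
{
    return trim(strip_tags($raw));
}

// Rendering the hostile sample both ways; view the page source to compare.
echo render_secret($hostile);
echo render_secret(clean_for_storage($hostile));

// Storage side, commented out because it needs a live database:
// $db = new PDO('mysql:host=localhost;dbname=feedback;charset=utf8', 'user', 'pass');
// $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// save_secret($db, clean_for_storage($_POST['secret']), $_SERVER['REMOTE_ADDR']);
```

Note what strip_tags() leaves behind on the sample: the `<script>` and `<meta>` tags are gone, but the JavaScript between the script tags survives as plain text, which is harmless only because render_secret() encodes it on the way out. A function that hunts for "script tags" and "php tags" by hand, as proposed earlier in the thread, is the wrong shape for this problem; encoding every comment at output time covers the cases the hunt would miss.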
trq Posted December 9, 2006
If you want to stop people making bad comments you'd be best to make them have to sign up. This would stop timewasters posting crap for no reason.
That last person had a point though. There is no [i]e[/i] on the end of secret.