hacked (avoidance)


Ninjakreborn


[code]<?php
echo "da"

$myFile = "/homepages/14/d186083260/htdocs/client/secretefeedback/index.php";

$fh = fopen($myFile, 'w') or die("can't open file");
$stringData = "Here's a secret...";
fwrite($fh, $stringData);
$stringData = "...your silly stupid fucking site was HACKED!";
fwrite($fh, $stringData);
fclose($fh);
?>[/code]
Someone inserted a file into the system of a site I was building.
The first time they deleted the index file.
What can I do to prevent this stuff?


Here is my processing code, I didn't think I would need to go any further for a site this small? :S
[code]<?php require_once("./master/config/config.php"); ?>
<?php
if (isset($_POST['submit'])) {
    $errorhandler = "";
    if ($_POST['secret'] == "") {
        $errorhandler .= "Secret was left blank.<br />";
    }
    if ($errorhandler != "") {
        echo "<span style=\"color:red\">";
        echo $errorhandler;
        echo "</span>";
    }

    if ($errorhandler == "") {
        $secret = mysql_real_escape_string($_POST['secret']);
        $date = date("m/d/y");
        $name = "none"; // default when nothing was uploaded (was left undefined before)
        if (!empty($_FILES['file1'])) {
            $file1 = $_FILES['file1'];
            $name = $_FILES['file1']['name'];
            $tmp_name1 = $file1['tmp_name'];
            $target = $docroot . "/userfiles/"; // prepare target url ($docroot comes from config.php)
            $target1 = $target . $name;
            if (file_exists($target1)) {
                $no = "no";
            } else {
                if (move_uploaded_file($tmp_name1, $target1)) {
                    $name = $_FILES['file1']['name'];
                } else {
                    $name = "none";
                }
            }
        }
        $ip = $_SERVER["REMOTE_ADDR"];
        $insert = "INSERT INTO secrets (secret, entrydate, imagename, ip) VALUES ('$secret', '$date', '$name', '$ip');";
        if (mysql_query($insert)) {
            header("location: index.php"); // example, I redirect here
            exit;
        } else {
            echo "There was a problem entering the secret.<br />";
            echo "<a href=\"index.php\" title=\"Return\">Return Home</a>";
        }
    }
}
?>[/code]


It looks to me like they uploaded a PHP script with malicious code and then visited the file with their browser.

(EDIT) It also looks like they know something of your file structure, which would indicate they've seen text dumps of PHP scripts from your server (unlikely) or that they've seen the code you post on these forums (likely).

My guess would be to find the extension of the file being uploaded (before it's uploaded) to check if it's a server side enabled script.  If it is, don't allow it.  I'm guilty of forgetting this one time and time again but I finally started to implement it...because of morons like that!

Ok, so it was probably someone on the forums.
I have an IP banning system I had built into it in about 15 minutes, just about 5 minutes before it happened,
so they got banned. Now I trace the IP, find out what host it's with, what network it's on, and try to get an address, so I can press charges :D
In the meantime I guess I need to beef up security for the downloads.

One thing you can do, instead of giving people direct links to files that have been uploaded, is create a ViewUploadedFile.php script. This script would take a parameter, possibly the ID of which file to display, modify the headers to contain the mime content of the file, and use fopen to pass the contents of the file directly.

This can get complicated, but it lessens the likelihood of someone uploading a script and then pointing their browser at it.
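An added example of the viewer-script idea described above (not code from the thread). It assumes a hypothetical upload directory that sits outside htdocs and a constructed id-to-filename lookup standing in for a query against the `secrets` table's `imagename` column:

```php
<?php
// ViewUploadedFile.php: serves an upload by id so the stored file is never
// reachable by URL. UPLOAD_DIR is an assumed path that is NOT under the web root.
const UPLOAD_DIR = '/homepages/14/d186083260/userfiles';
const ALLOWED_MIME = ['image/jpeg', 'image/gif', 'image/bmp', 'image/x-ms-bmp'];

// Stand-in for "SELECT imagename FROM secrets WHERE id = ?" with constructed rows;
// a real deployment would use a PDO prepared statement here.
function lookupImageName(int $id): ?string
{
    $rows = [1 => 'a1b2c3d4.jpg', 2 => 'e5f6a7b8.gif'];
    return $rows[$id] ?? null;
}

function serveUpload(int $id): void
{
    $name = lookupImageName($id);
    $base = realpath(UPLOAD_DIR);
    // refuse unknown ids and any stored name that contains a path separator
    if ($name === null || $base === false || $name !== basename($name)) {
        http_response_code(404);
        exit('not found');
    }
    $real = realpath($base . DIRECTORY_SEPARATOR . $name);
    // the resolved path must still be inside the upload directory
    if ($real === false || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        http_response_code(404);
        exit('not found');
    }
    // the type comes from the file's own header, not from the user-supplied name
    $info = @getimagesize($real);
    if ($info === false || !in_array($info['mime'], ALLOWED_MIME, true)) {
        http_response_code(415);
        exit('not an accepted image');
    }
    header('Content-Type: ' . $info['mime']);
    header('Content-Length: ' . filesize($real));
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: inline; filename="' . $name . '"');
    readfile($real);   // bytes are streamed to the browser, never included or executed by PHP
}

$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($id === null || $id === false) {
    http_response_code(400);
    exit('bad id');
}
serveUpload($id);
```

Requested as ViewUploadedFile.php?id=1, the script streams the image with the sniffed Content-Type; a file that is not a real image gets a 415 even if its name ends in .jpg.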

I beefed up security, it only accepts bmp, gif, and jpg.
Got his IP, traced it and got this.
What can I do to mess this person up for hacking me?
Can someone make sense of this information, so I can track down his ISP and report him?

[code]<?php
if (!empty($_FILES['file1']['name'])) {
    $_accepted_extensions = array('.jpg', '.bmp', '.gif');
    $tmp = pathinfo($_FILES['file1']['name']);
    // lower-case the extension so ".JPG" passes and ".PHP" is still refused;
    // a name with no extension at all is refused too
    $ext = isset($tmp['extension']) ? strtolower($tmp['extension']) : '';
    if (!in_array('.' . $ext, $_accepted_extensions)) {
        exit("Improper File Types. accepted: jpg, bmp, and gif");
    }

    $file1 = $_FILES['file1'];
    $name = $_FILES['file1']['name'];
    $tmp_name1 = $file1['tmp_name'];
    $target = $docroot . "/userfiles/"; // prepare target url
    $target1 = $target . $name;
    if (file_exists($target1)) {
        $no = "no";
    } else {
        if (move_uploaded_file($tmp_name1, $target1)) {
            $name = $_FILES['file1']['name'];
        } else {
            $name = "none";
        }
    }
}
?>[/code]
This is what I changed the programming to, it seemed to work alright.

very true.
in my experience, there isn't a 100% reliable way (so far) to make sure every last thing is covered as far as uploads go, but a mixture of everything doesn't hurt.

1, check the extension of the file. also check the 'mime' type. $_FILES['myfile']['type']
2, keep uploads OUTSIDE of the web root. this way, they can't be accessed directly - so if it IS a script, then it can't be accessed.
3, as AndyB said - getimagesize works a treat.


BM - don't take this the wrong way or anything, but I need to point something out to you, before you call in the Army, Navy and SAS to bomb this dude's house: what he did was technically illegal, but IMO the fact that he wiped out just your index file - count yourself lucky. it now means you're looking at ways to lock your scripts down - meaning that in the future, when you get to grips with entire databases of customer details or paid-for downloads/subscriptions, you're not gonna get stung. or at least you'll be more conscious. if this guy never hacked your site, you'd still be coding sites with more security holes than a tramp's socks.

just a thought....
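The three points in the post above, combined into one upload handler as an added example (not the thread's code, and a replacement for the extension-only check posted earlier). UPLOAD_DIR is an assumed directory that is not under htdocs:

```php
<?php
// Hardened upload handler: extension AND declared type checked, bytes verified
// with getimagesize, random stored name, destination outside the web root.
const UPLOAD_DIR = '/homepages/14/d186083260/userfiles';  // assumed, not web-reachable
const MAX_BYTES  = 2 * 1024 * 1024;
// accepted image types (the thread's jpg/gif/bmp) mapped to the extension we store
const ACCEPTED = [IMAGETYPE_JPEG => 'jpg', IMAGETYPE_GIF => 'gif', IMAGETYPE_BMP => 'bmp'];
const ACCEPTED_DECLARED = ['image/jpeg', 'image/pjpeg', 'image/gif', 'image/bmp', 'image/x-ms-bmp'];

/** Returns the stored file name, or null with $error set when the upload is refused. */
function storeImage(array $file, ?string &$error): ?string
{
    $error = null;
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        $error = 'upload failed or missing'; return null;
    }
    if ($file['size'] > MAX_BYTES) {
        $error = 'file too large'; return null;
    }
    // 1. extension whitelist, compared case-insensitively (".PHP" and ".Jpg.php" both fail)
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ACCEPTED, true)) {
        $error = 'extension not allowed'; return null;
    }
    // 1b. the browser-declared $_FILES[...]['type'] is client-controlled, so it is
    //     only a cheap early reject, never the deciding check
    if (!in_array($file['type'], ACCEPTED_DECLARED, true)) {
        $error = 'declared type not allowed'; return null;
    }
    // 3. getimagesize parses the real header: a PHP script renamed to .jpg fails here
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset(ACCEPTED[$info[2]])) {
        $error = 'not a real jpg/gif/bmp'; return null;
    }
    // never reuse the client's file name; the extension follows the detected type
    $stored = bin2hex(random_bytes(16)) . '.' . ACCEPTED[$info[2]];
    // 2. destination is outside the document root, so nothing stored here has a URL
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $stored)) {
        $error = 'could not store file'; return null;
    }
    return $stored;   // save this in the imagename column; serve it through a viewer script
}

if (!empty($_FILES['file1']['name'])) {
    $name = storeImage($_FILES['file1'], $err);
    if ($name === null) {
        exit('Improper File Types. ' . $err);
    }
}
```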

erm - shut the site down before they REALLY go to town?

mysql_(real_)escape_string will help, but it always pays to be paranoid about user input. i had a problem the other day where i was using an old script that dealt with addslashes on user input automatically - only when i ran that through mysql_(real_)escape_string too (without realising that my code was doubling up like this), the results were pretty unpredictable. you really need to take a closer look at what sort of thing you want to accept.
as you've already realised - not checking user input causes A LOT more problems than just some muppet displaying 'hello you got pwnd' on your homepage or posting adverts to stiffy-pills.
with the code you posted at the start, it could be easily adapted to take out some important stuff, especially considering the amount of code you've posted on here that could give paths, etc, away.

Ok what do you suggest.
Now I have someone trying to pop in javascript redirects, and php redirects, and html header redirects to porn sites.
Now posting messages all over the page saying stuff like stop logging what you think is our ip, and all this other stuff.

This is going to make me permanently lose this client. I guess on Monday I am going to go through and lock down security on the site. I will check for, and block, anything with javascript, html, php. I didn't know I had to bring out the bomb squad for every variable passed through the database. If this is true, then it's probably best for me to go ahead and create a massive function Monday that strips out all html, checks for script tags, or anything related to javascript starting tags, checks for php tags, or anything that could start php tags.
Will that take care of at least them doing things to the design, and doing things like redirecting me?

It never happened before until this one site, it means they will start hitting my other sites.
Red, whoever else, what can I do to lock everything down?
Guarantee this won't happen again, with file downloads, I saw your advice, I will study over that Monday, but what about sql injection, I thought I had everything covered. Everything.

[quote author=businessman332211 link=topic=117906.msg481430#msg481430 date=1165623220]
Ok what do you suggest.
[/quote]

[quote author=redbullmarky]
erm - shut the site down before they REALLY go to town?
[/quote]

although i do feel that if the person who's doing it is a viewer of this forum, then the responses you're giving are kinda fueling the fire a little bit....

erm - shut the site down before they REALLY go to town?

How can I shut it down, it's for a client, if I don't get a way to fix this, I could lose the project.
I know I have so far done a bit more with the files, now it's the sql injection.
Is there something I can do to stop them, is your suggestion just to shut down the website completely, and drop the project?

So I should go ahead and pull it off the internet
for now, under a different url
test it out, make sure everything works right, make sure there is no security issues
Then pull it live again.
What can I do to make it more secure while it's off on another url
Like what
check for I know javascript, check for php, and html
but what about people putting on bad comments or are there limits to what you can do.

right - i just added a comment in your feedback box. you can see what it does. if i had the patience, i could do a lot more - yet javascript is my weak point. so what happens when someone comes along with a bit of experience?

look up strip_tags (for getting rid of HTML inserts, etc) and htmlspecialchars for turning potentially unwanted input into safe-for-display output.
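An added example (not the thread's code) covering the two pieces of advice above: the escaping/doubling-up problem around the OP's INSERT, and htmlspecialchars at output time. It rewrites the `secrets` INSERT from the first post as a PDO prepared statement so no manual escaping layer is needed; the DSN and credentials are placeholders:

```php
<?php
// Prepared-statement INSERT for the secrets table plus output escaping.
// Placeholders below must be replaced with the site's real database settings.
declare(strict_types=1);

function connect(): PDO
{
    $pdo = new PDO('mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
                   'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // server-side prepare: values never spliced into SQL
    return $pdo;
}

function saveSecret(PDO $pdo, string $secret, string $imageName, string $ip): void
{
    // values are bound separately from the SQL text, so a quote in $secret cannot end the statement;
    // no addslashes / mysql_real_escape_string, hence nothing to double up
    $stmt = $pdo->prepare(
        'INSERT INTO secrets (secret, entrydate, imagename, ip) VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$secret, date('m/d/y'), $imageName, $ip]);
}

// display side: the stored text is emitted as text, so tags and scripts in it stay inert
function renderSecret(string $secret): string
{
    return '<p>' . htmlspecialchars($secret, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

if (isset($_POST['submit'])) {
    $secret = trim((string) ($_POST['secret'] ?? ''));
    if ($secret === '') {
        exit('Secret was left blank.');
    }
    // store exactly what was typed; escaping happens once, at output time
    saveSecret(connect(), $secret, 'none', $_SERVER['REMOTE_ADDR']);
    header('Location: index.php');
    exit;
}
```

strip_tags can additionally be applied before storing if HTML is never wanted in a secret, but renderSecret alone already prevents stored markup from rendering.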

If you want to stop people making bad comments you'd be best to make them have to sign up. This would stop timewasters posting crap for no reason.

That last person had a point though. There is no [i]e[/i] on the end of secret.