Ninjakreborn Posted December 8, 2006 Share Posted December 8, 2006 [code]<?phpecho "da"$myFile = "/homepages/14/d186083260/htdocs/client/secretefeedback/index.php";$fh = fopen($myFile, 'w') or die("can't open file");$stringData = "Here's a secret...";fwrite($fh, $stringData);$stringData = "...your silly stupid fucking site was HACKED!";fwrite($fh, $stringData);fclose($fh);?>[/code]someone inserted a file into the ssytem of a site I was buildingthe first time they deleted the index filewhat can I do to prevent htis stuff.Here is my processing code, I didn't think I would need to go any further for a site this small?:S[code]<?php require_once("./master/config/config.php"); ?><?phpif (isset($_POST['submit'])) { $errorhandler = ""; if ($_POST['secret'] == "") { $errorhandler .= "Secret was left blank.<br />"; } if ($errorhandler != "") { echo "<span style=\"color:red\">"; echo $errorhandler; echo "</span>"; } if ($errorhandler == "") { $secret = mysql_real_escape_string($_POST['secret']); $date = date("m/d/y"); if (!empty($_FILES['file1'])) { $file1 = $_FILES['file1']; $name = $_FILES['file1']['name']; $tmp_name1 = $file1['tmp_name']; $target = $docroot . "/userfiles/"; // prepare target url $target1 = $target . $name; if (file_exists($target1)) { $no = "no"; }else { if (move_uploaded_file($tmp_name1, $target1)) { $name = $_FILES['file1']['name']; }else { $name = "none"; } } } $ip = $_SERVER["REMOTE_ADDR"]; $insert = "INSERT INTO secrets (secret, entrydate, imagename, ip) VALUES ('$secret', '$date', '$name', '$ip');"; if (mysql_query($insert)) { header("location: index.php"); // example, I redirect here exit; }else { echo "There was a problem entering the secret.<br />"; echo "<a href=\"index.php\" title=\"Return\">Return Home</a>"; } }}?>[/code] Quote Link to comment https://forums.phpfreaks.com/topic/29977-hacked-avoidance/ Share on other sites More sharing options...
roopurt18 Posted December 8, 2006 Share Posted December 8, 2006 It looks to me like they uploaded a PHP script with malicious code and then visited the file with their browser.(EDIT) It also looks like they know something of your file structure, which would indicate they've seen text dumps of PHP scripts from your server (unlikely) or that they've seen the code you post on these forums (likely). Quote Link to comment https://forums.phpfreaks.com/topic/29977-hacked-avoidance/#findComment-137703 Share on other sites More sharing options...
SharkBait Posted December 8, 2006 Share Posted December 8, 2006 One thing I see is that you don't check to see if secret is correct so I could enter anything I want.As for the file uploading not sure but they managed to upload or replace one of your files didnt they? Quote Link to comment https://forums.phpfreaks.com/topic/29977-hacked-avoidance/#findComment-137704 Share on other sites More sharing options...
gijew Posted December 8, 2006 Share Posted December 8, 2006 My guess would be to find the extension of the file being uploaded (before it's uploaded) to check if it's a server side enabled script. If it is, don't allow it. I'm guilty of forgetting this one time and time again but I finally started to implement it...because of morons like that! Quote Link to comment https://forums.phpfreaks.com/topic/29977-hacked-avoidance/#findComment-137705 Share on other sites More sharing options...
gijew Posted December 8, 2006 Share Posted December 8, 2006 I've never tried this either but perhaps moving the uploaded files to a non-web accessible folder so anything uploaded cannot be executed by the server. Quote Link to comment https://forums.phpfreaks.com/topic/29977-hacked-avoidance/#findComment-137708 Share on other sites More sharing options...
Ninjakreborn Posted December 8, 2006 Author Share Posted December 8, 2006 Ok, so it was probably someone on the forums.I have an ip banning system I had built into it in about 15 minutes, just about 5 minutes before it happenedso they got banned, now I trace the ip, find out what host it's with, what network it's on, and try to get an address, so I can press charges:DIn the meantime I guess I need to beef up security for the downloads. Quote Link to comment https://forums.phpfreaks.com/topic/29977-hacked-avoidance/#findComment-137709 Share on other sites More sharing options...
roopurt18 Posted December 8, 2006 Share Posted December 8, 2006 One thing you can do, instead of giving people direct links to files that have been uploaded is create a ViewUploadedFile.php script. This script would take a parameter, possibly the ID of which file to display, modify the headers to contain the mime content of the file, and use fopen to pass directly the contents of the file.This can get complicated, but it lessens the likelihood of someone uploaded a script and then pointing their browser at it. Quote Link to comment https://forums.phpfreaks.com/topic/29977-hacked-avoidance/#findComment-137711 Share on other sites More sharing options...
Ninjakreborn Posted December 8, 2006 Author Share Posted December 8, 2006 I beefed security, it only accepts bmp, gif, and jpgGot his ip, traced it and got htisWhat can I do, to mess this person up for hacking me.Can someone make sense of this information, so I can track down his isp, and report hiim?[quote] Search results for: 75.210.43.78 OrgName: Cellco Partnership DBA Verizon Wireless OrgID: CLLC Address: 180 Washington Valley Road City: Bedminster StateProv: NJ PostalCode: 07039 Country: US NetRange: 75.192.0.0 - 75.247.255.255 CIDR: 75.192.0.0/11, 75.224.0.0/12, 75.240.0.0/13 NetName: WIRELESSDATANEWORK NetHandle: NET-75-192-0-0-1 Parent: NET-75-0-0-0-0 NetType: Direct Allocation NameServer: CARKDNS.VZWDOMAIN.COM NameServer: NJBRDNS.VZWDOMAIN.COM Comment: RegDate: 2006-01-18 Updated: 2006-10-30 OrgAbuseHandle: ABUSE716-ARIN OrgAbuseName: Abuse OrgAbusePhone: +1-908-306-7000 OrgAbuseEmail: abuse@verizonwireless.com OrgTechHandle: MGE16-ARIN OrgTechName: George, Matt OrgTechPhone: +1-908-306-7000 OrgTechEmail: abuse@verizonwireless.com # ARIN WHOIS database, last updated 2006-12-07 19:10 # Enter ? for additional hints on searching ARIN's WHOIS database. [/quote] Quote Link to comment https://forums.phpfreaks.com/topic/29977-hacked-avoidance/#findComment-137727 Share on other sites More sharing options...
kenrbnsn Posted December 8, 2006 Share Posted December 8, 2006 Send the ip address to abuse@verizonwireless.netMost likely the person came in via a Verizon Wireless broadband card.Ken Quote Link to comment https://forums.phpfreaks.com/topic/29977-hacked-avoidance/#findComment-137732 Share on other sites More sharing options...
roopurt18 Posted December 8, 2006 Share Posted December 8, 2006 How are you determining the type of the file? You can use the file extension from the name or from the $_FILES array, but that information is unreliable. Quote Link to comment https://forums.phpfreaks.com/topic/29977-hacked-avoidance/#findComment-137733 Share on other sites More sharing options...
Ninjakreborn Posted December 8, 2006 Author Share Posted December 8, 2006 [code]<?phpif (!empty($_FILES['file1']['name'])) {$_accepted_extensions = array('.jpg', '.bmp', '.gif'); $tmp = pathinfo($_FILES['file1']['name']);if (!in_array('.' . $tmp['extension'], $_accepted_extensions)) { exit("Improper File Types. accepted: jpg, bmp, and gif");} $file1 = $_FILES['file1']; $name = $_FILES['file1']['name']; $tmp_name1 = $file1['tmp_name']; $target = $docroot . "/userfiles/"; // prepare target url $target1 = $target . $name; if (file_exists($target1)) { $no = "no"; }else { if (move_uploaded_file($tmp_name1, $target1)) { $name = $_FILES['file1']['name']; }else { $name = "none"; } } }?>[/code]This is what I changed the programming too, it seemed to work alright. Quote Link to comment https://forums.phpfreaks.com/topic/29977-hacked-avoidance/#findComment-137738 Share on other sites More sharing options...
roopurt18 Posted December 8, 2006 Share Posted December 8, 2006 Well, that's a quick fix but allows for unintended use. You could rename a .doc file to a .jpg and upload it like that, even though it's not a real jpg. Quote Link to comment https://forums.phpfreaks.com/topic/29977-hacked-avoidance/#findComment-137744 Share on other sites More sharing options...
Ninjakreborn Posted December 8, 2006 Author Share Posted December 8, 2006 Ah, I didn't realize that, I will do some more research on it, I am on the phone with the legal department for his interet (and luckily) cellphone service provider, they are putting me through to there legal department. Quote Link to comment https://forums.phpfreaks.com/topic/29977-hacked-avoidance/#findComment-137745 Share on other sites More sharing options...
AndyB Posted December 8, 2006 Share Posted December 8, 2006 You can always check that a file is a genuine image by using the getimagesize() function - it fails on non-images regardless of their file names. Quote Link to comment https://forums.phpfreaks.com/topic/29977-hacked-avoidance/#findComment-137757 Share on other sites More sharing options...
redbullmarky Posted December 8, 2006 Share Posted December 8, 2006 very true.in my experience, there isnt a 100% reliable way (so far) to make sure every last thing is covered as far as uploads go, but a mixture of everything doesnt hurt.1, check the extension of the file. also check the 'mime' type. $_FILES['myfile']['type']2, keep uploads OUTSIDE of the web root. this way, they cant be accessed directly - so if it IS a script, then it cant be accessed.3, as AndyB said - getimagesize works a treat.BM - dont take this the wrong way or anything, but I need to point something out to you, before you call in the Army, Navy and SAS to bomb this dudes house: what he did was technically illegal, but IMO the fact that he wiped out just your index file - count yourself lucky. now means you're looking at ways to lock your scripts down - meaning that in the future, when you get to grips with entire databases of customer details or paid-for downloads/subscriptions, you're not gonna get stung. or at least you'll be more concious. if this guy never hacked your site, you'd still be coding sites with more security holes than a tramps socks.just a thought.... Quote Link to comment https://forums.phpfreaks.com/topic/29977-hacked-avoidance/#findComment-137761 Share on other sites More sharing options...
Ninjakreborn Posted December 8, 2006 Author Share Posted December 8, 2006 Well I fixed file problem, now they hit it with sql injections.Javascript redirects, xhtml header redirects, to porn sites.Plus messed up the whole layout first.I need some advice, I thought mysql_real_escape_string would stop that, now what? Quote Link to comment https://forums.phpfreaks.com/topic/29977-hacked-avoidance/#findComment-137797 Share on other sites More sharing options...
redbullmarky Posted December 9, 2006 Share Posted December 9, 2006 erm - shut the site down before they REALLY go to town?mysql_(real_)escape_string will help, but it always pays to be paranoid about user input. i had a problem the other day where i was using an old script that dealt with addslashes on user input automatically - only when i ran that through mysql_(real_)escape_string too (without realising that my code was doubling up like this), the results were pretty unpredictable. you really need to take a closer look on what sort of thing you want to accept.as you've already realised - not checking user input causes ALOT more problems than just some muppet displaying 'hello you got pwnd' on your homepage or posting adverts to stiffy-pills.with the code you posted at the start, it could be easily adapted to take out some important stuff, especially considering the amount of code you've posted on here that could give paths, etc, away. Quote Link to comment https://forums.phpfreaks.com/topic/29977-hacked-avoidance/#findComment-137798 Share on other sites More sharing options...
Ninjakreborn Posted December 9, 2006 Author Share Posted December 9, 2006 Ok what do you suggest.Now I have someone trying to pop in javascript redirects, and php redirects, and html header redirects to porn sites.Now posting messages all over the page saying stuff like stop logging what you think is our ip, and all this other stuff.This is going to make me permanently lose this client, I guess on monday, I am gogin to go through and lockodwn security on the site, I will check for, and bloxk anything with javacript, html, php, I didn't know I had to bring out the bomb squad for every variable passed through the database. If this is true, then it's probably best for me to go ahead and create a massive function monday, that strips out all html, checks for script tags, or anythign related to javascript starting tags, checks for php tags, or anything that could start php tags.WIll that take care of atleast them doing things to the design, and doing things like redirecting me. Quote Link to comment https://forums.phpfreaks.com/topic/29977-hacked-avoidance/#findComment-137800 Share on other sites More sharing options...
Ninjakreborn Posted December 9, 2006 Author Share Posted December 9, 2006 It never happened before until this one site, it means they will start hittin gmy other sites.Red, whoever else, what can I do to lock everything down.Guarantee this won't happen again, with file downloads, I saw youra dvice, I wills tudy over that monday, but what about sql injection, I thought I had everything covered. Everything. Quote Link to comment https://forums.phpfreaks.com/topic/29977-hacked-avoidance/#findComment-137801 Share on other sites More sharing options...
redbullmarky Posted December 9, 2006 Share Posted December 9, 2006 [quote author=businessman332211 link=topic=117906.msg481430#msg481430 date=1165623220]Ok what do you suggest.[/quote][quote author=redbullmarky]erm - shut the site down before they REALLY go to town?[/quote]although i do feel that if the person who's doing it is a viewer of this forum, then the responses you're giving are kinda fueling the fire a little bit.... Quote Link to comment https://forums.phpfreaks.com/topic/29977-hacked-avoidance/#findComment-137802 Share on other sites More sharing options...
Ninjakreborn Posted December 9, 2006 Author Share Posted December 9, 2006 erm - shut the site down before they REALLY go to town?How can I shut it down, it's for a client, if I don't get a way to fix this, I could lose the project.I know I have so far done a bit more with the file's, now it's the sql injection.Is there something I can do to stop them, is your suggestion just to shut down the website completely, and drop the project? Quote Link to comment https://forums.phpfreaks.com/topic/29977-hacked-avoidance/#findComment-137803 Share on other sites More sharing options...
redbullmarky Posted December 9, 2006 Share Posted December 9, 2006 ok, leave the site up then and let them slowly take your entire career to pieces.alternatively - do as i say. then - pop a setup of LAMP on your local computer, and work on it locally. when you know its all cool, upload it. Quote Link to comment https://forums.phpfreaks.com/topic/29977-hacked-avoidance/#findComment-137807 Share on other sites More sharing options...
Ninjakreborn Posted December 9, 2006 Author Share Posted December 9, 2006 So I should go ahead and pull it off the internetfor now, under a different urltest it out, make sure everything works right, make sure there is no security issuesTHen pull it live again.What can I do to make it more secure while it's off on another urlLike whatcheck for I know javascript, check for php, and htmlbut what about people putting on bad comments or are there limits to what you can do. Quote Link to comment https://forums.phpfreaks.com/topic/29977-hacked-avoidance/#findComment-137809 Share on other sites More sharing options...
redbullmarky Posted December 9, 2006 Share Posted December 9, 2006 right - i just added a comment in your feedback box. you can see what it does. if i had the patience, i could do a lot more - yet javascript is my weak point. so what happens when someone comes along with a bit of experience?look up strip_tags (for getting rid of HTML inserts, etc) and htmlspecialchars for turning potentially unwanted input into safe-for-display output. Quote Link to comment https://forums.phpfreaks.com/topic/29977-hacked-avoidance/#findComment-137810 Share on other sites More sharing options...
trq Posted December 9, 2006 Share Posted December 9, 2006 If you want to stop people making bad comments you'd be best to make them have to sign up. This would stop timewasters posting crap for no reason.That last person had a point though. There is no [i]e[/i] on the end of secret. Quote Link to comment https://forums.phpfreaks.com/topic/29977-hacked-avoidance/#findComment-137811 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.