redbullmarky Posted December 9, 2006 Share Posted December 9, 2006 [quote author=thorpe link=topic=117906.msg481441#msg481441 date=1165624238]That laste person had a point though. There is no [i]e[/i] on the end of secret.[/quote]unless you WANT porn ads ;) Quote Link to comment https://forums.phpfreaks.com/topic/29977-hacked-avoidance/page/2/#findComment-137812 Share on other sites More sharing options...
obsidian Posted December 9, 2006 Share Posted December 9, 2006 [quote author=businessman332211 link=topic=117906.msg481375#msg481375 date=1165614971]Ah, I didn't realize that, I will do some more research on it, I am on the phone with the legal department for his interet (and luckily) cellphone service provider, they are putting me through to there legal department.[/quote]I say, old chap, that is jolly awful! I hate it when people screw with stuff that isn't theirs in the first place, and then when they continue to lay on a personal attack like that, I only wish I could put words to what a rotter he is. However, I wouldn't waste my time with trying to track down and take action against an individual like that unless you are getting some sort of personal threat, but rather you should focus your efforts into doing just what your title suggests: [i]avoid future occurrences[/i] by learning from your (and his) mistakes ;) Quote Link to comment https://forums.phpfreaks.com/topic/29977-hacked-avoidance/page/2/#findComment-137813 Share on other sites More sharing options...
redbullmarky Posted December 9, 2006 Share Posted December 9, 2006 with all due respect lad, if you'da taken off your site when i first suggested, rather than questioning why, then maybe i wouldnt now be staring at the PROPER meaning of 'secrete' ;Dyour clients sites should not be public until money has exchanged hands and the site is ready. if youre gonna keep it on a public server, at least lock it down with a password or two....still...hopefully you still have the power. take it down. Quote Link to comment https://forums.phpfreaks.com/topic/29977-hacked-avoidance/page/2/#findComment-137821 Share on other sites More sharing options...
Daniel0 Posted December 9, 2006 Share Posted December 9, 2006 Perhaps you should start with removing the redirect... Quote Link to comment https://forums.phpfreaks.com/topic/29977-hacked-avoidance/page/2/#findComment-137826 Share on other sites More sharing options...
trq Posted December 9, 2006 Share Posted December 9, 2006 Ive just edited and removed the link to the site in question from your original post as it now links to porn. Quote Link to comment https://forums.phpfreaks.com/topic/29977-hacked-avoidance/page/2/#findComment-137830 Share on other sites More sharing options...
roopurt18 Posted December 9, 2006 Share Posted December 9, 2006 Have you gone through and looked at the contents of the directory where you were moving uploaded files? Chances are the attackers uploaded a multitude of PHP scripts and are only now starting to execute them through their browser.As far as filtering data is concerned, there is one rule to follow: Always, always, always. Quote Link to comment https://forums.phpfreaks.com/topic/29977-hacked-avoidance/page/2/#findComment-137905 Share on other sites More sharing options...
Ninjakreborn Posted December 9, 2006 Author Share Posted December 9, 2006 Ok I got the ideas, I got the opinions.Now I will implement everything you have said, I couldn't move the domain, but for some reason the owner thinks it's funny anyway.He was actually laughing about it, so I will go ahead and get organized. I will start up a function to take care of javascript script tags, html, any possible php programming. I will take care of that. I will make sure my file's are secure, and I will put some programming in there to screen cusswords out, and block people from posting them. I will make sure I learn from it, and take care of it. I will learn from my mistakes here, and make functions that will help me for every project, not just this one. I know the power of hackers, so now I have to learn how to fight it.I will post back here in a couple of day's, on monday, and see how it went. I know people will still post rude shit, but then he can just ban them as he wants, that's the nature, and destiny of this type of site, with a lot of spammers as well. He thinks it's funny so it's fine with me.As for making people register, that would be a good idea, but he wanted to avoid that if he could. He said no about that, so that's all I know.Thanks for all the advice. Quote Link to comment https://forums.phpfreaks.com/topic/29977-hacked-avoidance/page/2/#findComment-138051 Share on other sites More sharing options...
AndyB Posted December 9, 2006 Share Posted December 9, 2006 [quote author=businessman332211 link=topic=117906.msg481691#msg481691 date=1165676603]I will start up a function to take care of javascript script tags, html, any possible php programming. I will take care of that. [/quote]Start with strip_tags - http://ca.php.net/manual/en/function.strip-tags.php - and read the user notes. Quote Link to comment https://forums.phpfreaks.com/topic/29977-hacked-avoidance/page/2/#findComment-138056 Share on other sites More sharing options...
Ninjakreborn Posted December 9, 2006 Author Share Posted December 9, 2006 thanks andy, will do Quote Link to comment https://forums.phpfreaks.com/topic/29977-hacked-avoidance/page/2/#findComment-138077 Share on other sites More sharing options...
akitchin Posted December 11, 2006 Share Posted December 11, 2006 i'm going to go out and suggest that this might not even have been illegal. it's easily argued as negligence on the developer's part, whether foul-play is the cause or not. Quote Link to comment https://forums.phpfreaks.com/topic/29977-hacked-avoidance/page/2/#findComment-138716 Share on other sites More sharing options...
Ninjakreborn Posted December 11, 2006 Author Share Posted December 11, 2006 That's true, it was my fault, I learnt from it. I am fixing this up today.I will learn as I go. Quote Link to comment https://forums.phpfreaks.com/topic/29977-hacked-avoidance/page/2/#findComment-138972 Share on other sites More sharing options...
Ninjakreborn Posted December 11, 2006 Author Share Posted December 11, 2006 [code]<?phpfunction deepclean($varinfo) { global $varinfo; $varinfo = htmlspecialchars($varinfo); $varinfo = htmlentities($varinfo); $varinfo = strip_tags($varinfo); $varinfo = mysql_real_escape_string($varinfo);}?>[/code]How is this, I spent most of the morning doing research. THose 3 won't take care of all problem's, but they will take care of the majority of them, from there if I encounter problem's, I can slowly modify the function, to take care of each problems. I am going to try it, and see if it works well. I mostly want to stop a few specific tag's, to stop the redirects, or other problems. Later I can build onto it, to make it more secure. I think I learnt some valuable stuff from this project.I just added strip_tags as well. Quote Link to comment https://forums.phpfreaks.com/topic/29977-hacked-avoidance/page/2/#findComment-138979 Share on other sites More sharing options...
Jenk Posted December 11, 2006 Share Posted December 11, 2006 Chances are they have hacked your host server and not your script. Inform your host ASAP if you haven't already, and ask them to investigate. Prepare yourself for an ear bashing if it is your script at fault.Handling attachment files - do not leave them in a web-accessible folder. Ever.Use php to fetch the files from a below document root directory and server as you see fit. If they are image files, use getimagesize() to determine if it is an image (as already mentioned)For anything else, use readfile() and the header "Content-Dispostion: attachment" to serve the file(s) as a download. Quote Link to comment https://forums.phpfreaks.com/topic/29977-hacked-avoidance/page/2/#findComment-138999 Share on other sites More sharing options...
Ninjakreborn Posted December 11, 2006 Author Share Posted December 11, 2006 Ok, I can rework the file downloads. It is the scripts, I have been checking on what they are doing, for the file downloads, they were sending php files then visiting those files in the browser to delete the homepage, and things like that.For the other problem, they were just putting stuff in the database to make it redirect. Both simply things, that I should have paid attention to in the beginning, I just needed a good run-in with it, to be able to know what was going on and how to fix it. I found a problem, and learnt from it, if I get another opprotunity with this to learn even more then so be it. Quote Link to comment https://forums.phpfreaks.com/topic/29977-hacked-avoidance/page/2/#findComment-139003 Share on other sites More sharing options...
Ninjakreborn Posted December 11, 2006 Author Share Posted December 11, 2006 What the heck.[code]<?phpfunction deepclean($varinfo) { global $varinfo; $varinfo = htmlspecialchars($varinfo); $varinfo = htmlentities($varinfo); $varinfo = strip_tags($varinfo); $varinfo = mysql_real_escape_string($varinfo);}?>[/code]That code above, didn't even use mysql_real_escape_string.it doesn't do anything, I can still pass script tag's, and it doesn't even use escape strings. Quote Link to comment https://forums.phpfreaks.com/topic/29977-hacked-avoidance/page/2/#findComment-139007 Share on other sites More sharing options...
Ninjakreborn Posted December 11, 2006 Author Share Posted December 11, 2006 Nevermind, it works, I was doing it wrong. I am going to test it awhile, look for problems in using all of these together, look for possible problems in posting, try to find more security loopholes, or maybe the crackheads can find some more, so I can learn from them. I am going to do some more, see what I can do, follow some of your advice roopert on the downloads, adn see what else security wise (functions for later use), I can come up with, see if I can make this deep cleaning even deeper. Quote Link to comment https://forums.phpfreaks.com/topic/29977-hacked-avoidance/page/2/#findComment-139009 Share on other sites More sharing options...
Ninjakreborn Posted December 11, 2006 Author Share Posted December 11, 2006 [code]<?phpfunction deepclean($varinfo) { $varinfo = strip_tags($varinfo); $varinfo = htmlspecialchars($varinfo, ENT_NOQUOTES); $varinfo = htmlentities($varinfo); $varinfo = mysql_real_escape_string($varinfo); return $varinfo; // Added this line}?>[/code]Credit = "Thanks huggie for fixing my problem, with the returnso * It strips out whatever tags it can* if it misses any there is sstill the 2 below it to encode them* It runs it through escape stringit's ready to gobeen testedit removes script tags, meta tags, php tags normal html tags, and leaves quotes uncoded, for mysql_real_escape_stringhopefully this can help someone in my same problemif someone has advice on how to build onto this, to makeit even better, then great Quote Link to comment https://forums.phpfreaks.com/topic/29977-hacked-avoidance/page/2/#findComment-139031 Share on other sites More sharing options...
Jenk Posted December 11, 2006 Share Posted December 11, 2006 It's overkill, and you could end up with more problems than you are fixing, tbh.If you are inserting to a mysql table, use mysql_real_escape_string() after you have initialised the connection.If you are displaying the input, use htmlentities() Don't bother with strip_tags() if you are using the above.Don't bother with htmlspecialchars() as it does just the same as htmlentities() (when using switch)Just take a step back.. look at what is actually happening and fix that.You've said they are uploading a php file, and then navigating to it to execute it. That's fine - change the uploaded directory location to a directory that is inaccessible to the web. They can no longer execute php files.Let's say your docroot is /var/yourusername/www/public_html/So set the uploaded files directory to /var/yourusername/www/uploadedfilesWeb users will now no longer be able to access the uploaded files directly.Now you can use PHP to manage the files, and to treat them with the necessary care. [code]<?php$file = 'some filename from user input..';$dir = realpath('/var/yourusername/www/uploadedfiles' . $file) or die('File not found');$file = $dir . DIRECTORY_SEPARATOR . $file;$images = array( '.png' => 'image/png', '.gif' => 'image/gif', '.jpg' => 'image/jpeg', '.jpeg' => 'image/jpeg', /* etc */);$ext = strtolower(strrchr($file, '.'));if (getimagesize($file) !== false && array_key_exists($ext, $images)){ header('Content-Type: ' . $images[$ext]);}elseif (is_readable($file)){ header('Content-Disposition: attachment; filesize: ' . filesize($file)); header('Content-Type: application-x/octet-stream');}else{ die('File cannot be read');}readfile($file);?>[/code]Untested but is just about the gist of it.. Quote Link to comment https://forums.phpfreaks.com/topic/29977-hacked-avoidance/page/2/#findComment-139117 Share on other sites More sharing options...
Ninjakreborn Posted December 11, 2006 Author Share Posted December 11, 2006 Ok, I have been told this a few time's, by multiple people.So it's time to explain why I have delayed in using it.When people tell me to put "anything" outside the web accessibly folder. I don't fully understand.For instance, I go to a shared host.I have say public_htmlthat is my "Root" folder to what "I" have access to.I have my domains normally split up in folders (there's really no other way)So Say I have my sitefreelancebusinessman - (folder name)then 2 clients sitessaysecretfeedback - (folder name)moondancedesign - (folder name)these are just some examplesNow the domain names, are what is accessible, I ahve the domains pointed as shownfreelancebusinessman - www.freelancebusinessman.commoondancedesign - www.moondancedesign.comsecretfeedback - www.secretEfeedback.comthere, that is all set.Now I want to put something outside the root directory, anythingit would be under public_html/somefolder(with no domain pointed to it)/file.extthere, that is a web inaccessible folder, because no domain is pointing to somefolderso if I have public_html/freelancebusinessman/portfolio/hello.phpSay I decided I had 3 filestest1.php test2.php and test3.phpI put them herepublic_html/test1.phppublic_html/test2.phppublic_html/test3.phpor public_html/somefolder/test1.phppublic_html/somefolder/test2.phppublic_html/somefolder/test3.phpok, I want to access one or the other frompublic_html/freelancebusinessman/portfolio/hello.phpnow the public html isn't web accessiblefreelancebusinessman is, and everything in itI don't understand how to access those other files? And have it work. Quote Link to comment https://forums.phpfreaks.com/topic/29977-hacked-avoidance/page/2/#findComment-139126 Share on other sites More sharing options...
roopurt18 Posted December 11, 2006 Share Posted December 11, 2006 If your web accessible folder is public_html, then a non-accessible folder is anything outside of that folder.These are [b]not[/b] web accessible:./uploadedfiles./tmp./hi2uThese [b]are[/b] web accessible:./public_html/uploadedfiles./public_html/tmp./public_html/hi2uNotice a difference? Quote Link to comment https://forums.phpfreaks.com/topic/29977-hacked-avoidance/page/2/#findComment-139155 Share on other sites More sharing options...
Ninjakreborn Posted December 11, 2006 Author Share Posted December 11, 2006 NoI am very confused now:S Quote Link to comment https://forums.phpfreaks.com/topic/29977-hacked-avoidance/page/2/#findComment-139159 Share on other sites More sharing options...
redbullmarky Posted December 11, 2006 Share Posted December 11, 2006 righty then, let us start with a simple question. lets take your secret site as an example. see where its main index.php file is? ie, the homepage? that is just inside your web root. imagine it's your C:\WINDOWS. in this case, anything ELSE on your C: drive (including, for example, C:\ , C:\games, C:\porno etc is NOT accessible to you. only the C:\windows is. BUT - a script inside the C:\windows can have access to these other directories and its contents, just not the actual user.get it now?so if you have a public_html, then ANYTHING in there is accessible from the web. anything elsewhere on the server is NOT. scripts WITHIN your public_html can access other places, but the user can't directly. get it? Quote Link to comment https://forums.phpfreaks.com/topic/29977-hacked-avoidance/page/2/#findComment-139197 Share on other sites More sharing options...
Ninjakreborn Posted December 11, 2006 Author Share Posted December 11, 2006 I thought anything not in the line of the url is accesible.public_html/websiteI thought the domain is pointing to website, so public_html can't be reached:S rightif not, then I can't do that, because on most web hosts, I can't go anywhere below the public_html (I don't think I never tried. Quote Link to comment https://forums.phpfreaks.com/topic/29977-hacked-avoidance/page/2/#findComment-139199 Share on other sites More sharing options...
redbullmarky Posted December 11, 2006 Share Posted December 11, 2006 dont let the name of 'public_html' decieve you. if you've set it up like:public_html/website1/index.php (www.website1.com/index.php)public_html/website2/index.php (www.website2.com/index.php)then it looks like website1 and website2 have been set up as their own individual document roots, so essentially the public_html is outside of prying eyes. if that is the case, make a directory inside your public_html folder (on the same level as your website1/website2 directories) and you're ready to go. Quote Link to comment https://forums.phpfreaks.com/topic/29977-hacked-avoidance/page/2/#findComment-139207 Share on other sites More sharing options...
SharkBait Posted December 11, 2006 Share Posted December 11, 2006 I just read over the posts in this thread.If they are uploading scripts and being executed what are the permissions on said script? If they are deleting files via the uploaded script isn't that an issue too?I hope somehow uploaded files aren't given 0777 access when they are created. Quote Link to comment https://forums.phpfreaks.com/topic/29977-hacked-avoidance/page/2/#findComment-139231 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.