hacked (avoidance)

[redbullmarky]

[quote author=thorpe link=topic=117906.msg481441#msg481441 date=1165624238]
That laste person had a point though. There is no [i]e[/i] on the end of secret.
[/quote]

unless you WANT porn ads ;)

[obsidian]

[quote author=businessman332211 link=topic=117906.msg481375#msg481375 date=1165614971]
Ah, I didn't realize that, I will do some more research on it, I am on the phone with the legal department for his interet (and luckily) cellphone service provider, they are putting me through to there legal department.
[/quote]

I say, old chap, that is jolly awful! I hate it when people screw with stuff that isn't theirs in the first place, and then when they continue to lay on a personal attack like that, I only wish I could put words to what a rotter he is. However, I wouldn't waste my time with trying to track down and take action against an individual like that unless you are getting some sort of personal threat, but rather you should focus your efforts into doing just what your title suggests: [i]avoid future occurrences[/i] by learning from your (and his) mistakes ;)

[redbullmarky]

with all due respect lad, if you'da taken off your site when i first suggested, rather than questioning why, then maybe i wouldnt now be staring at the PROPER meaning of 'secrete' ;D

your clients sites should not be public until money has exchanged hands and the site is ready. if youre gonna keep it on a public server, at least lock it down with a password or two....

still...hopefully you still have the power. take it down.

[Daniel0]

Perhaps you should start with removing the redirect...

[trq]

Ive just edited and removed the link to the site in question from your original post as it now links to porn.

[roopurt18]

Have you gone through and looked at the contents of the directory where you were moving uploaded files?  Chances are the attackers uploaded a multitude of PHP scripts and are only now starting to execute them through their browser.

As far as filtering data is concerned, there is one rule to follow: Always, always, always.

[Ninjakreborn]

Ok I got the ideas, I got the opinions.
Now I will implement everything you have said, I couldn't move the domain, but for some reason the owner thinks it's funny anyway.
He was actually laughing about it, so I will go ahead and get organized.  I will start up a function to take care of javascript script tags, html, any possible php programming.  I will take care of that.  I will make sure my file's are secure, and I will put some programming in there to screen cusswords out, and block people from posting them.  I will make sure I learn from it, and take care of it.  I will learn from my mistakes here, and make functions that will help me for every project, not just this one.  I know the power of hackers, so now I have to learn how to fight it.

I will post back here in a couple of day's, on monday, and see how it went.  I know people will still post rude shit, but then he can just ban them as he wants, that's the nature, and destiny of this type of site, with a lot of spammers as well.  He thinks it's funny so it's fine with me.

As for making people register, that would be a good idea, but he wanted to avoid that if he could.  He said no about that, so that's all I know.
Thanks for all the advice.

[AndyB]

[quote author=businessman332211 link=topic=117906.msg481691#msg481691 date=1165676603]I will start up a function to take care of javascript script tags, html, any possible php programming.  I will take care of that. 
[/quote]

Start with strip_tags - http://ca.php.net/manual/en/function.strip-tags.php - and read the user notes.

[Ninjakreborn]

thanks andy, will do

[akitchin]

i'm going to go out and suggest that this might not even have been illegal.  it's easily argued as negligence on the developer's part, whether foul-play is the cause or not.

[Ninjakreborn]

That's true, it was my fault, I learnt from it.  I am fixing this up today.
I will learn as I go.

[Ninjakreborn]

[code]<?php
function deepclean($varinfo) {
global $varinfo;
$varinfo = htmlspecialchars($varinfo);
$varinfo = htmlentities($varinfo);
        $varinfo = strip_tags($varinfo);
$varinfo = mysql_real_escape_string($varinfo);

}
?>[/code]
How is this, I spent most of the morning doing research.  THose 3 won't take care of all problem's, but they will take care of the majority of them, from there if I encounter problem's, I can slowly modify the function, to take care of each problems.  I am going to try it, and see if it works well.  I mostly want to stop a few specific tag's, to stop the redirects, or other problems.  Later I can build onto it, to make it more secure.  I think I learnt some valuable stuff from this project.
I just added strip_tags as well.

[Jenk]

Chances are they have hacked your host server and not your script. Inform your host ASAP if you haven't already, and ask them to investigate. Prepare yourself for an ear bashing if it is your script at fault.

Handling attachment files - do not leave them in a web-accessible folder. Ever.

Use php to fetch the files from a below document root directory and server as you see fit. If they are image files, use getimagesize() to determine if it is an image (as already mentioned)

For anything else, use readfile() and the header "Content-Dispostion: attachment" to serve the file(s) as a download.

[Ninjakreborn]

Ok, I can rework the file downloads.  It is the scripts, I have been checking on what they are doing, for the file downloads, they were sending php files then visiting those files in the browser to delete the homepage, and things like that.
For the other problem, they were just putting stuff in the database to make it redirect.  Both simply things, that I should have paid attention to in the beginning, I just needed a good run-in with it, to be able to know what was going on and how to fix it.  I found a problem, and learnt from it, if I get another opprotunity with this to learn even more then so be it.

[Ninjakreborn]

What the heck.

[code]<?php
function deepclean($varinfo) {
global $varinfo;
$varinfo = htmlspecialchars($varinfo);
$varinfo = htmlentities($varinfo);
$varinfo = strip_tags($varinfo);
$varinfo = mysql_real_escape_string($varinfo);

}
?>[/code]
That code above, didn't even use mysql_real_escape_string.
it doesn't do anything, I can still pass script tag's, and it doesn't even use escape strings.

[Ninjakreborn]

Nevermind, it works, I was doing it wrong.  I am going to test it awhile, look for problems in using all of these together, look for possible problems in posting, try to find more security loopholes, or maybe the crackheads can find some more, so I can learn from them.  I am going to do some more, see what I can do, follow some of your advice roopert on the downloads, adn see what else security wise (functions for later use), I can come up with, see if I can make this deep cleaning even deeper.

[Ninjakreborn]

[code]<?php
function deepclean($varinfo) {
$varinfo = strip_tags($varinfo);
$varinfo = htmlspecialchars($varinfo, ENT_NOQUOTES);
$varinfo = htmlentities($varinfo);
$varinfo = mysql_real_escape_string($varinfo);
return $varinfo; // Added this line

}
?>[/code]
Credit = "Thanks huggie for fixing my problem, with the return
so
* It strips out whatever tags it can
* if it misses any there is sstill the 2 below it to encode them
* It runs it through escape string
it's ready to go
been tested
it removes script tags, meta tags, php tags
normal html tags, and leaves quotes uncoded, for mysql_real_escape_string
hopefully this can help someone in my same problem
if someone has advice on how to build onto this, to makeit even better, then great

[Jenk]

It's overkill, and you could end up with more problems than you are fixing, tbh.

If you are inserting to a mysql table, use mysql_real_escape_string() after you have initialised the connection.

If you are displaying the input, use htmlentities()

Don't bother with strip_tags() if you are using the above.

Don't bother with htmlspecialchars() as it does just the same as htmlentities() (when using switch)

Just take a step back.. look at what is actually happening and fix that.

You've said they are uploading a php file, and then navigating to it to execute it. That's fine - change the uploaded directory location to a directory that is inaccessible to the web. They can no longer execute php files.

Let's say your docroot is /var/yourusername/www/public_html/

So set the uploaded files directory to /var/yourusername/www/uploadedfiles

Web users will now no longer be able to access the uploaded files directly.

Now you can use PHP to manage the files, and to treat them with the necessary care.

[code]<?php

$file = 'some filename from user input..';

$dir = realpath('/var/yourusername/www/uploadedfiles' . $file) or die('File not found');

$file = $dir . DIRECTORY_SEPARATOR . $file;
$images = array(
    '.png' => 'image/png',
    '.gif' => 'image/gif',
    '.jpg' => 'image/jpeg',
    '.jpeg' => 'image/jpeg',
    /* etc */
);
$ext = strtolower(strrchr($file, '.'));

if (getimagesize($file) !== false && array_key_exists($ext, $images))
{
    header('Content-Type: ' . $images[$ext]);
}
elseif (is_readable($file))
{
    header('Content-Disposition: attachment; filesize: ' . filesize($file));
    header('Content-Type: application-x/octet-stream');
}
else
{
    die('File cannot be read');
}

readfile($file);

?>[/code]

Untested but is just about the gist of it..

[Ninjakreborn]

Ok, I have been told this a few time's, by multiple people.
So it's time to explain why I have delayed in using it.
When people tell me to put "anything" outside the web accessibly folder.  I don't fully understand.
For instance, I go to a shared host.
I have say
public_html
that is my "Root" folder to what "I" have access to.
I have my domains normally split up in folders (there's really no other way)
So Say I have my site
freelancebusinessman - (folder name)
then 2 clients sites
say
secretfeedback - (folder name)
moondancedesign - (folder name)
these are just some examples
Now the domain names, are what is accessible, I ahve the domains pointed as shown
freelancebusinessman - www.freelancebusinessman.com
moondancedesign - www.moondancedesign.com
secretfeedback - www.secretEfeedback.com
there, that is all set.
Now I want to put something outside the root directory, anything
it would be under
public_html/somefolder(with no domain pointed to it)/file.ext
there, that is a web inaccessible folder, because no domain is pointing to somefolder
so if I have
public_html/freelancebusinessman/portfolio/hello.php
Say I decided I had 3 files
test1.php test2.php and test3.php
I put them here
public_html/test1.php
public_html/test2.php
public_html/test3.php
or
public_html/somefolder/test1.php
public_html/somefolder/test2.php
public_html/somefolder/test3.php
ok, I want to access one or the other from
public_html/freelancebusinessman/portfolio/hello.php
now the public html isn't web accessible
freelancebusinessman is, and everything in it
I don't understand how to access those other files?  And have it work.

[roopurt18]

If your web accessible folder is public_html, then a non-accessible folder is anything outside of that folder.

These are [b]not[/b] web accessible:
./uploadedfiles
./tmp
./hi2u

These [b]are[/b] web accessible:
./public_html/uploadedfiles
./public_html/tmp
./public_html/hi2u

Notice a difference?

[Ninjakreborn]

No
I am very confused now:S

[redbullmarky]

righty then, let us start with a simple question. lets take your secret site as an example. see where its main index.php file is? ie, the homepage? that is just inside your web root. imagine it's your C:\WINDOWS. in this case, anything ELSE on your C: drive (including, for example, C:\ , C:\games, C:\porno etc is NOT accessible to you. only the C:\windows is. BUT - a script inside the C:\windows can have access to these other directories and its contents, just not the actual user.

get it now?

so if you have a public_html, then ANYTHING in there is accessible from the web. anything elsewhere on the server is NOT. scripts WITHIN your public_html can access other places, but the user can't directly. get it?

[Ninjakreborn]

I thought anything not in the line of the url is accesible.
public_html/website
I thought the domain is pointing to website, so public_html can't be reached:S right
if not, then I can't do that, because on most web hosts, I can't go anywhere below the public_html (I don't think I never tried.

[redbullmarky]

dont let the name of 'public_html' decieve you. if you've set it up like:
public_html/website1/index.php (www.website1.com/index.php)
public_html/website2/index.php (www.website2.com/index.php)

then it looks like website1 and website2 have been set up as their own individual document roots, so essentially the public_html is outside of prying eyes. if that is the case, make a directory inside your public_html folder (on the same level as your website1/website2 directories) and you're ready to go.

[SharkBait]

I just read over the posts in this thread.

If they are uploading scripts and being executed what are the permissions on said script?  If they are deleting files via the uploaded script isn't that an issue too?

I hope somehow uploaded files aren't given 0777 access when they are created.