
I've been hacked - what to do?


gkh01


Someone has hacked into my site and managed to change (at the very least) my main index page.

My host says they've found a vulnerability in a php page and used it to modify the index page, but they can't/won't offer any more help or info.  Their suggestion is to remove all php pages from my site, but that simply isn't feasible.  Many of my pages use php to generate content from a database.  I also use Gallery (v2).

 

Reloading the index page does no good.  The hack modifications are instantly restored.

 

How can I locate the source of the problem and fix it?

 

What needs to be done to make php pages secure from such attacks?  Can someone point me to a tutorial, cite a book, etc?

 

My site is http://www.hrsms.org

 

Thanks,

 

Greg

Link to comment
Share on other sites

Upgrading to the latest versions of your software may help.  Reinstalling them would also be a good idea.

 

In the meantime, you may want to add password authentication to your entire site while you mop up.

 

As for the hack modifications being instantly restored, you might try the simple approach of renaming your index page until you can find out what's going on.

Link to comment
Share on other sites

Out of curiosity do you know if they did it by way of a form? Also are you using some type of CMS like PHP-Nuke?

 

I have only two simple forms:

 

http://www.hrsms.org/resources/resources.php

http://www.hrsms.org/mystery/mystery.shtml

 

and to my limited understanding, there is no way for someone to pass a script through them.

 

Gallery (http://www.hrsms.org/gallery/main.php) has some forms, but to submit anything I imagine you have to be registered first, and we have no untrusted users.  Though, perhaps someone has found a hack through the Gallery code.

 

I am not using a CMS.

 

Thanks for your reply.

 

Greg

Link to comment
Share on other sites

  • 1 month later...

I posted a question about Gallery security on their website (http://gallery.menalto.com/node/64884).  They have no known issues that would allow a "script insertion" hack.  They further claimed that if I am on a shared server (which I am) that a vulnerability on another site on the same server could somehow be affecting my own site.  Is that possible?

 

I have temporarily changed all of my own php pages (except one that is in a password protected folder) so that they have nothing but straight html in them.  Yet these script insertion attacks continue to plague me.  I now get virus warnings when I visit my own site.

 

Since I've deleted all my own php scripts, I don't see what I can do other than

1) drop the Gallery page - not a preferred option

2) find a new host - also not a preferred option, and only if it is truly possible that another site on the shared server is somehow affecting my own.

 

I welcome your comments.

 

Thanks,

 

Greg

Link to comment
Share on other sites

There are two sure-fire ways of stopping any injection, which is a HUGE security risk...

1) addslashes(strip_tags($string));

2) htmlentities($string,ENT_QUOTES);

 

putting either of them onto any/every form variable... ALWAYS...

 

I repeat... always always always protect $_POST/$_GET variables!

Link to comment
Share on other sites

I repeat... always always always protect $_POST/$_GET variables!

 

I appreciate your fast reply.  Honestly, I really do.  But as I said, I no longer have any forms on my own pages.  They have been removed.   Gallery has forms, but I have to take it as a matter of faith that their code has been secured, or drop the Gallery area altogether.   It's simply not practical for me to review and modify all their code.  And I imagine that dozens, if not hundreds, of other (much better) programmers are doing that already.

 

Here is an example of the php pages I have temporarily "disabled".

http://www.hrsms.org/resources/resources.php

 

Someone could navigate to

http://www.hrsms.org/resources/resources.php?"some hacker code"

 

But since I do not use anything after the '?' there is no danger, correct?

 

Even the original code did not use it directly in a SQL command.  It would do something like

if ($metals == 'on') // $metals populated from $_GET variable
{
    // Fixed query text: no request data is placed in the SQL string
    $myString = "SELECT * FROM resources AS r LEFT JOIN metals AS m ON r.id = m.id";
}

 

Isn't this safe?

 

What about the question of being on a shared server?  Can someone else's bad php code really allow my own index page to be altered?

Thanks again,

 

Greg

Link to comment
Share on other sites
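
An added example (not code from any poster in this thread) of handling request data by context: a flag such as the `metals` value above only selects between fixed query strings, a free-text value reaches SQL through a PDO prepared statement, and output is escaped with `htmlspecialchars()`. The in-memory SQLite schema, the `name` column and the `q` parameter are assumptions made for illustration.

```php
<?php
// Added illustration. The schema, the 'name' column and the 'q' parameter
// are assumptions, not taken from the site discussed in the thread.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE resources (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec('CREATE TABLE metals (id INTEGER PRIMARY KEY, alloy TEXT)');
$db->exec("INSERT INTO resources VALUES (1, 'Brass rod'), (2, 'Basswood <sheet>')");
$db->exec("INSERT INTO metals VALUES (1, 'brass')");

// Constructed request data standing in for $_GET.
$request = ['metals' => 'on', 'q' => "x' OR '1'='1"];

// 1) Flag parameter: compared against a literal, it only picks one of two
//    fixed query strings. No request data ever becomes part of the SQL text.
$sql = (($request['metals'] ?? '') === 'on')
    ? 'SELECT r.name FROM resources AS r LEFT JOIN metals AS m ON r.id = m.id'
    : 'SELECT r.name FROM resources AS r';
$rows = $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);

// 2) Free-text parameter: bound as data through a prepared statement, so the
//    quote characters in 'q' cannot change the structure of the query.
$stmt = $db->prepare('SELECT name FROM resources WHERE name LIKE :q');
$stmt->execute([':q' => '%' . $request['q'] . '%']);
$matches = $stmt->fetchAll(PDO::FETCH_COLUMN); // empty: the input is matched as plain text

// 3) Output: escape for the HTML context at the point of printing.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

echo "All resources:\n";
foreach ($rows as $name) {
    echo '<li>' . h($name) . "</li>\n";
}
echo 'Matches for "' . h($request['q']) . '": ' . count($matches) . "\n";
```
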

Shared servers are very very insecure. Chances are it was someone on your shared server who got in using a script on their site. Shared servers are the devil!

 

So that really is possible?

 

Weird thing is that I just switched from one web host to another (both shared servers).  I was with the first host for almost 4 years with no such problems.  But the mailman server was so horribly unreliable that I had to leave (my site is for a ship model club, and the most-used feature is the mailing list, for communication).  Now mailman is no problem, but I have these horrible hacks to the index page that I've never had in (as I said) four years!

 

So if not a shared server, what is a small non-profit club like mine to do?  We can't afford to pay anywhere near the prices I am seeing for dedicated servers.

Link to comment
Share on other sites

You just need to get a reliable shared host. But I am not sure, if you Google shared hosting exploits you may find some information that can help you beef up your security on shared hosting.

 

That and also follow the SQL injection guidelines etc. Always know what is being passed into your scripts.

 

 

EDIT:

 

Probably the first listing on Google is a great resource

 

http://shiflett.org/articles/shared-hosting

 

Very good reading.

Link to comment
Share on other sites
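
An added example, not from any post in this thread: a PHP command-line script that lists entries under a web root that are world-writable (modifiable by any other account on a shared server) or were modified recently, as a starting point for locating what keeps changing a page. The script name, the 7-day default window and the demo tree it builds when run without arguments are assumptions.

```php
<?php
// Added illustration. Usage: php triage.php /path/to/webroot [days]
// The script name and the 7-day default window are assumptions.

function triage(string $root, int $days = 7): array
{
    $cutoff = time() - $days * 86400;
    $findings = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST // report directories as well as files
    );
    foreach ($it as $path => $info) {
        if ($info->isLink()) {
            continue; // symlinks are neither followed nor reported
        }
        $flags = [];
        // Other-write bit (0002): any local account can modify this entry.
        if ($info->getPerms() & 0002) {
            $flags[] = 'world-writable';
        }
        if ($info->isFile() && $info->getMTime() >= $cutoff) {
            $flags[] = 'modified ' . date('Y-m-d H:i', $info->getMTime());
        }
        if ($flags) {
            $findings[$path] = $flags;
        }
    }
    ksort($findings);
    return $findings;
}

if (PHP_SAPI === 'cli') {
    $root = $argv[1] ?? null;
    if ($root === null) {
        // No path given: build a small constructed tree to show the output.
        $root = sys_get_temp_dir() . '/triage_demo_' . getmypid();
        mkdir("$root/gallery", 0755, true);
        file_put_contents("$root/index.html", '<html></html>');
        file_put_contents("$root/gallery/old.php", '<?php');
        touch("$root/gallery/old.php", time() - 30 * 86400); // outside the window
        chmod("$root/gallery", 0777);                         // flagged as world-writable
    }
    foreach (triage($root, (int)($argv[2] ?? 7)) as $path => $flags) {
        printf("%-60s %s\n", $path, implode(', ', $flags));
    }
}
```
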
