gkh01 Posted April 10, 2007

Someone has hacked into my site and managed to change (at the very least) my main index page. My host says they've found a vulnerability in a php page and used it to modify the index page, but they can't/won't offer any more help or info. Their suggestion is to remove all php pages from my site, but that simply isn't feasible. Many of my pages use php to generate content from a database. I also use Gallery (v2).

Reloading the index page does no good. The hack modifications are instantly restored.

How can I locate the source of the problem and fix it? What needs to be done to make php pages secure from such attacks? Can someone point me to a tutorial, cite a book, etc?

My site is http:\\www.hrsms.org

Thanks,
Greg

fert Posted April 10, 2007

mysql_real_escape_string
addslashes
strip_tags

suttercain Posted April 10, 2007

Out of curiosity do you know if they did it by way of a form? Also are you using some type of CMS like PHP-Nuke?

btherl Posted April 10, 2007

Upgrading to the latest versions of your software may help. Reinstalling them would also be a good idea. In the meantime, you may want to add password authentication to your entire site while you mop up.

As for the hack modifications being instantly restored, you might try the simple approach of renaming your index page until you can find out what's going on.

gkh01 Posted April 10, 2007

> Out of curiosity do you know if they did it by way of a form? Also are you using some type of CMS like PHP-Nuke?

I have only two simple forms:

http://www.hrsms.org/resources/resources.php
http://www.hrsms.org/mystery/mystery.shtml

and to my limited understanding, there is no way for someone to pass a script through them.

Gallery (http://www.hrsms.org/gallery/main.php) has some forms, but to submit anything I imagine you have to be registered first, and we have no untrusted users. Though, perhaps someone has found a hack through the Gallery code.

I am not using a CMS.

Thanks for your reply.
Greg

gkh01 Posted May 25, 2007

I posted a question about Gallery security on their website (http://gallery.menalto.com/node/64884). They have no known issues that would allow a "script insertion" hack. They further claimed that if I am on a shared server (which I am) that a vulnerability on another site on the same server could somehow be affecting my own site. Is that possible?

I have temporarily changed all of my own php pages (except one that is in a password protected folder) so that they have nothing but straight html in them. Yet these script insertion attacks continue to plague me. I now get virus warnings when I visit my own site.

Since I've deleted all my own php scripts, I don't see what I can do other than

1) drop the Gallery page - not a preferred option
2) find a new host - also not a preferred option, and only if it is truly possible that another site on the shared server is somehow affecting my own.

I welcome your comments.

Thanks,
Greg

taith Posted May 25, 2007

There's two sure fire ways of stopping any injection, which is a HUGE security risk...

1) addslashes(strip_tags($string));
2) htmlentities($string,ENT_QUOTES);

putting either of them onto any/every form variable... ALWAYS... I repeat... always always always protect $_POST/$_GET variables!

per1os Posted May 25, 2007

Shared servers are very very insecure. Chances are it was someone on your shared server who got in using a script on their site.

Shared servers are teh devil!

gkh01 Posted May 25, 2007

> I repeat... always always always protect $_POST/$_GET variables!

I appreciate your fast reply. Honestly, I really do. But as I said, I no longer have any forms on my own pages. They have been removed. Gallery has forms, but I have to take it as a matter of faith that their code has been secured, or drop the Gallery area altogether. It's simply not practical for me to review and modify all their code. And I imagine that dozens, if not hundreds, of other (much better) programmers are doing that already.

Here is an example of the php pages I have temporarily "disabled".

http://www.hrsms.org/resources/resources.php

Someone could navigate to

http://www.hrsms.org/resources/resources.php?"some hacker code"

But since I do not use anything after the '?' there is no danger, correct? Even the original code did not use it directly in a SQL command. It would do something like

    if ($metals == 'on') // $metals populated from $_GET variable
    {
        $myString = "SELECT * FROM `resources` AS r LEFT JOIN `metals` AS m ON r.id = m.id";
    }

Isn't this safe?

What about the question of being on a shared server? Can someone else's bad php code really allow my own index page to be altered?

Thanks again,
Greg

corbin Posted May 25, 2007

Yes, it definitely can. Worse yet, if your host has the file permissions configured wrong (which is very common on shared hosting), people could easily access your directories and modify things >.<.

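A way to check for the permission problem described in the post above, as an added example that is not from the thread: it walks a document root and lists entries that any other account on the server can write to, plus files changed in the last few days (useful when a page keeps getting rewritten). The `audit_docroot()` name, the command-line usage and the 7-day window are assumptions.

```php
<?php
// Added example, not code from the thread: report world-writable entries
// and recently changed files under a document root.
declare(strict_types=1);

function audit_docroot(string $root, int $recentDays = 7): array
{
    $cutoff = time() - $recentDays * 86400;
    $report = ['world_writable' => [], 'recently_modified' => []];
    $walker = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST,
        RecursiveIteratorIterator::CATCH_GET_CHILD // skip unreadable directories
    );
    foreach ($walker as $info) {
        if ($info->isLink()) {
            continue; // symlinks are not followed or reported
        }
        $path = $info->getPathname();
        // 0002 is the "other" write bit: any local account may modify the entry.
        if (($info->getPerms() & 0002) !== 0) {
            $mode = sprintf('%04o', $info->getPerms() & 07777);
            $report['world_writable'][] = "$mode $path";
        }
        if ($info->isFile() && $info->getMTime() >= $cutoff) {
            $stamp = date('Y-m-d H:i', $info->getMTime());
            $report['recently_modified'][] = "$stamp $path";
        }
    }
    return $report;
}

// Assumed usage: php audit.php /path/to/public_html
$root = $argv[1] ?? __DIR__;
foreach (audit_docroot($root) as $section => $lines) {
    echo "== $section ==\n", implode("\n", $lines), "\n";
}
```
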
gkh01 Posted May 25, 2007

> Shared servers are very very insecure. Chances are it was someone on your shared server who got in using a script on their site.
>
> Shared servers are teh devil!

So that really is possible? Weird thing is that I just switched from one web host to another (both shared servers). I was with the first host for almost 4 years with no such problems. But the mailman server was so horribly unreliable that I had to leave (my site is for a ship model club, and the most-used feature is the mailing list, for communication). Now mailman is no problem, but I have these horrible hacks to the index page that I've never had in (as I said) four years!

So if not a shared server, what is a small non-profit club like mine to do? We can't afford to pay anywhere near the prices I am seeing for dedicated servers.

per1os Posted May 25, 2007

You just need to get a reliable shared host. But I am not sure, if you Google shared hosting exploits you may find some information that can help you beef up your security on shared hosting.

That and also follow the SQL injection guidelines etc. Always know what is being passed into your scripts.

EDIT:

Probably the first listing on Google is a great resource:

http://shiflett.org/articles/shared-hosting

Very good reading.

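"Always know what is being passed into your scripts", applied to the `metals` flag discussed earlier in the thread, as an added example that is not code from any poster: the request value only selects between fixed queries, a value that does reach SQL is bound as a parameter, and output is escaped for HTML. The `find_resources()` helper, the `q` parameter and the `name` column are assumptions, and an in-memory SQLite database stands in for the site's MySQL.

```php
<?php
// Added example, not code from the thread. Table and column names are assumed;
// an in-memory SQLite database stands in for the site's MySQL server.
declare(strict_types=1);

function find_resources(PDO $db, array $get): array
{
    // 1. The flag is only compared with a fixed value; it is never copied into SQL.
    $onlyMetals = isset($get['metals']) && $get['metals'] === 'on';
    $sql = 'SELECT r.id, r.name FROM resources AS r';
    if ($onlyMetals) {
        $sql .= ' JOIN metals AS m ON r.id = m.id';
    }
    // 2. A free-text value does reach the query, so it is bound as a parameter.
    $params = [];
    if (isset($get['q']) && is_string($get['q']) && $get['q'] !== '') {
        $sql .= ' WHERE r.name LIKE :q';
        $params[':q'] = '%' . $get['q'] . '%';
    }
    $stmt = $db->prepare($sql . ' ORDER BY r.id');
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE resources (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec('CREATE TABLE metals (id INTEGER PRIMARY KEY)');
$db->exec("INSERT INTO resources VALUES (1, 'Brass rod'), (2, 'Basswood <sheet>')");
$db->exec('INSERT INTO metals VALUES (1)');

// Constructed requests: a value containing a quote, then a plain listing.
$requests = [
    ['metals' => 'on', 'q' => "rod' OR '1'='1"], // the quote stays inside the bound value
    ['metals' => 'off'],
];
foreach ($requests as $get) {
    $rows = find_resources($db, $get);
    echo count($rows), " row(s)\n";
    foreach ($rows as $row) {
        // 3. Escape at output time, for the HTML context.
        echo '<li>', htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'), "</li>\n";
    }
}
```
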
jamina1 Posted May 25, 2007

I've had great luck with Dreamhost, personally. Check them out.