
View Full Version : Website being hacked



runnerjp
02-08-2010, 03:06 PM
Hey guys,

My forum on my website seems to have been hacked. The hacker has been able to delete all my posts and add their own under my admin account, quoting:

--------------------------------------------------------------------------------

Charlie Chaplin once said something to the effect of:

'Humour is an act of defiance; that we must laugh at our helplessness against the forces of nature, or go insane.'

And where is he now? Dead.



Are you guys able to help me at all with this?

I have set up a demo account:
www.runningprofiles.com

Username: demo
Password: demo

If I need to verify the website is mine, I can in any way. Please help.

Jarratt

JAY6390
02-08-2010, 03:20 PM
What forum/cms are you running?

runnerjp
02-08-2010, 03:34 PM
What forum/cms are you running?

Home made, sadly; that's why I believe the security flaws are there.

JAY6390
02-08-2010, 03:36 PM
I see. In that case, I would take some time to read the securing PHP articles by Dave Child over at Added Bytes (http://www.addedbytes.com/writing-secure-php/) and see if there's anything you've missed. It might be that you're not filtering your data properly, you have weak passwords, or a lot of things really, so reading up on security is my advice, since suggestions can be thrown around for days on this.

runnerjp
02-08-2010, 03:39 PM
OK, but in the meantime, while I read this, I would still love some assistance on this.

If it helps, I don't think they can log in to the account, but are using cross scripting or something like that, as they haven't accessed anything else on the site.

MattF
02-08-2010, 03:56 PM
There's not really much that can be said in the way of specific advice. The list of possibilities could be as long as one's arm, and the only way to know which are applicable is to work through all possibilities. Research is pretty much your only option. The one thing that could be external to your scripts, security-wise, is a poor-quality shared host?

runnerjp
02-08-2010, 04:43 PM
OK, I have worked through the website posted above and I do believe they are secure. They are somehow accessing my DB, so how would they do that?

slappyjaw
02-08-2010, 11:04 PM
MySQL injection is what it sounds like. Make sure that you are using
mysql_real_escape_string() for all of your variables etc. that are going to be inserted into a database.

MattF
02-08-2010, 11:16 PM
OK, I have worked through the website posted above and I do believe they are secure. They are somehow accessing my DB, so how would they do that?

By any number of means. You have insecure code, you're on a shared host with lax security, there's outdated and vulnerable software on the server, etc. The list goes on and on. We have no idea what your code in general looks like, as you've not shown us any, so you'll have to wing it and appraise the situation yourself.

mlseim
02-08-2010, 11:18 PM
Expanding on slappyjaw's post, which is probably where your problems are from ...

For example,

Don't use ANY variables in your queries that are not sanitized.
Say you are looking for a username ...

You might have this line,
$username = $_POST['user'];

Do this to it, and all others ...

$username = mysql_real_escape_string($username);

That's what Slappyjaw was talking about.

cyrus709
02-09-2010, 03:54 AM
I believe your error is in the URL. Now I'm no SQL injection genius or anything, but you have "page=", and when you type ' (single quote) after "page=" you get a MySQL error.


You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'demo',`user_id`='31'' at line 1

Perhaps the issue is that he is replacing demo with admin, and the user ID with 1? Or something to that effect. Also, your HTML is very buggy, and I can only imagine what your PHP looks like :eek:
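As an added illustration of the points slappyjaw, mlseim and cyrus709 make above (this is not code from the thread or from runningprofiles.com), the script below builds a query the way the site's code does, by pasting request values into the SQL string, and shows what a lone ' in page= does to it. The UPDATE statement is an assumed shape, inferred from the error text ('demo',`user_id`='31'), not the site's real statement; the table name useronline and its columns are assumptions as well. The escaper mimics the character set of mysql_real_escape_string() so the example runs without a database; in real code that function needs an open connection and only protects values placed inside quotes, and the whole mysql_* extension was removed in PHP 7, so the durable fix is a prepared statement (mysqli or PDO).

```php
<?php
// Added example for this thread, not code from runningprofiles.com.
// The UPDATE below is an ASSUMED query shape inferred from the error text
// "... near 'demo',`user_id`='31''"; table and column names are assumptions.

// Builds the SQL the way the thread's code does: by pasting request
// values straight into the string.
function buildOnlineUpdate(string $page, string $user, string $userId): string
{
    $file = "http://www.runningprofiles.com/members/index.php?page=$page";
    return "UPDATE useronline SET file='$file', user='$user', `user_id`='$userId'";
}

// Escapes the same characters mysql_real_escape_string() does, without
// needing an open connection (the real function does, and is charset aware;
// this toy is not). Escaping only helps INSIDE single quotes: an unquoted
// number such as user_id=$id gets no protection from it at all.
function escapeValue(string $v): string
{
    return strtr($v, [
        "\\" => "\\\\", "'"  => "\\'", "\"" => "\\\"",
        "\0" => "\\0",  "\n" => "\\n", "\r" => "\\r", "\x1a" => "\\Z",
    ]);
}

function buildOnlineUpdateEscaped(string $page, string $user, string $userId): string
{
    return buildOnlineUpdate(escapeValue($page), escapeValue($user), escapeValue($userId));
}

// Counts single quotes not preceded by a backslash. An odd count means the
// string literals no longer pair up, which MySQL reports as
// "You have an error in your SQL syntax ... near ...".
function unescapedQuoteCount(string $sql): int
{
    return (int) preg_match_all("/(?<!\\\\)'/", $sql);
}

$probes = [
    "forum",              // normal request
    "'",                  // cyrus709's probe: odd quote count -> syntax error
    "forum' OR '1'='1",   // balanced payload: no error, yet the statement changed meaning
];

foreach ($probes as $page) {
    $raw  = buildOnlineUpdate($page, "demo", "31");
    $safe = buildOnlineUpdateEscaped($page, "demo", "31");
    $rawQuotes = unescapedQuoteCount($raw);
    printf("page=%s\n  raw:     %s\n           quotes=%d %s\n  escaped: %s\n           quotes=%d\n\n",
        $page,
        $raw, $rawQuotes, $rawQuotes % 2 ? "(unbalanced -> MySQL syntax error)" : "(balanced)",
        $safe, unescapedQuoteCount($safe));
}
```

Run it with `php probe.php`. The second probe reproduces the odd-quote situation behind the error message; the third shows why an error-free page is not the same as a safe one, since a balanced payload parses fine while changing what the statement does. That is why the fix is escaping or, better, binding, never just hiding the error.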

runnerjp
02-09-2010, 09:10 AM
Thanks guys, I'm going through each page one by one, tidying it and tightening security.

@cyrus709: I have tried the whole http://www.runningprofiles.com/members/index.php?page=' but all I get is my home page :S If this is the problem, does anyone know how to fix this?

runnerjp
02-09-2010, 11:05 AM
Ah yes, I see what cyrus709 means (not just the pants PHP/HTML layout, but I'm onto that as we speak): the adding of ' brings up the error message.

Now I was trying to look up what was up, but with myself being at work atm I can't bring up websites telling me about how it works, for obvious reasons, so I was wondering if someone could tell me what happens/how they do it and/or how I solve it!

mlseim
02-09-2010, 01:33 PM
Please bring up the websites you found for how it works.

There are probably others here who would like to see your code and other sites,
for educating themselves on how to secure a MySQL website. You have an opportunity
here to get a lot of ideas and "do's and dont's". Take advantage of it for your sake
and others who are watching this post, but not participating.

runnerjp
02-10-2010, 04:20 PM
Sorry about this, but on this page can anyone tell me what I need to change to prevent the error message 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Admin',`user_id`='1'' at line 1' appearing? I can't seem to find the area involved.

Cut down code as much as possible:


<link rel="stylesheet" type="text/css" href="http://www.runningprofiles.com/css/login.css">
<link rel="stylesheet" type="text/css" href="http://www.runningprofiles.com/members/include/style.css">
<?php
// look to see if the forum is currently locked
$sQry = "SELECT `locked` FROM forum_lock LIMIT 1";
$obQry = mysql_query($sQry) or die(sprintf("Could not query forums (%d): %s", mysql_errno(), mysql_error()));
$record = mysql_fetch_array($obQry);
if (isset($record['locked']) && $record['locked']) {
    die("Sorry, the forums are currently locked."); // error message
} else {
    // Here we count the number of results
    $data = mysql_query("Select * from forumtutorial_posts where parentid='0' AND forum = '$forum' ORDER BY important, lastrepliedto") or die("Could not get users");
    $rows = mysql_num_rows($data);
    $page_rows = 25; // This is the number of results displayed per page
    $pagenum = $_GET['pagenum'];

    // This sets the range to display in our query
    if ($pagenum === "last") {
        $query = "Select COUNT(*) as C from forumtutorial_posts where parentid='$id'";
        $result = mysql_query($query);
        $data = mysql_fetch_array($result);
        $pagenum = ceil($data['C'] / $page_rows);
    }
    $pagenum = (is_numeric($pagenum) && $pagenum >= 1) ? (int)$pagenum : 1;
    $max = 'limit ' . ($pagenum - 1) * $page_rows . ',' . $page_rows;

    {
        /* gets users online */
        $getusersonline = "SELECT user_id,user FROM useronline WHERE file = 'http://www.runningprofiles.com/members/index.php?page=forum&forum=$forum' AND timestamp > " . (time() - 900); // grab from sql users on in last 15 minutes
        $getusersonline2 = mysql_query($getusersonline) or die("Could not get users");
        $num = mysql_num_rows($getusersonline2);

        $getthreads = "Select * from forumtutorial_posts where parentid='0' and forum = '$forum' ORDER BY important ASC, lastrepliedto DESC $max";
        $getthreads2 = mysql_query($getthreads) or die("Could not get threads");
        while ($getthreads3 = mysql_fetch_array($getthreads2)) {
            $important = $getthreads3['important'];
            $query1 = mysql_query("SELECT COUNT(postid) FROM forumtutorial_posts WHERE( postid= '$getthreads3[postid]' OR parentid = '$getthreads3[postid]' ) AND author='$username'");
            $count = mysql_result($query1, 0, 0);
            echo ($count != 0) ? '<img src="/images/posted.jpg" />' : '<img src="/images/posted2.jpg" />';
?>
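The queries in the fragment above, rewritten with PDO prepared statements, as an added example (this is not the site's code or anything posted in the thread). Table and column names are taken from the fragment; the DSN, the credentials, the placeholder $username and $id values, and reading forum/pagenum from $_GET are assumptions made so the example is complete. Every value that used to be pasted into the SQL text ($forum, $id, $getthreads3[postid], $username) is bound instead, the LIMIT clause is built only from integers computed in PHP, and the "or die(mysql_error())" pattern, which printed the failing statement to whoever triggered it (that is what cyrus709 read off the page), is replaced by logging the exception and showing the visitor a generic message.

```php
<?php
// Added example, not the site's code: the queries from the fragment above
// rewritten with PDO prepared statements. Table and column names come from
// the fragment; DSN, credentials, $username/$id values and the use of
// $_GET['forum'] are placeholders/assumptions for a runnable illustration.

function connect(): PDO
{
    return new PDO('mysql:host=localhost;dbname=forum;charset=utf8mb4', 'dbuser', 'dbpass', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // throw instead of returning false
        PDO::ATTR_EMULATE_PREPARES   => false,                  // real server-side binding
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// Replaces: "Select * from forumtutorial_posts where parentid='0' and forum = '$forum' ... $max"
// $forum is bound; LIMIT gets integers computed here, so no request text reaches the SQL.
function listThreads(PDO $db, string $forum, $pagenum, int $pageRows = 25): array
{
    $pagenum = (is_numeric($pagenum) && (int) $pagenum >= 1) ? (int) $pagenum : 1;
    $offset  = ($pagenum - 1) * $pageRows;
    $stmt = $db->prepare(
        "SELECT * FROM forumtutorial_posts
          WHERE parentid = '0' AND forum = :forum
          ORDER BY important ASC, lastrepliedto DESC
          LIMIT $offset, $pageRows"
    );
    $stmt->execute([':forum' => $forum]);
    return $stmt->fetchAll();
}

// Replaces the pagenum=last count, which pasted $id into the WHERE clause.
function lastPage(PDO $db, string $parentId, int $pageRows = 25): int
{
    $stmt = $db->prepare("SELECT COUNT(*) FROM forumtutorial_posts WHERE parentid = :parent");
    $stmt->execute([':parent' => $parentId]);
    return max(1, (int) ceil((int) $stmt->fetchColumn() / $pageRows));
}

// Replaces the useronline query that pasted $forum into a URL inside the SQL.
// The whole URL is one bound value, so a quote inside $forum is just data.
function usersOnline(PDO $db, string $forum, int $window = 900): array
{
    $file = "http://www.runningprofiles.com/members/index.php?page=forum&forum=$forum";
    $stmt = $db->prepare("SELECT user_id, user FROM useronline WHERE file = :file AND timestamp > :since");
    $stmt->execute([':file' => $file, ':since' => time() - $window]);
    return $stmt->fetchAll();
}

// Replaces the per-thread COUNT(postid) that pasted $getthreads3[postid] and $username.
// Native prepares need distinct placeholder names, hence :pid and :pid2.
function hasPosted(PDO $db, int $postId, string $username): bool
{
    $stmt = $db->prepare(
        "SELECT COUNT(postid) FROM forumtutorial_posts
          WHERE (postid = :pid OR parentid = :pid2) AND author = :author"
    );
    $stmt->execute([':pid' => $postId, ':pid2' => $postId, ':author' => $username]);
    return (int) $stmt->fetchColumn() > 0;
}

// Usage. The fragment's "or die(mysql_error())" printed the failing SQL to
// the visitor, which is what cyrus709 read off the page. Log the detail,
// show the visitor nothing useful.
try {
    $db       = connect();
    $forum    = (string) ($_GET['forum'] ?? '');
    $username = 'demo';                 // assumed: set by the site's login code
    $id       = '0';                    // assumed: the fragment's $id, set elsewhere
    $pagenum  = $_GET['pagenum'] ?? 1;
    if ($pagenum === 'last') {
        $pagenum = lastPage($db, $id);
    }
    foreach (listThreads($db, $forum, $pagenum) as $thread) {
        $img = hasPosted($db, (int) $thread['postid'], $username) ? 'posted.jpg' : 'posted2.jpg';
        echo '<img src="/images/' . $img . '" />' . "\n";
    }
    printf("%d users online\n", count(usersOnline($db, $forum)));
} catch (PDOException $e) {
    error_log($e->getMessage());        // details go to the server log
    echo 'Sorry, something went wrong.'; // never the SQL or the driver's error text
}
```

Two details worth keeping when you adapt this: with ATTR_EMULATE_PREPARES off the MySQL server itself separates the statement from the values, so quoting rules never enter into it, and LIMIT is the one place where a value cannot be a bound string, which is why the page number and offset are cast to int in PHP before they are spliced into the query.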


