Website being hacked

02-08-2010, 03:06 PM
Hey guys,

My forum on my website seems to have been hacked. The hacker has been able to delete all my posts and add their own under my admin account, quoting:


Charlie Chaplin once said something to the effect of:

'Humour is an act of defiance; that we must laugh at our helplessness against the forces of nature, or go insane.'

And where is he now? Dead.

Are you guys able to help me at all with this??

I have set up a demo account.

Password: demo

If I need to verify the website's mine, I can in any way. Please help.


02-08-2010, 03:20 PM
What forum/cms are you running?

02-08-2010, 03:34 PM
Home made sadly, that's why I believe that the security flaws are there.

02-08-2010, 03:36 PM
I see. In that case, I would take some time to read the securing PHP articles by Dave Child over at Added Bytes (http://www.addedbytes.com/writing-secure-php/) and see if there's anything you've missed. It might be that you're not filtering your data properly, weak passwords, or a lot of things really, so reading up on security is my advice, since suggestions can be thrown around for days on this.

02-08-2010, 03:39 PM
Ok, but in the meantime while I read this I would still love some assistance on this.

If it helps, I don't think they can log in to the account but are using cross scripting or something like that, as they haven't accessed anything else on the site.

02-08-2010, 03:56 PM
There's not really much that can be said in the way of specific advice. The list of possibilities could be as long as one's arm, and the only way to know which are applicable is to work through all possibilities. Research is pretty much your only option. The one thing that could be external to your scripts, security wise, is a poor quality shared host?

02-08-2010, 04:43 PM
Ok, I have worked through the website posted above and I do believe they are secure. They are somehow accessing my DB, so how would they do that??

02-08-2010, 11:04 PM
MYSQL INJECTION is what it sounds like. Make sure that you are using mysql_real_escape_string(); for all of your variables etc. that are going to be inserted into a database.

02-08-2010, 11:16 PM
Ok, I have worked through the website posted above and I do believe they are secure. They are somehow accessing my DB, so how would they do that??

By any number of means. You have insecure code, you're on a shared host with lax security, there's outdated and vulnerable software on the server etc. The list goes on and on. We have no idea what your code in general looks like, as you've not shown us any, so you'll have to wing it and appraise the situation yourself.

02-08-2010, 11:18 PM
Expanding on Slappyjaw's post .... which is probably where your problems are from ...

For example,

Don't use ANY variables in your queries that are not sanitized.
Say you are looking for a username ...

You might have this line,
$username = $_POST['user'];

Do this to it, and all others ...

$username = mysql_real_escape_string($username);

That's what Slappyjaw was talking about.

02-09-2010, 03:54 AM
I believe your error is in the URL. Now I'm no SQL injection genius or anything, but you have "page=", and when you type ' (single quote) after "page=" you get a MySQL error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'demo',`user_id`='31'' at line 1

Perhaps the issue is that he is replacing demo with admin, and user id to 1? Or something to that effect. Also your HTML is very buggy, and I can only imagine what your PHP looks like :eek:

02-09-2010, 09:10 AM
Thanks guys, I'm going through each page one by one tidying it and tightening security.

cyrus709: I have tried the whole http://www.runningprofiles.com/members/index.php?page=' but all I get is my home page :S If this is the problem, does anyone know how to fix this?

02-09-2010, 11:05 AM
Ah yes, I see what cyrus709 means (not just the pants PHP/HTML layout, but I'm onto that as we speak) but the adding of ' brings up the error message.

Now I was trying to look up what was up, but with myself being at work atm I can't bring up websites telling me about how it works for obvious reasons, so I was wondering if someone could tell me what happens/how they do it and/or how I solve it!

02-09-2010, 01:33 PM
Please bring up the websites you found for how it works.

There are probably others here who would like to see your code and other sites, for educating themselves on how to secure a MySQL website. You have an opportunity here to get a lot of ideas and "do's and don'ts". Take advantage of it for your sake and others who are watching this post, but not participating.

02-10-2010, 04:20 PM
Sorry about this, but on this page can anyone tell me what I need to change to prevent the error message 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Admin',`user_id`='1'' at line 1' appearing? As I can't seem to find the area involved.

Cut down code as much as possible:

<link rel="stylesheet" type="text/css" href="http://www.runningprofiles.com/css/login.css">
<link rel="stylesheet" type="text/css" href="http://www.runningprofiles.com/members/include/style.css">
<?php
//look to see if the forum is currently locked
$sQry = "SELECT `locked` FROM forum_lock LIMIT 1";
$obQry = mysql_query($sQry) or die(sprintf("Could not query forums (%d): %s", mysql_errno(), mysql_error()));
$record = mysql_fetch_array($obQry);
if (isset($record['locked']) && $record['locked']) {
    die("Sorry, the forums are currently locked."); //error message
} else {
    //Here we count the number of results
    $data = mysql_query("Select * from forumtutorial_posts where parentid='0' AND forum = '$forum' ORDER BY important, lastrepliedto") or die("Could not get users");
    $rows = mysql_num_rows($data);
    $page_rows = 25; //This is the number of results displayed per page
    $pagenum = $_GET['pagenum'];
    //This sets the range to display in our query
    if ($pagenum === "last") {
        $query = "Select COUNT(*) as C from forumtutorial_posts where parentid='$id'";
        $result = mysql_query($query);
        $data = mysql_fetch_array($result);
        $pagenum = ceil($data['C'] / $page_rows);
    }
    $pagenum = (is_numeric($pagenum) && $pagenum >= 1) ? (int)$pagenum : 1;
    $max = 'limit ' . ($pagenum - 1) * $page_rows . ',' . $page_rows;
    {
        /* gets users online */
        $getusersonline = "SELECT user_id,user FROM useronline WHERE file = 'http://www.runningprofiles.com/members/index.php?page=forum&forum=$forum' AND timestamp > " . (time() - 900); //grab from sql users on in last 15 minutes
        $getusersonline2 = mysql_query($getusersonline) or die("Could not get users");
        $num = mysql_num_rows($getusersonline2);
        $getthreads = "Select * from forumtutorial_posts where parentid='0' and forum = '$forum' ORDER BY important ASC, lastrepliedto DESC $max";
        $getthreads2 = mysql_query($getthreads) or die("Could not get threads");
        while ($getthreads3 = mysql_fetch_array($getthreads2)) {
            $important = $getthreads3['important'];
            $query1 = mysql_query("SELECT COUNT(postid) FROM forumtutorial_posts WHERE( postid= '$getthreads3[postid]' OR parentid = '$getthreads3[postid]' ) AND author='$username'");
            $count = mysql_result($query1, 0, 0);
            echo ($count != 0) ? '<img src="/images/posted.jpg" />' : '<img src="/images/posted2.jpg" />';
?>
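An added example, not code from the thread or from the poster's site, showing the fix the replies above point at: the posted `forum = '$forum'` query rewritten with a mysqli prepared statement, beside the mysql_real_escape_string() usage Slappyjaw suggested. It assumes a mysqli connection in `$db` (with mysqlnd, so get_result() is available) and the table and column names from the posted snippet.

```php
<?php
// Added example (not the thread author's code). Assumes $db is an open mysqli connection.

// 1. The pattern from the posted code: $forum comes straight from the request and is
//    pasted into the SQL text. A stray single quote in $forum ends the string literal
//    early, so MySQL answers with the "You have an error in your SQL syntax" message
//    quoted in the thread; anything that can break the statement can also reshape it.
function listThreadsUnsafe(mysqli $db, string $forum, int $offset, int $perPage)
{
    $sql = "SELECT * FROM forumtutorial_posts WHERE parentid='0' AND forum = '$forum'
            ORDER BY important ASC, lastrepliedto DESC LIMIT $offset, $perPage";
    return $db->query($sql); // false on the syntax error seen in the thread
}

// 2. Same query as a prepared statement: the values travel separately from the SQL
//    text, so quotes inside $forum can never change the query's structure. The LIMIT
//    numbers are validated and bound as integers, as the posted code already does
//    for $pagenum.
function listThreadsSafe(mysqli $db, string $forum, int $pagenum, int $perPage = 25): array
{
    $pagenum = max(1, $pagenum);
    $offset  = ($pagenum - 1) * $perPage;
    $stmt = $db->prepare(
        "SELECT * FROM forumtutorial_posts WHERE parentid='0' AND forum = ?
         ORDER BY important ASC, lastrepliedto DESC LIMIT ?, ?"
    );
    $stmt->bind_param('sii', $forum, $offset, $perPage);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// 3. If the page stays on the legacy mysql_* extension as in the thread, every string
//    must go through mysql_real_escape_string() AND sit inside quotes in the SQL; an
//    escaped value in an unquoted position (such as the LIMIT numbers) is still
//    injectable, which is why the numbers are cast with (int) instead of escaped.
function listThreadsLegacy(string $forum, int $pagenum, int $perPage = 25)
{
    $forum  = mysql_real_escape_string($forum);
    $offset = (max(1, $pagenum) - 1) * $perPage;
    $sql = "SELECT * FROM forumtutorial_posts WHERE parentid='0' AND forum = '$forum'
            ORDER BY important ASC, lastrepliedto DESC LIMIT " . (int)$offset . "," . (int)$perPage;
    return mysql_query($sql);
}
```

The same treatment applies to the other interpolated values in the posted snippet ($id, $getthreads3[postid], $username and the $forum inside the useronline query); the error message the poster wants to silence goes away only once no request-supplied value is concatenated into SQL.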