Thread: Keep getting hacked, any ideas?

  1. #1
    Senior Member medlington's Avatar
    Join Date
    Nov 2005
    Location
    Sheffield, UK
    Posts
    377
    Member #
    11968
    Liked
    4 times

    Keep getting hacked, any ideas?

    Hi,

    One of my sites was hacked about a month ago; they managed to write over most of the database and upload several images.

    I'm not sure how they managed to do this.

    In the admin area of the site every page is secured with a PHP session variable. So that before the page loads PHP checks the value of this variable and if it is not correct it redirects the user to the login page, if the value is correct it displays the page content.

    Can these variables be spoofed in any way?

    Another of my sites has also been hacked a few days ago, this site was almost identical to the other one and hosted on the same server.

    Any ideas as how I can stop this?

    Whenever the scripts write to the database all the variables are escaped too.
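    Added example (not code from this thread, and not the poster's scripts): a minimal PHP login gate of the kind described above, written to show the checks that keep a session-only scheme sound. Session data itself lives on the server; the browser only holds the session ID cookie, so the realistic risks are a stolen or pre-set (fixated) ID, a redirect that forgets to `exit` and still sends the protected page body, and user input reaching SQL as string concatenation. The `admins` table, the PDO handle `$pdo`, the `posts` table and the redirect path are assumptions; it assumes PHP 7.3 or later for the array form of `session_set_cookie_params`.

```php
<?php
// auth.php - added example, not the poster's code.
// Assumes: PHP >= 7.3, a table admins(id, username, password_hash) and a PDO
// connection in $pdo created elsewhere (both hypothetical for this example).
declare(strict_types=1);

session_set_cookie_params([
    'httponly' => true,   // JavaScript cannot read the cookie (limits theft via XSS)
    'secure'   => true,   // cookie only travels over HTTPS
    'samesite' => 'Lax',  // not sent with cross-site POSTs (limits CSRF)
]);
session_start();

function login(PDO $pdo, string $username, string $password): bool
{
    // Prepared statement: the username is bound as a parameter, never spliced
    // into the SQL string, so escaping mistakes cannot turn into injection.
    $stmt = $pdo->prepare('SELECT id, password_hash FROM admins WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }

    // Issue a fresh session ID on privilege change: an ID an attacker planted
    // in the victim's browser before login is thrown away here.
    session_regenerate_id(true);
    $_SESSION['admin_id']   = (int) $row['id'];
    $_SESSION['login_time'] = time();
    return true;
}

function require_admin(): int
{
    // Guard to include at the top of every admin page. The flag is server-side
    // state, so it can only be set by the login() path above.
    $expired = !isset($_SESSION['login_time']) || (time() - $_SESSION['login_time']) > 1800;
    if (empty($_SESSION['admin_id']) || $expired) {
        session_unset();
        session_destroy();
        header('Location: /admin/login.php', true, 302);
        exit; // without exit, PHP keeps running and still emits the protected page body
    }
    return (int) $_SESSION['admin_id'];
}

function save_record(PDO $pdo, int $adminId, string $title, string $body): void
{
    // Same rule for every write: placeholders, not string building.
    $stmt = $pdo->prepare('INSERT INTO posts (admin_id, title, body) VALUES (?, ?, ?)');
    $stmt->execute([$adminId, $title, $body]);
}
```

    The `exit` after the redirect header is the detail most often missed in hand-rolled gates: a 302 only asks the browser to go elsewhere, and a script fetching the page directly will still receive everything printed after `header()`.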

  3. #2
    Unpaid WDF Intern TheGAME1264's Avatar
    Join Date
    Dec 2002
    Location
    Not from USA
    Posts
    14,483
    Member #
    425
    Liked
    2783 times
    I'm not sure about PHP specifically, but in general I never leave anything easy to figure out and that ties to user data in a session variable or a cookie. I won't even do that with a user ID. At the very least, I'll encrypt the session variable using a two-way encryption algorithm if I'm not overly concerned about security; something along the lines of PHP's mcrypt function with a custom key and IV pair. There are security experts out there who will say that something like this can be compromised, and it can...but since the key and IV are unique to every site and I use it on sites that don't contain "classified" information, the payload's low enough that hackers don't bother.

    I'll also make sure that whatever I'm using for a session or a cookie, if it's something that's an identifier, is somewhat obscurely named while still being easy enough for me to understand. For example, if I'm working on Bob's Website and Bob's Website has a table with an autogenerated login ID, I might use B_W_L for the session or cookie. Obscure enough that a hacker isn't going to guess at it immediately, but easy enough for me to remember when I'm looking at server-side code.

    That's the general idea, and a pretty low-level approach. It's definitely not the most "secure" approach, although it's passed PCI compliance testing, so that's something. The reason I go this route is because it allows for the use of encryption without sacrificing much in terms of site performance (every time you encrypt something, there's a performance hit...just something to think about).
    If I've helped you out in any way, please pay it forward. My wife and I are walking for Autism Speaks. Please donate, and thanks.

    If someone helped you out, be sure to "Like" their post and/or help them in kind. The "Like" link is on the bottom right of each post, beside the "Share" link.

    My stuff (well, some of it): My bowling alley site | Canadian Postal Code Info (beta)

  4. #3
    Senior Member medlington's Avatar
    Join Date
    Nov 2005
    Location
    Sheffield, UK
    Posts
    377
    Member #
    11968
    Liked
    4 times
    Thanks for the info.

    So it is possible for the hacker to create their own session variables on my server? or are they stored in the browser?

    I get the feeling that this isn't directly targeting my site, as they are such low-level sites with such small audiences it would be very unlikely to attract the attentions of a hacker. I think it's just some autoscript that has detected a vulnerability in my sites and is exploiting it.

  5. #4
    Senior Member Webzarus's Avatar
    Join Date
    May 2011
    Location
    South Carolina Coast
    Posts
    3,322
    Member #
    27709
    Liked
    770 times
    I'm assuming you've not looked at your log files?

    You'd see the offending IPs and their "post" commands... and the variables they are using...

    Unless you or your hosting provider has set the "sessions" setting to allow for "unlimited time"... sessions generally don't just go on forever. Kinda thinking that this has nothing to do with sessions and more to do with a rogue SQL injection script...

    I use server response codes to validate if a user is submitting a form from a specific page on the site... Hackers don't use a browser, they use a shell script that calls the page... analyzes the "form field" entries... rewrites the whole page with their "code to be submitted"... and unless the "form processing page" is set to only allow from the http_referrer that matches what you tell it, it ignores it (basically just making sure that the data being submitted is coming from "your" page and not one they created)...

    When I took over a client site, I kept getting bogus form submissions... Took me a while to figure out that even though I moved physical servers, the script that was on my client's old site was still in use on another site (a subsidiary of the company), so they were posting data to the old form that was no longer at the old location...

    The point is, unless you specifically tell page A to process data from page B, there's no telling what can happen.

    In this instance log files are your friend.
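    As an added example (not from the thread) of what reading the logs can surface: a small Python triage that parses Apache combined-format access log lines, groups POST requests by client IP and flags three things the reply above points at: bursts of POSTs from one address, form submissions whose Referer is not one of the site's own pages, and request lines carrying obvious markers such as a `<script>` tag. The log lines (TEST-NET addresses), the host names in `OWN_HOSTS` and the rate threshold are constructed for the example. The Referer header is client-supplied and trivially omitted, so treat the referrer check as a triage signal for log review, not as access control.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Assumption: the site's own host names. A POST whose Referer is missing or
# elsewhere did not come from one of our forms as rendered by a browser.
OWN_HOSTS = {"www.example.co.uk", "example.co.uk"}

# Markers worth a second look: a script tag (plain or URL-encoded) and an encoded quote.
SUSPICIOUS = ("<script", "%3cscript", "%27")

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2013:03:14:01 -0600] "POST /admin/save.php HTTP/1.1" 200 512 "-" "curl/7.29.0"
203.0.113.7 - - [12/Mar/2013:03:14:03 -0600] "POST /admin/save.php HTTP/1.1" 200 512 "-" "curl/7.29.0"
203.0.113.7 - - [12/Mar/2013:03:14:05 -0600] "POST /admin/save.php?title=%3Cscript%3E HTTP/1.1" 200 512 "-" "curl/7.29.0"
203.0.113.7 - - [12/Mar/2013:03:14:07 -0600] "POST /contact.php HTTP/1.1" 200 88 "http://evil.example/form.html" "python-urllib/2.7"
198.51.100.20 - - [12/Mar/2013:09:02:10 -0600] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Mar/2013:09:03:44 -0600] "POST /contact.php HTTP/1.1" 302 0 "http://www.example.co.uk/contact.php" "Mozilla/5.0"
"""


def parse(log_text):
    """Yield one dict per parsable line; lines in another format are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
            yield rec


def triage(log_text, max_posts_per_minute=3):
    """Return (ip, kind, detail) findings for the POST traffic in log_text."""
    posts_by_ip = defaultdict(list)
    findings = []
    for rec in parse(log_text):
        if rec["method"] != "POST":
            continue
        posts_by_ip[rec["ip"]].append(rec["time"])

        ref_host = urlsplit(rec["referer"]).hostname if rec["referer"] != "-" else None
        if ref_host not in OWN_HOSTS:
            findings.append((rec["ip"], "post-without-own-referrer", rec["path"]))

        lowered = rec["path"].lower()
        if any(marker in lowered for marker in SUSPICIOUS):
            findings.append((rec["ip"], "suspicious-request", rec["path"]))

    # Rate check: more than max_posts_per_minute POSTs inside any 60-second window.
    for ip, times in posts_by_ip.items():
        times.sort()
        for i, start in enumerate(times):
            window = [t for t in times[i:] if (t - start).total_seconds() < 60]
            if len(window) > max_posts_per_minute:
                findings.append((ip, "post-flood", f"{len(window)} POSTs within 60s"))
                break
    return findings


if __name__ == "__main__":
    for ip, kind, detail in triage(SAMPLE_LOG):
        print(f"{ip:15} {kind:26} {detail}")
```

    On the sample, every finding points at the same address: four POSTs with no site referrer, one request line with an encoded script tag, and a four-requests-in-six-seconds burst, while the browser-originated submission from the second address is left alone.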

  6. #5
    Unpaid WDF Intern TheGAME1264's Avatar
    Join Date
    Dec 2002
    Location
    Not from USA
    Posts
    14,483
    Member #
    425
    Liked
    2783 times
    It is theoretically possible, but then you're talking about something that I've found is very rare and since most of what I'm doing doesn't even make use of sessions, I've never bothered to look into it all that closely. I've even had people test stuff for XSS injection for PCI compliance before I even knew what XSS injection was (I'd never heard of it at the time), had them trip over an email validation measure I had put in place, and send a report claiming PCI compliance failed because I "allowed" the injection (even though the validator clearly failed).

    Like WZ said, it's more likely that you're a victim of injection than anything. If, as you say, you're using a common script, it's far more likely that a hacker knows of the exploit and is trying it across several different sites. That's traditionally how it works...hackers target common scripts (W*rdPr*ss, YaBB, etc.) And if you're looking for things such as referrers, obvious hack attempts (e.g. <script> / XSS injections), and things like that a session can be "hijacked" all it wants...it's not going to have much impact.

  7. #6
    WDF Staff mlseim's Avatar
    Join Date
    Apr 2004
    Location
    Cottage Grove, Minnesota
    Posts
    7,716
    Member #
    5580
    Liked
    718 times
    Are you using a shared webhost account?


  8. #7
    Senior Member medlington's Avatar
    Join Date
    Nov 2005
    Location
    Sheffield, UK
    Posts
    377
    Member #
    11968
    Liked
    4 times
    Hi,

    Yes, a shared hosting account, and no, I haven't looked at the log files until now and am quite shocked at what I've found in them. It looks like the recent attack was from an Iraq IP and has been hitting all my websites every few seconds, so probably quite lucky only 2 have been got.

    I had a proxy set up on the same space and that was getting abused for all kinds of things, so that's now been deleted too.

    I've emailed my hosts and asked them to block the abusive IP from my server. Is it possible to block entire countries' IP addresses? As I really don't care if anyone in China, Iraq or any other "dodgy" country sees my sites, as they aren't relevant to them, so would like to just kick them all out.

    I made these scripts quite a few years ago now and had just about figured out how to do it your way, Webzarus, but hadn't started to implement it yet. Obviously I will from now on.

    Thanks a lot for the info, it's really helped!

  9. #8
    Unpaid WDF Intern TheGAME1264's Avatar
    Join Date
    Dec 2002
    Location
    Not from USA
    Posts
    14,483
    Member #
    425
    Liked
    2783 times
    Since it's PHP, you can do it from an .htaccess file. You can add any offending IPs in there.

    Comprehensive guide to .htaccess- Deny users by IP

    If you want to do something a little more advanced, you can write a honeypot script that will log the IPs of the "users" that hit the honeypot and add them to .htaccess that way. I've done that before and it worked well, albeit not perfectly (clumsy-*** Bingbot kept stumbling upon the honeypot despite the presence of the nofollow attribute on the link and a rule in robots.txt disallowing it). If you do this, you'll need to spend some time on it.

  10. #9
    Senior Member medlington's Avatar
    Join Date
    Nov 2005
    Location
    Sheffield, UK
    Posts
    377
    Member #
    11968
    Liked
    4 times
    Cheers,

    In the example given in the htaccess it says:

    order allow,deny
    deny from 123.45.6.7
    deny from 012.34.5.
    allow from all

    Do I need the 'allow from all' on the bottom?

    Thanks

  11. #10
    Senior Member Webzarus's Avatar
    Join Date
    May 2011
    Location
    South Carolina Coast
    Posts
    3,322
    Member #
    27709
    Liked
    770 times
    Be careful blocking by IP blocks... Rarely does an IP indicate a country or even a single entity... Before I make an entry for a complete IP BLOCK 0-255, I make sure the entire block is managed by the same individual / entity.

    And even then... IPs can be spoofed... or coming through an anonymous proxy... (many third world countries are now seeing a proliferation of proxy servers, so traffic from those being censored over govt. controlled networks can get to resources the govt. doesn't want them to), but sometimes those same proxy servers set up for "good purposes" get abused.
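    Added example (not from the thread): Python that models how Apache 2.2's `Order allow,deny` evaluates the snippet quoted a few posts up, and that generates a deny list from a set of offending addresses. With `Order allow,deny`, the Allow directives are evaluated first and a request matching none of them is rejected, then any matching Deny rejects it too; the closing `allow from all` is therefore what lets everyone else in, and dropping it locks out every visitor. In line with the caution above about whole blocks, `render_denylist` refuses anything wider than a /24 unless told otherwise. The matcher is a simplification of Apache's (IPv4 only; partial dotted prefixes, CIDR, single addresses and `all`), and the addresses are constructed from the page's example and the TEST-NET ranges.

```python
import ipaddress


def make_matcher(target):
    """Predicate for one Allow/Deny target: 'all', a CIDR block, a full IPv4
    address, or a partial dotted prefix such as '012.34.5.' (leading octets)."""
    if target.lower() == "all":
        return lambda ip: True
    if "/" in target:
        net = ipaddress.ip_network(target, strict=False)
        return lambda ip: ip in net
    octets = [int(o) for o in target.rstrip(".").split(".")]
    if not 1 <= len(octets) <= 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad address: {target!r}")
    # Compare the leading bytes of the client address with the given octets.
    return lambda ip: ip.version == 4 and list(ip.packed[: len(octets)]) == octets


def parse_htaccess(text):
    """Return (order, [(verb, matcher), ...]) for Order/Allow/Deny lines."""
    order, rules = None, []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        verb = parts[0].lower()
        if verb == "order" and len(parts) == 2:
            order = parts[1].lower()
        elif verb in ("allow", "deny") and len(parts) == 3 and parts[1].lower() == "from":
            rules.append((verb, make_matcher(parts[2])))
        else:
            raise ValueError(f"unsupported line: {raw!r}")
    return order, rules


def is_allowed(client_ip, order, rules):
    """Apache 2.2 mod_authz_host semantics for the two Order values."""
    ip = ipaddress.ip_address(client_ip)
    allowed = any(m(ip) for verb, m in rules if verb == "allow")
    denied = any(m(ip) for verb, m in rules if verb == "deny")
    if order == "allow,deny":
        return allowed and not denied   # default deny; a matching Deny wins
    if order == "deny,allow":
        return allowed or not denied    # default allow; a matching Allow wins
    raise ValueError(f"unsupported Order: {order!r}")


def decide(htaccess_text, client_ip):
    order, rules = parse_htaccess(htaccess_text)
    return is_allowed(client_ip, order, rules)


def render_denylist(bad_addresses, allow_wide=False):
    """Emit an Order allow,deny block that denies the given addresses/networks
    and keeps everyone else in. Networks wider than /24 need allow_wide=True."""
    nets = set()
    for addr in bad_addresses:
        net = ipaddress.ip_network(addr, strict=False)  # validates the input
        if net.prefixlen < 24 and not allow_wide:
            raise ValueError(f"{addr} covers more than a /24; confirm the whole block first")
        nets.add(net)
    lines = ["Order allow,deny"]
    for net in sorted(nets):
        single = net.prefixlen == net.max_prefixlen
        lines.append(f"deny from {net.network_address if single else net}")
    lines.append("allow from all")
    return "\n".join(lines) + "\n"


# The snippet quoted in the thread.
QUOTED = """order allow,deny
deny from 123.45.6.7
deny from 012.34.5.
allow from all
"""

if __name__ == "__main__":
    for client in ("123.45.6.7", "12.34.5.200", "198.51.100.1"):
        print(client, "allowed" if decide(QUOTED, client) else "denied")
    print(render_denylist(["203.0.113.9", "198.51.100.0/24"]))
```

    Running it shows the two listed addresses denied and an unrelated one allowed; remove the `allow from all` line from `QUOTED` and the unrelated address is denied as well, which is the difference the question about the last line comes down to.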
