Keen interest in learning PHP/MySQL led me to book a paid domain and some Linux webspace. In no time (in a matter of hardly a few weeks), I found that my index.php is no longer visible, but someone has put a dirty black page in its place, saying "learn to protect your shit site first !!" Can anyone suggest the basics? Chips
There are some pages where I ask users to register with a simple name and password of their own choice. That is all. Next, using that username and password, the users are supposed to paste (write) a few lines about anything which they want to advertise for free. I have used htmlentities for the text and textarea fields of the HTML form. So, I suppose, HTML code cannot enter inside. Chips
I don't know much, but I heard that we should not have 777 permissions on any directory. Also, try keeping anonymous FTP off.
If you have an interface to upload files (from users) and the files are not verified for their extension and type, hackers just upload a .PHP file which executes some UNIX commands, by which they can mess with your server. So keep a strict check on the users' file upload section. One more hint: normally PHP developers use directories like include or inc, which contain all the configuration details, and if directory browsing is enabled on the server they can get access to the files (.inc or .conf are the kind of files which can be downloaded with the original source code). Though I am not very good at Unix, I suggest keeping a check on the server logs; that will give you some idea about the exact reason and how the site was hacked. I hope this info will help you.
I thank you all for the good inputs. I do not have file upload windows on the web pages, but there are text input fields and textareas for allowing users to enter text. These inputs have been passed through htmlentities() before being stored in the MySQL db. I am now thinking of another possibility. My server administrator tells me that it appears to be a password leak and access appears to be through the "main door". The PC from where I am trying out various modifications and additions to the pages has a broadband connection. It is used by my son also. Is it likely that someone has peeped into my PHP files on the PC and seen the passwords by reading the files? Chiplonkar
It is always possible your son's friends or other visitors to the location for that PC are the people hacking your site. But I doubt it. The message seems to be coming from an intruder. Whether or not that is true, you need to get serious about security. It is always possible your computer at home has a trojan or keylogger on it, though the recipient of the data is unlikely to issue a warning. Even so, download a free trojan scanner and scan it. Add something like A-Squared to your security arsenal. I also like using Active Ports on my Windows box to see what programs are connecting to the internet. If you are accessing the web server via SSH, do you control who has access? If so, make sure that it can only be accessed by you and not as root. Change the password immediately to something difficult. It should be a minimum of 8 characters long (longer is better) and it should contain letters and/or numbers and/or other keyboard characters. Change the passwords used for any panels used to work on your site's main files: DirectAdmin, cPanel, Webmin, etc. Remove all user name and password information from your PHP files. If a file is somehow spewing its contents on the screen of the visitor, then they have been given all your user names and passwords. They are all compromised. Never assume any script you download from the internet, no matter how professional looking the website or how many positive reviews, is secure. Make sure you always use the latest version and that you apply all security patches. If this sounds like too much work, then you should not be managing websites. Don't forget you have taken on all the tasks associated with offering services on a network, including security and network guru. I do not think anyone can offer more specific advice. You need to learn more to know what the question is.
Just passing the texts through htmlentities is not enough. You still have to escape certain characters in the strings or texts you wish to insert in the database so that hackers cannot make a SQL injection. For example, if you want to import a name and description, let's assume the name is "John" and the description is "Programmer". You would use:

```php
$query = mysql_query("INSERT INTO `users` (`name`,`description`) VALUES ('".htmlentities($name)."','".htmlentities($description)."')",$connection);
```

But let's see what would happen if a hacker enters this in the description field:

```
Programmer'); DELETE FROM `users`;--
```

As htmlentities will leave the query untouched, the query that will be sent to the server will be:

```
INSERT INTO `users` (`name`,`description`) VALUES ('John','Programmer'); DELETE FROM `users`; --')
```

So, he managed to insert a query that deletes all users from the table by writing a nice description. Here's a function and the modified query so this will not happen:

```php
/* magic quotes is usually turned off, it should be off by default.
   In this case, you don't have to use unesc to get the original texts from database. */
function sqlesc($x) {
    $value = $x;
    // Stripslashes: undo the slashes magic quotes added, so they are not escaped twice
    if (get_magic_quotes_gpc())
        $value = stripslashes($value);
    // Quote if not integer
    if (!is_numeric($value)) {
        $value = "'" . mysql_real_escape_string($value) . "'";
    }
    return $value;
}

function unesc($x) {
    if (get_magic_quotes_gpc())
        return stripslashes($x);
    return $x;
}

/* your query: sqlesc() supplies the surrounding quotes itself */
$query = mysql_query("INSERT INTO `users` (`name`,`description`) VALUES (".sqlesc($name).",".sqlesc($description).")",$connection);
```

As you see, in the last query I didn't even use htmlentities because from the database's point of view, it doesn't care. You have to use htmlentities when sending text to the user in order to disable certain code that you may not want to run on users' computers. As an example, htmlentities converts the < character to &lt; and > to &gt;.

If a hacker entered a script definition such as

```
<script>alert("hacked");</script>
```

the code will not run on the users' computer because the browser receives this:

```
&lt;script&gt;alert("hacked");&lt;/script&gt;
```

The browser converts &lt; and &gt; to < and > at runtime, but it doesn't see <script> and </script> anymore, so the code will not run on the users' computer. Hope you understand what I've written, it's very late here and I'm almost asleep.
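The insert from the post above rewritten with bound parameters, as an added example that is not part of the original thread. It assumes PDO with the SQLite driver, an in-memory `users` table and a constructed 'Alice' row, and passes `ENT_COMPAT` explicitly because that was the htmlentities default before PHP 8.1.

```php
<?php
// Added example, not code from the thread. PDO, the in-memory SQLite
// database and the 'Alice' row are assumptions made for illustration.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (name TEXT, description TEXT)');

function seed(PDO $pdo): void {
    $pdo->exec('DELETE FROM users');
    $pdo->exec("INSERT INTO users VALUES ('Alice', 'Designer')");
}
function countUsers(PDO $pdo): int {
    return (int) $pdo->query('SELECT COUNT(*) FROM users')->fetchColumn();
}

$name = 'John';
$description = "Programmer'); DELETE FROM `users`;--"; // value from the post

// Before: input concatenated into the SQL text. ENT_COMPAT (the default
// before PHP 8.1) leaves single quotes alone, so the quote closes the string.
seed($pdo);
$pdo->exec("INSERT INTO `users` (`name`,`description`) VALUES ('"
    . htmlentities($name, ENT_COMPAT) . "','"
    . htmlentities($description, ENT_COMPAT) . "')");
echo "rows after concatenated insert: ", countUsers($pdo), "\n";

// After: placeholders keep the input as data; no escaping helper needed.
seed($pdo);
$stmt = $pdo->prepare(
    'INSERT INTO `users` (`name`,`description`) VALUES (:name, :description)');
$stmt->execute([':name' => $name, ':description' => $description]);
echo "rows after prepared insert: ", countUsers($pdo), "\n";

// Store the raw text; encode for HTML only at output time.
$rows = $pdo->query('SELECT name, description FROM users');
foreach ($rows as $row) {
    echo htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'), ': ',
         htmlspecialchars($row['description'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

The same `prepare`/`execute` calls work against MySQL by changing only the DSN passed to `new PDO(...)`.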
A solid core script along with an invisible logger jotting down all people accessing your site can help, along with a routine analysis of the log files to detect any suspicious activity and ban hackers opportunely. Easy to say, but it takes time to get everything running smoothly; the sooner you implement such measures, the less probable it is that your site could be hacked. On a side note, if you need to grant access to administrators/moderators or any other staff, always create a secondary FTP or admin panel access, not the main one, even if those new accounts are granted the same rights. In an extreme case it is easier to delete or modify an admin account than your main one.
If you have time to spare, download WebInspect from SPIDynamics with a 15-day evaluation and shoot your web application, and see if you've got the vulnerabilities mentioned above (SQL Injection, Cross site scripting...etc). They do provide a nice knowledge base for reference on how to fix it too. Joshua
Search for: A.List.Hacker.Linux.Uncovered.ebook-Spy.chm It's a good ebook if you want to understand hacking (which is the best way to protect yourself!). Peace,
A good explanation of some security measures that can prevent a MySQL injection can be found here: http://us3.php.net/mysql_real_escape_string Look for the quote_smart function. It's very important that you "scrub" all user input before you allow it into your site, either via MySQL or another form. When it comes to security, always have a "trust no one" policy.