
how do I prevent my site from being hacked?

Discussion in 'PHP' started by chiplonkar, Jan 18, 2007.

  1. #1
    Keen interest in learning php/mysql led me to book a paid domain and some linux webspace. In no time (in a matter of hardly a few weeks), I found that my index.php is no more visible, but someone has put a dirty black page in its place, saying "learn to protect your shit site first !!"

    Can any one suggest the basics ?
    Chips
     
    chiplonkar, Jan 18, 2007 IP
  2. koolasia

    koolasia Banned
    #2
    Did you try some scripts or something which asked you for personal FTP details or stuff?
     
    koolasia, Jan 18, 2007 IP
  3. chiplonkar

    chiplonkar Peon
    #3
    There are some pages where I ask users to register with a simple name and password of their own choice. That is all. Next, using that username and the password, the users are supposed to paste (write) a few lines about anything which they want to advertise for free. I have used htmlentities for the text and textarea fields of the html form. So, I suppose, HTML code cannot enter inside.

    Chips
     
    chiplonkar, Jan 18, 2007 IP
  4. Idiot Inside

    Idiot Inside Well-Known Member
    #4
    I don't know much, but I heard that we should not have 777 permissions on any directory. Also, try keeping anonymous FTP off.
     
    Idiot Inside, Jan 18, 2007 IP
  5. rays

    rays Active Member
    #5
    If you have an interface to upload files (from users) and files are not verified for their extension and types, hackers just upload a .PHP file which executes some UNIX commands... by which they can mess with your server... so keep some strict checks on the users' file uploads section....

    One more hint.. normally PHP developers use directories like include, inc, which contain all the configuration details... and if directory browsing is enabled on the server they can get access to files (.inc or .conf are kinds of files which can be downloaded with original source code).

    Though I am not very good at Unix, I suggest keeping some check on server logs; that will give you some idea about the exact reason and how the site was hacked.

    I hope this info will help you
     
    rays, Jan 18, 2007 IP
  6. chiplonkar

    chiplonkar Peon
    #6
    I thank you all for good inputs. I do not have file upload windows on the web pages but there are text input fields and textareas for allowing users to enter text. These inputs have been passed through htmlentities() before storing on the mysql db.

    I am now thinking of another possibility. My server administrator tells me that it appears to be a password leak and access appears to be through the "main door". The PC from where I am trying out various modifications and additions to the pages has a broadband connection. It is used by my son also. Is it likely that someone has peeped into my php files on the PC and seen the passwords by reading the files?

    Chiplonkar
     
    chiplonkar, Jan 18, 2007 IP
  7. clancey

    clancey Peon
    #7
    It is always possible your son's friends or other visitors to the location for that PC are the people hacking your site. But, I doubt it. The message seems to be coming from an intruder. Whether or not that is true, you need to get serious about security.

    It is always possible your computer at home has a trojan or keylogger on it -- though the recipient of the data is unlikely to issue a warning. Even so, download a free trojan scanner and scan it. Add something like A-Squared to your security arsenal. I also like using Active Ports on my windows box to see what programs are connecting to the internet.

    If you are accessing the web server via SSH, do you control who has access? If so, make sure that it can only be accessed by you and not as root. Change the password immediately to something difficult. It should be a minimum of 8 characters long -- longer is better -- and it should contain letters and/or numbers and/or other keyboard characters.

    Change the passwords used for any panels used to work on your site's main files -- directadmin, cpanel, webmin etc.

    Remove all user name and password information from your php files. If a file is somehow spewing its contents on the screen of the visitor, then they have been given all your user names and passwords. They are all compromised.

    Never assume any script you download from the internet -- no matter how professional looking the website or how many positive reviews -- is secure. Make sure you always use the latest version and that you apply all security patches. If this sounds like too much work, then you should not be managing websites. Don't forget you have taken on all the tasks associated with offering services on a network, including security and network guru.

    I do not think anyone can offer more specific advice. You need to learn more to know what the question is.
     
    clancey, Jan 19, 2007 IP
  8. mariush

    mariush Peon
    #8
    Just passing the texts through htmlentities is not enough.

    You still have to escape certain characters in the strings or texts you wish to insert in the database so that hackers can not make a SQL Injection.

    For example, if you want to import a name and description , let's assume the name is "John" and description is "Programmer".

    You would use :

    
    $query = mysql_query("INSERT INTO `users` (`name`,`description`) VALUES ('".htmlentities($name)."','".htmlentities($description)."')",$connection);
    
    But let's see what would happen if a hacker enters this in the description field:

    Programmer'); DELETE FROM `users`;--

    As htmlentities will leave the query untouched, the query that will be sent to the server will be :

    
    INSERT INTO `users` (`name`,`description`) VALUES ('John','Programmer'); DELETE FROM `users`; --')
    
    So, he managed to insert a query that deletes all users from the table by writing a nice description.

    Here's a function and the modified query so this will not happen:

    
    /*
    magic quotes is usually turned off, it should be off by default.
    In this case, you don't have to use unesc to get the original texts from database.
    */
    function sqlesc($x)
    {
        $value = $x;
        // Undo the backslashes magic_quotes_gpc adds, so the value is not escaped twice
        if (get_magic_quotes_gpc()) {
            $value = stripslashes($value);
        }
        // Quote and escape unless it is a number (mysql_real_escape_string needs an open connection)
        if (!is_numeric($value)) {
            $value = "'" . mysql_real_escape_string($value) . "'";
        }
        return $value;
    }
    
    function unesc($x)
    {
        // Only needed when magic quotes added slashes to the incoming text
        if (get_magic_quotes_gpc()) {
            return stripslashes($x);
        }
        return $x;
    }
    
    /* your query */
    $query = mysql_query("INSERT INTO `users` (`name`,`description`) VALUES (".sqlesc($name).",".sqlesc($description).")",$connection);
    
    As you see, in the last query I didn't even use htmlentities because from the database's point of view, it doesn't care.

    You have to use htmlentities when sending text to user in order to disable certain code that you may not want to run on users' computers.

    As an example, htmlentities converts the < character to &lt; and > to &gt;. If a hacker entered a script definition such as
    
    <script>alert("hacked");</script>
    
    the code will not run on the users' computer because the browser receives this:
    
    &lt;script&gt;alert("hacked");&lt;/script&gt;
    
    The browser converts &lt; and &gt; to < and > at runtime, but it doesn't see <script> and </script> anymore, so the code will not run on the users' computer.

    Hope you understand what I've written, it's very late here and I'm almost asleep.
     
    mariush, Jan 19, 2007 IP
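As an added example (not code from the thread), here is the same `users` INSERT done with PDO prepared statements and fed the exact payload from the post above, with output escaping left for the HTML boundary. The in-memory SQLite database, the `alice` row and the helper names are assumptions so it runs offline.

```php
<?php
// Added example, not from the thread. Assumes the pdo_sqlite extension and an
// in-memory database so it runs offline; the table mirrors the post's `users`.

const PAYLOAD = "Programmer'); DELETE FROM `users`;--";

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (name TEXT, description TEXT)');
    $db->exec("INSERT INTO users VALUES ('alice', 'Designer')");  // constructed row
    return $db;
}

// The post's original pattern: user text spliced into the SQL string.
// ENT_COMPAT is the 2007-era default; it leaves ' alone, so the quote in the
// payload closes the SQL literal. (Newer PHP encodes ' as &#039; by default,
// which is still HTML escaping, not SQL escaping.)
function unsafeSql(string $name, string $description): string
{
    return "INSERT INTO `users` (`name`,`description`) VALUES ('"
        . htmlentities($name, ENT_COMPAT) . "','"
        . htmlentities($description, ENT_COMPAT) . "')";
}

// The fix: placeholders. Values travel separately from the SQL text, so the
// quote and the semicolon are ordinary characters inside a string.
function safeInsert(PDO $db, string $name, string $description): void
{
    $stmt = $db->prepare(
        'INSERT INTO users (name, description) VALUES (:name, :description)');
    $stmt->execute([':name' => $name, ':description' => $description]);
}

// Output escaping belongs where the text goes into HTML, not before the INSERT.
function renderDescription(string $description): string
{
    return '<p>' . htmlspecialchars($description, ENT_QUOTES, 'UTF-8') . '</p>';
}

$db = openDb();
echo unsafeSql('John', PAYLOAD), "\n";   // the stacked DELETE is now part of the SQL text
safeInsert($db, 'John', PAYLOAD);
echo $db->query('SELECT COUNT(*) FROM users')->fetchColumn(), " rows\n";  // 2: alice survived
$stored = $db->query("SELECT description FROM users WHERE name = 'John'")->fetchColumn();
echo $stored === PAYLOAD ? "payload stored as plain text\n" : "mismatch\n";
echo renderDescription('<script>alert("hacked");</script>'), "\n";
```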
  9. Pat Gael

    Pat Gael Banned
    #9
    A solid core script along with an invisible logger jotting down all people accessing your site can help, along with a routine analysis of the log files to detect any suspicious activity and ban hackers opportunely.

    Easy to say, but it takes time to get everything running smoothly, but the sooner you implement such measures, the less probable it is that your site could be hacked.

    On a side note, if you need to grant access to administrators/moderators or any other staff, always create a secondary ftp, admin panel access, not the main, even if those new accounts are granted the same rights.

    In an extreme case it is easier to delete or modify an admin account than your main one. ;)
     
    Pat Gael, Jan 19, 2007 IP
  10. joshuayip

    joshuayip Member
    #10
    If you have time to spare, download WebInspect from SPIDynamics with a 15-day evaluation and shoot your web application, and see if you have the vulnerabilities mentioned above (SQL Injection, Cross site scripting... etc.)
    They do provide a nice knowledge base for reference on how to fix it too.

    Joshua
     
    joshuayip, Jan 21, 2007 IP
  11. sukantab

    sukantab Well-Known Member
    #11
    Encrypt the php pages. Use Zend.
     
    sukantab, Jan 22, 2007 IP
  12. Barti1987

    Barti1987 Well-Known Member
    #12
    Search for: A.List.Hacker.Linux.Uncovered.ebook-Spy.chm

    It's a good ebook if you want to understand hacking (which is the best way to protect yourself!).

    Peace,
     
    Barti1987, Jan 22, 2007 IP
  13. nico_swd

    nico_swd Prominent Member
  14. audax

    audax Peon
    #14
    A good explanation of some security measures that can prevent a MySQL injection can be found here:
    http://us3.php.net/mysql_real_escape_string

    Look for the quote_smart function.

    It's very important that you "scrub" all user input before you allow it into your site, either via MySQL or another form. When it comes to security, always have a "trust no one" policy.
     
    audax, Jan 22, 2007 IP