Security issue - need help!

Discussion in 'Security' started by darrens, Sep 20, 2006.

  1. #1
    Hi,

    First of all I'm NOT a programmer at all, but I do manage a large web site.

    The web site is PHP and MySQL.

    I have a CMS area on the web site (the address is not published online) that allows my staff members (200+) to log in and manually upload various stock onto our web site to sell.

    Each member has their own personal login and account.

    The login is 2 simple form fields that allow the staff member to enter a user ID and password, and then from this we go off and check the details and let them in or not.
    When they enter they can see their own stock and then either add, edit or delete.

    Over the past 2 months I have received 1 email saying one member logged into the site and saw someone else's stock ... but he has since tried to do it again and it always logs into his own account.

    2nd report I had was where my own account had 2 items of stock loaded into it that I hadn't added, but since this nothing unusual has happened.

    3rd (today): a staff member has reported that all of her stock has been deleted.

    Now this admin has been running for 9 months and we have only had 3 issues, but when I try and recreate them it works fine.

    Any ideas ???

    It can't be a hacker because they would wipe everything, and we also have an IP checker that makes sure the requesting IP address is in our database of allowed IPs.

    It could be a member of staff being a pain in the ass ... but then how does that explain the 1st email I had?

    Only thing I can think of is that 99% of the staff are all on the same IP address. Would this cause a problem if 2 people logged in at exactly the same time?

    Any advice would be a great help.
     
    darrens, Sep 20, 2006 IP
  2. SoKickIt

    #2
    It's impossible to tell what's wrong without looking at the script you're using.
     
    SoKickIt, Sep 20, 2006 IP
  3. darrens

    #3
    Do you think that the fact everyone is on the same IP would have any effect?
     
    darrens, Sep 20, 2006 IP
  4. SoKickIt

    #4
    I'm pretty sure each member has some unique ID, so the IP should be irrelevant. Of course, I can't be 100% sure because I don't know how the script works.
     
    SoKickIt, Sep 20, 2006 IP
  5. TwistMyArm

    #5
    We used to have problems with some scripts when staff were going through the MS proxy that was set up.

    Just out of curiosity, could this apply to your situation?

    If so, what happens if they bypass the proxy for that particular server (assuming that's possible)?
     
    TwistMyArm, Sep 20, 2006 IP
  6. thuonghieu

    #6
    Do you use EzUpload? If so, contact me.
     
    thuonghieu, Sep 22, 2006 IP
  7. clancey

    #7
    I would like to add a couple of points.

    Do not focus on the IP address issue. Routers and web servers are able to deal with these issues. Please note that if the web service is inside the LAN, then everyone on that side of the wall will have their own individual IP address.

    If you are able to discount hacking, then I would focus on the database and the PHP code used to access it.

    Since you are using MySQL you should look at issues surrounding locking and concurrency. You need to look through the code controlling the database and look at how reads and writes are being handled and the way in which the SQL statements which fetch data are constructed.

    If you have borrowed code from an open source project somewhere, you should not assume it is well written. You need to make sure it is well written.
     
    clancey, Sep 22, 2006 IP
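The two query-construction mistakes that produce exactly the symptoms in the first post (another member's rows visible or deleted, rows appearing in the wrong account, and "they would wipe everything" being possible from an ordinary login) are a write that matches on the stock id alone, with no owner in the WHERE clause, and a query built by pasting the request value into the SQL text. The example below is added here and is not code from the thread or from darrens' CMS; the `stock` table, its columns, the two staff accounts and the rows are constructed, and sqlite3 stands in for MySQL. It shows both defects next to the hardened form, which binds parameters and scopes every read and write to the logged-in owner.

```python
import sqlite3

# Constructed sample rows: id, owner (the logged-in staff account), item name.
# The table layout is an assumption; the thread never describes the real schema.
SAMPLE_STOCK = [
    (1, "alice", "widget A"),
    (2, "alice", "widget B"),
    (3, "bob", "gadget C"),
]


def make_db():
    """In-memory stand-in for the site's MySQL stock table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE stock (id INTEGER PRIMARY KEY, owner TEXT NOT NULL, name TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO stock VALUES (?, ?, ?)", SAMPLE_STOCK)
    conn.commit()
    return conn


def remaining_ids(conn):
    """Ids still present, in order; used to observe what each delete did."""
    return [row[0] for row in conn.execute("SELECT id FROM stock ORDER BY id")]


def delete_stock_vulnerable(conn, stock_id):
    """The shape of a delete handler that trusts the request.

    Two defects: the WHERE clause never mentions the owner, so whoever is
    logged in can delete any id they can guess; and the id is pasted into
    the SQL text, so an id of "1 OR 1=1" becomes DELETE ... WHERE id = 1 OR 1=1
    and removes every row in the table.
    """
    cur = conn.execute(f"DELETE FROM stock WHERE id = {stock_id}")
    conn.commit()
    return cur.rowcount


def delete_stock_safe(conn, owner, stock_id):
    """Hardened form: bound parameters, and the row must belong to the
    session's owner. Returns the number of rows removed; 0 means the id was
    not this owner's, which the caller should log rather than ignore.
    """
    cur = conn.execute(
        "DELETE FROM stock WHERE id = ? AND owner = ?", (stock_id, owner)
    )
    conn.commit()
    return cur.rowcount


def list_stock_safe(conn, owner):
    """Reads get the same owner scoping, so a member only ever sees their rows."""
    rows = conn.execute(
        "SELECT id, name FROM stock WHERE owner = ? ORDER BY id", (owner,)
    )
    return [(r[0], r[1]) for r in rows]


if __name__ == "__main__":
    db = make_db()
    print("bob deleting alice's id 1 via the scoped query removes:", delete_stock_safe(db, "bob", 1))
    print("alice deleting her own id 1 removes:", delete_stock_safe(db, "alice", 1))
    db = make_db()
    print("unscoped delete of id 3 from any session removes:", delete_stock_vulnerable(db, 3))
    db = make_db()
    print("interpolated id '1 OR 1=1' removes:", delete_stock_vulnerable(db, "1 OR 1=1"),
          "leaving", remaining_ids(db))
```

The owner check belongs in the SQL, not in a separate "does this row belong to me" query followed by an unscoped delete, because the second pattern is exactly what a concurrent request or a swapped session id slips past.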
  8. 2mob.net

    #8
    I would check your logs to see if your CMS area had been discovered. You said that you keep allowed IP addresses in the database. That is too late to make any decision. I would move them to iptables. If your access is compromised by injection, they can run pretty much whatever they want, and bypass all your database checks.

    Is your staff logging in using SSL?

    Check your web server logs to see if anything unusual is happening. Look for 404, 403, 500 type errors, and check the request strings. Scanning tools are used to scan websites for security holes; they are harmless on a well secured site.

    If I had to guess, your CMS had been discovered and traffic was monitored or connections were hijacked. If your site stores valuable information, it would be a worthwhile target for more sophisticated attacks.

    If you run open source PHP code, my recommendation is: don't. It is a mickey-mouse game: can you close the holes as soon as they are discovered? At least follow the recommendations of software publishers to upgrade to the latest versions and fix all known holes.

    The less code you run the better.
     
    2mob.net, Sep 29, 2006 IP
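The log review suggested above (look for 403/404/500 responses and read the request strings) is mechanical enough to script. The example below is added here and is not from the thread; the Apache combined-format lines are constructed, with invented hosts, paths and timestamps, to stand in for darrens' access log. It parses each line, flags error statuses and request strings that decode to injection- or traversal-like payloads, and counts 4xx/5xx responses per client address, which is the usual footprint of a scanner walking a site for known paths.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed Apache combined-format lines; not from any real server.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Sep/2006:09:14:02 +0100] "GET /cms/stock.php?id=41 HTTP/1.1" 200 5123 "-" "Mozilla/4.0"
203.0.113.9 - - [20/Sep/2006:09:15:10 +0100] "GET /cms/stock.php?id=41%20OR%201%3D1 HTTP/1.1" 200 8770 "-" "Mozilla/4.0"
203.0.113.9 - - [20/Sep/2006:09:15:11 +0100] "GET /admin/ HTTP/1.1" 404 212 "-" "Mozilla/4.0"
203.0.113.9 - - [20/Sep/2006:09:15:11 +0100] "GET /phpmyadmin/ HTTP/1.1" 404 212 "-" "Mozilla/4.0"
203.0.113.9 - - [20/Sep/2006:09:15:12 +0100] "GET /cms/../../../etc/passwd HTTP/1.1" 403 199 "-" "Mozilla/4.0"
10.0.0.5 - - [20/Sep/2006:09:16:30 +0100] "POST /cms/delete.php HTTP/1.1" 500 0 "-" "Mozilla/4.0"
"""

# Combined log format: client, ident, user, [time], "method path proto", status, size, ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Request-string patterns worth a second look. They are matched against the
# URL-decoded, lower-cased path so that %20OR%201%3D1 and "or 1=1" look alike.
PATTERNS = {
    "injection-like": re.compile(r"'|\bor\b\s+\d+\s*=\s*\d+|\bunion\b\s+\bselect\b"),
    "traversal": re.compile(r"\.\./|\x00"),
}


def parse_line(line):
    """Return the fields of one combined-log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def scan_log(text):
    """Flag lines by error status and by request-string pattern.

    Returns a list of dicts with ip, status, path and the reasons that fired.
    A 200 with a suspicious request string is kept too: a successful
    injection does not show up as an error.
    """
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        if rec["status"] in (403, 404, 500):
            reasons.append("error-status")
        decoded = unquote(rec["path"]).lower()
        for name, pat in PATTERNS.items():
            if pat.search(decoded):
                reasons.append(name)
        if reasons:
            findings.append({"ip": rec["ip"], "status": rec["status"],
                             "path": rec["path"], "reasons": reasons})
    return findings


def errors_by_ip(text):
    """Count 4xx/5xx responses per client address."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None and rec["status"] >= 400:
            counts[rec["ip"]] += 1
    return counts


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["status"], f["path"], ",".join(f["reasons"]))
    print(dict(errors_by_ip(SAMPLE_LOG)))
```

Run against a real log the counts are the first thing to read: an address that is not one of the 200 staff but produced a burst of 404s is the "CMS area discovered" case the post describes, and the request strings tell you what it was probing for.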
  9. TwistMyArm

    #9
    Wow. So just out of curiosity, does this 'mickey-mouse' game apply only to open source PHP, or all open source? Anyway...

    I just want to restate that we had the same problem (people somehow ending up with another user's login). This was going on for months. As soon as our users opted to bypass the MS Proxy when accessing this site, all of the issues went away (instantly). We never experienced that problem again (and that was about 2 years ago). Now, your users might be using a transparent proxy, but maybe your network admin can set the clients up to bypass it for this one site?
     
    TwistMyArm, Sep 30, 2006 IP
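One mechanism that fits the symptom described in this post and in #5 (a user landing in someone else's login only while traffic went through a shared proxy) is the proxy storing one logged-in user's response and serving it to the next client that asks for the same URL, which a shared cache is allowed to do whenever the application does not declare the response private. Whether that is what the MS proxy was doing is an assumption; nothing in the thread confirms it. The example below is added here and is not code from the thread or from the CMS: it checks a response's headers for that condition and produces the headers a per-user page should send. PHP's own session_start() emits no-cache headers by default through session_cache_limiter(), so this mostly matters for a CMS that manages its login cookie itself or has changed the limiter.

```python
# Cache-Control directives that stop a shared cache from storing a response
# or reusing it without revalidation (RFC 2616 section 14.9).
FORBIDS_SHARED = ("private", "no-store", "no-cache")


def _header(headers, name):
    """Case-insensitive header lookup; returns "" when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def shared_cache_may_store(headers):
    """True when nothing in the headers tells a shared proxy cache that this
    response is specific to one user.

    A logged-in page for which this returns True is the condition under
    which a proxy can hand user A's stock page to user B. The check is
    deliberately conservative: only explicit private/no-store/no-cache or
    Vary: * count as a refusal; absence of any caching header counts as
    permission, which is how proxies of that era treated it.
    """
    cache_control = _header(headers, "Cache-Control").lower()
    directives = [d.strip().split("=")[0] for d in cache_control.split(",") if d.strip()]
    if any(d in FORBIDS_SHARED for d in directives):
        return False
    if _header(headers, "Vary").strip() == "*":
        return False
    return True


def private_page_headers(headers):
    """Return a copy of the headers carrying what a per-user page should send:
    private and no-store for HTTP/1.1 caches, Pragma and Expires for HTTP/1.0
    proxies that ignore Cache-Control, and Vary on the session cookie."""
    out = dict(headers)
    out["Cache-Control"] = "private, no-store, no-cache, must-revalidate"
    out["Pragma"] = "no-cache"
    out["Expires"] = "0"
    out["Vary"] = "Cookie"
    return out


if __name__ == "__main__":
    # Constructed headers standing in for a page that sets a login cookie but
    # says nothing about caching.
    leaky = {"Content-Type": "text/html", "Set-Cookie": "staff=abc123"}
    print("proxy may store leaky page:", shared_cache_may_store(leaky))
    print("proxy may store fixed page:", shared_cache_may_store(private_page_headers(leaky)))
```

If the staff clients cannot bypass the proxy, sending these headers from every page behind the login removes the proxy's permission to share the response, whereas bypassing the proxy only avoids one cache; any other shared cache on the path keeps the same behaviour.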
  10. 2mob.net

    #10
    I say, you have to be vigilant about patching not only PHP, but everything below it as well. The holes are usually published within days of being discovered. How long are websites running and being hacked because holes have not been discovered YET? Nobody knows.

    When you run open source, all interested parties can study the implementation, look at the code from different angles, usually not the same as the writer of the code, and they find their way around.

    Why is PHP an easy target? Because it is very popular and most installations are "out-of-the-box", put up by people who just want to make a quick buck. What happens to the web site afterwards, who cares, it is the owner's headache.

    BTW, most websites run unpatched software that can be broken into by any amateur "me-too" cracker.
     
    2mob.net, Sep 30, 2006 IP
  11. TwistMyArm

    #11
    And yet, there are security holes found in closed source applications all the time...

    Not to flame, and I know I don't want to get into this entire conversation, but I was under the impression that the whole "anyone can look at it therefore it's really insecure" argument was trounced years ago. "Security by obscurity" is a joke, too, and so I think we end up with: everything can be insecure and the way it's developed has nothing to do with it.

    Plus, if that were the case, wouldn't Linux be a lot more insecure than Windows, for example?

    Anyway, this isn't really the thread to discuss this in, I would guess...
     
    TwistMyArm, Sep 30, 2006 IP
  12. 2mob.net

    #12
    Don't get me started :D
    If you use open source you have to plug the holes as soon as you can. Open source applications are scrutinized more and if webmasters are lazy, the holes are there for the taking.

    Of course Linux (out of the box) is more secure than anything out there. Windows can be made secure, but it is much harder to do.

    I did not mean that "security by obscurity" is the answer. Quite the opposite. The only secure systems or algorithms are those that have their source code out in the open and still remain secure.

    My beef with open source is that for an average webmaster, it is very hard to keep track of all the holes in the software that they have on their systems.

    I was just trying to help the guy track his "break-in" problem. I don't recommend open source, unless you really know what you are installing and you know how to make it secure and keep it secure.

    The security of any system depends largely on the skill of its administrator. So be careful out there.
     
    2mob.net, Sep 30, 2006 IP