  1. #1
    SitePoint Zealot
    Join Date
    Oct 2006
    Location
    Syracuse, NY
    Posts
    118

    Website ever been hacked?

    I'm curious to know if any PHP guys/girls in here have been hacked before. I'm working on a website that will be doing online quoting, commission reports, just diving right into the company database. Security has become a big subject of research recently.

    I would like to hear if it's happened to you and how it happened. How'd they get in, what'd they take/destroy? How have you changed your programming since then? etc... etc...

  2. #2
    SitePoint Member
    Join Date
    Dec 2006
    Posts
    3
    Usually they get in using the so-called "SQL injection" or "PHP injection" or any other type of "injection" - that means that they put an SQL statement or some other command into your query parameters. Usually that happens if you use some of the open-source scripts which have well-known security issues.

    For example you have URL:
    http:...........search.php?search=something
    and your script executes the statement:
    select * from table where string like '%$_GET['search']%';

    they just replace url with something like:
    http:...........search.php?search=';drop table ....;
    so if you don't check your query inputs for injections, that drop table would be called, which would destroy your database.

    Most open-source scripts have a GPL or similar licence which means that you must leave "powered by XXX" on your page. "Hackers" (not really - they are just kids that are working by the tutorials that they read on so-called "hacker" forums, they are mostly not the hackers you see in the movies) just make a search for "powered by XXX" on Google and they get a list of sites which use the same software that has a security hole.

    Then they put in this SQL injection and that's it - your database or even something else gets "hacked", destroyed, deleted, replaced...

    If you are developing your own software and the source code and SQL structure are not available in the public, you don't have to worry so much. These "hacking kids" won't be able to find out what is your security issue (if there is any) since it isn't posted everywhere on the net. Meanwhile "professional" hackers don't have time to bother with *YOUR* page, they go for something bigger like bank, government or something.

    But that doesn't mean that all open-source software is a security risk - some of the scripts have really high security and they get updated regularly, so if you upgrade your script every time a new upgrade is available there is also a smaller chance of getting hacked.
    Most security holes are discovered by the script authors, who make a patch or upgrade, and when they post on their site "version 1.0.4 has a security hole at line XX in file XX so please upgrade to version 1.0.5" then these "hackers" get the idea and search for "powered by XX v.1.0.4" and they get a list of sites which didn't make an upgrade so they are easy targets...

    Hope I made most of the things clear
    ______________________________________________
    igre | video | povezave

  3. #3
    Worship the Krome kromey's Avatar
    Join Date
    Sep 2006
    Location
    Fairbanks, AK
    Posts
    1,621
    My first site fell victim to SQL injection, XSS, malicious file upload (uploaded some malicious PHP files), and header injection on the contact form. Seemed to all come from the same source (i.e. one guy hitting me with every trick in the book, and I was wide open to every trick in the book!). Hence my current attitude toward security in web apps, i.e. don't trust anyone (or anything), or, more to the point, assume everyone has ill intent until proven otherwise.

    Damage done in that attack: I had to completely wipe out the entire server, reformat and start again from scratch (he rootkitted and backdoored the thing all to hell!). There was nothing on the server or in the database to take except for a very short list of (unsalted) MD5ed passwords (test accounts, none of them real).

    The problem was that I had written the app with absolutely no knowledge of good security practices. I had Apache running as the apache user, of course, but had elevated the user's permissions (stupid!) because of weird upload issues (this was the hole my attacker needed to gain full root access via an uploaded PHP script). I didn't validate any user input, nor did I escape any data going into the database (the XSS and SQL injection attacks), and most fatally (in this attack at least) I performed absolutely no validation on uploaded files (i.e. make sure they were only images).

    I now run Apache as a limited user in a chroot jail; all user input is validated (I err on the side of paranoia there); all data going to the database, even data generated by my scripts themselves, is escaped and quoted properly; all data being output to the user is validated again (to mitigate the risk of XSS attacks); and of course all file uploads are validated and then renamed (thus preventing a crafty PHP script that could appear to be an image file from being uploaded with the .php extension necessary to run it).

    The short is: Validate, validate, validate!! I spend a lot of time now dreaming up clever ways people could abuse my scripts, then making sure that they are not vulnerable to those attacks; I've even written my own HTTP client (in PHP, naturally) so that I can test any kind of malformed request to my scripts. I regularly check my server logs for suspicious activity (although honestly I've been lapsing on that lately, but mostly because there's nothing active on my servers and I'm preparing to reformat them soon anyway).

    As the song goes: "Once bitten, twice shy"!!
    PHP questions? RTFM
    MySQL questions? RTFM

  4. #4
    SitePoint Zealot
    Join Date
    Oct 2006
    Location
    Syracuse, NY
    Posts
    118
    Wow, that sounds like a horror story! I've been reading up on a lot of validation... fun stuff! My worst nightmare is the site being hacked into, data being taken, SSNs taken, people's lives ruined, husband and wife divorced, kids separated, families destroyed! All because I didn't validate properly!

  5. #5
    Worship the Krome kromey's Avatar
    Join Date
    Sep 2006
    Location
    Fairbanks, AK
    Posts
    1,621
    Validation is key. If you expect a number, force it to be a number ($num = (int)$_POST['num']); if you expect a string with only letters, numbers, and spaces, ditch everything else ($name = preg_replace('/[^a-zA-Z0-9 ]/', '', $_POST['name'])). And of course, always always ALWAYS escape data before putting it into your database (use mysql_real_escape_string if you're using MySQL); better yet, use only prepared statements and bound arguments (PDO if you can, otherwise mysqli_* can do it as well).
    PHP questions? RTFM
    MySQL questions? RTFM
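
Added example, not code from any poster in this thread: the search.php query from post #2 rewritten with the integer cast and PDO bound parameters recommended in post #5. The `articles` table, its rows and the function name are constructed for illustration, and an in-memory SQLite database (pdo_sqlite assumed) stands in for MySQL so the script runs on its own.

```php
<?php
declare(strict_types=1);

// Constructed demo data in an in-memory SQLite database (assumes pdo_sqlite);
// with MySQL only the DSN changes. Table and column names are hypothetical.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)');
$pdo->exec("INSERT INTO articles (title) VALUES
    ('PHP security basics'), ('100% uptime'), ('Gardening notes')");

function searchArticles(PDO $pdo, string $rawTerm, $rawLimit): array
{
    // Expect a number, force a number, then clamp it to a sane range.
    $limit = max(1, min(50, (int) $rawLimit));

    // Make user-supplied LIKE wildcards literal; '!' is the escape character.
    $term = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $rawTerm);

    // The SQL text is fixed. Input travels separately as bound values, so a
    // quote or semicolon in $rawTerm is only ever data to compare against.
    $stmt = $pdo->prepare(
        "SELECT id, title FROM articles
          WHERE title LIKE :pattern ESCAPE '!'
          ORDER BY id LIMIT :limit"
    );
    $stmt->bindValue(':pattern', '%' . $term . '%', PDO::PARAM_STR);
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN, 1);
}

// Constructed inputs: a normal term, a literal '%', and the string from post #2.
foreach (['security', '100%', "';drop table articles;"] as $input) {
    printf("%-26s => %s\n", $input, json_encode(searchArticles($pdo, $input, '10')));
}

// Count the rows again after the hostile-looking input has been searched for.
echo 'rows left: ', $pdo->query('SELECT COUNT(*) FROM articles')->fetchColumn(), "\n";
```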

  6. #6
    SitePoint Wizard Hammer65's Avatar
    Join Date
    Nov 2004
    Location
    Lincoln Nebraska
    Posts
    1,161
    Don't trust any input at all, even from registered users. Keep in mind however, if someone wants to get in bad enough, they will. The key isn't trying to make the site impenetrable. That isn't really possible. You take the security measures that are appropriate for what you have to protect. You don't need SSL to keep someone from defacing your blog, you do need it if you have your users entering sensitive information. Don't lose sleep over it, back up your site, protect it the best way you know how.

    Hackers rarely break machines for fun anymore, it's done for profit. They at least want to use your machine, if you have something they can sell all the better.

    The movies don't portray anything about computers accurately. Not a very good example.

  7. #7
    SitePoint Addict silentcollision's Avatar
    Join Date
    Jun 2006
    Location
    New Zealand
    Posts
    388
    I had someone take advantage of a relatively uncommon file upload script I was using.

    They contacted me through MSN, and helped me through patching it, and we went about contacting more people using the script.

    Not sure if that's "hacking" in the abusive sense, it was a relatively educational experience.

  8. #8
    SitePoint Guru
    Join Date
    Nov 2004
    Location
    Plano
    Posts
    643
    i had a few emailer scripts jacked and spammers were able to send their spam out through my website.

    basically, know the common holes of the webpage feature you are working with, and learn how to not be susceptible to attack. i.e. if you use forms, validate all user input, if you use emailing (contact us forms, etc.) make sure they don't include binary attachments or send out multiple emails through headers, if you allow uploaded files, double-check the mime-type (NOT thru the submitted mime-type in the form), etc.

    good luck.
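
Added example, not code from any poster in this thread: an upload check that follows the advice in posts #3 and #8, detecting the type from the file's bytes rather than the submitted mime-type and assigning a server-chosen name and extension. The function name, size limit, form field name and sample files are constructed for illustration; the fileinfo extension is assumed.

```php
<?php
declare(strict_types=1);

// Content type detected on the server => extension the server will assign.
const ALLOWED_IMAGES = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

/**
 * Returns a server-chosen file name for an acceptable image, or null.
 * The client-supplied name and $_FILES[...]['type'] are never consulted.
 */
function safeImageName(string $tmpPath, int $maxBytes = 2097152): ?string
{
    $size = filesize($tmpPath);
    if ($size === false || $size === 0 || $size > $maxBytes) {
        return null;
    }
    // Sniff the real type from the bytes, then confirm it parses as an image.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if (!isset(ALLOWED_IMAGES[$mime]) || @getimagesize($tmpPath) === false) {
        return null;
    }
    // Renaming means the stored file can never end in .php, even if the
    // bytes are a crafted image that also carries script text.
    return bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGES[$mime];
}

// Constructed samples: a 1x1 GIF, and PHP source uploaded as "photo.jpg".
$samples = [
    'real.gif'  => base64_decode('R0lGODlhAQABAIAAAAAAAP///ywAAAAAAQABAAACAUwAOw=='),
    'photo.jpg' => "<?php echo 'not an image'; ?>\n",
];
foreach ($samples as $clientName => $bytes) {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $bytes);
    $stored = safeImageName($tmp);
    echo $clientName, ' => ', $stored ?? 'rejected', "\n";
    unlink($tmp);
}

// In a real handler, call safeImageName($_FILES['image']['tmp_name']) (field
// name hypothetical), then move_uploaded_file() into a directory where PHP
// execution is disabled and permissions are no wider than the server needs.
```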

  9. #9
    SitePoint Wizard Hammer65's Avatar
    Join Date
    Nov 2004
    Location
    Lincoln Nebraska
    Posts
    1,161
    I've done battle with a few spammers that wanted to use an email form for mail injection. One instance was a third party script, that was wide open. I modified it once and the spammer tried something else, I locked down again. I finally contacted the author of the app, and tried to be diplomatic about my suggestion to lock down the script. I found a lot of copies via Google. I never got a response back.

    I've had to clean up after hackers before on behalf of others, it's not pretty, some attacks were due to various apps that had unpatched vulnerabilities. Some open source PHP apps originated in a time where some of the "convenience" features of PHP had yet to be determined to be insecure. PHPBB for instance has had repeated problems. The newer projects built around frameworks are likely much more secure, but it's important to keep up on patches.

    BTW the GPL license does not require a "powered by" declaration. That may be a requirement or suggestion by an individual developer, but not part of the license.
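
Added example, not code from any poster in this thread: a contact-form mail builder that closes the header-injection hole described in posts #3, #8 and #9 by refusing line breaks in header values and keeping the recipient fixed. The function names, the example.com addresses and the sample submissions are constructed for illustration.

```php
<?php
declare(strict_types=1);

/** Reject any value that would start a new header line. */
function headerSafe(string $value): string
{
    if (preg_match('/[\r\n\0]/', $value) === 1) {
        throw new InvalidArgumentException('line break in header value');
    }
    return trim($value);
}

/**
 * Build the arguments for mail() from contact-form fields.
 * The recipient and From address are fixed (hypothetical example.com values);
 * the visitor only influences Reply-To, Subject and the plain-text body.
 */
function buildContactMail(string $email, string $subject, string $message): array
{
    $replyTo = filter_var(headerSafe($email), FILTER_VALIDATE_EMAIL);
    if ($replyTo === false) {
        throw new InvalidArgumentException('invalid e-mail address');
    }
    return [
        'to'      => 'contact@example.com',
        'subject' => substr(headerSafe($subject), 0, 120),
        'message' => $message,
        'headers' => ['From' => 'webform@example.com', 'Reply-To' => $replyTo,
                      'Content-Type' => 'text/plain; charset=UTF-8'],
    ];
}

// Constructed submissions: one ordinary, one trying to append a Bcc header.
$submissions = [
    ['alice@example.org', 'Quote request', 'Please call me back.'],
    ["alice@example.org\r\nBcc: list@example.net", 'Hi', 'x'],
];
foreach ($submissions as [$email, $subject, $message]) {
    try {
        $mail = buildContactMail($email, $subject, $message);
        echo 'accepted, Reply-To: ', $mail['headers']['Reply-To'], "\n";
        // mail($mail['to'], $mail['subject'], $mail['message'], $mail['headers']);
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```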

  10. #10
    Theoretical Physics Student bronze trophy Jake Arkinstall's Avatar
    Join Date
    May 2006
    Location
    Lancaster University, UK
    Posts
    7,062
    I was lucky enough to get hacked by a white-hat, so he showed me how to fix it.

    I submitted one of my sites to hackthissite.org (I used to be a member, look up the user apple_sauce (me)), and nobody could break it, even when I gave them source code!

    The best way to secure your website is by giving a hacker (who you trust, someone you know) the source code and a URL to the site. That way, at least you know that you're safer.
    Jake Arkinstall
    "Sometimes you don't need to reinvent the wheel;
    Sometimes it's enough to make that wheel more rounded"-Molona

  11. #11
    SitePoint Enthusiast
    Join Date
    Aug 2007
    Location
    edge of nowhere
    Posts
    74
    Originally posted by irtom1:
    If you are developing your own software and the source code and SQL structure are not available in the public, you don't have to worry so much. These "hacking kids" won't be able to find out what is your security issue (if there is any) since it isn't posted everywhere on the net.
    That actually isn't such good advice, because it encourages people to write bad code and as we've seen from time to time, webservers do crap out and display the code every now and then (Facebook, MS Word code leaked eventually, etc).
    Besides, you never know how popular that thing is going to get and you might be forced to rewrite it.
    Programming boils down to three things: fast, good and cheap.
    Please pick two.

  12. #12
    SitePoint Wizard Hammer65's Avatar
    Join Date
    Nov 2004
    Location
    Lincoln Nebraska
    Posts
    1,161
    I agree. A hacker doesn't need to know anything about the site or the source code. It doesn't take a genius to determine where a database might be used in a site and pound on a page with various techniques till they find a hole. Security through obscurity isn't a worthless concept, but cannot be the only thing you rely on.

  13. #13
    SitePoint Addict
    Join Date
    Oct 2004
    Location
    Ontario Canada
    Posts
    235
    Mine just got hacked recently by some islam group. Unfortunately I did not figure out how they got in. All I know is I had some folders chmodded 777 (image only upload folders and such) and they somehow got a php script on there. There was one script I rewrote which allowed me to set it to 775 though I still have a few 777's so I'm scared they somehow get in.

    777 or not, the fact they got on the server is what bothers me, and I doubt they have an account on the same host just for the purpose of hacking me. I wiped all my sites and reuploaded as a precaution. I'll be reviewing my security to try to see what ways they could have got in. As a precaution I added some .htaccess files to prevent php from working in forum upload folders even though the script won't allow php files.

