  1. #1
    SitePoint Zealot
    Join Date
    Apr 2005
    Posts
    100

    CMS site was hacked! How do I keep the hacker out?

    A CMS site I created for a politician was hacked (he has many enemies!) and I'm trying to figure out how to keep the hacker from getting in, or at least make it harder for him. The changes made to the site were done inside the database (MySQL), so I'm guessing the hacker was able to somehow get to the mysql_connect page and get the database password. I know it's more secure to place this page outside the web directory, but being on a GoDaddy shared hosting plan this isn't possible. Does anyone know of ways I can make this file more secure and harder to get to? I changed the permissions on the file to 600, but I don't know if that will help or not.
    Thanks!

  2. #2
    SitePoint Enthusiast
    Join Date
    Feb 2007
    Posts
    28
    I guess he didn't connect to the database directly, because he would need to install some files on the server first to manage to connect to your database. He might be able to inject your database within the browser through a vulnerability in your application (the CMS).

    It could also be through a CSRF.

  3. #3
    Jmz (SitePoint Enthusiast)
    Join Date
    Jun 2005
    Posts
    93
    Are you sure that is how they got in? You could make a function to connect to the db that has the login details inside. That way it would be impossible to read the details outside of the function.

    I would also check all of your user input fields and anywhere you request a value from a query string as this is the most common way sites are hacked (in my experience anyway).

  4. #4
    SitePoint Zealot
    Join Date
    Apr 2005
    Posts
    100
    Quote Originally Posted by almasry:
    I guess he didn't connect to the database directly, because he would need to install some files on the server first to manage to connect to your database. He might be able to inject your database within the browser through a vulnerability in your application (the CMS).

    It could also be through a CSRF.
    Quote Originally Posted by Jmz:
    Are you sure that is how they got in? You could make a function to connect to the db that has the login details inside. That way it would be impossible to read the details outside of the function.

    I would also check all of your user input fields and anywhere you request a value from a query string as this is the most common way sites are hacked (in my experience anyway).
    Actually, now that you mention it he could very well have infiltrated the admin login and gained entry somehow that way. I tried some of the examples in that Wikipedia article on SQL injection but none of them gained access. Anyone know of any other ways I can test my login page to see where it might be vulnerable? I am using PHP and sessions to log the person in.

  5. #5
    SitePoint Enthusiast
    Join Date
    Feb 2007
    Posts
    28
    Anyone know of any other ways I can test my login page to see where it might be vulnerable?
    Instead of looking for the vulnerability and where the backdoor is that enabled him to hack your site, make sure you are validating all the inputs on the server side (the variables you get from the header or from submitted forms, GET and POST) and escape the data before inserting it in the database. Also make sure you are not using register_globals if your PHP version is < 5.
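The input-validation and escaping advice in the replies above, worked through as an added PHP example (this is not code from the thread or from the original poster's CMS): the first login function pastes form values into the SQL text, which is the pattern SQL injection exploits, and the second uses a PDO prepared statement with a stored password hash and fresh session id. The table `admin_users`, its columns `username` and `password_hash`, the connection settings and the redirect target are assumptions; the code needs PHP 7.1 or later for the nullable return type, and `password_hash()`/`password_verify()` exist from PHP 5.5.

```php
<?php
// Added example, not code from the thread: a PHP admin login written two
// ways. loginVulnerable() builds SQL from raw form input (the pattern SQL
// injection exploits); loginSafe() uses a PDO prepared statement and a
// stored password hash. The table admin_users, its columns username and
// password_hash, and the connection settings are assumptions.
declare(strict_types=1);

// Hypothetical connection settings. Keep them in a file ending in .php
// (not .inc) so a misconfigured server cannot send the source as text.
function db(): PDO
{
    $pdo = new PDO('mysql:host=localhost;dbname=cms;charset=utf8mb4', 'cms_user', 'CHANGE_ME');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // server-side prepares
    return $pdo;
}

// BEFORE: form values are pasted into the SQL text. A quote character in
// either field changes the structure of the WHERE clause.
function loginVulnerable(PDO $pdo, string $user, string $pass): bool
{
    $sql = "SELECT id FROM admin_users WHERE username = '$user' AND password = '$pass'";
    return $pdo->query($sql)->fetch() !== false;
}

// AFTER: the SQL text is constant, the username travels as a bound
// parameter, and the password is compared with password_verify() against
// a hash made by password_hash(). Returns the user id, or null on failure.
function loginSafe(PDO $pdo, string $user, string $pass): ?int
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM admin_users WHERE username = :u');
    $stmt->execute([':u' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pass, $row['password_hash'])) {
        return null; // one answer for "no such user" and "wrong password"
    }
    return (int) $row['id'];
}

// After a successful check: a fresh session id, so a session id fixed
// before login cannot be reused, then record who is logged in.
function startAdminSession(int $userId): void
{
    session_start();
    session_regenerate_id(true);
    $_SESSION['admin_id']   = $userId;
    $_SESSION['login_time'] = time();
}

// Form handler for the login page (field names are assumptions).
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = (string) ($_POST['username'] ?? '');
    $pass = (string) ($_POST['password'] ?? '');
    $id   = loginSafe(db(), $user, $pass);
    if ($id === null) {
        http_response_code(401);
        echo 'Login failed';
    } else {
        startAdminSession($id);
        header('Location: /admin/');
    }
    exit;
}
```

The vulnerable function is there only for comparison and should not be deployed. Escaping with `mysql_real_escape_string()` protects quoted string literals only; a prepared statement keeps the query text and the data apart for every parameter, which is why it is the safer default. Every other query that takes a request value (search boxes, query-string ids, form fields) wants the same treatment as `loginSafe()`.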

  6. #6
    Cups (SitePoint Wizard)
    Join Date
    Oct 2006
    Location
    France, deep rural.
    Posts
    6,869
    Maybe he keeps his password on a post-it note on his monitor like I do.

  7. #7
    Jake Arkinstall (Theoretical Physics Student)
    Join Date
    May 2006
    Location
    Lancaster University, UK
    Posts
    7,062
    Ok, first of all did you escape all of the input from a form? All kinds of havoc could be created if you didn't.

    Secondly, you really should find some way of storing the db_connect without it being accessible. A .htaccess reroute would be good enough. It's possible that the server failed to run PHP, so the contents could be seen. It's happened a lot before.

    Thirdly, if the site's security is vital, you should try and get it on a dedicated server, especially if it gets a lot of traffic. Shared hosting can sometimes lead to gaining access to the server.

    Whatever you do, log access to the admin section. IP addresses, hosts - in fact you might as well dump the whole $_SERVER array into a file.

    If it turns out it's someone in charge of the server who has a grudge (which you could prove with an IP Address and times), a nice hefty lawsuit would be on the hosting company's hands.
    Jake Arkinstall
    "Sometimes you don't need to reinvent the wheel;
    Sometimes it's enough to make that wheel more rounded" - Molona

  8. #8
    risoknop (SitePoint Guru)
    Join Date
    Feb 2008
    Location
    end($world)
    Posts
    834
    If there is only one admin of the site, check the server logs and find out if someone from a different IP was trying to log into the admin area very often.

  9. #9
    Stormrider (SitePoint Wizard)
    Join Date
    Sep 2006
    Location
    Nottingham, UK
    Posts
    3,133
    I assume you are storing your database connection info in a .php file, and not .inc or something?

  10. #10
    SitePoint Zealot
    Join Date
    Apr 2005
    Posts
    100
    Quote Originally Posted by arkinstall:
    Whatever you do, log access to the admin section. IP addresses, hosts - in fact you might as well dump the whole $_SERVER array into a file.
    Thanks for this info. How would I go about doing this?
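One way to do what is being asked here, and to run the log check risoknop suggests in post #8, as an added PHP example that is not from the thread: `logAdminAccess()` appends one JSON line per admin request with the IP, reverse-resolved host, URI and user agent taken from `$_SERVER`, and `failedLoginsByIp()` reads such a log back and counts failed logins per address so a single noisy source stands out. The log path `ADMIN_LOG`, the outcome labels and the sample log lines are all constructed for the example.

```php
<?php
// Added example, not code from the thread. Records admin-area requests and
// summarises failed logins per IP. ADMIN_LOG, the outcome labels and the
// sample log lines are all constructed for this example.
declare(strict_types=1);

// One directory above the web root where the host allows it; otherwise
// deny web access to the file with .htaccess.
const ADMIN_LOG = __DIR__ . '/../admin-access.log';

// Call at the top of every admin page and after each login attempt.
// $server is $_SERVER; passing it in keeps the function testable.
function logAdminAccess(string $outcome, array $server): void
{
    $ip   = $server['REMOTE_ADDR'] ?? '-';
    $host = filter_var($ip, FILTER_VALIDATE_IP) ? (gethostbyaddr($ip) ?: '-') : '-';
    $entry = [
        'time'    => date('c'),
        'ip'      => $ip,
        'host'    => $host,                  // reverse DNS; costs a lookup per request
        'method'  => $server['REQUEST_METHOD'] ?? '-',
        'uri'     => $server['REQUEST_URI'] ?? '-',
        'ua'      => $server['HTTP_USER_AGENT'] ?? '-',
        'referer' => $server['HTTP_REFERER'] ?? '-',
        'outcome' => $outcome,               // 'page_view', 'login_ok' or 'login_fail'
    ];
    file_put_contents(ADMIN_LOG, json_encode($entry) . "\n", FILE_APPEND | LOCK_EX);
}

// Count 'login_fail' entries per IP and keep those at or above $minimum,
// highest first. Feed it file_get_contents(ADMIN_LOG) in practice.
function failedLoginsByIp(string $logText, int $minimum = 3): array
{
    $counts = [];
    foreach (explode("\n", trim($logText)) as $line) {
        $e = json_decode($line, true);
        if (!is_array($e) || ($e['outcome'] ?? '') !== 'login_fail') {
            continue; // skip malformed lines and successful or non-login requests
        }
        $ip = $e['ip'] ?? '-';
        $counts[$ip] = ($counts[$ip] ?? 0) + 1;
    }
    $counts = array_filter($counts, function (int $n) use ($minimum): bool {
        return $n >= $minimum;
    });
    arsort($counts);
    return $counts;
}

// Constructed sample: three failures from 203.0.113.9 within a minute,
// one failure then a success from 198.51.100.4.
$sample = implode("\n", [
    '{"time":"2009-01-10T02:11:03+00:00","ip":"203.0.113.9","uri":"/admin/login.php","outcome":"login_fail"}',
    '{"time":"2009-01-10T02:11:09+00:00","ip":"203.0.113.9","uri":"/admin/login.php","outcome":"login_fail"}',
    '{"time":"2009-01-10T02:11:15+00:00","ip":"203.0.113.9","uri":"/admin/login.php","outcome":"login_fail"}',
    '{"time":"2009-01-10T09:00:00+00:00","ip":"198.51.100.4","uri":"/admin/login.php","outcome":"login_fail"}',
    '{"time":"2009-01-10T09:00:20+00:00","ip":"198.51.100.4","uri":"/admin/index.php","outcome":"login_ok"}',
]);
print_r(failedLoginsByIp($sample));
```

Two points on the design: the log is written with `LOCK_EX` so concurrent requests do not interleave lines, and the file should never be readable over the web, since it holds every visitor's address and user agent. On shared hosting the `REMOTE_ADDR` value is the one to trust; headers such as `X-Forwarded-For` are set by the client unless a proxy you control overwrites them, so they are recorded here only as part of the evidence, not used to identify the source.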

  11. #11
    VideoWhisper (SitePoint Enthusiast)
    Join Date
    Dec 2008
    Posts
    93
    You could try preventing insertion of code, sql, external urls within queries with a .htaccess like this:


    Code:
    IndexIgnore *
    rewriteEngine on
    rewriteCond %{QUERY_STRING} DECLARE|CHAR|SET|CAST|EXEC|INSERT|UPDATE|SELECT|DELETE|HTTP|WWW
    rewriteRule . - [F]

  12. #12
    SitePoint Evangelist
    Join Date
    Jan 2006
    Location
    UK
    Posts
    537
    As arkinstall has already mentioned, anything that needs high security shouldn't really be on shared hosting. At the very least use a VPS so there's a reasonable amount of separation between user accounts on the server. On shared hosting there is the possibility that session files may be visible to other users in the PHP temp directory (write sessions to a database instead), and files may be maliciously written to directories if permissions are set incorrectly.
    In the interim, while you lock it down, you might want to consider adding .htaccess access control to any admin functionality and perhaps limiting access to the necessary IPs.

  13. #13
    SitePoint Guru
    Join Date
    Jan 2005
    Location
    heaven
    Posts
    953
    Quote Originally Posted by VideoWhisper:
    You could try preventing insertion of code, sql, external urls within queries with a .htaccess like this:


    Code:
    IndexIgnore *
    rewriteEngine on
    rewriteCond %{QUERY_STRING} DECLARE|CHAR|SET|CAST|EXEC|INSERT|UPDATE|SELECT|DELETE|HTTP|WWW
    rewriteRule . - [F]
    nice ... ._.
    Creativity knows no other restraint than the
    confines of a small mind.
    - Me
    Geekly Humor
    Oh baby! Check out the design patterns on that framework!

  14. #14
    SitePoint Guru
    Join Date
    Sep 2008
    Location
    Dubai
    Posts
    971
    Here's a tip.

    Try to hack your site before someone can hack it.

  15. #15
    SitePoint Wizard
    Join Date
    Jul 2008
    Posts
    5,757
    The problem is most people aren't aware of the vulnerabilities they have created, otherwise they wouldn't have created them.

  16. #16
    SitePoint Zealot
    Join Date
    Apr 2005
    Posts
    100
    Quote Originally Posted by runrunforest:
    Here's a tip.

    Try to hack your site before someone can hack it.
    That's what I've been trying to do, but unfortunately I'm no hacker and am obviously missing something. I've tried every SQL injection attack I could find online but the site keeps all of them out. I'm going to look into some of the things that have been suggested here, so thanks everyone.

    Quote Originally Posted by stevewebdev2005:
    In the interim, while you lock it down, you might want to consider adding .htaccess access control to any admin functionality and perhaps limiting access to the necessary IPs.
    Thanks, I'm in the process of doing that now. I've suggested to them that they move to a dedicated server as well, but they don't want to spend that much money on their website.

  17. #17
    Cups (SitePoint Wizard)
    Join Date
    Oct 2006
    Location
    France, deep rural.
    Posts
    6,869
    IMO, a dedicated server is something you should have yourself, and then you can offer more secure options to (all) your clients.

    I think it looks more professional too.

  18. #18
    SitePoint Zealot
    Join Date
    Apr 2005
    Posts
    100
    Quote Originally Posted by Cups:
    IMO, a dedicated server is something you should have yourself, and then you can offer more secure options to (all) your clients.

    I think it looks more professional too.
    That's definitely true! That's something I've been working on...

  19. #19
    Community Advisor
    Join Date
    Nov 2006
    Location
    UK
    Posts
    2,514
    A VPS would provide better security plus has many of the advantages of a dedicated server at a fraction of the cost of a dedicated server.

  20. #20
    risoknop (SitePoint Guru)
    Join Date
    Feb 2008
    Location
    end($world)
    Posts
    834
    Well, a dedicated server is not needed if you are just starting up and don't have too many websites or sites with large traffic. A VPS should be ok for a start, then you can upgrade to a dedicated server once you start approaching the limits of the VPS.

  21. #21
    Cups (SitePoint Wizard)
    Join Date
    Oct 2006
    Location
    France, deep rural.
    Posts
    6,869
    Quote Originally Posted by risoknop:
    Well, a dedicated server is not needed if you are just starting up and don't have too many websites or sites with large traffic.
    If you are charging for your services I disagree. I used that excuse when starting out because costs were so high, but it's no longer true.

    If you are representing politicians on the web, and not protecting them or their interests, you are simply doing them a disservice.

  22. #22
    risoknop (SitePoint Guru)
    Join Date
    Feb 2008
    Location
    end($world)
    Posts
    834
    Quote Originally Posted by Cups:
    If you are charging for your services I disagree. I used that excuse when starting out because costs were so high, but it's no longer true.

    If you are representing politicians on the web, and not protecting them or their interests, you are simply doing them a disservice.
    Well, currently I'm just beginning to earn some money from PHP (and frankly I don't have that much time for it because of college) and most of my clients have their own VPS or servers. So I just test the website on my VPS and then, when everything works as it is supposed to, I move it to their server.

  23. #23
    codythebest (SitePoint Zealot)
    Join Date
    Jul 2001
    Location
    Fuerteventura
    Posts
    172
    Quote Originally Posted by runrunforest:
    Here's a tip.

    Try to hack your site before someone can hack it.
    The majority of people have no clue how to hack...

  24. #24
    Cups (SitePoint Wizard)
    Join Date
    Oct 2006
    Location
    France, deep rural.
    Posts
    6,869
    Quote Originally Posted by codythebest:
    The majority of people have no clue how to hack...
    I like that quote, it's ever so true.

    You have to switch between the dark side and the light as you work. It's no wonder people turn into crackers when you become in turn optimistic and paranoid, especially when you read sites like this, then try it out on your own inputs.

  25. #25
    SitePoint Guru
    Join Date
    Sep 2008
    Location
    Dubai
    Posts
    971
    Quote Originally Posted by codythebest:
    The majority of people have no clue how to hack...
    The majority of people who ever wanted to build a website have no clue about HTML, not to mention PHP.

    So what did they do to build? They learned.

    So what should they do to protect? ...

