  1. #1
    SitePoint Member
    Join Date
    Dec 2004
    Location
    Buenos Aires - Argentina
    Posts
    11

    Hacker getting database login info

    I work on a site where a hacker has been accessing from time to time. It is a php site. This hacker is somehow getting the database user and password, which are in a .php script. I have been analyzing the Apache logs and I do not find exactly how he is getting those variables values. I noticed many HEAD requests from a given IP address, and blocked that IP. But I do not see any parameters in the url of the HEAD requests, they end in php with no ?querystring, so I don't know if that's how he is doing this.

    Are there any known issues that could cause a hacker gaining access to the variables on the page? Or viewing source code for a php script? I've rechecked the pages many times by now...

    Thanks for any help with this.

  2. #2
    Programming Team
    Mittineague
    Join Date
    Jul 2005
    Location
    West Springfield, Massachusetts
    Posts
    17,290
    Are you certain all DB calls are injection-proof?
    Have you tried changing the connection info?
    Are all files containing the cnx info outside of the root?

  3. #3
    SitePoint Member
    Join Date
    Dec 2004
    Location
    Buenos Aires - Argentina
    Posts
    11
    Thanks for your reply.

    I am as certain as I can be about the SQL commands. I use mysql_real_escape_string, I use a function to filter user input.
    I have reviewed the scripts to see if I missed something at one spot, but there are many php pages, so I have reviewed but it is possible that I missed the one spot...

    I changed the connection info some time ago and the hacker came back after that.

    I will try moving the script that has the connection info outside of the web root.

    Thanks.

  4. #4
    SitePoint Wizard
    Join Date
    Mar 2008
    Posts
    1,149
    What tells you that there has been a hacker?

  5. #5
    SitePoint Member
    Join Date
    Dec 2004
    Location
    Buenos Aires - Argentina
    Posts
    11
    I know it is a hacker because he connects to the database to change texts in one table so inappropriate texts then show in the website. The website management pages save logs whenever an item is edited, and I know the item was not edited using those pages, because no log was saved. I looked in the mysql general logs then, and found the hacker connections. Apparently he manages to connect to the database, run some sql commands, and then quit. When he connects to the database, he connects using a single connect command "Connect user@localhost on dbname" instead of connecting and then selecting db as I do in my code. So somehow, he is getting the database user and password, and using them to open his own connection.
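    The tell described in this post, a session that names the database in the Connect command itself while the application connects first and then issues "Init DB", can be turned into a check that runs over the MySQL general log. The script below is an added example written for this thread, not code from any poster; the log lines are constructed in the style of the MySQL 5.x general log, and the assumption that the application never selects a database at connect time is taken from the post above and must be confirmed against your own code before the heuristic is trusted.

```python
import re
from collections import defaultdict

# Constructed sample of MySQL general-log lines (not from the thread).
# Sessions 41 and 43 follow the application's pattern (Connect, then
# Init DB); session 42 selects the database inside Connect and writes
# to the watched table, which is the pattern the post describes.
SAMPLE_LOG = """\
100115 10:02:11\t   41 Connect\twebuser@localhost on
100115 10:02:11\t   41 Init DB\tsitedb
100115 10:02:11\t   41 Query\tSELECT id, body FROM texts WHERE id = 7
100115 10:02:11\t   41 Quit\t
100115 10:05:43\t   42 Connect\twebuser@localhost on sitedb
100115 10:05:43\t   42 Query\tUPDATE texts SET body = 'spam' WHERE id = 7
100115 10:05:44\t   42 Quit\t
100115 10:06:01\t   43 Connect\twebuser@localhost on
100115 10:06:01\t   43 Init DB\tsitedb
100115 10:06:01\t   43 Query\tSELECT id, body FROM texts WHERE id = 8
100115 10:06:02\t   43 Quit\t
"""

# "YYMMDD HH:MM:SS" is only printed when the second changes, so the
# timestamp is optional; then connection id, command, argument.
LINE_RE = re.compile(
    r"^(?:\d{6}\s+\d{1,2}:\d{2}:\d{2})?\s*(\d+)\s+(Connect|Init DB|Query|Quit)\s*(.*)$"
)

# Connect argument of the form "user@host on dbname" (database named at connect).
CONNECT_WITH_DB_RE = re.compile(r"\S+@\S+ on \S+")

# Statements that modify data; only these are reported for watched tables.
WRITE_RE = re.compile(r"(?i)^(update|insert|delete|replace)\s")


def parse_sessions(log_text):
    """Group general-log events by connection id, preserving order."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation line of a multi-line query, or noise
        conn_id, command, arg = m.groups()
        sessions[int(conn_id)].append((command, arg.strip()))
    return sessions


def find_foreign_sessions(log_text, watched_tables=("texts",)):
    """Return sessions that do not match the application's connect pattern.

    Assumption (from the post): the application connects without naming a
    database and then issues Init DB. A session whose Connect argument
    already names the database is flagged, together with any writes it
    made to the watched tables, so the operator can tie the session to
    the unexplained edits.
    """
    flagged = []
    for conn_id, events in parse_sessions(log_text).items():
        connect_arg = next((arg for cmd, arg in events if cmd == "Connect"), "")
        if not CONNECT_WITH_DB_RE.match(connect_arg):
            continue
        writes = [
            arg for cmd, arg in events
            if cmd == "Query" and WRITE_RE.match(arg)
            and any(t in arg.lower() for t in watched_tables)
        ]
        flagged.append({"id": conn_id, "connect": connect_arg, "writes": writes})
    return flagged


if __name__ == "__main__":
    for session in find_foreign_sessions(SAMPLE_LOG):
        print(f"session {session['id']}: {session['connect']}")
        for stmt in session["writes"]:
            print(f"    write: {stmt}")
```

    Run it against a real general log with `find_foreign_sessions(open("/path/to/general.log").read())`. The output gives the connection id and the modifying statements, which is what you need before deciding whether the credential itself leaked (the rogue session uses your application's user) or whether an extra account or over-broad privilege exists, as the next reply suggests. Enabling the general log on a busy server is expensive, so keep it on only while investigating.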

  6. #6
    Programming Team
    Mittineague
    Join Date
    Jul 2005
    Location
    West Springfield, Massachusetts
    Posts
    17,290
    They may have been able to create another "master" user account. Or maybe the "privileges" aren't set correctly.

  7. #7
    SitePoint Author
    wwb_99
    Join Date
    May 2003
    Location
    Washington, DC
    Posts
    10,653
    Is there any upload functionality? What about urlfopen? If they can find a way to upload or otherwise inject their code into your app, they could easily get at anything stored in a PHP script or other file.

    Another angle to check is if your config file is being "covered" by php. In most scenarios, if you call the config, say, config.include, the server will serve it as a plain text file. Add a .php to the end and you should be much safer.
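    The point about a config file that the PHP handler does not own being served as plain text can be checked mechanically. The scanner below is an added example for this thread, not code from any poster: it walks a document root, skips files whose extension is handed to PHP, and reports any remaining file that contains a credential-looking assignment. The handler extension list and the credential patterns are assumptions for the example; compare them with your own AddHandler / FilesMatch directives and config style. A constructed document root is built in a temporary directory so the script runs offline.

```python
import re
import tempfile
from pathlib import Path

# Extensions the web server passes to the PHP interpreter. Assumed for
# the example; anything not in this set is served byte-for-byte.
PHP_EXTENSIONS = {".php"}

# Credential-looking assignments, e.g. "$db_pass = ..." or
# "define('DB_PASSWORD', ...". Assumed patterns; extend for your config style.
CREDENTIAL_RE = re.compile(
    r"(?i)\b(db_?pass(word)?|mysql_?password|password)\b\s*['\"]?\s*[=,]"
)


def find_exposed_config(webroot):
    """Return paths (relative to webroot) of files that hold a credential-
    looking line but lack an extension the PHP handler owns.

    Such a file is delivered as text to any client that requests it; the
    fix from the post is to rename it with a .php suffix, and better still
    to move it outside the document root.
    """
    root = Path(webroot)
    exposed = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() in PHP_EXTENSIONS:
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file; nothing the web server could serve either
        if CREDENTIAL_RE.search(text):
            exposed.append(path.relative_to(root).as_posix())
    return sorted(exposed)


def build_demo_root():
    """Create a constructed document root for the demonstration.

    Two files keep the credential under a non-PHP extension (exposed),
    one keeps it in a .php file (not served as text), two hold no secret.
    Password values are placeholders, not real credentials.
    """
    root = Path(tempfile.mkdtemp(prefix="demo_webroot_"))
    (root / "inc").mkdir()
    files = {
        "config.include": "$db_user = 'webuser';\n$db_pass = 'PLACEHOLDER';\n",
        "inc/settings.inc": "define('DB_PASSWORD', 'PLACEHOLDER');\n",
        "config.php": "<?php\n$db_pass = 'PLACEHOLDER';\n",
        "index.php": "<?php\necho 'hello';\n",
        "readme.txt": "No secrets here.\n",
    }
    for name, body in files.items():
        (root / name).write_text(body)
    return root


if __name__ == "__main__":
    demo = build_demo_root()
    for rel in find_exposed_config(demo):
        print(f"served as plain text: {rel}")
```

    Run `find_exposed_config("/var/www/html")` (or whatever your document root is) on the live site; every path it prints is one a client can fetch with a plain GET. Renaming to `.php` closes that hole, but a file that lives outside the document root and is pulled in with `require` is safer still, since no URL maps to it at all.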

  8. #8
    SitePoint Zealot
    jimmy85
    Join Date
    Aug 2009
    Posts
    174
    Is there any way that a server account might have been compromised? And that's how he has been able to constantly connect even if you changed things. That's another angle too.
