Hacked, Please Help with Security

iceiceboom

Hello,

I was somehow hacked today. 🙁

The hacker wasn't attempting to corrupt my files or anything like that because no damage was done.

However, they gained access to 2 of my files which they said was due to a lack of security.

These files are both in .PHP format.

One file, info.php includes 4 variables which define my MySQL information.

The other file, variables.php which gets all of my variables from a MySQL database.

The hacker told me that these were the only 2 files he had to access in order to hack my entire script, but did not tell me the specific holes.

They performed several actions on my entire script which I suspect they did by performing custom MySQL query inserts, and getting the admin password which is defined in variables.php

info.php and variables.php do not print any text, is there some way a person infamiliar with my code could have made variables from these 2 files print out for them to use?

One person I went to suggested password-protecting those 2 files, but I see big scripts out there like vBulletin that don't need to password-protect their variables.

Any help is appreciated, thank you very much.

keith73

show us the code so we can see what is wrong with it.

Obviously, don't show us the actual info int he code, like passwords or anything. Use pseudo-values for sensitive information, like mypassword for password.

Change your password to your FTP and/or shell account on that server too. For all you know they got in that way then just read the files in a text editor.

keith

iceiceboom

Hello,

It is really basic, but the files are extremely long, so I'll give you the short versions (info.php is exactly the same, variables.php is the long one)

info.php:

<?php

$hostname = "localhost";
$username = "username";
$password = "password";
$database = "database";

variables.php:

<?php

require "info.php"

$query = @("SELECT * FROM variables");
$variable1 = @mysql_result($query,0,"variable1");
$variable2 = @mysql_result($query,0,"variable2");
$variable3 = @mysql_result($query,0,"variable3");

Thanks for any help!

keith73

well, I'm at a loss. based on the info you provided, I don't see how it happened. All I can think of is somehow this cracker got into your server account via ftp or ssh and read the php files.

in the code for variables.php that you didn't post, is there anything that outputs information to the browser?

keith

greg252

Where are these 2 file located?
Most hosting accounts I have seen have a structure
/
/public_html
/public_html/cgi_bin

If you place the vars in files outside of the publically viewable directory (in the /), this is the first level of defense and should be done by everyone for all sensitive data. In this case, the only way to access these files directly is to hack your hosting account. Possibly an easy password or poor security by your host.

hermand

With PHP being server side and all, no matter what they'd always get a blank page when grabbing those files. Excluding FTP.

iceiceboom

No, nothing from vars.php outputs to the browser...

However, files in my scripts have require "vars.php"; in them.

They output variables, but none like $adminpass, could these files be manipulated to use vars.php to output variables other than what is in the source to output?

Thanks.

ahundiak

Check your web server logs. There are plenty of scripts out there will try to gain access to the file system through various security holes. When was the last time someone did a serious security audit on your system?

scraff

there is oneway of getting information from php files.
If this hacker took a guess at what the variables were called, in this case $password, which is simple and pritty obvious thing to call the password. he can get the data that is stored there. not gonna let everyone know how to do this tho(and never done this my self)! I had thouight of this and so call my variables different things (eg. instead of $password, try $DbPassWord) this will make it harder to guess and when posting threads on here dont post your exact variables names!

😕

well yeh anyway thats one possability.:p

keith73

Originally posted by scraff
there is oneway of getting information from php files.
If this hacker took a guess at what the variables were called, in this case $password, which is simple and pritty obvious thing to call the password. he can get the data that is stored there. not gonna let everyone know how to do this tho(and never done this my self)! I had thouight of this and so call my variables different things (eg. instead of $password, try $DbPassWord) this will make it harder to guess and when posting threads on here dont post your exact variables names!

😕

well yeh anyway thats one possability.:p

well, I'd like to be able to guard against it so I think it would be beneficial for everyone to know how that could be done. For one reason, if I make a script and offer it for download, anyone would then know what the variable names are and could exploit it on another site that uses the script.

keith

hermand

Scraff, if you're thinking of including the files or something, it won't work. Cos you can't include remote files like local files!

keith73

Originally posted by scraff

and NO keith73 im not going to tell everyone how its done because it wouldnt be very safe!

All you need to know is dont call $password somthing as simple as password!!

ok, so let's say I create a script, and $password is called $abcdef instead of password.
I offer the script to people for download, someone who sees what the variable is called then finds a site that uses my script and tries the exploit you won't describe then that script is vulnerable.

If hacker's have the tools, why shouldn't we as the programmers know what they are so that we can stop the exploits. If you don't want to post it publicly fine, pm me but I want to be able to secure my scripts in some better way than just changing the name of a variable. I want to try and prevent that variable from being read no matter what it's called.

keith

rahulroy

As mentioned those scripts can not be read via http/browser, the hacker must have got ftp/telnet/ssh access to read the contents of those files.

If there is any way, which i don't know, to read the coding of those scirpts through browser, a possible counter security measure could be to place those scirpts with DB connection parameters above the web/public folder and include it is your public script OR include them from non-public folder by giving their local/relative path.

Am I right?

Sxooter

Originally posted by hermand
Scraff, if you're thinking of including the files or something, it won't work. Cos you can't include remote files like local files!

BZZZZZZT! But thanks for playing. From php.net include documentation:

If URL fopen wrappers" are enabled in PHP (which they are in the default configuration), you can specify the file to be included using an URL (via HTTP or other supported wrapper - see Appendix I for a list of protocols) instead of a local pathname. If the target server interprets the target file as PHP code, variables may be passed to the included file using an URL request string as used with HTTP GET. This is not strictly speaking the same thing as including the file and having it inherit the parent file's variable scope; the script is actually being run on the remote server and the result is then being included into the local script.

Sxooter

Are you passing any SQL information in a form somewhere on your box, or a filename or anything?

My guess is you're doing something like:

http://server.com/script?sqlquery=select+*+from+table
or
http://server.com/script?filename=fred.txt

that they're using to hack you.

iceiceboom

Originally posted by scraff
there is oneway of getting information from php files.
If this hacker took a guess at what the variables were called, in this case $password, which is simple and pritty obvious thing to call the password. he can get the data that is stored there. not gonna let everyone know how to do this tho(and never done this my self)! I had thouight of this and so call my variables different things (eg. instead of $password, try $DbPassWord) this will make it harder to guess and when posting threads on here dont post your exact variables names!

😕

well yeh anyway thats one possability.:p

Mr. scraff, do tell. If there IS really such a thing, why try to hide it from all of us and make it easy for hackers who know this to get into our scripts?
If you are trying to state such a thing may be done by Filehandle's, you cannot be more mistaken, whatever you fetch with a Filehandle of any sort is the same as what the script would output to the browser, if it is remote.

I agree entirely with keith37 on this one.

iceiceboom

Originally posted by Sxooter
Are you passing any SQL information in a form somewhere on your box, or a filename or anything?

My guess is you're doing something like:

http://server.com/script?sqlquery=select+*+from+table
or
http://server.com/script?filename=fred.txt

that they're using to hack you.

Negative, I'm not stupid enough to pass queries via forms or URLs. 🙂

acidbox

make sure you chmod 644 that file