attacked by hacker

itworks

Hi people !

yesterday i was visiting a site i developed for a client (e-commerce site with admin area) and i had a note "THE WEBMASTER OF THIS SITE PLEASE CLICK HERE" somewhere on the page, i clicked and then it went to the news section and in a news created by the hacker he explained that he entered the admin area with no problems and he could do anything like deleting all products, etc... well he didn't because as he said he was in a good mood and he suggested i would check my permissions.

the admin area uses sessions with a login/password, after this incident i have put an .htaccess username and password too but i feel that this isn't enough.

please what should i do to protect this site?! ask anything...

kevinsequeira

well i guess this answer would be a double-edged sword, cause how he was able to get into the admin section depends on how the code was written and how it behaves when people try to login or access it.
but if u post the url of the site , then more people may try to break in ??

reg
kevin

itworks

i guess you're right, not that i don't trust people from this forum but i don't think i need to post the url because i can answer all questions you need to help me.

come on people i need a crash course on security!

laserlight

Well, it could be anything.
The authentication could have a loophole.
The transmission of sensitive data (e.g. cookie containing session) could have been intercepted.
Your password may be weak.
Your webserver could be insecure.

There are many possible reasons.

I suggest trying to break your system.
Look at your logic. Is there any case where it does not work?
If you're using some SQL DB, could there be SQL injection?

kevinsequeira

or could be someone at your clients place has done this, someone with access to the database, webserver or pwds !!

like laserlight said it could be anything.

reg
kevin

itworks

well, i'm using MySQL to store the administrator login information, i'm using session variables but with no cookies (register_globals is on) and yes the password might be weak, i keep telling them to change it to a custom one but they just don't care. about the server well i'm not an expert so i don't know if the problem is there.

thanks for the replies i know that you don't have much to base your help but please just ask anything and i'll try to give you all the information you need to help me🙁

kevinsequeira

this bit THE WEBMASTER OF THIS SITE PLEASE CLICK HERE

did it involve changing the html on the page and ftping it or could it be done through the admin panel.

cause if it invloved hardcoding the link then he has access to FTP to your server.

reg
kevin

itworks

this online store sells computer hardware and all the products categories are customized through the admin panel . in the main site there's a box on the top left corner with those categories in the admin panel the administrator can insert the category name and value for the query but the code that is used for the link in the categories box is this

while ($registo=mysql_fetch_array($resultado)) {
			$categ = $registo["categoria"];
			$nome = $registo["nome"];
			$link = $registo["link"];
			echo "<div align=\"center\"><a href=\"index.php?pagina=produtos&categoria=$categ&titulo=$nome\">$link</a></div>";
        }

this sends the user to the "products page" with the variable $categ being the one that the admin can insert for the link.

the message that the hacker left was an entrie in the categories table in the database among with the other categories but it didn't send me to the products page it sent me to the news page with the variable for that specific message.

i hope i was clear although it's hard to explain, please forgive me if i didn't explain well.

thanks a lot for the effort you're puting into helping me.

kevinsequeira

well, im not sure what else i can think of , but i hate to say this - its difficult to pinpoint the problem unless i take a look at the site
You could try ways to break into it and since u designed it you could think of ways in which the hacker could do what he did and back-track from there

reg
kevin

itworks

i've sent you an email, please check it 🙂

bastien

one option might be to place all admin type functions and pages into a secured dir or access only thru ssl to make it more difficult to crack the passwords...also consider that you can easily change the security to look for more things like checking the IP of the user or leaving a cookie at the users site to with some unique var and see if the cookie is present

another idea is to change the db permissions to not allow any deletes (simply include another boolean field and change the sql to only accept records without this field being set)

but if the hacker has ftp or telnet access to the server, then the clients admin needs to look at the issues and fix them..

itworks

those are all good options. the SSL is a little out of the question because it costs money and client is not willing to pay for that:rolleyes: the cookie thing is a great idea, but unfortunatly i'm very unexperient at php and i never did nothing with cookies (would it be possible if you could put me on the right track about this?) the database is the only suggestion i didn't quite understand, is it hard to do?

it seems that from all your replies that if he has access via ftp or telnet i have a real problem, what can i do if that's the case?

thanks in advance!

kevinsequeira

well first of all change the ftp password, check if any new users have been created, change the root pwd of ure server.
also u might want to take a look at your webservers log files to help u track down the path the hacker took

reg
kevin

itworks

I KNOW HOW HE GOT IN !!!!! :mad:

in the login he used % for username and % for login and login is successful 😕

how can this be?! how can i fix it ?! can this happen with other symbols?!

Weedpacket

Yup; SQL injection. You're putting the submitted password straight into the SQL statement. In goes "%", "%" in a SQL query is a wildcard meaning "anything", and anything matches.

Be paranoid. Don't think "how can I stop them doing X?" which is what you just asked, because then people will just try Y. Think "What can I allow them to do in the first place?" Require any and all input from the outside to conform to something known to be safe, and strike down anything that comes in which doesn't.

Say, only allow certain characters in passwords (such as a-z, A-Z, 0-9, underscore, space, etc.); if there are any other characters in the submitted password, strip them out or return an error before putting it in the database query.
See also http://www.owasp.org/

kevinsequeira

post the code snippet you are using to validate the user login

reg
kevin

dalecosp

Didn't someone, like the O.P., say the reg_globals is ON?

Didn't the lords of PHP start shipping it default OFF to avoid this kind of thing?

At any rate, some checking of variables sounds like it's in order, if not a shift in the globals setting....

itworks

this is the login script that calls the function to verify:

<?php
include("BDMySQL.class.php");										// script que faz a ligação á base de dados
include("IEUtilizador.class.php");									// script com as funções
?>
<table width="100%" border="0">
  <tr>
    <td valign="top">
<h1>RESULTADO DO LOGIN</h1></td>
    <td align="right"><img src="imagens/graficos/login.gif" width="70" height="50"></td>
  </tr>
</table>
<p>
<?php
if($action == "pedir") {																					// mostra que o utilizador não está logged
echo "Para adicionar o item ao carrinho, por favor faça o Login. <br><br>";									// pede para fazer o login
echo "Se for um novo utilizador pode criar uma conta na nossa loja e fazer compras online. <br>";		// informa que para comprar pode-se registar para fazer compras
}
?>
<?php
if($action == "logout") {											// verifica de o utilizador fez o logout
session_start();													// inicia nova sessão
session_unset();													// determina que a sessão não está definida
session_destroy();													// destroi a sessão
echo "Logout efectuado com sucesso. <br>";							// mostra que o logout foi realizado
}
?>
<?php
if($action == "login") {											// verifica de o utilizador fez o login
$utilizador = new IEUtilizador();									// chama a função que inicia a ligação á base de dados
if($utilizador->verificarUtilizador($login, $password)==true) {		// chama a função que verifica se o login está correcto
	echo "Login efectuado com sucesso...<br>";						// mostra que o login foi realizado
	$login_status = 1;												// define na variável que o utilizador está logged
	$login_utilizador = "$login";									// define que a variável login_utilizador é igual ao username do utilizador
} else {
	echo "<img src=\"administ/img/error.gif\"><font color=\"#FF0000\">Dados errados ou Utilizador não registado!</font>";							// mostra que o login não foi realizado
}
$utilizador->endIEUtilizador();										// chama a função que fecha a ligação á base de dados
}
?>
</p>

this is the function to verify the username and password:


<?php
// ficheiro com as configurações da ligação á base de dados
require("config.inc.php");

// define a classe como extensão de ligação á base de dados e define a variavel dessa ligação
class IEUtilizador extends BDMySQL {
        var $bd;

// chama a função de ligação á base de dados
        function IEUtilizador() {
				global $NOME_BD, $USER, $PASSWORD, $NOME_SERVIDOR;
                $this->bd = new BDMySQL();
                $this->bd->ligarBD($NOME_BD, $USER, $PASSWORD, $NOME_SERVIDOR);
        }

// função que verifica os dados introduzidos para o login		
		function verificarUtilizador($login, $password) {
			$sql = "SELECT * FROM utilizador WHERE email LIKE '$login' AND password LIKE '$password'";
			if(($rs=$this->bd->executarSQL($sql))){
				if(mysql_fetch_row($rs)==false) {
					return false;
				} else {
					return true;
				}
			}
			else {
				return false;
			}
		}

// função que fecha a ligação á base de dados
		function endIEUtilizador() {
                $this->bd->fecharBD();
        }
}

although dalecosp as a point, this is not a case of register_globals=on, as i said before i know how he got in and it was using % for the username and password.

thanks you all for helping me with this so far and if you could just help me a little more correcting this i would be very grateful.

Natty_Dreadlock

check out this:
http://de.php.net/manual/en/function.mysql-escape-string.php
callin this function will remove all dangerous chars from your query string, preventin mysql injection via ; etc. However, I don't know whether it remove (or escapes) %, so maybe add this code before u use $login and $password in verificarUtilizador($login, $password):

$login = mysql_escape_string($login);
$password = mysql_escape_string($password);

// Not sure if this is necessary:
$login = str_replace("%", "", $login);
$password = str_replace("%", "", $password);

hth

stolzyboy

don't use LIKE, use =, cuz you don't want anything LIKE anything, you always want it exactly as it is