[Resolved] A site is being hacked...need to learn something here

vaaaska

Hello, I have a little script that is somehow being hacked - honestly, I'm not sure what's going on (obviously).

Could somebody please tell me how a hacker could insert data into the table - and here's the kicker - without the form appearing on the page. There's no submit button on the page either. ???

I'm assuming they must be going via the URL...

I've reduced this down so only the pertinent things are here...

if (isset($_POST['new'])) {

insertComment();
}


function insertComment()
{
	// these are internal...not from the url...
	global $id,$ip,$now,$conn,$config;

// there is some validation here...
// we are $_POST...not $value to get data

mysql_query("insert into comments (comm_id,etc...) values (NULL,etc')");
header("Location:#Comments");

}

paulnaj

They could build their own form on their own server, with all the correct details, and set the method to POST, and the action to your 'insert' page.

Do you check that the user of the page is authorised as part of your validation?

Paul.

vaaaska

Originally posted by paulnaj
Do you check that the user of the page is authorised as part of your validation?

Paul.

It's basically a blog, how would I check if they were 'authorized'. Unless you mean something different.

That's really crazy that somebody would do that. I'm trying to think of how I could protect against that. Perhaps an internal $secret_word that comes from another script/page?

Huh...

paulnaj

Ok, what I mean is, how do you know who is inserting comments into your blog?

Are they all registered users or can anyone post a comment? If it's the latter, then you may not have as much control as you would like ... as I said someone could 'imitate' your form, and even automate the process and stick thousands of entries into your blog.

So this really begs the question, what do you mean by hacking?

Paul 🙂

vaaaska

Originally posted by paulnaj
So this really begs the question, what do you mean by hacking?

Yep, you are right. Not hacking...more like hijacking.

As it is a blog (it's a business blog thing) users are allowed to speak freely. Perhaps we will have to go with approving posts first. I can't find any record of injection via the urls...so I bet this is what is happening.

This really kind of sucks... ;(

Thanks for you help Paul...

id10t

If you don't want someone using a form on their site/server/machine to point to your form processing script, your script should check the http referer and see if it is coming from someplace that is "allowed" to send data...

vaaaska

Originally posted by id10t
If you don't want someone using a form on their site/server/machine to point to your form processing script, your script should check the http referer and see if it is coming from someplace that is "allowed" to send data...

I'm pretty sure that's more than easy to spoof...

mrhappiness

work with sessions and either check the session-id for existance or google for "captcha" (http://en.wikipedia.org/wiki/Captcha for example)

laserlight

It's basically a blog, how would I check if they were 'authorized'.

Setup a user system and require them to login.
It could be as simple as checking for a secret password that everyone who is allowed write-access to the blog knows, or it could use access control lists etc.

vaaaska

Ah a session...icky...but sweet.

Thanks happy mr...this will do the trick.

😉

vaaaska

Originally posted by laserlight
Setup a user system and require them to login.
It could be as simple as checking for a secret password that everyone who is allowed write-access to the blog knows, or it could use access control lists etc.

We've thought about it...but it's not really a feasible solution. Sure, we could tap into the whole TypeKey system but I don't much like anything MT.

vaaaska

I'll mark it resolved...I would guess that a $_SESSION will do the trick. It certainly wouldn't prevent a person from marching up directly to the site and entering in their spam, but I don't think they will send 20 in a day that way.

Fingers crossed...

Thanks...

RossC0

Hi,

What I imagine is they are link farming (or Spam-dexing) your site - to improve the google rank of their site...

This is often an automated process and 1000's of urls are searched and spammed - so its no one specifically targetting your site - the b*stardos are targetting any site they can exploit. Happens alot on wikis

You need to introduce some validation to the comments block - i.e. get them to tell you the numbers in an image. This should fool the program and cut down the spamming. Also get the IP and if it is a person - stop the IP from making comments.

vaaaska

What I imagine is they are link farming (or Spam-dexing) your site - to improve the google rank of their site...

Yep...jerks...we sure need more gambling in this world don't we?

This is often an automated process and 1000's of urls are searched and spammed - so its no one specifically targetting your site - the b*stardos are targetting any site they can exploit. Happens alot on wikis

That's why the $_SESSIONS solution makes sense. They have to actually visit the page to post. Thus, it would have to be a human I believe. We'll see...

You need to introduce some validation to the comments block - i.e. get them to tell you the numbers in an image. This should fool the program and cut down the spamming. Also get the IP and if it is a person - stop the IP from making comments.

I'm not ready for CAPTCHA's. But I think it's the next level. We have IP's...lots of them...they are all over the place. Accordingly, we could ban referrers with htaccess but those too are easy to spoof.

In the end, I bet we use all of these methods, but I want to take it one at a time since I've never dealt with it at this level before.

😉

laserlight

We've thought about it...but it's not really a feasible solution.

It is - the use of sessions is just an example that's between a secret password and some complex user management system.

vaaaska

Actually, this particular spammer is all over the place right now - I've been reading up on them. Virulent and aggressive.

I might post this in the Code Critique at a later time but I'm posting the concept here.

Because I don't want to go to a formal authentication system I've come up with a soft-authentication idea. I'm still using the $_SESSIONS approach but I'm still not really sure if it's helping (but I haven't had any more comment spam since I put it in there).

There is a really popular blacklist file out there created by Jay Allen (just Google for it). I'm using this list. When a person submits their information we check their referrer info, message and link against the blacklist. If they are tagged as untrustworthy their note will need approval before showing on the site. If their note is tagged as trustworthy it will automatically appear in the comments. Both options can be reviewed later via the system. We'll probably send a message when an untrusted note appears to somebody.

It's basically an authentication system that attempts to validate a persons trustworthiness. I believe that $_SESSIONS help to make sure a real person is submitting the form as it is set only when they visit the page. I haven't seen anybody else quite do it this way so I thought I would post this for posterity.

We were getting a few per hour and as of earlier today, knock on wood, we've had zero. Plus, I can see in the stats that they are still knocking on the door.