i think i have been hacked but not sure....

phpjaco

hello

someone got into my cms and erased all my online shop info?! im trying to work out how this happened there was a problem with one of my sessions which did allow a user to go back to the shop and edit stuff.

im not sure how this happened and is it possible for someone to see my code? cause my code

if ($row['user'] == $_POST['user'] && $row['pwd'] == $_POST['pwd']) {
   // goes to one section
} else if ($_POST['user'] == "notrealname" && $_POST['pwd'] == "notrealpassword") {
   // part where they went in, is it possible to see this code?

}

is there away to trace this person? i have already requested that from my isp by giving them timestamps (on the server)?

if i protect my site with ssl will this make a huge difference? what else can i do? - lost quite a bit of information here?

anyway thanx in advance....

toplay

I can't really tell unless I see more of the code, but yes, having SSL will help.

It's a good idea to use constants instead of literals of the username and password. Once a constant is defined it can't be changed or deleted. It's best to have a flag in the table to designate if this username/password is an administrator or regular user.

Always encrypt passwords or use hash functions (sha1() or md5()).

There's basically lots to PHP security. I recommend getting and reading this book (available for download):
http://www.phparch.com/shop_product.php?itemid=98

hth.

phpjaco

getting the ssl tomorrow and changing the literals to variables. is it possible to trace a hacker with an ip address?

cause i just built that in so that when you delete a item your ip address gets recorded aswell as a timestamp?

like i said think it was a problem with that specific page, it did not redirect so they probably deleted all my pages. damn what a stupid mistake!

anyway thanks

toplay

Well recording an IP address is a bit of a tricky thing and this opens up a big topic.

If the user is coming through a proxy or a gateway their IP address might be in the $SERVER['HTTP_X_FORWARDED_FOR'] variable. If the proxies bothered to fill it in. When coming through a proxy the $SERVER['REMOTE_ADDR'] will contain the IP address of the proxy server and not the user's IP address. Also, the user may have gone through several proxies, so the $_SERVER['HTTP_X_FORWARDED_FOR'] variable could contain several IP addresses separated by commas. The last one should be the users. All this can be faked.

Even if they're not going through a proxy, user's using ISP like AOL will come through different IP addresses per HTTP request. They can jump around across full networks - i.e. one request could come from 1.2.3.4 and the next could be 5.6.7.8 (as opposed to 1.2.x.x something).

Capturing the IP is still important though and can then allow you to do a whois lookup. Also, you can resolve the address within PHP by using the gethostbyaddr() function. Run trace routing on it too.

You can build in a feature to block certain IP addresses within your code including using cookies to ban. If you're using Apache server, then you can block an IP using a .htaccess file.

FYI: Please note that the header() with location command does not redirect right there and then when it's executed. It actually redirects when your script ends or an exit is reached. So, to ensure no logic flow problems in your script, you should have an exit right after every header() with location to force redirection to occur immediately.

hth.