Website Hacked - Advice Please

condoug

We have inherited a website (built in PHP/MySQL) which has been hacked a few times over the last month. The hosting company have indicated there must be issues within the source code of the site.

The site is built using dynamic URL's (e.g. productlist.php?pid=1) and all SELECT AND INSERT queries use the passed arguments to display/store product data.

The same too goes for the admin system which is bolted on to the back end.

The hackers have so far managed to do the following:

1) Upload files and folders inside and outside of web root
2) upload a CGI script which basically buggers up the entire site and background
3) Changed content within the mysQL database
4) Deleted the contents of a product table
5) created a folder which I can't even delete via FTP

The admin system does not allow products to be deleted so I suspect they have managed to find the database username and password details (which are stored outside of web root in a dbcon.php script) and connect directly to the database in order to delete the data.

My question is basically, what would be the most common way for the attackers to get into the system and do what they have done?

Is there a method I need to apply to the scripts to prevent this kind of outside attack?

Any advice would be greatly appreciated.

laserlight

condoug wrote:
1) Upload files and folders inside and outside of web root
2) upload a CGI script which basically buggers up the entire site and background

This sounds like your site authentication credentials have been compromised. Changing the password would be a start, but that begs the question of how did it happen in the first place. Alternatively, there could be some file upload feature that was abused to upload a script from which other exploits would be done.

condoug wrote:
3) Changed content within the mysQL database
4) Deleted the contents of a product table

If they did not just get the database login credentials, then this could be by SQL injection. You will need to fix the script, e.g., to use prepared statements where possible.

condoug wrote:
5) created a folder which I can't even delete via FTP

What are the permissions and ownership of the folder?

sneakyimp

If they were able to create a folder, this implies that they have acquired the username and password of at least one user authorized to access your file system. If you can log in via SSH, you could list this folder thusly:

ls -l /path/to/folder

where path/to/folder is of course replaced with the actual path to the evil folder in question. Knowing what permissions are on this folder would be a good start.

It may be that this folder belongs to user www-data or apache or nobody in which case they might have created it through an existing script you have that either evaluates user-submitted data (possibly through a very convoluted include process or something similar) or that copies uploaded files to the web root.

It may be that they used SQL injection to look through your database and they found some user credentials there and then used these to login via SSH or FTP and create these folders.

Locating the source of this kind of problem can be a real chore, depending on how complex your code is.

cybereclipse

A sample code to prevent sql injection

function escape_data($data){
global $dbc;
if (ini_get('magic_quotes_gpc')) { \if magic quotes is turned on your server
$data = stripslashes($data);
}

return mysql_real_escape_string(trim($data), $dbc);

}

I would go online and do some research on preg_match. I am also doing a database project and security is my top priority. I want to ask everyone's opinion if I should use https: on my entire site and any other methods of security. Books would be great, thanks!

Weedpacket

Another code sample showing SQL injection prevention (though it's plenty dodgy in other respects):

$insertion = $db_connection
    ->prepare('INSERT into sometable (name,address) VALUES(:name, :address)')
    ->execute($_POST);

spufi

cybereclipse;10999760Books would be great, thanks![/QUOTE wrote:
Essential PHP Security by Chris Shiflett

Pro PHP Security by Chris Snyder

I personally use PDO for dealing with DB interaction.