Being hacked? Unknown person posting gibberish in forms

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

anivad
Forum Commoner
Posts: 80
Joined: Thu Apr 09, 2009 11:16 pm

Being hacked? Unknown person posting gibberish in forms

Post by anivad »

Recently someone named '2005' has been leaving signed comments on my site; the latest went:

Code:

E85v3j <a href="http://eafymxuiivls.com/">eafymxuiivls</a>, http://fzqbzkdpuqvg.com/]fzqbzkdpuqvg[/url], [link=http://qtgjorhunkih.com/]qtgjorhunkih[/link], http://ynafpdstzjgl.com/
with the subject of "pmRIPcpMXWQyeZThPJ"

This is the second time it's happened, and I don't know how whoever it was is able to do that; there is no account in my MySQL database with the username '2005', and by rights non-signed-in members are automatically allocated the name 'Guest'.

Is there something wrong with my code that's allowing this to happen?

$scheck (true when not logged in) is set by:

Code:

session_start();
$scheck = (!(isset($_SESSION['login']) && $_SESSION['login'] != ''));

Comments code:

Code:

<?php

// $scheck is set earlier: true when nobody is logged in.
if($scheck) {
    $cname = "Guest";
}
else {
    $cname = $uname;   // $uname is expected to be provided by common.php / the session
}

include '../db.php';
include '../common.php';
$page = $_SERVER['REQUEST_URI'];

// Load every comment stored for the current page.
$sql = "SELECT * FROM comments WHERE page='$page' ORDER BY postdate ASC";
$result = mysql_query($sql);
if(!$result) die(mysql_error());
$num_rows = mysql_num_rows($result);

if ($result) {
    if ($num_rows > 0) {

print "<b>Comments</b>";
print "<p><table border='1' bordercolor='black'>";

while($info = mysql_fetch_object($result)) {
print "<tr><td class='sm' colspan='2' width='800'>" .stripslashes($info->subject). " (" .stripslashes($info->postdate). ")</td>";
print "</td></tr><tr><td class='c' width='150'><b>" .stripslashes($info->cname). "</b>";

// For registered posters, show how many comments they have made overall.
if($info->cname != 'Guest') {
if($info->cname !='') {
$scname = $info->cname;
$sql = "SELECT * FROM comments WHERE cname='$scname'";
$presult = mysql_query($sql);
if(!$presult) die(mysql_error());

$num_rows = mysql_num_rows($presult);
    $postcount = $num_rows;

print "<br>Posts: " . $postcount . "</td>";
}
}

print "<td valign='top' class='c'>" .stripslashes(nl2br($info->comment));

// Only the comment's own author gets the edit button.
if($info->cname != 'Guest') {
    if($info->cname == $uname) {

$page = $_SERVER['REQUEST_URI'];

print "<form name='edit' method='post' action='editcomments.php'>";
print "<input type='hidden' name='page' value='$page'>";
print "<input type='hidden' name='comment' value='$info->comment'>";
print "<input type='hidden' name='commentid' value='$info->commentid'>";
print "<input type='image' src='../pictures/edit.png' name='ec'>";
print "</form>";
}
}
print "</td></tr>";
}
print "</table>";
print "<hr>";
}
}

// Handle a submitted comment.
if ($_SERVER['REQUEST_METHOD'] == 'POST') {

$comment = $_POST['comment'];
$comment = mysql_real_escape_string($comment);
$comment = htmlspecialchars($comment);

// The replacement literal on this line was garbled in the post; it is
// reconstructed here as the HTML entity for an apostrophe (an assumption).
$comment = eregi_replace('(\\\')', '&#39;', $comment);
// Minimal BBCode: [b], [i] and [u] become their HTML tags.
$comment = eregi_replace('(\[b\])', '<b>', $comment);
$comment = eregi_replace('(\[/b\])', '</b>', $comment);
$comment = eregi_replace('(\[i\])', '<i>', $comment);
$comment = eregi_replace('(\[/i\])', '</i>', $comment);
$comment = eregi_replace('(\[u\])', '<u>', $comment);
$comment = eregi_replace('(\[/u\])', '</u>', $comment);

$subject = $_POST['subject'];
$subject = mysql_real_escape_string($subject);
// page, date and poster name are all taken from the submitted form as-is;
// note that this $cname overrides the session-derived value set at the top.
$page = $_POST['page'];
$date = $_POST['date'];
$cname = $_POST['cname'];

if ($comment == '') {
       error('Comment field left empty. Please fill it in and try again.');
}

else {
$sql = "INSERT INTO comments SET page='$page', cname='$cname', postdate='$date', subject='$subject', comment='$comment'";
$result = mysql_query($sql) or die(mysql_error());
    if (!$result) {   // was "!result" in the original post (missing $)
    error('Error connecting to database');
    }
    else {
    header('Location: http://' . $_SERVER['HTTP_HOST'] . $_POST['page'] . "#comments");
    }
}

}

?>
Thanks!
Last edited by anivad on Tue Apr 28, 2009 11:04 pm, edited 3 times in total.
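For comparison, an added example (not anivad's code) of how the POST branch of the comments page above can be written so that the poster's name, the page and the timestamp are decided server-side and the SQL is parameterised. It assumes PHP 7+, a PDO connection in `$pdo` (hypothetically provided by `db.php`), the same `comments` table, and that the comment form embeds the per-session token as a hidden field named `token`.

```php
<?php
// Added example, not the original poster's code. Assumes $pdo (PDO) from db.php
// and a comments table with columns page, cname, postdate, subject, comment.
session_start();
include '../db.php';

// Identity comes from the session only. The original code trusted
// $_POST['cname'], so any HTTP client could submit under any name.
$loggedIn = isset($_SESSION['login']) && $_SESSION['login'] !== '';
$cname = $loggedIn ? (string) $_SESSION['uname'] : 'Guest';

// Per-session form token; the comment form must send it back as "token".
// A client that never rendered the form (a bot posting straight to the
// handler) will not have it.
if (empty($_SESSION['form_token'])) {
    $_SESSION['form_token'] = bin2hex(random_bytes(16));
}

function token_hidden_field(): string {
    return "<input type='hidden' name='token' value='"
        . htmlspecialchars($_SESSION['form_token'], ENT_QUOTES, 'UTF-8') . "'>";
}

function store_comment(PDO $pdo, string $page, string $cname,
                       string $subject, string $comment): void {
    // Prepared statement: no user input is interpolated into the SQL text,
    // so mysql_real_escape_string()-style escaping is not needed.
    $stmt = $pdo->prepare(
        'INSERT INTO comments (page, cname, postdate, subject, comment)
         VALUES (?, ?, NOW(), ?, ?)');
    $stmt->execute([$page, $cname, $subject, $comment]);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $token = $_POST['token'] ?? '';
    if ($token === '' || !hash_equals($_SESSION['form_token'], $token)) {
        http_response_code(403);
        exit('Form token missing or invalid.');
    }
    $comment = trim($_POST['comment'] ?? '');
    $subject = trim($_POST['subject'] ?? '');
    if ($comment === '') {
        exit('Comment field left empty. Please fill it in and try again.');
    }
    // The page is the URI the form was posted to, not a hidden field the
    // client controls; the date is set by the database (NOW()).
    $page = $_SERVER['REQUEST_URI'];
    store_comment($pdo, $page, $cname, $subject, $comment);
    header('Location: ' . $page . '#comments');
    exit;
}
```

Stored text is kept raw and should be passed through `htmlspecialchars($value, ENT_QUOTES, 'UTF-8')` at output time, instead of being HTML-escaped before insertion as the original does.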
miro_igov
Forum Contributor
Posts: 485
Joined: Fri Mar 31, 2006 5:06 am
Location: Bulgaria

Re: Being hacked? Unknown person posting gibberish in forms

Post by miro_igov »

What is the value of your register_globals? Maybe the login procedure contains an injection vulnerability?
anivad
Forum Commoner
Posts: 80
Joined: Thu Apr 09, 2009 11:16 pm

Re: Being hacked? Unknown person posting gibberish in forms

Post by anivad »

Didn't know anything about register_globals until now - I'm new to PHP. What exactly does it do? Google isn't helping much.

Login procedure escapes all input (username + password) with mysql_escape_string; is that enough?
anivad
Forum Commoner
Posts: 80
Joined: Thu Apr 09, 2009 11:16 pm

Re: Being hacked? Unknown person posting gibberish in forms

Post by anivad »

Ok, I turned register_globals off, but it's still happening.

Login code:

Code:

<?PHP

include 'common.php';

if ($_SERVER['REQUEST_METHOD'] == 'POST'){
    $uname = $_POST['username'];
    $pword = $_POST['password'];
    $cookie = $_POST['setcookie'];
    $time = time();

// Database connect

$dbuser = "whoaisno_anakin";
$dbpass = "etturn";
$database = "whoaisno_users";
$server = "localhost";

$db_handle = mysql_connect($server, $dbuser, $dbpass);
$db_found = mysql_select_db($database, $db_handle);

if ($db_found) {
// Password is compared as its md5 hex digest; both values are then
// HTML-escaped and SQL-escaped before being placed in the query.
$pword = md5($pword);
$pword = htmlspecialchars($pword);
$uname = htmlspecialchars($uname);
$pword = mysql_real_escape_string($pword);
$uname = mysql_real_escape_string($uname);

    $SQL = "SELECT * FROM login WHERE uname = '$uname' AND pword = '$pword'";
    $result = mysql_query($SQL) or die (mysql_error());
    $num_rows = mysql_num_rows($result);

// result checking

    if ($result) {
        if ($num_rows > 0) {
            session_start();
            $_SESSION['login'] = "1";
            $_SESSION['uname'] = "$uname";
            // "Remember me": username and md5 password digest are stored
            // in plain cookies for 30 days (2592000 seconds).
            if($cookie) {
            setcookie("winm[uname]", $uname, $time + 2592000);
            setcookie("winm[pword]", $pword, $time + 2592000);
            }
            header ("Location: loginsuccess.htm");
        }
        else {
            session_start();
            $_SESSION['login'] = "";
            error('Login failed. Check that you are registered, and that your username and password are correct.');
        }
    }

    mysql_close($db_handle);

    }

}

?>
Last edited by Benjamin on Mon Apr 27, 2009 10:41 pm, edited 1 time in total.
Reason: Changed code type from text to php.
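An added example (not anivad's code) of the same login handler with proper password hashing and a "remember me" cookie that carries a random token rather than the password digest. It assumes PHP 7.3+, a PDO connection in `$pdo`, a `login` table whose `pword` column holds `password_hash()` output, and a `remember_tokens` table (`uname`, `selector`, `validator_hash`, `expires`); those table and column names are assumptions, and `error()` is the helper from common.php used in the original.

```php
<?php
// Added example, not the original poster's code. Assumes $pdo (PDO) is
// already connected, plus the login and remember_tokens tables described
// in the lead-in.
session_start();
include 'common.php';

function attempt_login(PDO $pdo, string $uname, string $pword): bool {
    // Prepared statement: the username never becomes part of the SQL text.
    $stmt = $pdo->prepare('SELECT pword FROM login WHERE uname = ?');
    $stmt->execute([$uname]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() checks against a salted, slow hash (bcrypt by
    // default); an unsalted md5() digest as in the original is not one.
    return $row !== false && password_verify($pword, $row['pword']);
}

function issue_remember_token(PDO $pdo, string $uname, int $ttl = 2592000): void {
    // The cookie holds a random selector:validator pair; only a hash of the
    // validator is stored server-side, and the password never leaves the server.
    $selector  = bin2hex(random_bytes(8));
    $validator = bin2hex(random_bytes(32));
    $stmt = $pdo->prepare(
        'INSERT INTO remember_tokens (uname, selector, validator_hash, expires)
         VALUES (?, ?, ?, ?)');
    $stmt->execute([$uname, $selector, hash('sha256', $validator), time() + $ttl]);
    setcookie('winm_remember', $selector . ':' . $validator, [
        'expires'  => time() + $ttl,
        'path'     => '/',
        'httponly' => true,   // not readable from page scripts
        'samesite' => 'Lax',
    ]);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $uname = $_POST['username'] ?? '';
    $pword = $_POST['password'] ?? '';
    if (attempt_login($pdo, $uname, $pword)) {
        session_regenerate_id(true);   // fresh session id once authenticated
        $_SESSION['login'] = '1';
        $_SESSION['uname'] = $uname;
        if (!empty($_POST['setcookie'])) {
            issue_remember_token($pdo, $uname);
        }
        header('Location: loginsuccess.htm');
        exit;
    }
    $_SESSION['login'] = '';
    error('Login failed. Check that you are registered, and that your username and password are correct.');
}
```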
anivad
Forum Commoner
Posts: 80
Joined: Thu Apr 09, 2009 11:16 pm

Re: Being hacked? Unknown person posting gibberish in forms

Post by anivad »

The most relevant question for all of us, who are in their thirties, would probably be How to get rid of those Dark circles under our eyes?
In our hectic day's schedule we have to consider a way that is very useful as well as fast in its action. This is where Dermapril usage can be greatly beneficial for us.

This is one of the best sites to help remove dark circles under eyes
http://ezinearticles.com/?Get-Rid-of-Under-Eye-Dark-Circles---Three-Part-Process&id=2263268
Nah, more gibberish than that. It's just a bunch of letters, no actual words.
Last edited by anivad on Wed Apr 29, 2009 9:47 am, edited 1 time in total.
anivad
Forum Commoner
Posts: 80
Joined: Thu Apr 09, 2009 11:16 pm

Re: Being hacked? Unknown person posting gibberish in forms

Post by anivad »

Wow. That's... kind of fascinating. But I don't know how they're managing to post that in the first place. :? Adding a captcha wouldn't work, because currently they seem to have a way of bypassing the whole login system.
anivad
Forum Commoner
Posts: 80
Joined: Thu Apr 09, 2009 11:16 pm

Re: Being hacked? Unknown person posting gibberish in forms

Post by anivad »

ARGGGH just happened two more times, and they've given up on the gibberish and started actual spam. Earlier on I had deleted the calling cards as soon as I could, but somehow they still found me. All the advertised links point to subdomains of the website dnip.net.

Other sites have been hit too -> http://www.google.com/search?q=dnip.net ... rt=10&sa=N

This sucks. I just blocked their specific username from leaving comments such that whenever they try to post a comment in future they'll get an error message that says "Screw you. I HOPE YOU AND YOUR CLIENT ROT IN HELL", but I doubt that would hold them off for long.


EDIT: Found a solution. Apparently bots can't find you if you put the submit code in JavaScript. Now to see if that works...