
Being hacked? Unknown person posting gibberish in forms

Posted: Tue Apr 21, 2009 11:08 pm
by anivad
Recently someone named '2005' has been leaving signed comments on my site; the latest went:

Code:

E85v3j <a href="http://eafymxuiivls.com/">eafymxuiivls</a>, http://fzqbzkdpuqvg.com/]fzqbzkdpuqvg[/url], [link=http://qtgjorhunkih.com/]qtgjorhunkih[/link], http://ynafpdstzjgl.com/
with the subject of "pmRIPcpMXWQyeZThPJ"

This is the second time it's happened, and I don't know how whoever it was is able to do that; there is no account in my MySQL database with the username '2005', and by rights non-signed-in members are automatically allocated the name of 'Guest'.

Is there something wrong with my code that's allowing this to happen?

$scheck (= not logged in):

session_start();
$scheck = (!(isset($_SESSION['login']) && $_SESSION['login'] != ''));

Comments code:

Code:

<?php

// $uname is not defined in this file; it is assumed to be set by
// common.php / the session.
if ($scheck) {
    $cname = "Guest";
} else {
    $cname = $uname;
}

include '../db.php';
include '../common.php';
$page = $_SERVER['REQUEST_URI'];

// Load the comments for this page (the URI is interpolated into the query as-is).
$sql = "SELECT * FROM comments WHERE page='$page' ORDER BY postdate ASC";
$result = mysql_query($sql);
if (!$result) die(mysql_error());
$num_rows = mysql_num_rows($result);

if ($result) {
    if ($num_rows > 0) {
        print "<b>Comments</b>";
        print "<p><table border='1' bordercolor='black'>";

        while ($info = mysql_fetch_object($result)) {
            print "<tr><td class='sm' colspan='2' width='800'>" . stripslashes($info->subject) . " (" . stripslashes($info->postdate) . ")</td>";
            print "</td></tr><tr><td class='c' width='150'><b>" . stripslashes($info->cname) . "</b>";

            // Post count for registered commenters
            if ($info->cname != 'Guest') {
                if ($info->cname != '') {
                    $scname = $info->cname;
                    $sql = "SELECT * FROM comments WHERE cname='$scname'";
                    $presult = mysql_query($sql);
                    if (!$presult) die(mysql_error());

                    $num_rows = mysql_num_rows($presult);
                    $postcount = $num_rows;

                    print "<br>Posts: " . $postcount . "</td>";
                }
            }

            print "<td valign='top' class='c'>" . stripslashes(nl2br($info->comment));

            // Edit button, shown only to the comment's own author
            if ($info->cname != 'Guest') {
                if ($info->cname == $uname) {
                    $page = $_SERVER['REQUEST_URI'];

                    print "<form name='edit' method='post' action='editcomments.php'>";
                    print "<input type='hidden' name='page' value='$page'>";
                    print "<input type='hidden' name='comment' value='$info->comment'>";
                    print "<input type='hidden' name='commentid' value='$info->commentid'>";
                    print "<input type='image' src='../pictures/edit.png' name='ec'>";
                    print "</form>";
                }
            }
            print "</td></tr>";
        }
        print "</table>";
        print "<hr>";
    }
}

if ($_SERVER['REQUEST_METHOD'] == 'POST') {

    // Escaped for SQL, then HTML-encoded, before being stored
    $comment = $_POST['comment'];
    $comment = mysql_real_escape_string($comment);
    $comment = htmlspecialchars($comment);

    // The replacement string for the escaped apostrophe was garbled in
    // extraction (it appeared as ''' ); '&#039;' is assumed here.
    $comment = eregi_replace('(\\\')', '&#039;', $comment);
    $comment = eregi_replace('(\[b\])', '<b>', $comment);
    $comment = eregi_replace('(\[/b\])', '</b>', $comment);
    $comment = eregi_replace('(\[i\])', '<i>', $comment);
    $comment = eregi_replace('(\[/i\])', '</i>', $comment);
    $comment = eregi_replace('(\[u\])', '<u>', $comment);
    $comment = eregi_replace('(\[/u\])', '</u>', $comment);

    $subject = $_POST['subject'];
    $subject = mysql_real_escape_string($subject);
    $page = $_POST['page'];
    $date = $_POST['date'];
    // The stored name is taken from the submitted form field, replacing the
    // Guest/session value computed at the top of the file.
    $cname = $_POST['cname'];

    if ($comment == '') {
        error('Comment field left empty. Please fill it in and try again.');
    } else {
        $sql = "INSERT INTO comments SET page='$page', cname='$cname', postdate='$date', subject='$subject', comment='$comment'";
        $result = mysql_query($sql) or die(mysql_error());
        if (!$result) {   // original read "!result" (missing $)
            error('Error connecting to database');
        } else {
            header('Location: http://' . $_SERVER['HTTP_HOST'] . $_POST['page'] . "#comments");
        }
    }

}

?>
Thanks!
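Editor's note on the post above, with an added example that is not the poster's code. The POST branch of the comments script reads the commenter's name from `$_POST['cname']` (a hidden form field) and the date from `$_POST['date']`, so the 'Guest' rule computed at the top of the file is overwritten by whatever the client sends; a bot that posts the form directly, with no browser and no login, can supply any name it likes, which is consistent with the '2005' signature. The `page` value, also client-supplied, goes into the INSERT and the redirect unescaped. The example below rewrites only the POST handler and the page query: the name comes from the session, the date from the server, `page` is validated as a site-relative path, and all SQL is parameterised. Assumptions: a PDO connection in `$pdo`, `error()` from common.php, and the table and column names of the original; unlike the original it stores the raw comment and encodes it on output, so `render_comment()` replaces the escape-before-storage steps.

```php
<?php
// Added example (not the original poster's code). Assumes a PDO connection
// in $pdo, error() from common.php, and the original comments table
// (page, cname, postdate, subject, comment).
declare(strict_types=1);

session_start();

// The display name comes from the server-side session only. The original
// took it from $_POST['cname'], which any HTTP client can set.
function current_commenter(): string
{
    if (!empty($_SESSION['login']) && !empty($_SESSION['uname'])) {
        return (string) $_SESSION['uname'];
    }
    return 'Guest';
}

// Accept only a site-relative path: no scheme, host, query or "..".
// This also keeps the post-submit redirect on this host.
function valid_page(string $page): bool
{
    return preg_match('~^/[A-Za-z0-9_./-]*$~', $page) === 1
        && strpos($page, '..') === false;
}

// Escape once, at output time, then allow the same three BBCode tags the
// original supported (case-insensitively, like eregi_replace did).
function render_comment(string $raw): string
{
    $safe = nl2br(htmlspecialchars($raw, ENT_QUOTES, 'UTF-8'));
    return str_ireplace(
        ['[b]', '[/b]', '[i]', '[/i]', '[u]', '[/u]'],
        ['<b>', '</b>', '<i>', '</i>', '<u>', '</u>'],
        $safe
    );
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $comment = trim((string) ($_POST['comment'] ?? ''));
    $subject = trim((string) ($_POST['subject'] ?? ''));
    $page    = (string) ($_POST['page'] ?? '');

    if ($comment === '') {
        error('Comment field left empty. Please fill it in and try again.');
    } elseif (!valid_page($page)) {
        error('Invalid page.');
    } else {
        // Prepared statement: nothing from the form is concatenated into SQL,
        // and the timestamp is set by the database, not by the client.
        $stmt = $pdo->prepare(
            'INSERT INTO comments (page, cname, postdate, subject, comment)
             VALUES (:page, :cname, NOW(), :subject, :comment)'
        );
        $stmt->execute([
            ':page'    => $page,
            ':cname'   => current_commenter(),
            ':subject' => $subject,
            ':comment' => $comment,
        ]);
        header('Location: ' . $page . '#comments');
        exit;
    }
}

// Listing: the request path is bound as a parameter instead of being
// interpolated into the query string.
$path = (string) parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);
$stmt = $pdo->prepare('SELECT cname, postdate, subject, comment FROM comments
                       WHERE page = :page ORDER BY postdate ASC');
$stmt->execute([':page' => $path]);

foreach ($stmt as $row) {
    $h = static fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    print '<p><b>' . $h($row['cname']) . '</b> (' . $h($row['postdate']) . ') '
        . $h($row['subject']) . '<br>' . render_comment($row['comment']) . '</p>';
}
```

With the name derived server-side, a CAPTCHA or rate limit on the form becomes a separate question of volume, not of identity; the hidden `cname` field should simply be removed from the form since the server no longer reads it.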

Re: Being hacked? Unknown person posting gibberish in forms

Posted: Wed Apr 22, 2009 7:30 am
by miro_igov
What is the value of your register_globals? Maybe the login procedure contains an injection vulnerability?

Re: Being hacked? Unknown person posting gibberish in forms

Posted: Wed Apr 22, 2009 9:53 am
by anivad
Didn't know anything about register_globals until now - I'm new to PHP. What exactly does it do? Google isn't helping much.

Login procedure escapes all input (username + password) with mysql_escape_string; is that enough?

Re: Being hacked? Unknown person posting gibberish in forms

Posted: Mon Apr 27, 2009 10:22 pm
by anivad
Ok, I turned register_globals off, but it's still happening.

Login code:

Code:

<?php

include 'common.php';

if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    $uname  = $_POST['username'];
    $pword  = $_POST['password'];
    $cookie = $_POST['setcookie'];
    $time   = time();

    // Database connect

    $dbuser   = "whoaisno_anakin";
    $dbpass   = "etturn";
    $database = "whoaisno_users";
    $server   = "localhost";

    $db_handle = mysql_connect($server, $dbuser, $dbpass);
    $db_found  = mysql_select_db($database, $db_handle);

    if ($db_found) {
        // Hash the password, HTML-encode both fields, then SQL-escape them
        $pword = md5($pword);
        $pword = htmlspecialchars($pword);
        $uname = htmlspecialchars($uname);
        $pword = mysql_real_escape_string($pword);
        $uname = mysql_real_escape_string($uname);

        $SQL = "SELECT * FROM login WHERE uname = '$uname' AND pword = '$pword'";
        $result = mysql_query($SQL) or die(mysql_error());
        $num_rows = mysql_num_rows($result);

        // result checking

        if ($result) {
            if ($num_rows > 0) {
                session_start();
                $_SESSION['login'] = "1";
                $_SESSION['uname'] = "$uname";
                // "Remember me": username and md5 hash stored in cookies for 30 days
                if ($cookie) {
                    setcookie("winm[uname]", $uname, $time + 2592000);
                    setcookie("winm[pword]", $pword, $time + 2592000);
                }
                header("Location: loginsuccess.htm");
            } else {
                session_start();
                $_SESSION['login'] = "";
                error('Login failed. Check that you are registered, and that your username and password are correct.');
            }
        }

        mysql_close($db_handle);
    }
}

?>
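Editor's note on the login code above, with an added example that is not the poster's code. Two things in that handler stand out independently of the comment-spam question: the "remember me" branch writes the unsalted md5 of the password into a browser cookie, and `htmlspecialchars()` is applied to the username before it is stored in the session, so a name containing `&`, `<` or `'` is stored in encoded form and will not equal the name the user typed. The rewrite below keeps the same form fields and redirect, checks the password with `password_verify()` in PHP instead of matching a digest in SQL, regenerates the session id on login, and replaces the credential cookie with a random token. Assumptions: a PDO connection in `$pdo`, `error()` from common.php, a `pword` column holding `password_hash()` output (the original stored md5 digests, so existing rows would need re-hashing at next login), and a hypothetical `remember_token` column for the token hash.

```php
<?php
// Added example (not the original poster's code). Assumes $pdo (PDO),
// error() from common.php, login.pword holding password_hash() output, and
// an assumed login.remember_token column for the "remember me" token hash.
declare(strict_types=1);

session_start();

function authenticate(PDO $pdo, string $uname, string $pword): bool
{
    // Look the user up by name only; the password is checked in PHP with
    // password_verify(), never by string-matching a digest in SQL.
    $stmt = $pdo->prepare('SELECT pword FROM login WHERE uname = :uname');
    $stmt->execute([':uname' => $uname]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    return password_verify($pword, (string) $row['pword']);
}

// "Remember me" without putting the credential in the browser: a random
// token goes to the client, only its hash is stored server-side.
function issue_remember_token(PDO $pdo, string $uname): void
{
    $token = bin2hex(random_bytes(32));
    $stmt = $pdo->prepare('UPDATE login SET remember_token = :hash WHERE uname = :uname');
    $stmt->execute([':hash' => hash('sha256', $token), ':uname' => $uname]);
    // 30 days, whole site, HTTPS only, not readable from JavaScript
    setcookie('winm_token', $token, time() + 2592000, '/', '', true, true);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // No htmlspecialchars() here: the stored name must equal the entered
    // name, and escaping belongs at output time. The parameterised query
    // makes mysql_real_escape_string() unnecessary.
    $uname = (string) ($_POST['username'] ?? '');
    $pword = (string) ($_POST['password'] ?? '');

    if ($uname !== '' && authenticate($pdo, $uname, $pword)) {
        // A fresh session id on login prevents session fixation.
        session_regenerate_id(true);
        $_SESSION['login'] = '1';
        $_SESSION['uname'] = $uname;

        if (!empty($_POST['setcookie'])) {
            issue_remember_token($pdo, $uname);
        }
        header('Location: loginsuccess.htm');
        exit;
    }

    $_SESSION['login'] = '';
    error('Login failed. Check that you are registered, and that your username and password are correct.');
}
```

On a later request, the cookie-based login would hash the presented token and look it up with another prepared statement, then populate the session the same way; the token should be rotated on use and cleared on logout.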

Re: Being hacked? Unknown person posting gibberish in forms

Posted: Tue Apr 28, 2009 3:09 am
by anivad
The most relevant question for all of us, who are in their thirties, would probably be How to get rid of those Dark circles under our eyes?
In our hectic day's schedule we have to consider a way that is very useful as well as fast in its action. This is where Dermapril usage can be greatly beneficial for us.

This is one of the best site to help remove dark circles under eyes
http://ezinearticles.com/?Get-Rid-of-Under-Eye-Dark-Circles---Three-Part-Process&id=2263268

Nah, more gibberish than that. It's just a bunch of letters, no actual words.

Re: Being hacked? Unknown person posting gibberish in forms

Posted: Tue Apr 28, 2009 10:29 pm
by anivad
Wow. That's... kind of fascinating. But I don't know how they're managing to post that in the first place. :? Adding a captcha wouldn't work, because currently they seem to have a way of bypassing the whole login system.

Re: Being hacked? Unknown person posting gibberish in forms

Posted: Wed Apr 29, 2009 7:47 am
by anivad
ARGGGH, it just happened two more times, and they've given up on the gibberish and started actual spam. Earlier on I had deleted the calling cards as soon as I could, but somehow they still found me. All the advertised links point to subdomains of the website dnip.net.

Other sites have been hit too -> http://www.google.com/search?q=dnip.net ... rt=10&sa=N

This sucks. I just blocked their specific username from leaving comments such that whenever they try to post a comment in future they'll get an error message that says "Screw you. I HOPE YOU AND YOUR CLIENT ROT IN HELL", but I doubt that would hold them off for long.


EDIT: Found a solution. Apparently bots can't find you if you put the submit code in Javascript. Now to see if that works...