My site has been sabotaged
Posted: Mon Sep 18, 2006 9:30 pm
by draco2317
I bought a script, and I guess it wasn't protected. I had been busy and hadn't checked in on the page in a month, and I saw that there was an unusually high amount of incorrect log-ins. Long story short, when someone is trying to register, instead of going to the form processing script, it tries to log the person in, instead of adding the profile. I tried renaming the scripts so that the correct script was accessed, and renamed the verify login script to login_check.php, and when I tried to register, it looked for the new file login_check.php. I figured this wasn't an error, as I looked at the code, and on a service level it shows it is supposed to call the right script. Please help me, I need to get my site back up. If you need to look at the scripts please contact me via PM, as I don't want to post it on here. Thanks again in advance for your help.
Posted: Mon Sep 18, 2006 10:26 pm
by feyd
Do you have the original files? Have you compared them to the currently live files? Since you paid for this script you may want to contact the author.
If there is no direct vulnerability in the software, then it is likely that your files were compromised through the server itself via a different user account or even your own. It's difficult to say without knowing far more detail.
Posted: Mon Sep 18, 2006 11:44 pm
by draco2317
I have checked the file against the original and nothing seems out of place. I contacted the developer but my year's maintenance has expired, and he wants too much money to look at it.
Posted: Tue Sep 19, 2006 10:50 am
by RobertGonzalez
Seriously, the only way you are going to get help on this issue here is to post some code. Asking for a PM to release code is asking people to charge you to look at your code.
Posted: Tue Sep 19, 2006 6:52 pm
by Ambush Commander
Trouble is, it's probably against the license he's been granted to use. If you know a little bit about PHP, try to excerpt just the suspect sections. We'll claim fair use.

Posted: Tue Sep 19, 2006 7:09 pm
by draco2317
I am able to post all the code, but I have no idea where to even begin. I have looked over the code and didn't see any red flags, but I am by no means an average programmer; I would be a novice at best. I have been told that the script is vulnerable to SQL injection because the variables are not escaped. So on the other thread (I mistakenly thought I had posted originally in the wrong forum and tried in what I thought was right) I posed the question.
Based on what I read from a page given by another member about escaping, should I make the following changes?
Code:
$exista=@mysql_query("select * from models where user='$user' or email='$email'");
To
Code:
$exista=@mysql_query("select * from models where user='$user' or email='$email'",
mysql_real_escape_string($user),
mysql_real_escape_string($password));
However the other thread got to be more about how I posted the code wrong, which is cool because I want to follow the rules. But my question never was answered. If it's necessary I can post all the code I need to. Thanks for all your help.
Posted: Wed Sep 20, 2006 10:40 am
by RobertGonzalez
Ok, no more thread floating. There was considerable discussion in the other thread about what you are going through. The question you just asked above should have gone in that thread. I would suggest we stop using this thread as a discussion platform for your code's vulnerabilities and move the entire conversation back into the other thread. Please.
Posted: Wed Sep 20, 2006 11:19 am
by draco2317
I posted that question in the other forum, and as I stated when I posted it here, the other forum switched focus from my question to how I didn't follow the rules and my question was ignored. I wasn't trying to thread float, just wanted an answer. But don't worry, this will be my last post and also my last visit to this forum. I will find one that will answer my questions instead of just bashing me for screwing up. I have no problem being told that I messed up, but it seems like no one will shut up about it now and I got the point a while ago. I picked this thread to continue my question as it wasn't bloated with my screw up. If the mods didn't want a double thread they should have closed one of them. I regret that I am losing out on a good resource, but if I can get the help that it offers what am I really losing. While I know that not everyone here, probably just a handful, is to blame, however those people need to grow up and stop professing their superiority.
Posted: Wed Sep 20, 2006 11:26 am
by Maugrim_The_Reaper
I feel like floating a third...
Use the first version of the query, but something like:
Code:
$sql = array();
$sql['user'] = mysql_real_escape_string($user);
$sql['email'] = mysql_real_escape_string($email);
$exista=@mysql_query("select * from models where user='" . $sql['user'] . "' or email='" . $sql['email'] . "'");
This creates a new array of "escaped" values while leaving the originals untouched. Everything in the $sql array must be escaped so it's an easy way to distinguish between raw data ($user) and escaped data ($sql['user']).
When posting to the forums, we try to keep the rules enforced. It's not meant to come across as unfriendly at all. Stick around a bit longer and you'll see we're not an intolerable unfriendly bunch.
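Added example (not part of the original thread or the purchased script): the registration lookup from the posts above, once with values pasted into the SQL string and once with bound parameters. PDO with an in-memory SQLite database stands in for the thread's MySQL setup, and the table rows, inputs and function names exists_concat / exists_prepared are constructed for illustration.

```php
<?php
// Added example: constructed table and inputs. PDO with in-memory SQLite
// stands in for the thread's MySQL database (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE models (user TEXT, email TEXT)");
$db->exec("INSERT INTO models VALUES ('alice', 'alice@example.test')");
$db->exec("INSERT INTO models VALUES ('bob', 'bob@example.test')");

// Pattern from the original script: raw values pasted into the SQL text.
function exists_concat(PDO $db, string $user, string $email): int
{
    $q = "select count(*) from models where user='$user' or email='$email'";
    return (int) $db->query($q)->fetchColumn();
}

// Bound parameters: the values travel separately from the SQL text,
// so quote characters in them are data, never query syntax.
function exists_prepared(PDO $db, string $user, string $email): int
{
    $st = $db->prepare(
        'select count(*) from models where user = :user or email = :email'
    );
    $st->execute([':user' => $user, ':email' => $email]);
    return (int) $st->fetchColumn();
}

// Constructed inputs: an ordinary new registrant, and a value whose
// quotes change the WHERE clause when it is concatenated.
$cases = [
    'new user'       => ['carol', 'carol@example.test'],
    'quote in value' => ["x' or '1'='1", 'nobody@example.test'],
];

foreach ($cases as $label => [$user, $email]) {
    printf("%-15s concat=%d prepared=%d\n", $label,
        exists_concat($db, $user, $email),
        exists_prepared($db, $user, $email));
}
```

Both functions agree on the ordinary input; on the second input the concatenated query counts every row in the table while the prepared statement counts none, which is the difference the escaped $sql array above is meant to close.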
Posted: Wed Sep 20, 2006 12:21 pm
by jolinar
And you actually PAID for this code?

Maybe the developer should be sent to a "secure computing" lecture or two. What's the mantra?
Treat all input as evil unless verified
Posted: Wed Sep 20, 2006 12:35 pm
by draco2317
Maugrim,
Maybe you are right, maybe I will stick around. I must say I have learned a lot about what not to do.
Posted: Wed Sep 20, 2006 12:57 pm
by draco2317
jolinar,
Well yes, I am sorta ashamed that I did pay for this code, not much but still more than I should have. The guy I bought it from was self-taught, not by reading books or anything, just trying stuff out, so he says. I bought this about a year ago, when I didn't know anything about programming, not that I know a lot now, and I have been burned. The one good thing about it is I can change and alter the code any way I want. I just wonder upon a full review if there would be more lines that needed correcting than ones that were okay. Live and learn I guess.
Posted: Wed Sep 20, 2006 1:30 pm
by RobertGonzalez
draco2317 wrote: I posted that question in the other forum, and as I stated when I posted it here, the other forum switched focus from my question to how I didn't follow the rules and my question was ignored. I wasn't trying to thread float, just wanted an answer. But don't worry, this will be my last post and also my last visit to this forum. I will find one that will answer my questions instead of just bashing me for screwing up. I have no problem being told that I messed up, but it seems like no one will shut up about it now and I got the point a while ago. I picked this thread to continue my question as it wasn't bloated with my screw up. If the mods didn't want a double thread they should have closed one of them. I regret that I am losing out on a good resource, but if I can get the help that it offers what am I really losing. While I know that not everyone here, probably just a handful, is to blame, however those people need to grow up and stop professing their superiority.
Just to clarify things a little bit, it is not anyone's intent to bash anyone or anyone's code. Your first post was appropriately placed in the PHP - Security forum. But there was not code in it for us to evaluate. The second post was placed in Coding Critique, which is where you put your code when you want others to tear into it to some degree. That is not a forum in which we expect to look at things like Security primarily (though we do when critiquing code). That forum is where we go to see how other people's code can be improved. After a few responses it was placed into PHP - Security to be evaluated for Security instead of general coding technique.
If I (and this is only from me) did or said anything that was received by you as offensive, I apologize. But please realize we, as moderators and admins, have jobs to do here to make sure our forums run smoothly for everyone. I am not trying to excuse any potentially offensive behavior on my part. I am just offering an explanation of why we do the things we do here.
Posted: Wed Sep 20, 2006 1:42 pm
by Luke
well put, Ev-dawg

Posted: Wed Sep 20, 2006 1:47 pm
by RobertGonzalez
Thanks Ninja.
