Have you been hacked ?

Dr Evil
Forum Contributor
Posts: 184
Joined: Wed Jan 14, 2004 9:56 am
Location: Switzerland

Have you been hacked ?

Post by Dr Evil »

Hi all,
just a quick question. Has any of you been hacked? If it was your code, what did you do to correct it?

Dr Evil
Straterra
Forum Regular
Posts: 527
Joined: Mon Nov 24, 2003 8:46 am
Location: Indianapolis, Indiana

Post by Straterra »

I have never been hacked, because I have taken the proper procedures to secure my system.
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Re: Have you been hacked ?

Post by Roja »

Dr Evil wrote: Hi all,
just a quick question. Has any of you been hacked? If it was your code, what did you do to correct it?

Dr Evil
While I haven't been hacked, I spend a considerable amount of time securing my system, and yes, my code.

How do you secure your code? Start by assuming that an attacker wants in, and wants as much access as possible. The first place you want to look is for anything that would give him database or admin access to the application.

Next I look at file permissions. On a poorly configured host, with loose permissions, it may be possible for an attacker to overwrite files and have them included in your code.

I even look at include() statements, as they often have things like include($somefile). If $somefile gets set by the user, and you don't do proper variable cleaning, you may be including THEIR code.

Finally I try to reduce the dangerous system calls - things like exec(), fopen(), and so on.

Most importantly, I continue to do that, over and over again. I don't ever stop. Security is a process, not a one-time fix.

Hope that helps. :)
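The include($somefile) pattern from the post above, shown beside a hardened version, as an added example that is not code from the thread. The page keys, the `pages/` directory and the `page` query parameter are constructed assumptions.

```php
<?php
// Added example (not from the thread): the include($somefile) pattern and a
// hardened replacement. PAGES, the pages/ directory and $_GET['page'] are
// constructed for illustration.

// VULNERABLE: whatever the user supplies is what gets included. With
// register_globals, or a direct $_GET read, the attacker picks the file.
function load_page_vulnerable(string $somefile): void
{
    include($somefile);   // user-controlled path reaches include()
}

// HARDENED: the user picks a key, never a path. The key is looked up in a
// fixed allow-list of files the application itself owns.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_page(string $requested): ?string
{
    // Exact-match lookup: no paths, no "../", no URLs, no null bytes.
    if (!array_key_exists($requested, PAGES)) {
        return null;
    }
    return __DIR__ . '/pages/' . PAGES[$requested];
}

function load_page_hardened(string $requested): void
{
    $path = resolve_page($requested);
    // Unknown key, or an allow-listed file that is missing on disk: stop.
    if ($path === null || !is_file($path)) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $path;
}

// Usage: load_page_hardened($_GET['page'] ?? 'home');
```

The allow-list also covers the file-permission point above: even if an attacker can drop a file somewhere on the host, no request can name it.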
Dr Evil
Forum Contributor
Posts: 184
Joined: Wed Jan 14, 2004 9:56 am
Location: Switzerland

Post by Dr Evil »

Thanks. That sounds quite smart. I try to code as safely as possible, but can't keep wondering if I'm up to date or if I thought of it all.

This question popped up when I read this post:
viewtopic.php?t=16997
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Post by Roja »

Dr Evil wrote: Thanks. That sounds quite smart. I try to code as safely as possible, but can't keep wondering if I'm up to date or if I thought of it all.
You probably haven't thought of it all, and probably aren't up to date.

Security is a trade-off. You are trading time spent securing the code to prevent time spent fixing what a hacker does if he gets in.

If you are spending 40 hours a week securing something that would take 2 hours to clean up, well, that's not a great trade-off.

It sounds like you genuinely care, and try to consistently apply secure principles, and that puts you ahead of 90%* of the coding population. :)


* - Statistic from "Lies, more lies and statistics - The art of making stuff up for online forum postings".
McGruff
DevNet Master
Posts: 2893
Joined: Thu Jan 30, 2003 8:26 pm
Location: Glasgow, Scotland

Post by McGruff »

I haven't been hacked but I did hack the easyspace hosting provider once - entirely by accident. A folder browsing script with an "up a level" method jumped right out of the client's domain and spewed out a list of all the other sites on the (shared) host.

That was a year ago - they still haven't fixed their setup.
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Post by Roja »

McGruff wrote: I haven't been hacked but I did hack the easyspace hosting provider once - entirely by accident. A folder browsing script with an "up a level" method jumped right out of the client's domain and spewed out a list of all the other sites on the (shared) host.

That was a year ago - they still haven't fixed their setup.
That's not necessarily insecure.

It's non-optimal, and it definitely leaves room for bad things to happen; however, it's not in-and-of-itself insecure.

Basically, it's not chrooting users. If you set up your scripts properly, and have your sensitive information in files that either aren't viewable by the webserver, OR store sensitive information outside of the main web folders, then you should be able to avoid any security issues.

That being said, from your description, they don't use separate web/non-web trees, and a number of scripts MUST have sensitive information in files viewable by the webserver user. So, yeah, it's probably insecure, but not for sure.

*I* certainly wouldn't host there. :)
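The script-side fix for the "up a level" folder browser McGruff describes (the host-side fix, chrooting users, is a separate matter), as an added example that is not code from the thread: canonicalise the requested path and refuse anything that resolves outside the client's own base directory. The base directory and the `dir` parameter are constructed assumptions.

```php
<?php
// Added example (not from the thread): confining a folder-browsing script
// to one base directory. $base and $requested are constructed inputs.

function resolve_within(string $base, string $requested): ?string
{
    // Canonicalise the base once; realpath() returns false if it is missing.
    $realBase = realpath($base);
    if ($realBase === false) {
        return null;
    }
    // Canonicalise the requested path too: this collapses ".." segments and
    // symlinks, so "../../" or a link pointing outside cannot slip through.
    $candidate = realpath($realBase . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false) {
        return null;            // does not exist or is not accessible
    }
    // Prefix check on the canonical form. The trailing separator matters:
    // "/home/client" must not match "/home/client2".
    $root   = rtrim($realBase, DIRECTORY_SEPARATOR);
    $prefix = $root . DIRECTORY_SEPARATOR;
    if ($candidate !== $root
        && strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;            // resolved outside the base: refuse
    }
    return $candidate;
}

function list_folder(string $base, string $requested): array
{
    $dir = resolve_within($base, $requested);
    if ($dir === null || !is_dir($dir)) {
        return [];              // refused paths produce an empty listing
    }
    // Only the entries of the confined directory are returned.
    return array_values(array_diff(scandir($dir), ['.', '..']));
}

// Usage: list_folder('/home/client/public_html', $_GET['dir'] ?? '.');
```

With this check an "up a level" request from the base directory resolves to the base itself and stops there, instead of listing the neighbouring sites on the shared host.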
microthick
Forum Regular
Posts: 543
Joined: Wed Sep 24, 2003 2:15 pm
Location: Vancouver, BC

Post by microthick »

I know there are a few developers here that code insecure login systems.

I've gotten admin access on a few of them using simple SQL injection.
jimbothegrey
Forum Newbie
Posts: 1
Joined: Tue Jan 27, 2004 3:24 am

I don't trust my code...

Post by jimbothegrey »

We use an engine called TotalShield from http://www.applicure.com
It sits outside Apache/PHP and filters anything that can go wrong...

This is a really nice add-on... saves a lot of time...
They also answer questions/requests quickly.

Cheers.