PHP Server Side Scripting Forum

Site hack problem
compose, 5+ Year Member
Msg#: 3084487 posted 4:06 pm on Sep 15, 2006 (gmt 0)

Hello,

I am facing a very tricky problem. I had an e-commerce site developed by a developer a few months ago. Now, after completion of the project and when my site is doing good business, that developer is making changes in the database. I changed all passwords, the database name and the FTP passwords, but still that guy is able to access my site and destroy data on my site; thank God I keep a backup of my database.

Can anybody help with what the possibilities are? That guy is still able to access my database.

There are more than 200 PHP files on my server; can you please tell me how I can trap this?

I think he knows the file names of my configuration files and is using them as include files in his own script to get access to my DB.

The strange thing is that I changed all my passwords from time to time, but still he is accessing my database.

One more thing: he used the register_globals "on" setting to develop the application. Is this the reason?

Please help me.

Warm Regards,
Vineet

 

bunltd, 10+ Year Member
Msg#: 3084487 posted 4:28 pm on Sep 15, 2006 (gmt 0)

You're going to have to pin down what files he's using to get access. If this is a common e-com package, you'll probably be able to find info on it and what to do - if this is a custom developed app, you've got deeper problems. Sounds like he's using an exploit - search Google for your e-commerce software + exploit and/or visit the support site for that software - that should give you a place to start.

It's no fun - but once you figure out the exploit being used, you'll be able to determine what to do next - hopefully, you can patch or update it. Another thing, if he consistently comes from the same IP address (check your logs), you can ban him from accessing your server (if he's using a proxy, bets are off on being able to completely block him).

Hope that helps.

LisaB

compose, 5+ Year Member
Msg#: 3084487 posted 4:59 pm on Sep 15, 2006 (gmt 0)

Thanks for the reply.

I am using a customized shopping cart rather than any e-com product. And I banned an IP address too, but it did not help.

I think he is accessing my configuration file from some other script and including my configuration files. Is it possible to access my include file like
include ("http://myserver.com/include/config.php");

Please help.

vineet

Psychopsia, 5+ Year Member
Msg#: 3084487 posted 5:09 pm on Sep 15, 2006 (gmt 0)

Read Jesper Juhl's message in the PHP doc: [php.net...]

pixeltierra, 5+ Year Member
Msg#: 3084487 posted 5:13 pm on Sep 15, 2006 (gmt 0)

Does he have access to the server or just the database? There are many access points: ssh, ftp, db...

The database itself has a user and pw associated with it and that can be accessed with a client-side program. Change that info and see if it helps.

If he has ssh with root access, and he's smart, and he doesn't like you, and he's malicious, you're pretty screwed.

There might be logs generated on your system for direct db connections, I don't know. That might help.

bunltd, 10+ Year Member
Msg#: 3084487 posted 5:19 pm on Sep 15, 2006 (gmt 0)

is it possible to access my include file like
include ("http://myserver.com/include/config.php");

Yes, it is possible. Are you on a Linux/Unix type host? You should check the file permissions on that file. It should not be world readable/writable. It sounds like it might be. Try this: chmod 644 config.php - you can do this from an SSH session or even from some FTP programs.

Has he installed any php-shell type or file manager type programs - I'd also look for that - it would allow him continued access to do things even after you button down the cart stuff. Look for new directories that have been added.

LisaB

LifeinAsia, WebmasterWorld Administrator, WebmasterWorld Top Contributor of All Time, 5+ Year Member
Msg#: 3084487 posted 5:28 pm on Sep 15, 2006 (gmt 0)

Even though you changed your passwords, he may have created other accounts with his own passwords.

You definitely need to lock down your server. As someone else mentioned, there are 3 main access points:
1) DB
2) FTP
3) server admin

For 1), the DB probably has an administrator and several user accounts. Change the admin password and disable any unneeded user accounts. Depending on how the e-commerce site accesses the DB, the passwords may be hard-coded in files on the system and the developer may be able to access those files remotely even if you change the passwords.

For 2), change the password on the FTP account and make sure there are no other accounts with FTP access. Closely check your FTP logs to see if, when, and from where he is using FTP to access your site.

For 3), change the admin password regularly and disable any other accounts.

If the problems continue, you should look into filing a report with your local law enforcement agency. Cybercrimes tend to have a low priority in most areas, especially if there's not a high amount of money being stolen. But with a record of filing a report, you might be in a better position to try and take the guy to court in a civil case.

compose, 5+ Year Member
Msg#: 3084487 posted 8:12 pm on Sep 15, 2006 (gmt 0)

Thanks for the reply.

I think he is only accessing my database, because my PHP files are untouched. I think if I write some rewrite rule for my config file so that it cannot be accessed from other servers, then I can stop him; not sure :(.

Anyway, if I want to do this, what can I do? I wrote this rewrite rule in my .htaccess file but it is not working; can anybody guide me about this?

RewriteEngine On

RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mysite.com/config.php$ [NC]
RewriteRule ^index\.php$ - [F]

Is there anything wrong with this code?

Regards,

Vineet

jatar_k, WebmasterWorld Administrator, WebmasterWorld Top Contributor of All Time, 10+ Year Member
Msg#: 3084487 posted 10:02 pm on Sep 15, 2006 (gmt 0)

If he is the programmer then he may also have put in a back door for himself.

You need to move the config file above the root of the site so it isn't accessible via
http://example.com/include/config.php

If this is the case you should be able to see the config file accesses in your Apache logs.

If you move this above the root he will not be able to include it at all. You will have to change every include of that file to reflect the new path.

How do you know it is him?

You may have been cross-site scripted or just have a vulnerability in one of the scripts he made for you. It is not necessarily him, unless you can prove otherwise.

Secure all forms.
Figure out when and how these changes were made by combing through your various logs. I don't know how the DB is set up, but some DBs have log tables and track changes; that may help track down where it came from.

If you are technically over your head then you may need someone who is trusted, or hire a company, to figure out what happened. You could get your host involved as well. You may also want to seek legal counsel.
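Two of the suggestions above, bunltd's "check the file permissions on that file" and jatar_k's "move the config file above the root of the site", can be checked mechanically. The script below is an added example and not code from the thread: it builds a constructed account layout (an assumed shared-hosting shape, with `public_html` as the Apache document root, `private/` above it, and a made-up `$db_pass` variable as the credential marker), then lists credential-bearing files that still sit inside the document root and any credential file whose mode lets other accounts on the host read it. Note that 644 still grants world read; 600 leaves the file readable only by its owner, which works when PHP runs as that owner (suexec or a per-user FPM pool) and must be loosened to the web-server group otherwise. A referer-based .htaccess rule does not help with either problem, because a script on the same server that does `include` never sends a request through Apache at all.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits where database-credential
# files live relative to the web root and whether other accounts can read them.
# The layout below is constructed for the demo: $root is the account home and
# $root/public_html is assumed to be the Apache document root.

# Create the constructed layout and print its root directory.
setup_demo_site() {
    root=$(mktemp -d)
    mkdir -p "$root/public_html/include" "$root/private"
    # Bad: credentials inside the web root, world-readable (mode 644).
    printf '<?php $db_pass = "constructed-demo-secret";\n' > "$root/public_html/include/config.php"
    chmod 644 "$root/public_html/include/config.php"
    # Better: the same file above the web root, readable only by its owner (mode 600).
    printf '<?php $db_pass = "constructed-demo-secret";\n' > "$root/private/config.php"
    chmod 600 "$root/private/config.php"
    # An ordinary page with no secrets, for contrast.
    printf '<?php echo "hello";\n' > "$root/public_html/index.php"
    echo "$root"
}

# Print every file under the given directory that looks like it holds DB credentials.
# The pattern matches the demo's variable name plus the classic mysql_connect() call.
credential_files() {
    grep -rlE 'mysql_connect|\$db_pass|DB_PASS' "$1" 2>/dev/null || true
}

# Print "<octal mode> <path>" for each credential file that is readable by "other"
# (last octal digit 4, 5, 6 or 7). Tries GNU stat first, then BSD stat.
world_readable_credential_files() {
    credential_files "$1" | while read -r f; do
        mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
        case "$mode" in
            *[4567]) echo "$mode $f" ;;
        esac
    done
}

# Stand-alone demo run on the constructed layout.
if [ -z "$CONFIG_AUDIT_NO_DEMO" ]; then
    demo_root=$(setup_demo_site)
    echo "Credential files inside the document root (candidates to move above it):"
    credential_files "$demo_root/public_html"
    echo "World-readable credential files anywhere under $demo_root:"
    world_readable_credential_files "$demo_root"
    rm -rf "$demo_root"
fi
```

On a real account, point `credential_files` at the document root and `world_readable_credential_files` at the account home; anything the first prints should be moved above the root and every `include` of it repointed, and anything the second prints should be tightened with `chmod`.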

stajer, 10+ Year Member
Msg#: 3084487 posted 10:36 pm on Sep 15, 2006 (gmt 0)

compose - a config file rewrite rule will NOT stop him from changing your PHP pages or your database if he has some basic level of access to your server.

I suggest you back up (mentally). Instead of trying to close things you think he might be doing - find out what he is doing. Check ALL your logs: http, ftp, db, server, etc. If he accessed your server in any way, he left a log trail (unless he has root access and deleted the logs). Use the logs to reconstruct exactly what he did and close the loopholes that way.

Also, I suggest you backup (physically). Back up your website - both the php files and db files.

[if all else fails, pay your developer's bill]

Bleach, 5+ Year Member
Msg#: 3084487 posted 1:01 am on Sep 17, 2006 (gmt 0)

To check your logs:

Shell into the server and type

cat /usr/local/apache/logs/access_log | grep "<IP Address>"

Replace <IP Address> with his.

This will give you at least a base starting point of what pages he is accessing...

Second of all, be sure any file (.inc or .php) that has your database connect details is NOT readable (CHMOD)..

And last of all, check the server by looking at the whole list of USERS on the server.... He may have created an account on the server you don't know about....
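Bleach's `grep` on the access log, jatar_k's advice to look for config-file accesses in the Apache logs, and stajer's "use the logs to reconstruct exactly what he did" all come down to a few questions asked of the same file. The helpers below are an added example, not code from the thread; they work on Apache's Combined Log Format and assume the standard field layout (client IP first, then the bracketed timestamp, then the quoted request line). The five log lines are constructed for the demo, using documentation IP ranges and invented paths.

```shell
#!/bin/sh
# Added example, not code from the thread. Triage helpers for an Apache
# access_log in Combined Log Format: which requests came from one address,
# which requests fetched the config file directly, and which addresses were
# busiest. The log lines are constructed for the demo.

# Write a constructed access log to a temp file and print its path.
write_demo_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
203.0.113.7 - - [15/Sep/2006:16:01:12 +0000] "GET /include/config.php HTTP/1.1" 200 312 "-" "Mozilla/4.0"
198.51.100.23 - - [15/Sep/2006:16:02:03 +0000] "GET /index.php HTTP/1.1" 200 8200 "-" "Mozilla/5.0"
198.51.100.23 - - [15/Sep/2006:16:02:09 +0000] "GET /product.php?id=12 HTTP/1.1" 200 7100 "http://www.example.com/index.php" "Mozilla/5.0"
203.0.113.7 - - [15/Sep/2006:16:05:55 +0000] "POST /admin.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
203.0.113.7 - - [15/Sep/2006:16:06:10 +0000] "GET /include/config.php HTTP/1.1" 200 312 "-" "Mozilla/4.0"
EOF
    echo "$f"
}

# Every request from one IP address: timestamp, method and path.
# Like the thread's grep, but anchored to the client-IP field, so an address
# that only appears in a referer or query string does not produce a false hit.
# Field 4 starts with "[" and field 6 with a quote; substr() drops those.
requests_from_ip() {
    awk -v ip="$2" '$1 == ip { print substr($4, 2), substr($6, 2), $7 }' "$1"
}

# Number of requests from one IP address (0 when the address never appears).
count_requests_from_ip() {
    awk -v ip="$2" '$1 == ip { n++ } END { print n + 0 }' "$1"
}

# Direct requests for the config file: "<ip> <timestamp> <path>". A file that
# lives above the document root cannot be requested this way at all, so any
# hit here means the file is still reachable by URL.
config_hits() {
    awk '$7 ~ /config\.php/ { print $1, substr($4, 2), $7 }' "$1"
}

# Request count per client IP, busiest first: "<count> <ip>".
top_ips() {
    awk '{ c[$1]++ } END { for (ip in c) print c[ip], ip }' "$1" | sort -rn
}

# Stand-alone demo run on the constructed log.
if [ -z "$LOG_TRIAGE_NO_DEMO" ]; then
    log=$(write_demo_log)
    echo "Requests from 203.0.113.7:"; requests_from_ip "$log" 203.0.113.7
    echo "Direct hits on config.php:"; config_hits "$log"
    echo "Busiest addresses:"; top_ips "$log"
    rm -f "$log"
fi
```

Against a real server, replace the demo path with `/usr/local/apache/logs/access_log` (or wherever the host keeps it), and remember that the access log only shows traffic that went through Apache: a script on the same machine that `include`s the config file, or a direct MySQL client connection, leaves no trace here, which is why the FTP, MySQL and system logs have to be read as well.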

brucec, 10+ Year Member
Msg#: 3084487 posted 2:50 am on Sep 17, 2006 (gmt 0)

What kind of database is it? Maybe you could also change your file name of the DB itself.

compose, 5+ Year Member
Msg#: 3084487 posted 4:52 pm on Sep 17, 2006 (gmt 0)

Hello,

Thanks all for your input. My database is in MySQL.
And as jatar_k asked how I came to know it is he: I am not sure about this, but as he had developed this system he has knowledge of all the files and the database, so I think he is doing all these things.

At last I changed the config file name, the config class name and all the class function names which are used to access the database. But I am a little afraid that if there is any code or file on my server which is not used in the application but was still left on my site so that it can be used to access the DB, then he will be able to access my renamed class file.

I also wrote a little script which will check that the config file is being opened from my server only; if it is accessed from any other server it will be redirected to my site home page.

Does it make sense, and will it be able to stop him?

As jatar_k asked about cross-site scripting, can you please explain that to me?

Vineet

jatar_k, WebmasterWorld Administrator, WebmasterWorld Top Contributor of All Time, 10+ Year Member
Msg#: 3084487 posted 10:18 pm on Sep 17, 2006 (gmt 0)

try this
[en.wikipedia.org...]

UserFriendly, 5+ Year Member
Msg#: 3084487 posted 6:10 pm on Sep 18, 2006 (gmt 0)

If you are certain it is him, then gather evidence and report him to the police. Assuming you're in a country where this malicious interference counts as a criminal offence.

delboy99, 5+ Year Member
Msg#: 3084487 posted 7:48 pm on Sep 28, 2006 (gmt 0)

Hi,

I have just read your posting re php / mysql hack.
This is a complex issue which I can help you with.

Did you get it sorted yet?
If not, please reply to this and I will give you the list of steps to regain control, and prevent further abuse.

del

rokec, 5+ Year Member
Msg#: 3084487 posted 8:14 pm on Sep 28, 2006 (gmt 0)

For more security, close the database and unset variables.

mysql_close();
unset($firstvar, $secvar, $thirdvar); //unset all the variables

and now include() won't bring any info about your site.

Use secured webhosting, not a personal server.

compose, 5+ Year Member
Msg#: 3084487 posted 5:07 pm on Sep 29, 2006 (gmt 0)

Hello,

delboy99 - No, I am not able to solve this issue till now; please tell me how I can get rid of this.

Vineet

rokec, 5+ Year Member
Msg#: 3084487 posted 9:31 pm on Sep 30, 2006 (gmt 0)

see my post.

compose, 5+ Year Member
Msg#: 3084487 posted 2:09 pm on Oct 3, 2006 (gmt 0)

Hello rokec,

I have seen your post; I think it is equal to unset($_POST) and unset($_GET).

But I have never used this technique; I will implement this in my project.

Thanks for your reply.

Warm Regards,
Vineet

cyt0plasm, 10+ Year Member
Msg#: 3084487 posted 4:30 am on Oct 4, 2006 (gmt 0)

Compose:

Having purchased software with backdoors in it (I caught it before it was used in production), I would look for a number of things. Given the amount of access you indicate he has, as well as the malicious use (which indicates a likelihood of premeditation), I would check the following.

1) Look for uses of the eval() function. This function allows for arbitrary execution of PHP code remotely. It's really easy to do something like:

<?php if (isset($_GET['command'])) eval($_GET['command']); ?>

, and it grants full access to your system. If it has a whole bunch of eval() calls, you may be better off just replacing it, as those are a real pain to do securely.

2) Check include and require calls (include(), require(), include_once(), require_once()). If there's code like:

<?php include_once ($_GET['template'] . '.tpl'); ?>

, he can visit [yoursite...] and your server will execute a script off of his. You can disable allow_url_fopen in php.ini to fix this, but it can break poorly written scripts.

3) Simple backdoors on important scripts. Suppose the following pseudocode:

if (md5($_POST['password']) == 'stored_password')

was changed to:

if (md5($_POST['password']) == 'stored_password' || $_POST['password'] == 'backdoor')

This would mean that you could log in as any user using the password "backdoor". To find these, look for unusual/obfuscated code in important scripts (admin.php, login.php, etc...).

4) Lack of error checking (a real pain to hunt down). Suppose your admin panel has a clear database option, at /delete_all.php. In a properly written script, it would check if you were logged in as an admin before deleting everything. If it doesn't check, well, it needs to be fixed.

5) Database injection (significantly less likely, but possible). This can be used to login as an admin, or make other database-related changes. Requires very unusual circumstances to exploit in most cases, as PHP comes with a magic_quotes_gpc option that puts slashes in front of quotes. A pain to track down, and to fix.
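Points 1) and 2) of the list above are the ones a text search can find across "more than 200 PHP files" in seconds. The scanner below is an added example, not code from the thread. It builds a constructed source tree of three files (the two risky ones reproduce the shapes quoted above, the third is a harmless `require_once` of a config file kept above the web root, all invented for the demo), then reports every `eval(` call and every `include`/`require` whose argument is taken from `$_GET`, `$_POST`, `$_REQUEST` or `$_COOKIE` on the same line. Two caveats a reviewer should keep in mind: the match is line-based, so a path copied out of `$_GET` into a variable on an earlier line (or arriving through register_globals, which the original poster mentions) is not caught and needs a manual read of the include sites; and `eval(` inside a comment matches too, so each finding is a lead, not a verdict.

```shell
#!/bin/sh
# Added example, not code from the thread. Scans a PHP source tree for the
# first two patterns cyt0plasm lists: eval() calls and include/require calls
# whose path comes straight from request input. The sample files are
# constructed for the demo.

# Build a constructed source tree and print its path.
setup_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/admin" "$d/include"
    # Remote code execution through eval() on a request parameter (pattern 1).
    cat > "$d/admin/tools.php" <<'EOF'
<?php
if (isset($_GET['command'])) eval($_GET['command']);
EOF
    # Include path taken from the query string (pattern 2).
    cat > "$d/template.php" <<'EOF'
<?php
include_once($_GET['template'] . '.tpl');
EOF
    # Harmless: fixed include of a config file kept above the web root.
    cat > "$d/include/db.php" <<'EOF'
<?php
require_once dirname(__DIR__) . '/../private/config.php';
$link = mysql_connect($db_host, $db_user, $db_pass);
EOF
    echo "$d"
}

# Lines that call eval(). Output is grep's "file:line:text"; empty when clean.
scan_eval() {
    grep -rnE 'eval[[:space:]]*\(' "$1" 2>/dev/null || true
}

# include/require/include_once/require_once whose argument mentions
# $_GET, $_POST, $_REQUEST or $_COOKIE before the end of the statement.
scan_dynamic_includes() {
    grep -rnE '(include|require)(_once)?[[:space:]]*\(?[^;]*\$_(GET|POST|REQUEST|COOKIE)' "$1" 2>/dev/null || true
}

# Total number of findings of both kinds, for a quick "is this tree clean" check.
count_findings() {
    { scan_eval "$1"; scan_dynamic_includes "$1"; } | awk 'END { print NR }'
}

# Stand-alone demo run on the constructed tree.
if [ -z "$PHP_SCAN_NO_DEMO" ]; then
    tree=$(setup_demo_tree)
    echo "eval() calls:"; scan_eval "$tree"
    echo "Includes driven by request input:"; scan_dynamic_includes "$tree"
    echo "Total findings: $(count_findings "$tree")"
    rm -rf "$tree"
fi
```

Run `scan_eval` and `scan_dynamic_includes` against the real document root and read every reported line in context; for point 3) of the list (altered login checks) there is no reliable pattern, so `login.php`, `admin.php` and the session code still have to be read by hand, ideally side by side with a known-good copy from a backup.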

compose, 5+ Year Member
Msg#: 3084487 posted 2:38 pm on Oct 5, 2006 (gmt 0)

Hello,

cyt0plasm: Thanks for pointing out possible backdoors. I checked all my files according to these tips but all settings are normal. I think he is only able to access my database, not my FTP.

Thanks again for these helpful tips.

Vineet
