someone is hacking my site, please help

         

tausi

4:08 pm on Jan 12, 2006 (gmt 0)

10+ Year Member



I don't know how she/he does it. Please, someone explain it to me. He posts some crazy stuff in my guestbook, like gambling sites etc.
Yesterday I took out the sign page of the guestbook, so that no one can post anything anymore. I left the view page up. Today he has made more than 5 posts. How? I am using PHP and a MySQL database. So to post he has to insert the entries into my database. Does it mean he is hacking my site? I need help.

ska_demon

4:12 pm on Jan 12, 2006 (gmt 0)

10+ Year Member



From where I am sat it sounds like this person has guessed your admin password or is exploiting a known hole in your guest book script. It is quite simple to search for say "guestbook v2.0" and find sites that are using it. If that version has known holes anybody could hack it.

Change your admin password!

Ska

Easy_Coder

4:23 pm on Jan 12, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Where did the guestbook page post to? Did you yank that page too?

tausi

4:28 pm on Jan 12, 2006 (gmt 0)

10+ Year Member



I removed the guestbook. I implemented my own guestbook. Here is the link to the viewguestbook.

[edited by: physics at 4:39 pm (utc) on Jan. 12, 2006]

[edited by: tausi at 4:42 pm (utc) on Jan. 12, 2006]

tausi

4:33 pm on Jan 12, 2006 (gmt 0)

10+ Year Member



Now I'm realizing that even though I removed the signguestbook page, I left the script which sends the data to the database. But still, how can he send using my script to my database? Please give me some more ideas. The guy is so persistent. Every day he comes to my web and he is hiding under a proxy. Is there a way to track a user who is using a proxy?

ska_demon

4:35 pm on Jan 12, 2006 (gmt 0)

10+ Year Member



Tut Tut TOS [webmasterworld.com]

Out of interest why did you delete the guestbook?

Was it because you got hacked?

Did you try to change the admin password?

Do you think that implementing a new guestbook will prevent any future hacks or do you just want to give the hacker a new challenge ;oP

Ska

ska_demon

4:37 pm on Jan 12, 2006 (gmt 0)

10+ Year Member



The hacker knows your admin password, I'm sure of that. That's why he doesn't need the sign guestbook page. He can just add the entry straight into your database. Simple as that! Try accessing your database from the URL. You might find that anybody can edit it without any sort of security. Especially if it was a free script.

Ska

neo_brown

4:39 pm on Jan 12, 2006 (gmt 0)

10+ Year Member



Wouldn't he just have to duplicate the form you were using?
In your original page you would have had the path to your script and the variable names used. This information is publicly accessible, just view the source for the page.
So he could now simply post the variable to your script in the same way you did (I think). I believe someone already suggested this was what was happening.

physics

5:43 pm on Jan 12, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member




The hacker knows your admin password, I'm sure of that.

How are you sure? As others have mentioned, the form can be removed but if the script still exists the hacker can call the script directly by URL or by posting values with his program.
You should remove the whole guestbook program or at least remove/rename the file that is accepting the POST/GET requests.

physics

5:44 pm on Jan 12, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member




I left the script which sends the data to the database.

Remove/rename that.

mack

5:58 pm on Jan 12, 2006 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



I don't see this as a hack. If you allow people to post messages in the guest book then to an extent it is open to abuse.

Very often people will use bots to locate guestbooks and inject data into them. The form that users use is only an interface. All that needs to happen is the details will be added to the url as fields. The script will then handle this as if it came from a user and make it available from within your guestbook.

It is possible your script is using a common name and the exploiters are able to locate such files using Google.

As Physics said, rename the file.

Mack.
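
The situation described in the replies above (form page removed, submission script still reachable) can be confirmed from the web server's access log. The following is an added example, not code from any poster in this thread: it flags accepted requests to the submission script from clients that never loaded the form. The two paths and all log lines are constructed assumptions.

```python
import re

# Assumed paths, not taken from the thread: the form page and the script it submits to.
FORM_PATH = "/guestbook/sign.php"
HANDLER_PATH = "/guestbook/add_entry.php"

# Apache/nginx "combined" access-log format.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"'
)

# Constructed sample log (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Jan/2006:09:14:02 +0000] "GET /guestbook/sign.php HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2006:09:15:40 +0000] "POST /guestbook/add_entry.php HTTP/1.1" 302 0 "http://example.com/guestbook/sign.php" "Mozilla/5.0"
203.0.113.50 - - [12/Jan/2006:03:02:11 +0000] "POST /guestbook/add_entry.php HTTP/1.0" 200 512 "-" "-"
203.0.113.50 - - [12/Jan/2006:03:02:13 +0000] "GET /guestbook/add_entry.php?name=a&msg=b HTTP/1.0" 200 512 "-" "-"
192.0.2.9 - - [12/Jan/2006:04:20:00 +0000] "GET /guestbook/sign.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Jan/2006:04:20:05 +0000] "POST /guestbook/add_entry.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.77 - - [13/Jan/2006:03:05:00 +0000] "POST /guestbook/add_entry.php HTTP/1.0" 404 209 "-" "-"
"""


def find_direct_submissions(log_text):
    """Return (ip, method, path, status) for accepted handler requests from
    clients that never received the form page with a 200."""
    got_form = set()
    flagged = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = m["path"].split("?", 1)[0]  # GET submissions carry fields in the query
        if path == FORM_PATH and m["method"] == "GET" and m["status"] == "200":
            got_form.add(m["ip"])
        elif path == HANDLER_PATH and m["status"][0] in "23":
            # Per-IP matching is a heuristic: clients behind rotating proxies
            # can look like several addresses.
            if m["ip"] not in got_form:
                flagged.append((m["ip"], m["method"], m["path"], m["status"]))
    return flagged


if __name__ == "__main__":
    for hit in find_direct_submissions(SAMPLE_LOG):
        print(*hit)
```

Once the script has been removed or renamed, the same requests show up with a 404 status and are no longer flagged, as in the last sample line.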