Trying to figure out how my site got hacked

new to php and mysql

         

Shanee

10:27 pm on Jul 21, 2006 (gmt 0)

10+ Year Member



hello...
First of all, I want to say that I am new to PHP+MySQL.

I am using a PHP+MySQL CMS for my jokes website. Someone hacked my site three times; after that, when I log in to my FTP account I get an index.htm which contains messages from the damn hacker. Can anyone tell me what the flaw or the reason for this problem may be?
Thanks

[edit reason] no urls thanks [/edit]

[edited by: jatar_k at 10:29 pm (utc) on July 21, 2006]

jatar_k

1:50 am on Jul 22, 2006 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



It's hard to say really.

What software packages do you use on your site? Blog software, forum software, image uploads or others?

Have they replaced your index page?

Have you spoken to your host at all?

lammert

9:15 am on Jul 22, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



As a user, it is always difficult to tell which flaw caused a problem with a PHP-based CMS system. If it were easy, the developers would have closed that hole before the CMS went into production :)

What you can do, however, is block write access to your site directories and .php files with chmod (assuming you are on Unix) for the user that runs the httpd process on your server. Even if there are holes in the CMS (almost all CMS systems have them, hackers just need to find them), the hacker won't succeed in messing up your site because it is not possible to change your existing .php files or upload new files.
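
The chmod approach described in the post above, as an added example that is not part of the original thread. It assumes the site files are owned by your own FTP/shell account and that httpd runs as a different user; the function names `list_writable` and `lock_down` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Assumption: the site files belong to
# your own FTP/shell account and httpd runs as a different user, so the
# group/other write bits are what let the web server modify them.

# list_writable DIR: print files and directories under DIR that group or
# other may write to. find does not follow symlinks here, so targets
# outside DIR are ignored.
list_writable() {
    find "$1" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) -print
}

# lock_down DIR: drop group/other write on every file and directory under
# DIR. Owner permissions are left alone, so you can still upload over FTP.
lock_down() {
    find "$1" \( -type f -o -type d \) -exec chmod go-w {} +
}

# Usage: sh lockdown.sh /path/to/webroot
# Shows what is writable, tightens it, then confirms nothing is left.
if [ "$#" -ge 1 ]; then
    echo "Writable by group/other before:"
    list_writable "$1"
    lock_down "$1"
    echo "Writable by group/other after:"
    list_writable "$1"
fi
```

Any directory the CMS itself must write to will need write access restored on that path alone.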

Shanee

11:10 am on Jul 22, 2006 (gmt 0)

10+ Year Member



Dear mates, thanks for replying to me.
I am using EasySiteNetwork Jokes CMS and also using a script for users which helps them send me jokes:
<?php

// Configuration Settings
$SendFrom = "Add The joke";
$SendTo = "jokespk@gmail.com";
$SubjectLine = "Add the Joke";
$ThanksURL = "http://www.example.com/joke-added.php"; //confirmation page
$Divider = "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~";

// Build Message Body from Web Form Input
// (starts with the sender's reverse-resolved host name)
$MsgBody = @gethostbyaddr($_SERVER["REMOTE_ADDR"]) . "\n$Divider\n";
// Append every submitted form field as "name: value"
foreach ($_POST as $Field => $Value) {
    $MsgBody .= "$Field: $Value\n";
}
$MsgBody .= $Divider . "\n" . $_SERVER["HTTP_USER_AGENT"] . "\n";
$MsgBody = htmlspecialchars($MsgBody); //make content safe

// Send E-Mail and Direct Browser to Confirmation Page
// (no form input is placed in the mail headers, only in the body)
mail($SendTo, $SubjectLine, $MsgBody, "From: " . $SendFrom);
header("Location: $ThanksURL");
exit; // stop the script once the redirect header has been sent
?>

Is there any flaw in the PHP code above which helps the hacker attack my site?
Whenever I noticed the attack, I found a new file in the root directory of my site, like (index.html, hacked.txt etc...).
I am really scared because of this problem. It would be so nice if someone could just give me a way to fix or stop such attacks.
Thanks
Shanee

[edited by: coopster at 4:43 pm (utc) on July 22, 2006]
[edit reason] generalized domain [/edit]

dreamcatcher

11:50 am on Jul 22, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Hi Shanee,

Is that a writeable config file? If so, are you forgetting to remove the write permissions after editing? For added security pop the config file outside of your web root.

dc

Shanee

12:58 pm on Jul 22, 2006 (gmt 0)

10+ Year Member



Dear mate,
the code above is outside the CMS. The CMS contains just one file which has a writable function, and that needs admin access, but I am still wondering how the attackers can create files on my site like the one I mentioned (index.htm).

Thanks