Bitcoin Forum

Have you got input sanitation in place? I think the method they used was simply SQL Injection. I can't test, though, since the database is either offline or the form php file isn't configured correctly. But you just have to prevent SQL injection by sanitizing the input.

Php.net has a huge article all about it.

http://php.net/manual/en/security.database.sql-injection.php

Shows common attacks, and the solution.

"Never connect to the database as a superuser or as the database owner. Use always customized users with very limited privileges."

Sanitize anything coming from the client that you're going to insert into a database using mysqli_real_escape_string.

PHP.Net documentation for that here
http://www.php.net/manual/en/mysqli.real-escape-string.php

Were the credentials for the database the same as credentials for ssh or any other file server running?

Perhaps it's something else.

http://httpd.apache.org/security/vulnerabilities_22.html

Here there seems to be some documented vulnerabilities for the version of the webserver you are running. Perhaps that's why and perhaps you should update to the latest version?

I will give it a try later today.. Sure it was done through the form and not through FTP?

Nearly positive. I was told by the hacker it was done through the login form. First he modified the login page, then probably grabbed my SQL login through a similar manner.

Or... that's just a red herring. I highly doubt a SQL exploit can modify web pages.

do you have brute force protection as well? because someone can just run bruteforce until it pops a correct user and pass.

I never said it was an SQLi. I just know it used the login form that uses an SQL database, and he just managed to grab my SQL info for other purposes after breaking my form.
That isn't the issue here.

<?php
$ip = $_SERVER['REMOTE_ADDR'];
$time = date("l dS of F Y h:i:s A");
$script = $_SERVER[PATH_TRANSLATED];
$fp = fopen ("[WEB]SQL_Injection.txt", "a+");
$sql_inject_1 = array(";","'","%",'"'); #Whoth need replace
$sql_inject_2 = array("", "","","&quot;"); #To wont replace
$GET_KEY = array_keys($_GET); #array keys from $_GET
$POST_KEY = array_keys($_POST); #array keys from $_POST
$COOKIE_KEY = array_keys($_COOKIE); #array keys from $_COOKIE
/*begin clear $_GET */
for($i=0;$i<count($GET_KEY);$i++)
{
$real_get[$i] = $_GET[$GET_KEY[$i]];
$_GET[$GET_KEY[$i]] = str_replace($sql_inject_1, $sql_inject_2, HtmlSpecialChars($_GET[$GET_KEY[$i]]));
if($real_get[$i] != $_GET[$GET_KEY[$i]])
{
fwrite ($fp, "IP: $ip\r\n");
fwrite ($fp, "Method: GET\r\n");
fwrite ($fp, "Value: $real_get[$i]\r\n");
fwrite ($fp, "Script: $script\r\n");
fwrite ($fp, "Time: $time\r\n");
fwrite ($fp, "==================================\r\n");
}
}
/*end clear $_GET */
/*begin clear $_POST */
for($i=0;$i<count($POST_KEY);$i++)
{
$real_post[$i] = $_POST[$POST_KEY[$i]];
$_POST[$POST_KEY[$i]] = str_replace($sql_inject_1, $sql_inject_2, HtmlSpecialChars($_POST[$POST_KEY[$i]]));
if($real_post[$i] != $_POST[$POST_KEY[$i]])
{
fwrite ($fp, "IP: $ip\r\n");
fwrite ($fp, "Method: POST\r\n");
fwrite ($fp, "Value: $real_post[$i]\r\n");
fwrite ($fp, "Script: $script\r\n");
fwrite ($fp, "Time: $time\r\n");
fwrite ($fp, "==================================\r\n");
}
}
/*end clear $_POST */
/*begin clear $_COOKIE */
for($i=0;$i<count($COOKIE_KEY);$i++)
{
$real_cookie[$i] = $_COOKIE[$COOKIE_KEY[$i]];
$_COOKIE[$COOKIE_KEY[$i]] = str_replace($sql_inject_1, $sql_inject_2, HtmlSpecialChars($_COOKIE[$COOKIE_KEY[$i]]));
if($real_cookie[$i] != $_COOKIE[$COOKIE_KEY[$i]])
{
fwrite ($fp, "IP: $ip\r\n");
fwrite ($fp, "Method: COOKIE\r\n");
fwrite ($fp, "Value: $real_cookie[$i]\r\n");
fwrite ($fp, "Script: $script\r\n");
fwrite ($fp, "Time: $time\r\n");
fwrite ($fp, "==================================\r\n");
}
}

/*end clear $_COOKIE */
fclose ($fp);
?> 

derp sorry. to me it sounds like sql injection just put this at the header of every page and that will reject those requests and log their ip and the string they tried to use. Also are you running this website from home using apache?

The server is a professional setup that my friend owns (he hosts many sites). I'd normally have logs of what strings were used but not in this case. I'll add this for the future, thanks.

Still searching for the actual exploit. The hacker claimed it was relatively simple to execute but I can't imagine how he manage to modify the page permanently unless he had a way to escape and execute his own PHP.

their may be a exploit in the apache server that hosts the site. in regular apache that isn't modified it would take someone a few seconds to gain access and deface a site or have access to all the files. You might be able ot find how he did it be googling something to do with apache and defacing sites/ gaining access to db's

I'll take a look into this, but it wouldn't explain why the hacker didn't cleanly deface the main page and left some odd escaped tags - this is what leads me to believe it was done ONLY using the form.

I'll take a look into this, but it wouldn't explain why the hacker didn't cleanly deface the main page and left some odd escaped tags - this is what leads me to believe it was done ONLY using the form.

if he was using the form then he used sql injection which i  provided the fix above for.

no new data in the database asking with permanently modifying the page says otherwise.

 Is apache the only other potential beach?

IP: 142.68.145.165
Method: COOKIE
Value: {"distinct_id": "75dde009-e9fe-4dd3-a685-b758925f480f","$initial_referrer": "$direct","$initial_referring_domain": "$direct"}
Script:
Time: Sunday 20th 2012f May 2012 03:48:52 PM
==================================

it probably your little 10yr old sister... who knows user/pass :P

j/k

no new data in the database asking with permanently modifying the page says otherwise.

 Is apache the only other potential beach?

I think the point everyone is missing is that the PHP file was altered.

Not something that's easy to do from the database.

Do you use eval() anywhere?

Just as a sanity check; the screenshot you provided, is this what you actually saw yourself?
Or is this what the 'hacker' provided you with?

I did some checks on your website, but there is nothing really compromised as far as I can see.
I did manage to register on your website and inject some code into scan.php
e.g.: http://198.12.67.18/test/scan.php?code=%22%22%3ETroolol%3Ca

By some source-code reviewing I saw you had used a login-script you downloaded somewhere ("Registration/Login Form by html-form-guide.com"). By downloading the package I found out which php-files exist in your directory (or existed) and managed to register myself as user "test".

Didn't spend a lot of time, but maybe the code is vulnerable somewhere. The package I downloaded seems okay.. did you get an older version?

Well... the form is vulnerable to XSS (and screenshot looks like, too) as single quotes in inputs are not escaped... but that alone would not gain him database credentials. did he really modify some files or only made it look like they were modified?

Can you provide the php source code? A code rewiew would be easier than blind guessing.


Proof for XSS:
enter as user (or pass) and click on the input field afterwards. Could also be used in a similar way to inject images/html code into the website or steal cookies.

He blind hacked it in minutes without source access, so I am offering the bounty for the same thing.

He blind hacked it in minutes without source access, so I am offering the bounty for the same thing. td204 is right in that I am using that 3rd party form for logins, so you can look for it and see the source.

He blind hacked it in minutes without source access, so I am offering the bounty for the same thing. td204 is right in that I am using that 3rd party form for logins, so you can look for it and see the source.

short version:
You have more than 30 vulnerabilities including a severe one that you need to address immediately.  I've only completed 5% of my scan.

dear OP.  turn off your website.  it's bad.

back in a couple.

short version:
You have more than 30 vulnerabilities including a severe one that you need to address immediately.  I've only completed 5% of my scan.

I think I found your problem.


sending report via PM

I hit your server 25,000 times.  You have serious vulnerabilities as listed in this image:
http://postimg.org/image/rnegf0m6n/


06.20 20:04.24, Started scanning http://http:80//198.12.67.18/test:80/ ...
06.20 20:04.24, Start URL : http://http:80//198.12.67.18/test:80/
06.20 20:04.24, Scanning Mode : Heuristic
06.20 20:04.24, Server banner: Unknown
06.20 20:04.25, Crawling started, URL: http://http//198.12.67.18/test:80/
06.20 20:04.26, Unable to detect custom 404 pattern automatically.
06.20 20:04.26, Some crawling options will be automatically disabled.
06.20 20:04.26, Processing file /198.12.67.18/test:80
06.20 20:04.27, Analyzing client side JavaScripts
06.20 20:04.27, Analyzing file: http://http/198.12.67.18/test:80/
06.20 20:04.27, Script analysis done
06.20 20:04.27, Processing file /198.12.67.18/test:80 (variation 1)
06.20 20:04.27, Processing file /198.12.67.18/test:80 (variation 2)
06.20 20:04.27, Searching for possible site errors.
06.20 20:04.27, Searching for aspect alerts.
06.20 20:04.27, Crawling done.
06.20 20:04.27, Scanning started.
06.20 20:05.20, Finished scanning.
06.20 20:05.20, Flush file buffers.
06.20 20:05.41, Started scanning http://198.12.67.18:80/test:80/ ...
06.20 20:05.41, Start URL : http://198.12.67.18:80/test:80/
06.20 20:05.41, Scanning Mode : Heuristic
06.20 20:05.41, Server banner: Apache 2.x
06.20 20:05.41, Crawling started, URL: http://198.12.67.18/test:80/
06.20 20:05.42, Apache mod_negotiation filename bruteforcing
06.20 20:05.42, Error page Web Server version disclosure
06.20 20:05.43, Searching for possible site errors.
06.20 20:05.43, Searching for aspect alerts.
06.20 20:05.43, Crawling done.
06.20 20:05.43, Scanning started.
06.20 20:05.45, Apache httpd Remote Denial of Service
06.20 20:06.00, CSRF testing finished.
06.20 20:06.00, Finished scanning.
06.20 20:06.00, Flush file buffers.
06.20 20:06.47, Started scanning http://198.12.67.18:80/ ...
06.20 20:06.47, Start URL : http://198.12.67.18:80/
06.20 20:06.47, Scanning Mode : Heuristic
06.20 20:06.47, Server banner: Apache 2.x
06.20 20:06.47, Crawling started, URL: http://198.12.67.18/
06.20 20:06.49, Processing file /
06.20 20:06.49, Apache mod_negotiation filename bruteforcing
06.20 20:06.49, Error page Web Server version disclosure
06.20 20:06.51, Analyzing client side JavaScripts
06.20 20:06.51, Analyzing file: http://198.12.67.18/
06.20 20:06.51, Script analysis done
06.20 20:06.51, Processing file / (variation 1)
06.20 20:06.51, Processing file / (variation 2)
06.20 20:06.51, Searching for possible site errors.
06.20 20:06.51, Searching for aspect alerts.
06.20 20:06.51, Crawling done.
06.20 20:06.51, Scanning started.
06.20 20:06.51, Apache httpd Remote Denial of Service
06.20 20:07.08, Possible sensitive files
06.20 20:07.12, Possible sensitive directories
06.20 20:07.15, Possible sensitive directories
06.20 20:07.53, Restart crawling
06.20 20:07.53, Processing file /test.php
06.20 20:07.53, Processing file /phpmyadmin
06.20 20:07.53, Processing file /test
06.20 20:07.53, Processing file /index.php
06.20 20:07.54, Processing file /test
06.20 20:07.54, Processing file /phpmyadmin
06.20 20:07.54, Password type input with auto-complete enabled
06.20 20:07.54, User credentials are sent in clear text
06.20 20:07.54, Processing file /test/basic.css
06.20 20:07.54, Processing file /test/login.php
06.20 20:07.54, Password type input with auto-complete enabled
06.20 20:07.54, User credentials are sent in clear text
06.20 20:07.54, Processing file /phpmyadmin/index.php
06.20 20:07.54, Password type input with auto-complete enabled
06.20 20:07.54, User credentials are sent in clear text
06.20 20:07.54, Processing file /phpmyadmin/index.php (variation 1)
06.20 20:07.54, Processing file /phpmyadmin/themes
06.20 20:07.54, Processing file /phpmyadmin/index.php (variation 2)
06.20 20:07.54, Password type input with auto-complete enabled
06.20 20:07.54, User credentials are sent in clear text
06.20 20:07.54, Processing file /phpmyadmin/index.php (variation 4)
06.20 20:07.54, Processing file /phpmyadmin/themes/original
06.20 20:07.54, Processing file /phpmyadmin/themes/original/img
06.20 20:07.54, Processing file /phpmyadmin/phpmyadmin.css.php
06.20 20:07.54, Processing file /phpmyadmin/Documentation.html
06.20 20:07.55, Processing file /phpmyadmin/Documentation.html (variation 1)
06.20 20:07.56, Processing file /phpmyadmin/print.css
06.20 20:07.56, Processing file /phpmyadmin/phpmyadmin.css.php (variation 1)
06.20 20:07.56, Session token in URL
06.20 20:07.56, Processing file /phpmyadmin/index.php (variation 3)
06.20 20:07.56, Password type input with auto-complete enabled
06.20 20:07.56, User credentials are sent in clear text
06.20 20:07.56, Processing file /test/style/fg_membersite.css
06.20 20:07.56, Broken links
06.20 20:07.56, Processing file /test/scripts/gen_validatorv31.js
06.20 20:07.56, Processing file /test/style
06.20 20:07.56, Processing file /test/login.php (variation 1)
06.20 20:07.56, Password type input with auto-complete enabled
06.20 20:07.56, Processing file /test/UPC.ttf
06.20 20:07.56, Processing file /phpmyadmin/themes
06.20 20:07.56, Processing file /phpmyadmin/themes/original
06.20 20:07.56, Processing file /phpmyadmin/phpmyadmin.css.php (variation 2)
06.20 20:07.56, Session token in URL
06.20 20:07.56, Processing file /phpmyadmin/themes/original/img
06.20 20:07.56, Processing file /phpmyadmin/index.php (variation 7)
06.20 20:07.56, Password type input with auto-complete enabled
06.20 20:07.56, User credentials are sent in clear text
06.20 20:07.56, Broken links
06.20 20:07.56, Processing file /phpmyadmin/index.php (variation 5)
06.20 20:07.56, Password type input with auto-complete enabled
06.20 20:07.56, Processing file /phpmyadmin/index.php (variation 9)
06.20 20:07.56, Password type input with auto-complete enabled
06.20 20:07.56, Session token in URL
06.20 20:07.56, Processing file /phpmyadmin/changelog.php
06.20 20:07.57, Processing file /phpmyadmin/docs.css
06.20 20:07.57, Processing file /phpmyadmin/index.php (variation 6)
06.20 20:07.57, Processing file /phpmyadmin/index.php (variation 8)
06.20 20:07.57, Processing file /phpmyadmin/translators.html
06.20 20:07.57, Broken links
06.20 20:07.57, Processing file /phpmyadmin/license.php
06.20 20:07.57, Processing file /test/scripts
06.20 20:08.06, Processing file /test/style
06.20 20:08.06, Processing file /test/scripts
06.20 20:08.08, Processing file /phpmyadmin/setup
06.20 20:08.08, Analyzing client side JavaScripts
06.20 20:08.08, Analyzing file: http://198.12.67.18/phpmyadmin/
06.20 20:08.08, Analyzing file: http://198.12.67.18/test/login.php
06.20 20:08.08, Script analysis done
06.20 20:08.08, Processing file /phpmyadmin/index.php (variation 11)
06.20 20:08.08, Password type input with auto-complete enabled
06.20 20:08.08, Processing file /phpmyadmin/index.php (variation 10)
06.20 20:08.08, Password type input with auto-complete enabled
06.20 20:08.08, Processing file /phpmyadmin/index.php (variation 12)
06.20 20:08.08, Password type input with auto-complete enabled
06.20 20:08.08, Searching for possible site errors.
06.20 20:08.08, Searching for aspect alerts.
06.20 20:08.08, Session Cookie without HttpOnly flag set
06.20 20:08.08, Session Cookie without Secure flag set
06.20 20:08.08, Crawling done.
06.20 20:08.08, Scanning started.
06.20 20:08.18, Cross Site Scripting (verified)
06.20 20:35.33, Cross Site Scripting (verified)
06.20 20:35.33, Possible username or password disclosure
06.20 20:35.37, Possible server path disclosure (Unix)
06.20 20:35.37, Possible username or password disclosure
06.20 20:35.38, Error message on page
06.20 20:35.39, Email address found
06.20 20:35.40, Email address found
06.20 20:35.40, Possible server path disclosure (Unix)
06.20 20:36.09, Possible sensitive directories

lol, oh ok... so the 49 vulnerabilities including 25 serious ones mean nothing.
why are you asking for help if you obviously know it all and can't learn a thing?
my assessment of your high school coding is worth thousands.

jackass


here's the report I sent the idiot op: