0

very embarrassing but I just got hacked by the following, any advice truly welcome

    Hacked By : Mr.HaurgeulisX196

    TypingText = function(element, interval, cursor, finishedCallback) {
        if((typeof document.getElementById == "undefined") || (typeof element.innerHTML == "undefined")) {
            this.running = true;
            return;
        }
        this.element = element;
        this.finishedCallback = (finishedCallback ? finishedCallback : function() { return; });
        this.interval = (typeof interval == "undefined" ? 100 : interval);
        this.origText = this.element.innerHTML;
        this.unparsedOrigText = this.origText;
        this.cursor = (cursor ? cursor : "");
        this.currentText = "";
        this.currentChar = 0;
        this.element.typingText = this;
        if(this.element.id == "") this.element.id = "typingtext" + TypingText.currentIndex++;
        TypingText.all.push(this);
        this.running = false;
        this.inTag = false;
        this.tagBuffer = "";
        this.inHTMLEntity = false;
        this.HTMLEntityBuffer = "";
    }
    TypingText.all = new Array();
    TypingText.currentIndex = 0;
    TypingText.runAll = function() {
        for(var i = 0; i < TypingText.all.length; i++) TypingText.all[i].run();
    }
    TypingText.prototype.run = function() {
        if(this.running) return;
        if(typeof this.origText == "undefined") {
            setTimeout("document.getElementById('" + this.element.id + "').typingText.run()", this.interval);
            return;
        }
        if(this.currentText == "") this.element.innerHTML = "";
        if(this.currentChar < this.origText.length) {
            if(this.origText.charAt(this.currentChar) == "<" && !this.inTag) {
                this.tagBuffer = "<";
                this.inTag = true;
                this.currentChar++;
                this.run();
                return;
            } else if(this.origText.charAt(this.currentChar) == ">" && this.inTag) {
                this.tagBuffer += ">";
                this.inTag = false;
                this.currentText += this.tagBuffer;
                this.currentChar++;
                this.run();
                return;
            } else if(this.inTag) {
                this.tagBuffer += this.origText.charAt(this.currentChar);
                this.currentChar++;
                this.run();
                return;
            } else if(this.origText.charAt(this.currentChar) == "&" && !this.inHTMLEntity) {
                this.HTMLEntityBuffer = "&";
                this.inHTMLEntity = true;
                this.currentChar++;
                this.run();
                return;
            } else if(this.origText.charAt(this.currentChar) == ";" && this.inHTMLEntity) {
                this.HTMLEntityBuffer += ";";
                this.inHTMLEntity = false;
                this.currentText += this.HTMLEntityBuffer;
                this.currentChar++;
                this.run();
                return;
            } else if(this.inHTMLEntity) {
                this.HTMLEntityBuffer += this.origText.charAt(this.currentChar);
                this.currentChar++;
                this.run();
                return;
            } else {
                this.currentText += this.origText.charAt(this.currentChar);
            }
            this.element.innerHTML = this.currentText;
            this.element.innerHTML += (this.currentChar < this.origText.length - 1 ? (typeof this.cursor == "function" ? this.cursor(this.currentText) : this.cursor) : "");
            this.currentChar++;
            setTimeout("document.getElementById('" + this.element.id + "').typingText.run()", this.interval);
        } else {
            this.currentText = "";
            this.currentChar = 0;
            this.running = false;
            this.finishedCallback();
        }
    }

    Terminal
3
Contributors
10
Replies
67
Views
2 Years
Discussion Span
Last Post by edbr
0

sorry, it freaked me out, just time to update. It's an old site and I should not have been complacent with upgrading security. Still, I'm open to suggestions.

2

Hi,

try to understand how the infection was accomplished, whether by using a compromised FTP account (check server logs, change passwords, secure client machines) or because of a code bug; in this last case there's a lot of documentation you can read:

* http://php.net/manual/en/security.php
* http://phpsec.org/projects/guide/
* https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet
* http://phpsecurity.readthedocs.org/en/latest/

Then if you have some doubts about specific procedures show us some example codes.

Edited by cereal

Votes + Comments
+1
1

Also something that is often overlooked.

Check your host machine, i.e. the one you are FTPing stuff from to your website. Sometimes your host machine can be compromised, with keyloggers if you're on Windows, meaning that any time you change your site details and passwords it won't matter, because your own machine is where the problem lies.

If you're using something like WordPress, do an update and remove any unknown/unsafe plugins; sometimes the exploits lie here.

0

thank you. I have two areas I need to check, the first being an 'admin' section that I really should have changed yonks ago, so that's my first. I deleted that straight away till I rewrite it.
I just downloaded the ZAP vulnerability scanner so I'm hoping that will shed light on the error. Never used it but it looks promising.
The hacker did me a favour in that not much damage was done, except to my blood pressure.

0

ok, first question, if I may.
I have a select based on a $_GET value renamed $where. The value is 4 numbers. Is this enough of a filter to stop a possible vulnerability?

$where = filter_input(INPUT_GET, 'recordID', FILTER_SANITIZE_NUMBER_INT);

0

There are a few cases where vulnerabilities can occur, first and most important are file uploads, or writing files to your server.

Ensure nobody can hijack any of your scripts to write PHP files to your server. Only allow file uploads of certain types, e.g. png, jpg, gif.

Second, ensure your queries are protected using mysql_real_escape or mysqli().

Third, sanitize your HTML when displaying in the views by using html_entities().

Your code looks custom written so I'm not sure what those functions do.

1

If referring to `filter_input()`, this is not custom, it's part of PHP:

* http://php.net/manual/en/function.filter-input.php

and it's ok: even submitting something like `10 OR 1=1`, the filter will sanitize it to `1011`. But keep in mind that it doesn't affect `$_GET`, `$_POST` and `$_REQUEST`, so never do:

$record = filter_input(INPUT_GET, 'recordID', FILTER_SANITIZE_NUMBER_INT);

if($record)
    echo $_GET['recordID']; # <- not good

Because it will output the unsanitized data. In any case, if you're going to use this input in a query, then use prepared statements.

Votes + Comments
thanks for the correction
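The two points in this reply, validating the id once and then binding only the validated copy in a prepared statement, as an added example that is not code from the thread. The table and column names (records, id, title), the connected mysqli handle $db and the mysqlnd driver (for get_result()) are assumptions; a paginated query is included because LIMIT and OFFSET are bound the same way.

```php
<?php
// Added example, not code from the thread. The table and column names
// (records, id, title) are assumptions, $db is an already-connected mysqli
// object, and get_result() assumes the mysqlnd driver.

// FILTER_SANITIZE_NUMBER_INT only strips characters, it never rejects input:
//   filter_var('10 OR 1=1', FILTER_SANITIZE_NUMBER_INT) === '1011'
// FILTER_VALIDATE_INT returns false for anything that is not an integer, so
// it is the right tool for deciding whether the request is acceptable at all.
function record_id_from(?string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Fetch one record: the id is bound as an integer, never concatenated into SQL.
function fetch_record(mysqli $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, title FROM records WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Pagination under the same discipline: LIMIT and OFFSET are bound integers,
// and the page size is clamped so a caller cannot request the whole table.
function fetch_page(mysqli $db, int $page, int $perPage = 20): array
{
    $perPage = max(1, min($perPage, 100));
    $offset  = (max(1, $page) - 1) * $perPage;
    $stmt = $db->prepare('SELECT id, title FROM records ORDER BY id LIMIT ? OFFSET ?');
    $stmt->bind_param('ii', $perPage, $offset);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Request handling: read the raw value once, validate it, and from then on use
// only the validated copy. $_GET['recordID'] still holds the raw string.
$id = record_id_from(filter_input(INPUT_GET, 'recordID'));
if ($id === null) {
    http_response_code(400);
    exit('invalid recordID');
}
$record = fetch_record($db, $id);
echo htmlspecialchars((string) $id, ENT_QUOTES, 'UTF-8'); // never echo $_GET['recordID']
```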
1

thanks both of you. I suspect that's my vulnerability: I had converted to mysqli a while ago but did not use prepared statements. I dumbly thought I was toasty with that and that the permissions were select only. I have now read further, which clearly I should have before;
well, I'm working my way through the site now making the changes.
I eventually downloaded the Vega scanner which pointed me to my fails, impressed with that, just wished I'd known before, so hopefully I'm on the road to a secure site.

0

I think I have my answer but I'd like to keep this thread open for now till I run through all my site issues.

0

well, I have changed all my site to use prepare and try. I struggled with some pagination issues converting that to prepared statements, but seem to have got it so far.
Next issue concerns CSRF, which confounds me a bit. Anyone got opinions on CSRF Magic? I don't want to be under the false impression that I'm safe and toasty. http://csrf.htmlpurifier.org/
