hacked

sorry it freaked ne out just time to update its an old site and i should have not been complacent with upgrading security .still im open to suggestions

Hi,

try to understand how the infection was accomplished, if by using a compromised FTP account (check server logs, change passwords, secure client machines) or because of a code bug, in this last case there's a lot of documentation you can read:

• http://php.net/manual/en/security.php
• http://phpsec.org/projects/guide/
• https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet
• http://phpsecurity.readthedocs.org/en/latest/

Then if you have some doubts about specific procedures show us some example codes.

Also something that is often overlooked.

Check your host machine, i.e the one you are ftping stuff to your website. Sometimes your host machine can be compromised, with keyloggers if you're on windows, thus meaning any time you change your site details and passwords won't matter because your own machine is where the problem lies.

If you're using something like wordpress, do an update, remove any unknown/unsafe plugins, sometimes the exploits lay here.

thank you. i have two areas i need to check, first being an 'admin' section that i really should have changed yonks ago so thats my first. i deleted that straight away till i rewrite it.
I just downloaded the zap vunerability scanner so im hoping that will show light on the error. Never used it but looks promising.
hacker did me a favour in that not much damage done except to my blood pressure

ok first question, if i may
i have a select based on a $_get value renamed $where. the value is a 4 numbers is this enough of a filte to stop a posissible vunerability?

$where = filter_input(INPUT_GET, 'recordID', FILTER_SANITIZE_NUMBER_INT
);

There are a few cases where vulnerabilities can occur, first and most important are file uploads, or writing files to your server.

Ensure nobody can hijack any of your scripts to write php files to your server. Only allow files upload of certain types e.g png, jpg, gif.

Second ensure your queriers are protected using mysql_real_escape or mysqli().

Third santize your html when displaying in the views by using html_entities().

Your code looks custom written so I'm not sure what those functions do.

If referring to filter_input() this is not custom, it's part of PHP:

• http://php.net/manual/en/function.filter-input.php

and it's ok, even submitting something like 10 OR 1=1 the filter will sanitize it to 1011. But keep in mind that it doesn't affects $_GET, $_POST and $_REQUEST, so never do:

$record = filter_input(INPUT_GET, 'recordID', FILTER_SANITIZE_NUMBER_INT);

if($record)
    echo $_GET['recordID']; # <- not good

Because it will output the unsanitized data. In any case, if you're going to use this input in a query, then use prepared statements.

thanks both of you. i susupect thats my vunerabilities i had converted to mysqli a whaile ago but did not use prepared statements. i dumbly thought i was toasty with that andthat the permissions were select only. i have now read further which clearly i should have before,
well im working my way through the site now making the changes.
i eventually downloaded vega scanner which pointed me to my fails, impressed with that just wished id known before so hopefully im on the road to secure site

i think i have my answer but id like to keep this thread opem for now tilli run through all my site issues

well, have changed all my site to use prepare and try, I struggled with some pagination issues converting that to prepared statements, though but seem to have got it so far.
next issue concerns crf, which confounds me a bit, any one got opinions on crf magic? i dont want to be under false imression that im safe and toasty. http://csrf.htmlpurifier.org/