Website Security

Post by gauravweb on Sat Dec 05, 2009 12:09 pm

I am a student running a website for my city. I don't know much about website security. Recently I figured out that someone is trying to hack my site using PHP scripts (my site uses PHP too). I traced his IP and found it in "Kazakhstan", which I'm sure is fake (coz I live in India). However, I want to protect my site and also want to learn a lot from you all. So please help me: how should I trace who was trying to hack me?


Re: Website Security

Post by thedotmaster on Sat Dec 05, 2009 1:32 pm

These attempts happen all the time. In fact, if I look at my logs for the past few days I see:
Code:
[Thu Dec 03 19:24:42 2009] [error] [client 201.234.36.152] File does not exist: /var/www/phpMyAdmin

An attempt to find unsecured phpMyAdmin installations, which proved unsuccessful.
If I whois that IP address, I find it's from Mexico. I'm in the UK and my server is just there so I can show screenshots, code, etc. to some friends.

So why are people attacking both you and me? Well, probably because they're part of a botnet that has taken over their computer. But why has their computer been ordered to scan? For sending spam, hosting fraudulent websites, etc.

The simple way to stop these attacks being successful is to keep updated and use secure passwords.
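
A way to triage log lines like the one quoted in the post above, as an added example (not thedotmaster's code): it groups "File does not exist" probes for admin tools by client and checks whether a probed name matches something actually installed, even under a different letter case. The sample lines, the documentation-range IPs, the probe-name list and the function names are constructed assumptions.

```python
import re
from collections import defaultdict

# Apache 2.2-style error-log line, the format quoted in the post above.
LINE_RE = re.compile(
    r"^\[(?P<when>[^\]]+)\] \[error\] \[client (?P<ip>[0-9a-fA-F.:]+)\] "
    r"File does not exist: (?P<path>\S+)$"
)
# Assumed list of admin-tool directory names to watch for; extend as needed.
PROBE_NAMES = ("phpmyadmin", "pma", "mysqladmin")

# Constructed sample lines (documentation-range IPs), not from a real server.
SAMPLE_LOG = """\
[Thu Dec 03 19:24:42 2009] [error] [client 203.0.113.7] File does not exist: /var/www/phpMyAdmin
[Thu Dec 03 19:24:43 2009] [error] [client 203.0.113.7] File does not exist: /var/www/pma
[Thu Dec 03 19:24:44 2009] [error] [client 203.0.113.7] File does not exist: /var/www/mysqladmin
[Thu Dec 03 20:01:10 2009] [error] [client 198.51.100.20] File does not exist: /var/www/favicon.ico
[Thu Dec 03 20:05:00 2009] [notice] caught SIGTERM, shutting down
"""

def summarize_probes(log_text, docroot="/var/www"):
    """Return {client_ip: sorted list of probed admin-tool paths}."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # notices and other error types are out of scope here
        rel = m.group("path")
        if rel.startswith(docroot):
            rel = rel[len(docroot):]
        first = rel.strip("/").split("/")[0].lower()
        if first in PROBE_NAMES:
            hits[m.group("ip")].add(rel)
    return {ip: sorted(paths) for ip, paths in hits.items()}

def installed_targets(probes, existing_paths):
    """Probed paths matching something installed, ignoring letter case."""
    existing = {p.lower() for p in existing_paths}
    return sorted({p for paths in probes.values() for p in paths
                   if p.lower() in existing})

if __name__ == "__main__":
    probes = summarize_probes(SAMPLE_LOG)
    print(probes)
    print(installed_targets(probes, ["/phpmyadmin", "/blog"]))
```

A non-empty result from `installed_targets` means the scanner guessed a name that exists on the server under another spelling, which is the case worth locking down or renaming.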


Re: Website Security

Post by faazshift on Sat Dec 05, 2009 3:20 pm

I've had this kind of stuff almost constantly on my webserver. Trying to trace the IP does little good, as they have very little meaning. If I firewall the IPs being used, more just start making requests. I also get lots of requests like: "GET http://some.website.whatever/ HTTP/1.0". I hate how much bandwidth these constant requests use, so I have been tempted to make a light-weight Python webserver that either drops suspicious requests entirely, or makes the request to Apache (basically some kind of makeshift web firewall). Anyway, botnets are very annoying. The best thing to do is to make sure that anything that is public is well inspected, to ensure its security. I have spent plenty of time securing what my server is hosting. I have thoroughly analyzed the code and fixed several, surprisingly unexploited, vulnerabilities.
Last edited by faazshift on Sat Dec 05, 2009 4:38 pm, edited 1 time in total.
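
The drop-or-forward decision for the kind of front-end filter described in the post above, as an added example (not faazshift's code): it drops requests whose target is an absolute URL for a host the server does not serve, which is how open-proxy probes such as the quoted one look. The host names, sample request lines and function names are hypothetical.

```python
from urllib.parse import urlsplit

# Assumed: host names this server legitimately serves (hypothetical values).
OUR_HOSTS = {"www.example.org", "example.org"}

def classify_request_line(request_line, our_hosts=OUR_HOSTS):
    """Return 'forward' or 'drop' for the first line of an HTTP request."""
    parts = request_line.strip().split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return "drop"      # malformed request line
    method, target, _version = parts
    if method == "CONNECT":
        return "drop"      # tunnel request: only meaningful to a proxy
    if target.startswith("/"):
        return "forward"   # origin-form, what browsers normally send
    try:
        url = urlsplit(target)
        host = url.hostname   # already lower-cased by urlsplit
    except ValueError:
        return "drop"      # unparsable target
    if url.scheme in ("http", "https") and host in our_hosts:
        return "forward"   # absolute-form, but naming one of our own hosts
    return "drop"          # anything else, e.g. absolute-form for a foreign host

# Constructed request lines; the first follows the pattern quoted in the post.
SAMPLE_REQUESTS = [
    "GET http://some.website.whatever/ HTTP/1.0",
    "GET /index.php HTTP/1.1",
    "GET http://www.example.org/news HTTP/1.1",
    "CONNECT mail.example.net:25 HTTP/1.0",
]

def triage(lines):
    """Pair each request line with its verdict."""
    return [(line, classify_request_line(line)) for line in lines]

if __name__ == "__main__":
    for line, verdict in triage(SAMPLE_REQUESTS):
        print(f"{verdict:8} {line}")
```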


Re: Website Security

Post by Goatboy on Sat Dec 05, 2009 4:33 pm

thedotmaster wrote:
> These attempts happen all the time. In fact, if I look at my logs for the past few days I see:
> Code:
> [Thu Dec 03 19:24:42 2009] [error] [client 201.234.36.152] File does not exist: /var/www/phpMyAdmin
>
> An attempt to find unsecured phpMyAdmin installations, which proved unsuccessful.
> If I whois that IP address, I find it's from Mexico. I'm in the UK and my server is just there so I can show screenshots, code, etc. to some friends.
>
> So why are people attacking both you and me? Well, probably because they're part of a botnet that has taken over their computer. But why has their computer been ordered to scan? For sending spam, hosting fraudulent websites, etc.
>
> The simple way to stop these attacks being successful is to keep updated and use secure passwords.

Yeah, I get a ton of these too. Hardly anything to worry about, unless of course you have an unprotected phpmyadmin directory.

What I want to know is how the bot reacts when it does find an open phpmyadmin directory. Much fun could potentially be had if I knew this >:)
Assume that everything I say is or could be a lie.


Re: Website Security

Post by gauravweb on Sun Dec 06, 2009 5:07 am

My problem is not about a bot attack. My website has a section for article submission, where users must log in to submit articles. I record every session's details. There are about 15 users registered with my site. Someone has logged into my site using my account details. It happened three times. The first time he logged in and submitted <?php phpinfo(); ?> as a new article. However, I don't know what he did the other two times. The login section for my site is at http://www.risingfaizabad.com/art-submit.php

I want to know how one could get my password. I have noticed suspicious activity only in my account. He does not have passwords for other accounts.


Re: Website Security

Post by Goatboy on Sun Dec 06, 2009 11:39 am

gauravweb wrote:
> My problem is not about a bot attack. My website has a section for article submission, where users must log in to submit articles. I record every session's details. There are about 15 users registered with my site. Someone has logged into my site using my account details. It happened three times. The first time he logged in and submitted <?php phpinfo(); ?> as a new article. However, I don't know what he did the other two times. The login section for my site is at http://www.risingfaizabad.com/art-submit.php
>
> I want to know how one could get my password. I have noticed suspicious activity only in my account. He does not have passwords for other accounts.

My first guess would be SQL injection. If you are not sanitizing your input, it can be extremely easy for an attacker to get in. Review your login.php page and make sure it protects against crafted SQL queries like

Code:
SELECT userpwd FROM users WHERE userid = 'admin';

as this would allow an attacker to view the password for the user "admin" assuming the tables are set up this way. If they are not, it would be a simple task to find out their layout.

Additionally, you could be using a weak password, meaning it is easy to guess (could be a word in a dictionary, 1234, etc.). You should change your password to something more difficult to at least slow him down. And if it's not a weak password...

He could be packet sniffing, meaning he is viewing all the information being sent to your server by you. This is unlikely, as he is listed as being from Kazakhstan, but that could be easily spoofed to throw you off.


Re: Website Security

Post by gauravweb on Sun Dec 06, 2009 12:17 pm

Goatboy wrote:
> gauravweb wrote:
> > My problem is not about a bot attack. My website has a section for article submission, where users must log in to submit articles. I record every session's details. There are about 15 users registered with my site. Someone has logged into my site using my account details. It happened three times. The first time he logged in and submitted <?php phpinfo(); ?> as a new article. However, I don't know what he did the other two times. The login section for my site is at http://www.risingfaizabad.com/art-submit.php
> >
> > I want to know how one could get my password. I have noticed suspicious activity only in my account. He does not have passwords for other accounts.
>
> My first guess would be SQL injection. If you are not sanitizing your input, it can be extremely easy for an attacker to get in. Review your login.php page and make sure it protects against crafted SQL queries like
>
> Code:
> SELECT userpwd FROM users WHERE userid = 'admin';
>
> as this would allow an attacker to view the password for the user "admin" assuming the tables are set up this way. If they are not, it would be a simple task to find out their layout.
>
> Additionally, you could be using a weak password, meaning it is easy to guess (could be a word in a dictionary, 1234, etc.). You should change your password to something more difficult to at least slow him down. And if it's not a weak password...
>
> He could be packet sniffing, meaning he is viewing all the information being sent to your server by you. This is unlikely, as he is listed as being from Kazakhstan, but that could be easily spoofed to throw you off.


I have some demo accounts with weak passwords. But my account has a medium-level password. He has never logged in via any other account. He has always used my account. Also, I have never logged in to my account from anywhere other than my home PC. So there is no chance of password sniffing. Other than that, I also first thought about SQL injections, but I have taken precautions against them from the start. You could have a try on my website.


Re: Website Security

Post by thedotmaster on Sun Dec 06, 2009 12:28 pm

If you would like users to take a look at the security of your site, please leave a comment in the HTML on the frontpage (near the top of the page) like so:
Code:
<!-- HackThisSite gauravweb -->


This means we can verify that it is actually your site.

However, posting source code is much better. If you choose to do this, please use a pastebin such as: http://pastebay.com/
Remember to blank out any MySQL passwords!


Re: Website Security

Post by gauravweb on Sun Dec 06, 2009 12:34 pm

thedotmaster wrote:
> If you would like users to take a look at the security of your site, please leave a comment in the HTML on the frontpage (near the top of the page) like so:
> Code:
> <!-- HackThisSite gauravweb -->
>
> This means we can verify that it is actually your site.
>
> However, posting source code is much better. If you choose to do this, please use a pastebin such as: http://pastebay.com/
> Remember to blank out any MySQL passwords!



I have left what you said.
Just check the source code for it.
http://www.risingfaizabad.com/art-submit.php
Visit the above page; I have edited that page only.


Re: Website Security

Post by thedotmaster on Sun Dec 06, 2009 1:02 pm

http://www.risingfaizabad.com/article-view.php?id= <-- vulnerable to SQL injection
http://www.risingfaizabad.com/category.php?id=aaa <-- something is going on there, not sure what
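
The id-parameter injection reported in the post above, and the crafted-query risk Goatboy describes earlier in the thread, shown with the fix beside it as an added example (not code from the site or from any poster). It uses Python with an in-memory SQLite database as a stand-in for the site's PHP/MySQL; the users table follows Goatboy's sample query, while the articles table, all rows and the function names are constructed.

```python
import re
import sqlite3

# Constructed test input: extra SQL appended to what should be a numeric id.
HOSTILE_ID = "0 UNION SELECT userid, userpwd FROM users"

def make_db():
    """In-memory stand-in database; schema and rows are constructed."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE users (userid TEXT, userpwd TEXT);
        INSERT INTO articles VALUES (1, 'City fair'), (2, 'Road works');
        INSERT INTO users VALUES ('admin', 'constructed-secret');
    """)
    return db

def view_article_unsafe(db, raw_id):
    """'Before': the URL parameter is concatenated into the SQL text."""
    sql = "SELECT id, title FROM articles WHERE id = " + raw_id
    return db.execute(sql).fetchall()

def view_article_safe(db, raw_id):
    """'After': reject non-numeric ids, then bind the value as a parameter."""
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):
        return []  # treat as "no such article"; never echo a database error
    sql = "SELECT id, title FROM articles WHERE id = ?"
    return db.execute(sql, (int(raw_id),)).fetchall()

if __name__ == "__main__":
    db = make_db()
    for raw in ("1", "aaa", HOSTILE_ID):
        try:
            unsafe = view_article_unsafe(db, raw)
        except sqlite3.Error as exc:
            unsafe = f"database error: {exc}"
        safe = view_article_safe(db, raw)
        print(f"id={raw!r}\n  unsafe: {unsafe}\n  safe:   {safe}")
```

With the bound parameter the hostile string is never parsed as SQL, so the users table cannot be pulled into the article result; the same pattern applies to every query that takes a value from the URL or a form, the login query included.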

