Hacker Site - SQL Injection | Member | | Join Date: Jul 2007
Posts: 73
| | |
Quite a while back now I had a file uploaded to my site overwriting the index, which boasted of this hacker's amazing skills in defacing my site. Never did figure out how they did it, however I found my website listed on this site: <link removed> (Note that's the link to some sort of hacker site, the link may not be safe I don't know so just letting you know).
Anyway, the site is in another language but I noticed it said Something: SQL Injection, and after navigating back to the main page of this site I found the form (the one in the link above, don't really want to test it myself). I assume people just enter in whatever site they want and it exploits some sort of common weakness or something, but like I said I don't know and since it had SQL Injection listed next to my site I'm going to assume that. I've got the following in place for SQL Injection at the top of every page:
[PHP]
if(!get_magic_quotes_gpc())
{
    $_GET = array_map('mysql_real_escape_string', $_GET);
    $_POST = array_map('mysql_real_escape_string', $_POST);
    $_COOKIE = array_map('mysql_real_escape_string', $_COOKIE);
}
else
{
    $_GET = array_map('stripslashes', $_GET);
    $_POST = array_map('stripslashes', $_POST);
    $_COOKIE = array_map('stripslashes', $_COOKIE);
    $_GET = array_map('mysql_real_escape_string', $_GET);
    $_POST = array_map('mysql_real_escape_string', $_POST);
    $_COOKIE = array_map('mysql_real_escape_string', $_COOKIE);
}
[/PHP]
Is this not enough, what else should I be doing? Would someone be able to give me a line of text to enter into forms on my site (I assume it's just something like " mysql_query("INSERT........") obviously only something that won't do much damage) so I can see where weaknesses are.
Thanks for any advice / opinions on this, just trying to get to the bottom of this so it doesn't happen again.
|  | Expert | | Join Date: Dec 2007 Location: Moon, Dark Side
Posts: 1,095
| | | re: Hacker Site - SQL Injection
SQL Injection deals with SQL, i.e. Database.
Unless they found your SQL password on your site, AND your homepage is actually in the database (not in an HTML file) then they could have re-written it.
Or they just used FTP or SSH and found a password somewhere on your site and used that.
Make sure files that contain such passwords and sensitive information ARE NOT in the public domain folders, or folders accessible from the web,
so that I can't do this to get your config file that has your passwords in it:
yoursite.com/config/config.php~
(if you're using the Linux text editor: emacs or another)
I have a server and it is constantly pinged via SSH, as a brute force attempt to get the root password.
Search Google on securing your server. If it's hosted by a company, sometimes they are the problem and it had nothing to do with your code (but they're not going to tell you if the server has been hacked by some Chinese dude).
Just make sure you take security measures
Find sites like this on google: http://www.devshed.com/c/a/PHP/PHP-Security-Mistakes/
Good luck and hope it doesn't happen again,
Dan
|  | Moderator | | Join Date: Jun 2007 Location: York, England, with wolves.
Posts: 4,949
| | | re: Hacker Site - SQL Injection
Yeh, unless your site runs dynamically, I don't think it's SQL injection. What it is, I'm not sure.
Do you give the ability to upload files, on your website?
| | Member | | Join Date: Jul 2007
Posts: 73
| | | re: Hacker Site - SQL Injection
Thanks for the responses.
People can upload image files on my site but they need to be signed up to do so and I didn't notice any odd usernames signed up, they all seem pretty genuine.
Thanks for that link too, I'll definitely be having a thorough read of that. I do have password information stored in my one file which is for the database connection, which is in the public_html folder, is this what I should not be doing?
Also, all this person did was upload a file that overwrites the index, all I had to do was just re-upload mine and the problem was solved. I thought this seemed a little too easy but no database information had been erased / added (which is why I originally thought it wasn't an SQL attack anyway), but are there any checks I should make to ensure they didn't do anything else such as uploading any other malicious files?
|  | Expert | | Join Date: Dec 2007 Location: Moon, Dark Side
Posts: 1,095
| | | re: Hacker Site - SQL Injection Quote:
Originally Posted by Jeigh
Thanks for the responses.
People can upload image files on my site but they need to be signed up to do so and I didn't notice any odd usernames signed up, they all seem pretty genuine.
Thanks for that link too, I'll definitely be having a thorough read of that. I do have password information stored in my one file which is for the database connection, which is in the public_html folder, is this what I should not be doing?
Also, all this person did was upload a file that overwrites the index, all I had to do was just re-upload mine and the problem was solved. I thought this seemed a little too easy but no database information had been erased / added (which is why I originally thought it wasn't an SQL attack anyway), but are there any checks I should make to ensure they didn't do anything else such as uploading any other malicious files?

I would just re-upload ALL your files from scratch. Remove everything and reload everything.
Yes, do remove that password file from public_html, PHP can still access it even if it's in a folder not available through the browser (in public_html)
There are times when all a person wants to do is practice his hacking skills, he doesn't really want to destroy/capture any data, it does him no good.
MAKE SURE, you have proper validations in place for that image. Could I upload a PHP file if I wanted to?
Hack your own site is the best way. Try uploading a PHP file for example, try uploading anything else that's not a JPG.
Don't just check the last few characters of the name for the file extension, actually do a PHP type check to see if it's an image file.
Hope that helps,
Dan
|  | Member | | Join Date: Mar 2008 Location: here
Posts: 107
| | | re: Hacker Site - SQL Injection Quote:
Originally Posted by dlite922 I
Yes, do remove that password file from public_html, PHP can still access it even if it's in a folder not available through the browser (in public_html)
Dan

Where is the best place to keep such files then?
| | Needs Regular Fix | | Join Date: Mar 2008
Posts: 311
| | | re: Hacker Site - SQL Injection
Actually, I do not have any of my PHP scripts located in the document tree which can be reached by the Apache server. I only have stubs such as this:
[PHP]
<?php
require ("/script_directory/main.php");
exit;
?>
[/PHP]
where the /script_directory/ is substituted for the directory path where I have the PHP scripts for the given application. This directory is off limits for the Apache server, so it cannot by itself read or write to the script directory. All access must go via my PHP scripts.
|  | Member | | Join Date: Mar 2008 Location: here
Posts: 107
| | | re: Hacker Site - SQL Injection
How do I reach things outside "public_html" with PHP?
| | Needs Regular Fix | | Join Date: Mar 2008
Posts: 311
| | | re: Hacker Site - SQL Injection
I am using Linux, so I don't know whether any answer I give here will apply to you in case you are using another operating system.
Your "document tree" is where your document server (e.g. Apache) is allowed to directly serve pages from. But your PHP engine is not limited to this. As long as the directory and file permissions are set to allow your PHP scripts to read them, then you can access them from other PHP scripts. In the example I showed above, the user will try to access a small script located within the document tree, which will then "require" or "include" the remainder of the PHP script located in a directory outside the document tree.
Of course, if your permissions are not set correctly on the directory where the script file is located, or the script file itself, then maybe your PHP scripts cannot access them.
|  | Member | | Join Date: Mar 2008 Location: here
Posts: 107
| | | re: Hacker Site - SQL Injection
I would like to do some more reading on this subject. Do you have a link to somewhere on the internet where I can read about this some more?
Thanks
| | Member | | Join Date: Jul 2007
Posts: 73
| | | re: Hacker Site - SQL Injection Quote:
Originally Posted by dlite922 MAKE SURE, you have proper validations in place for that image. Could I upload a PHP file if I wanted to?
Hack your own site is the best way. Try uploading a PHP file for example, try uploading anything else that's not a JPG.
Dan
I use the following to check images:
[PHP]
if (!is_uploaded_file($_FILES['uploaded_image']['tmp_name'])) {
    $error = "You didn't select a file to upload.<br />";
} else {
    if ($_FILES['uploaded_image']['size'] > $maxfilesize) {
        $error = "Your image file was too large.<br />";
        unlink($_FILES['uploaded_image']['tmp_name']);
    } else {
        // Extension taken from the client-supplied file name
        $ext = strrchr($_FILES['uploaded_image']['name'], ".");
        if ($ext != ".gif" AND $ext != ".jpg" AND $ext != ".jpeg" AND $ext != ".bmp" AND $ext != ".GIF" AND $ext != ".JPG" AND $ext != ".JPEG" AND $ext != ".BMP" AND $ext != ".png") {
            $error = "your file was an unacceptable type.<br />";
            unlink($_FILES['uploaded_image']['tmp_name']);
        }
    }
}
[/PHP]
I attempted to hack my site, I will put that on my to do list. My knowledge of hacking techniques is basic so I'll probably just do things a mischievous user would do, uploading everything possible etc.
Thanks for all the responses as well, very helpful.
|  | Site Moderator | | Join Date: Apr 2007 Location: Texas
Posts: 5,435
| | | re: Hacker Site - SQL Injection
If your site content was altered, the hacker might have used file path injection (dunno if that's the technical term for it, but it sure sounds legit).
Here's an example. Suppose I had a site that saved uploaded files to an uploads directory. E.g.:
[PHP]
$thePfhile = $_FILES['upload'];
move_uploaded_file($thePfhile['tmp_name'], '/.../uploads/' . $thePfhile['name']);
[/PHP]
All is fine as long as $thePfhile['name'] is something benign, such as 'myImage.jpg'.
But what if I decided to name my image '../index.php'? Or '../images/home.jpg' (assuming that was the name of a navigational image on the page)?
Suddenly, we're executing a line that looks something like this:
[PHP]
move_uploaded_file('/tmp/tempfile', '/.../uploads/../images/home.jpg');
[/PHP]
Thereby overwriting a file that is not supposed to be overwritten!
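The solution I use is to verify that the end path represents the correct folder:
[PHP]
$uploads = realpath('/.../uploads');
// realpath() returns false for a file that does not exist yet, so resolve the destination directory.
$target = realpath(dirname('/.../uploads/' . $thePfhile['name']));
// strpos() takes the haystack first: the resolved directory must start with the uploads path.
if( $uploads !== false && $target !== false && strpos($target . '/', $uploads . '/') === 0 )
{
    move_uploaded_file($thePfhile['tmp_name'], $target . '/' . basename($thePfhile['name']));
}
[/PHP]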
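The two upload checks raised in this thread (a type check on the file's content rather than its extension, and keeping the destination inside the uploads folder), combined in one handler. This is an added example, not code from any poster; the function name `store_uploaded_image`, the allow-list and the random file naming are assumptions made for illustration.

```php
<?php
// Added example (hypothetical helper, not from the thread).
// Detected MIME type (from file content) => extension we store the file under.
const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Validate one $_FILES entry and move it into $uploadDir.
 * Returns the stored path; throws RuntimeException when the upload is rejected.
 */
function store_uploaded_image(array $file, string $uploadDir, int $maxBytes): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('No file was uploaded.');
    }
    // Measure the temp file itself; the reported size is only a hint.
    if (filesize($file['tmp_name']) > $maxBytes) {
        throw new RuntimeException('Image file is too large.');
    }

    // Decide the type from the bytes on disk, never from the client-supplied name.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!is_string($mime) || !isset(ALLOWED_IMAGE_TYPES[$mime])
        || getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('File is not an accepted image type.');
    }

    // The upload directory must exist; resolve it once to an absolute path.
    $dir = realpath($uploadDir);
    if ($dir === false || !is_dir($dir)) {
        throw new RuntimeException('Upload directory is missing.');
    }
    // Server-generated name: a client name such as "../index.php" never reaches the path.
    $target = $dir . DIRECTORY_SEPARATOR . bin2hex(random_bytes(16))
            . '.' . ALLOWED_IMAGE_TYPES[$mime];

    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not store the upload.');
    }
    return $target;
}
```

It would be called as `store_uploaded_image($_FILES['uploaded_image'], '/.../uploads', $maxfilesize)`. The uploads directory should also be configured so the web server never executes scripts stored in it.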