Hacked :(
Mata
post Feb 17 2011, 04:08 PM
Post #1


'Trouble Down Pit' now online!

Group: Admin
Posts: 10,206
Joined: 22-February 03
From: Southern UK
Member No.: 1
Gender: Male



So, this site (and every other site that I host) was hacked in the past twelve hours. It might be a good idea to run a virus check on your machine.

Sorry about this - my site became hosted by a new company about six months ago and there seem to be a lot more breaches since this new company took over.

The telltale sign of a hack is often a tiny square, just a few pixels wide and tall, usually at the very top or the very bottom of the screen. If you see one of these then please let me know immediately.


--------------------
Trouble Down Pit: Still updated every Monday and Friday
The Matazone Games blog
The Matazone Shop The Matazone Blog
The Matazone Corset Shop: Snobz corsets at 10% off their recommended price!
Replies
SPEAKERfortheLOS...
post Feb 20 2011, 01:27 PM
Post #2


Transdimensional Traveler

Group: Established Members
Posts: 1,322
Joined: 20-August 04
From: Somewhere in the Æther
Member No.: 1,244
Gender: Secret



Thanks for agreeing. Working as the network administrator for a fairly large medical practice I come across this problem all the time. Unfortunately, before I came on board, the practice had an issue with data security and couldn't manage to get rid of the Conficker worm/virus due to their issues. It's just amazing what out-of-date software and bad passwords can cause.

<pulpit>

The tenets of the Network Security religion are:
1. STRONG PASSWORDS
2. UP-TO-DATE SECURITY SOFTWARE
3. UP-TO-DATE APPLICATION SOFTWARE
4. MINIMAL USER RIGHTS
5. RTFM

</pulpit>



--------------------
It is by caffeine alone I set my mind in motion,
It is by the beans of Java that thoughts acquire speed,
The hands acquire shaking, the shaking becomes a warning,
It is by caffeine alone I set my mind in motion.


Jack of all trades, master of none,
though offtimes better than master of one.

Carpe Noctem, pro cras nos necemus
Carpe Diem, pro hodie nos mutiamo

MataTeachesMeLud...
post Feb 20 2011, 02:15 PM
Post #3


Member

Group: Established Members
Posts: 10
Joined: 8-January 11
Member No.: 16,804
Gender: Secret



QUOTE (moooooooooooooooooooooooooop @ Feb 20 2011, 12:03 AM) *
QUOTE (MataTeachesMeLudology @ Feb 19 2011, 10:10 PM) *
And next to that, injecting data into a page is useless, as it's stored on your own computer. You'd be doing nothing at all. You'd have to send something to the server.

Are you quite sure of that? I was suggesting someone could inject some Javascript.

Did you realise that Javascript is perfectly capable of sending off asynchronous HTTP requests? There is protection against cross site requests in browsers but I can think of a few exploits where sending a request to the server on which the forum is hosted would be enough. I'm not going to post any details as I'm sure Mata wouldn't appreciate it.
What happens when you go to a webpage is that you download the file that the server prints out for you. So, being on this page, you're currently given index.php. Javascript is embedded in this page, and browsers can read and run it, but it is in no way run on the server or handled by it. You can do HTTP requests in Javascript, but it would just be the same as sending HTTP requests using a pure packet sender or using your browser (besides the fact that it's actually not asynchronous, but it wouldn't matter much). So, basically, you're doing a strange workaround.

For information about this sending technique: http://en.wikipedia.org/wiki/Ajax_%28programming%29
I highly advise you to look into that. Especially the first sentence. And that you click on 'client-sided'.

But, the server can be quite harshly attacked by other methods. Stuff such as Register Globals being on, SQL injections, DDOS attacks, Cross-site request alterations, XSS attacks can do quite some damage.

Let me go through this, as I just finished up my optimisation homework and my pathfinding implementation in our gamelab project. (boast boast)

First off: SQL injections. Probably the best-known ones. The server accepts POST and GET variables; these are variables sent by HTML forms or by links (or standard static HTML stuff, anything really) for contact with the server.

This is quite a cool method. Let's say we've got a URL like this: http://jamesbond.com/profile.php?user=MataTeachesMeLudology.
The site will most likely show a profile page for the user MataTeachesMeLudology. But there's more behind it. Most likely, the site is running on the PHP language with a SQL setup. The PHP script will see that you've entered a new variable, user, and that it is MataTeachesMeLudology. So it asks the SQL database to get the user MataTeachesMeLudology with the following pseudo-SQL instruction:
"SELECT * FROM 'site_users' WHERE 'username' = 'MataTeachesMeLudology' LIMIT 1". In plain English that means "Hey, give me all the info for the user with the name MataTeachesMeLudology, oh yeah, I just need one result (LIMIT 1)". What happens next is PHP receives that info and puts whatever it should know into the page.

But what if you change the name MataTeachesMeLudology to something else? It would get the result for that. Now, do note that in the SQL result everything is wrapped in '-signs. These are the limits of that instruction. But, on unsafe software (and older PHP versions) you can exploit these limits. Let's change the user to something else.

http://jamesbond.com/profile.php?user=' OR password = '123456

What the duck did you just do? Let me explain. So, the server will do the exact same as it did before (It does not see you're changing the instruction), so the instruction to the database will be:
"SELECT * FROM 'site_users' WHERE 'username' = '' OR password = '123456' LIMIT 1", or, in English that is "Yo database, I need all the info for the user with the username '' or whoever has the password 123456.. Oh yeah, limit the result to 1 person." PHP thinks "' OR password = '123456" is the username you wanted, while the SQL server thinks it's part of the instruction.
The database will answer this call, and give you the result of whoever's password is that.

So much worse can be done with this. Luckily, PHP prevents this in newer versions by default, and every larger software distribution prevents these exploits (Wordpress, etc.)

Second, DDoS attacks. These are nasty little things. Basically, you get a group of 14-year-old kids and make all of them send massive amounts of requests to the server using programs. MASSIVE amounts. The server will try to answer all of these, but can't keep up and dies a slow and painful death.

DDoS attacks are usually aimed at weak spots of a website, so register pages, mail scripts, feedback buttons, that sort of thing. You can prevent these with captchas. These lovely solutions make it impossible for applications to fill in forms as they should be filled in, because they require human input (you need to read an image, or answer a question).

But overall, you can't protect yourself enough from these. But they don't count as hacks; they just make your site very slow or kill it, at most.

Register Globals. This is basically a setting that was used in older versions. Turn it off if you have the option to. It puts GET and POST in independent variables. When you have the URL http://jamesbond.com/profile.php?user=james, it would create $user and put james in it. If you were already using $user, it would be overwritten and the site could behave in the way the hacker wants it to.

Cross-site request alterations are basically requests to other sites. Check http://en.wikipedia.org/wiki/Cross-site_re...characteristics out for a very good example.

XSS can be a user-specific attack, where you steal the cookie of a user on that computer. These cookies contain info about the user that identifies them to the website (they make you log in on forums, for example). You could steal this cookie from one's computer and use it as your own, in the hope that you will become logged in as that user. If this is an admin, you can do quite some damage. PHP sessions are used by larger web software (such as forums or WordPress) and store an ID of that session in a cookie, so you can't read the content of whatever the site holds to identify you. You can prevent this in multiple ways, and this is incorporated into larger web software.

So, if the site was hacked, it was probably a Mata-specific problem, someone targeted his computer with a keylogger and exploited the forums. If the site was simply attacked, (as in, "dawg your site is deeeeaaaad") it was a DDOS attack (which are very popular lately).

QUOTE
QUOTE (MataTeachesMeLudology @ Feb 19 2011, 10:10 PM) *
An up-to-date browser USUALLY (as in, almost always, but there are small exceptions) does not allow applications to be stored on your computer under any circumstances without properly notifying the user about this. Next to that, the latest versions of Windows automatically detect whenever an application that was downloaded from the internet or comes from a questionable source is trying to run, and notify the user. This means basically that the user can deny the launch of any unwanted applications as well.

Java could do stuff to your computer, but you're properly notified of the fact that it's trying to do that by the Java application itself. Exploits could still happen, but that is rather unlikely.

It's all in the usually. That minority to which it doesn't apply are going to get screwed by your poor advice. The others won't be terribly inconvenienced so I still consider it a fairly irresponsible thing to say.
It is in the usually indeed! I can safely say that 99% of the time software does not contain damaging vulnerabilities. That is, when you download only applications that are advised, massively used by others, under heavy inspection, and in a stable version.

QUOTE
QUOTE (MataTeachesMeLudology @ Feb 19 2011, 10:10 PM) *
I'd only do this if Mata keeps your passwords stored without a hash. Which, by standards, he'll probably do. (I don't see him changing the source code of IPS, no offence)

Why must you get so uppity every time anyone offers people decent advice? I think speaker was talking about Mata's passwords for administering the server, rather than every user.

Why bother with this sentence if you're immediately going to point out that it's probably bad advice in the next? It doesn't impart any information and is just confusing.
What I pointed out with this sentence is that Mata probably installed the IPS software using the wizard, set the settings, created forums, installed some plugins he liked and left it as it was. IPS most likely (REAL LIKELY) stores passwords as hashes, which makes them unreadable for the admin or anyone that can access the database (whether it is allowed or not). If he'd changed the passwords to be stored in normally viewable form, anyone with access could read these passwords and use them in any way they wish. But that would require Mata to have PHP knowledge and actually know how to make that come out the right way, without bugs, which is, unless you wrote the IPS code yourself, hard to do.


What do I want to point out with this post?

You're pretty safe. Use your virus scanner as you wish, but please do understand that people can't reach you that easily. I honestly believe that some people actually are afraid to go to a webpage without running their virus scanner every time they land on a new page. It's pretty safe; every piece of software is trying to prevent you from getting viruses (except for the viruses, of course, hehe), besides applications that don't give a shit whether you get viruses or not (like some torrent applications, or other P2P applications... but you're doing illegal stuff whenever you're doing that, so basically you get what you deserve if you don't know what you're doing.)

I am saying 'usually' or 'almost always' or anything related to that a lot. This is basically to prevent the use of fallacies in my sentences, (as I expect with implying expertise in my comments). Specifically I am trying to prevent the generalisation fallacy. Look that up if you wish.


TL;DR: I trust Mata with the contents of my harddrive and whatever is going to be put on it
QUOTE (SPEAKERfortheLOST @ Feb 20 2011, 02:27 PM) *
Thanks for agreeing. Working as the network administrator for a fairly large medical practice I come across this problem all the time. Unfortunately, before I came on board, the practice had an issue with data security and couldn't manage to get rid of the Conficker worm/virus due to their issues. It's just amazing what out-of-date software and bad passwords can cause.

<pulpit>

The tenets of the Network Security religion are:
1. STRONG PASSWORDS
2. UP-TO-DATE SECURITY SOFTWARE
3. UP-TO-DATE APPLICATION SOFTWARE
4. MINIMAL USER RIGHTS
5. RTFM

</pulpit>
As a professional web developer I agree with these. Although the last one should have 'Or at least the Ducking instructions on-screen'.
Reason for edit: No swearing please.
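The profile.php?user= walk-through in the post above, run end to end as an added example. This is editor's code, not anything from the thread or from IPS; Python with sqlite3 stands in for the PHP/MySQL pair the post describes, the site_users table and its usernames and passwords are constructed for the demo, and the passwords are kept in clear text only so that the post's ' OR password = '123456 payload has something to match. It also goes one step past the post and shows the parameterised query that closes the hole.

```python
import sqlite3

# Constructed sample data for this example; the names and passwords are made up.
# Clear-text passwords mirror the post's pseudo-SQL; a real site stores salted hashes.
SAMPLE_USERS = [
    ("MataTeachesMeLudology", "correct horse"),
    ("jamesbond", "123456"),
    ("q", "hunter2"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory 'site_users' table populated with SAMPLE_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute("CREATE TABLE site_users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO site_users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, user: str):
    """Vulnerable lookup: the GET value is spliced into the SQL text, exactly as
    the post describes, so quote characters inside it become part of the
    instruction the database parses."""
    sql = f"SELECT * FROM site_users WHERE username = '{user}' LIMIT 1"
    return conn.execute(sql).fetchone()


def find_user_safe(conn: sqlite3.Connection, user: str):
    """Fixed lookup: the value is bound as a parameter. The database receives the
    query text and the value separately, so a quote in the value stays data."""
    sql = "SELECT * FROM site_users WHERE username = ? LIMIT 1"
    return conn.execute(sql, (user,)).fetchone()


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR password = '123456"
    hit = find_user_vulnerable(conn, payload)
    print("vulnerable:", dict(hit) if hit else None)   # the jamesbond row
    print("safe:", find_user_safe(conn, payload))      # None
```

Run it and the vulnerable lookup returns the row whose password is 123456, while the parameterised lookup returns nothing, because the bound value never reaches the SQL parser. Note that LIMIT 1 is no protection either: the payload ' OR '1'='1 makes the WHERE clause true for every row and the vulnerable query simply hands back the first one.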
Polynomial
post Feb 20 2011, 05:48 PM
Post #4


Novice Guppy

Group: New Members
Posts: 1
Joined: 20-February 11
Member No.: 17,057
Gender: Male



I happened upon this thread whilst lurking and decided to sign up just to say how much I agree with MTML here. To say he speaks the truth is an understatement.

Nearly all website hacks are SQL injection related these days. There are a few cases where underlying services (httpd, ftpd, etc) are vulnerable, but the vuln report counts are several orders of magnitude lower than SQL injection flaws in CMS software.

I'd also like to add that password hashes alone are no longer secure. Even if you're using SHA1, short passwords can be cracked in a few minutes and simple passwords are easy to recover from a whole array of hash lookup database sites. The only way to truly secure them is to append a random salt value to the password before hashing, which is stored along with each individual user. For example:
CODE
<?php
$pass = 's3cret_p4assword';
$salt = 'UPr!qlZMyA/w#5et'; // generate at random for each user and store it next to the hash
$hash = sha1($pass . $salt);   // store $hash and $salt; recompute from the stored salt at login

You can then look up the salt from the table when the user logs in and use that with the password to generate the salted hash. This prevents database lookups and rainbow table attacks. However, users still need to choose secure passwords.

Anyway, as MTML said, update frequently. And, if you can, modify the core of IPB to detect and filter SQL injections.
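The per-user salt scheme from the post above, written out as an added example in Python. This is editor's code, not the thread's or IPB's: salted_sha1 is the post's sha1($pass . $salt) line, unsalted_sha1 is the scheme the post warns against, and the choice of 16 random bytes from os.urandom stored hex-encoded is an assumption rather than anything the post specifies.

```python
import hashlib
import hmac
import os


def unsalted_sha1(password: str) -> str:
    """The scheme the post warns about: identical passwords give identical hashes,
    so one precomputed lookup table (or rainbow table) cracks every user at once."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_sha1(password: str, salt: bytes) -> str:
    """sha1(password . salt), the post's PHP snippet; salt goes after the password."""
    return hashlib.sha1(password.encode() + salt).hexdigest()


def register(password: str) -> dict:
    """Create the per-user record: a fresh random salt plus the salted hash.
    Both are stored. The salt is not secret; it only has to be unique per user.
    16 bytes from os.urandom is this example's choice (assumption, not from the post)."""
    salt = os.urandom(16)
    return {"salt": salt.hex(), "hash": salted_sha1(password, salt)}


def verify(record: dict, password: str) -> bool:
    """Re-derive the hash with the stored salt and compare in constant time, so the
    comparison itself leaks nothing about how many leading characters matched."""
    salt = bytes.fromhex(record["salt"])
    candidate = salted_sha1(password, salt)
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    # Two users who picked the same weak password (constructed example input).
    alice, bob = register("123456"), register("123456")
    print("unsalted, identical for both:", unsalted_sha1("123456"))
    print("alice:", alice)
    print("bob:  ", bob)
    print("login ok:", verify(alice, "123456"), "wrong pw:", verify(alice, "1234567"))
```

Registering the same password twice yields two different salts and two different hashes, so a table built for one user is useless against the next, which is exactly the lookup-database and rainbow-table point the post makes; verify() recomputes with the stored salt rather than ever storing the password. Salting fixes precomputation but not speed: a single SHA-1 is still fast enough to brute-force short passwords, so a practitioner today would swap salted_sha1 for a deliberately slow password hash (PBKDF2, bcrypt, scrypt or Argon2) and keep the rest of this block as it is.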