getting hacked

[[email protected]]

http://www.uwsofny.org/

keeps getting hacked, i have a text editor on the back end fckeditor to be precise. i checked for sql injection and dont thing thats the cause as it dint let me in.

any help.

[PeejAvery]

The first thing I would do is upgrade to the latest version of the WYSIWYG editor. FCKeditor no longer exists...it's now CKeditor as of 3.0 and beyond.

Second, go through your activity logs around the time that the home page was modified. This will give you a list of all connections made. The hack time and activity will be recorded in there. It's just a matter of finding it.

Lastly...What do you mean by "dint let me in?" SQL injection doesn't grant access, it simply masks the query into multiple parts. Either way, unless you are escaping your query string variables, this still makes the most sense.

[[email protected]]

The first thing I would do is upgrade to the latest version of the WYSIWYG editor. FCKeditor no longer exists...it's now CKeditor as of 3.0 and beyond.

Second, go through your activity logs around the time that the home page was modified. This will give you a list of all connections made. The hack time and activity will be recorded in there. It's just a matter of finding it.

Lastly...What do you mean by "dint let me in?" SQL injection doesn't grant access, it simply masks the query into multiple parts. Either way, unless you are escaping your query string variables, this still makes the most sense.

Well i think i am using CKeditor, was fck before so just keep calling it that.

Secondly where can i find the activity log, its hosted with godaddy.

Thirdly what i mean by dint let me in is.... i tried to mask the query into multiple parts like entering the username and password like

Code:

admin' or '1=1

and it dint let me in.....

below is the code that i use to authenticate and i think it was u (peejavery) who helped me with it a couple of years ago.

Code:

$myusername=$_POST['username']; 
$mypassword=$_POST['password']; 

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1)
{
	// Register $myusername, $mypassword and redirect to file "login_success.php"
	$info = mysql_fetch_array($result);
	 $_SESSION['uid']=$info['user_id'];
 	$_SESSION['screenname']=$info['name'];

	session_register("myusername");
	session_register("mypassword"); 
	
		  header("location:view/items_list.php");
		
}
else 
{
header("Location:index.php?id=notLogin");
}

??

[PeejAvery]

Not sure where GoDaddy's logs are. They would be somewhere in your control panel, or on your FTP server.

As for the SQL injection...you're only looking at your login code. If this is SQL injection, then it wouldn't have happened from the login...because you have that secured. It would have happened from another query. Most likely through the URL where you have page ids.

[[email protected]]

Not sure where GoDaddy's logs are. They would be somewhere in your control panel, or on your FTP server.

As for the SQL injection...you're only looking at your login code. If this is SQL injection, then it wouldn't have happened from the login...because you have that secured. It would have happened from another query. Most likely through the URL where you have page ids.

ok i understand. but if they cannot go past the login their session would never register so they would never be able to get in using the url?

even if they did how can i secure the url id's that i am getting.... should i again escape those id's before using them?

[PeejAvery]

but if they cannot go past the login their session would never register so they would never be able to get in using the url?

I'm not talking about them actually accessing the administrative side. There are pages in that site visible to the public that have page IDs. Those IDs are passed through the URL (i.e. http://www.uwsofny.org/info_page.php?pageid=10).

Every variable that comes from, or has interaction with, a human NEEDS to be escaped!!!

[[email protected]]

I'm not talking about them actually accessing the administrative side. There are pages in that site visible to the public that have page IDs. Those IDs are passed through the URL (i.e. http://www.uwsofny.org/info_page.php?pageid=10).

Every variable that comes from, or has interaction with, a human NEEDS to be escaped!!!

when you say needs to be escaped you mean to say i need to use addslashes() right??

My magicquotes is on so doesnt that escape all GET POST and COOKIE DATA.

ALSO PLEASE COULD YOU GIVE ME A BRIEF EXAMPLE OF HOW SOME BODY WOULD GET INTO THE SYSTEM OR CHANGE CONTENT MANIPULATING THE URL THAT YOU SHOWED ABOVE, I WISH TO LEARN.

[PeejAvery]

Use mysql_real_escape_string(), not addslashes(). SQL injection can still happen with addslashes() when processing multibyte strings.

Magic quotes are dangerous and are deprecated finally in PHP6. Having to code conditionally for them is just a pain and waste of code.

I'm sorry, but I could not post an example. It would violate the forum's Acceptable Use Policy.