6 Replies - 382 Views - Last Post: 15 January 2013 - 08:47 AM

#1 Thinus du Pisanie

PHP link encryption

Posted 15 January 2013 - 05:37 AM

Good day

I have a question: our info site is being hacked and replaced with bad words. I have changed the domain username and password several times and replaced the site, but every time they hack it again.

What can I do to make it difficult, or anything to prevent it?

Can I encrypt these? Any help will be appreciated, please...
<table width="750" border="0" align="right">
  <tr>
    <td class="hjhj"><a href="../index.htm">Home</a> |<a href="about.html"> About</a> </td>
  </tr>
</table>




#2 Dormilich

Posted 15 January 2013 - 05:42 AM

Thinus du Pisanie, on 15 January 2013 - 01:37 PM, said:

I have changed the domain username and password several times and replaced the site, but every time they hack it again.

this implies that the link is not the problem. somewhere in your code is an unfixed exploit that the hackers can repeatedly use.

the first thing you should do is log every request (usually web servers do that by default). then you "only" have to find the requests that caused the content to change.

#3 Thinus du Pisanie

Posted 15 January 2013 - 05:52 AM

I am an inexperienced programmer and really have no idea what you are talking about right now.

If maybe you can be more specific

Regards

#4 Dormilich

Posted 15 January 2013 - 06:08 AM

something more specific, hm.

ok, open your web server's control panel. then go to logging (usually a bunch of text files). download the one that contains the time where your data have been changed. look for something suspicious.

a typical access log file looks like that
::1 - - [09/Jan/2012:10:09:53 +0100] "GET / HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7"
::1 - - [09/Jan/2012:10:09:53 +0100] "GET /xampp/ HTTP/1.1" 302 237 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7"
::1 - - [09/Jan/2012:10:09:53 +0100] "GET /xampp/splash.php HTTP/1.1" 200 1325 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7"
::1 - - [09/Jan/2012:10:09:53 +0100] "GET /xampp/img/blank.gif HTTP/1.1" 200 43 "http://localhost/xampp/splash.php" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7"
::1 - - [09/Jan/2012:10:09:53 +0100] "GET /xampp/xampp.css HTTP/1.1" 200 4178 "http://localhost/xampp/splash.php" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7"
::1 - - [09/Jan/2012:10:09:53 +0100] "GET /xampp/img/xampp-logo.jpg HTTP/1.1" 200 19738 "http://localhost/xampp/splash.php" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7"
::1 - - [09/Jan/2012:10:09:53 +0100] "GET /favicon.ico HTTP/1.1" 200 7782 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7"
::1 - - [09/Jan/2012:10:09:58 +0100] "GET /xampp/lang.php?de HTTP/1.1" 302 - "http://localhost/xampp/splash.php" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7"
::1 - - [09/Jan/2012:10:09:58 +0100] "GET /xampp/index.php HTTP/1.1" 200 594 "http://localhost/xampp/splash.php" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7"
::1 - - [09/Jan/2012:10:09:58 +0100] "GET /xampp/head.php HTTP/1.1" 200 1394 "http://localhost/xampp/index.php" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7"
::1 - - [09/Jan/2012:10:09:58 +0100] "GET /xampp/start.php HTTP/1.1" 200 1081 "http://localhost/xampp/index.php" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7"
::1 - - [09/Jan/2012:10:09:58 +0100] "GET /xampp/navi.php HTTP/1.1" 200 4620 "http://localhost/xampp/index.php" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7"
::1 - - [09/Jan/2012:10:09:58 +0100] "GET /xampp/img/xampp-logo-new.gif HTTP/1.1" 200 4878 "http://localhost/xampp/head.php" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7"
::1 - - [09/Jan/2012:10:09:58 +0100] "GET /xampp/img/head-fuer.gif HTTP/1.1" 200 776 "http://localhost/xampp/head.php" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7"
::1 - - [09/Jan/2012:10:09:58 +0100] "GET /xampp/img/head-windows.gif HTTP/1.1" 200 1362 "http://localhost/xampp/head.php" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7"
::1 - - [09/Jan/2012:10:09:58 +0100] "GET /xampp/xampp.js HTTP/1.1" 200 573 "http://localhost/xampp/navi.php" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7"


(only much much longer)

the interesting part is the string between "GET" (resp. "POST") and the string "HTTP". look for data that should not be there.

next is, where are your data stored, text files, database? depending on that inspect the PHP code that adds those data. is there a security hole (SQL Injection)? basically all parts where you don't thoroughly check the submitted data bear a possible exploit. if you find such a place, fix it.

#5 Thinus du Pisanie

Posted 15 January 2013 - 06:11 AM

It is just an info site: no usernames, no passwords, no database.

#6 Dormilich

Posted 15 January 2013 - 06:36 AM

then you save the pages as (HTML) text files? then you can narrow down the attack time by checking the modification dates of the files.
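
The two checks suggested in posts #4 and #6 (read the request string in the access log, and narrow the time using file modification dates) combined into one script, as an added example that is not part of any post in this thread. It assumes an Apache combined-format log like the sample above; the function names, sample lines, IP addresses and paths are constructed for illustration.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Apache "combined" log line, the format of the sample log in post #4.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def modified_time(path):
    """Modification time of a changed page as a timezone-aware datetime."""
    return datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)

def requests_before_change(log_lines, modified_at, window_minutes=10):
    """Requests shortly before modified_at that send data to the server:
    write methods (POST/PUT/DELETE) or any target with a query string."""
    start = modified_at - timedelta(minutes=window_minutes)
    hits = []
    for line in log_lines:
        rec = parse_line(line)
        # Unparseable lines are skipped here; review them by hand as well.
        if rec is None or not (start <= rec["time"] <= modified_at):
            continue
        if rec["method"] in ("POST", "PUT", "DELETE") or "?" in rec["target"]:
            hits.append((rec["time"].isoformat(), rec["ip"], rec["method"],
                         rec["target"], rec["status"]))
    return hits

# Constructed sample lines (documentation IP ranges, hypothetical paths).
SAMPLE_LOG = [
    '198.51.100.9 - - [14/Jan/2013:21:30:00 +0200] "POST /form.php HTTP/1.1" 200 31 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [14/Jan/2013:22:01:10 +0200] "GET /index.htm HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [14/Jan/2013:22:03:41 +0200] "GET /contact.php?msg=hello HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [14/Jan/2013:22:04:02 +0200] "POST /form.php HTTP/1.1" 200 31 "-" "Mozilla/5.0"',
]
# Constructed stand-in for modified_time("index.htm") on the changed page.
SAMPLE_CHANGE = datetime(2013, 1, 14, 22, 5, 0, tzinfo=timezone(timedelta(hours=2)))

if __name__ == "__main__":
    for hit in requests_before_change(SAMPLE_LOG, SAMPLE_CHANGE):
        print(*hit)
```

File modification times can be reset by whoever changed the file, so treat the window as a starting point. A changed page with no matching web request in the window means the write came through some channel other than the web server.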

#7 CTphpnwb

Posted 15 January 2013 - 08:47 AM

They might not be hacking your site directly. If you allow ftp access they may be logging in using that, either anonymously (you shouldn't allow this) or they might have sniffed your password as it's sent "in the clear" when using ftp.