6 Replies - 1190 Views - Last Post: 28 September 2007 - 03:01 PM

#1 Emper0r

Website getting hacked, someone please help

Posted 28 September 2007 - 02:03 PM

Hey guys, ok recently my website www.gameinfinite.com has been getting hacked by a guy named "Morgan" who's apparently from another country (as evident by the site he always links to and his e-mail). Well, for the life of me I can't figure out how he's doing what he's doing, and I'm in desperate need of help, here's what he's doing:

Every few days he edits all the .html files in my FTP and on the bottom of every page adds an iFrame code segment that makes the page redirect to one of his pages with an image and a suspicious VB script running in the background. It's clear by where the code is in the file (at the very bottom) and the indentations that he's inserting the code into my .html files somehow.

Here's the thing, everyone I ask says he's most likely doing it via MySQL injections, but the only MySQL on my website is used for my forums, which have so far been untouched by the hacker. My forums are currently using phpbb 2.0.22 and a MySQL database. Could he somehow be accessing the .html files in my FTP by going through the forums? But if he's doing that why wouldn't he mess with the forums as well? Also, I really don't think he has my username/password for the FTP because if he did he would be doing more than just adding lines of code, wouldn't he? And as I said, the code he adds is always at the very bottom of the page with a few indentations on every page, which strongly indicates some sort of external injections.

So basically what I'm asking is if you guys could visit gameinfinite.com, see if you see some sort of security hole or something I should add for security or if you have ANY ideas of how he could be doing this and how it could be stopped I'd be very, very grateful. Thank you very much to anyone who helps!

This post has been edited by Emper0r: 28 September 2007 - 02:04 PM



Replies To: Website getting hacked, someone please help

#2 Martyr2

Posted 28 September 2007 - 02:32 PM

Well, you need to run through the standard lock down procedure. You need to immediately change your FTP login and any logins you can to access your site. Then you need to check all the permissions of your HTML files and folders to make them uneditable (for the time being) from any groups other than you. I have known PHPBB to be somewhat open to possible injection problems in the past but I can't say for sure that he is going through the board. He potentially can inject through any place where the user can enter text and hit submit. Even through something as simple as a login form with a text field and a button.

If you have any form elements on your page, you will want to go through the processing scripts for those forms and see if all data is being escaped properly, that your input is being validated first for correct type before being put in a SQL query and record any queries being executed in some sort of log file or database so you can view later as to what queries are being generated.... then look for the ones that appear improper.

Be sure to also check your currently existing database data for anything referring to an iframe that can be pulled from the database and put on the page. Also check the documents in your site for any filename that doesn't appear correct to you or you don't know what it is.

Once they are in, you have to be very on top of things to get them completely out and clean that site. You essentially have to look at all data going in and out of the site and from your database as suspect.

Good luck to you.
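The file-side checks described in the reply above (permissions on the HTML files, and looking through the site's documents for injected iframe markup) can be scripted. This is an added example, not code from the thread: a Python audit that flags `.html` files writable by group/other, iframes placed after the closing `</html>` tag, and zero-size or hidden iframes. The sample pages, file names and the `example.invalid` URL are constructed.

```python
import re
import stat
import tempfile
from pathlib import Path

IFRAME = re.compile(rb"<iframe\b[^>]*>", re.I)        # opening iframe tag
CLOSE_HTML = re.compile(rb"</html\s*>", re.I)         # end of the real document
HIDDEN = re.compile(rb"""(?:width|height)\s*=\s*["']?0\b|display\s*:\s*none"""
                    rb"""|visibility\s*:\s*hidden""", re.I)

def audit_file(path):
    """Return findings for one HTML file: loose permissions, suspicious iframes."""
    findings = []
    if path.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group/other")
    data = path.read_bytes()
    closes = list(CLOSE_HTML.finditer(data))
    tail_start = closes[-1].end() if closes else len(data)
    for m in IFRAME.finditer(data):
        if m.start() >= tail_start:            # markup appended after the page ends
            findings.append("iframe after </html>")
        elif HIDDEN.search(m.group(0)):        # invisible frame inside the page
            findings.append("hidden iframe")
    return findings

def audit_tree(root):
    """Walk root and return {relative path: findings} for flagged .html/.htm files."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in (".html", ".htm"):
            found = audit_file(path)
            if found:
                report[str(path.relative_to(root))] = found
    return report

def demo():
    """Audit a constructed three-page site built in a temporary directory."""
    samples = {
        "clean.html": b"<html><body>ok</body></html>\n",
        "tail.html": b"<html><body>ok</body></html>\n"
                     b"    <iframe src=\"http://example.invalid/x\"></iframe>\n",
        "hidden.html": b"<html><body><iframe src='http://example.invalid/x' "
                       b"width=0 height=0></iframe></body></html>\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            p = Path(root, name)
            p.write_bytes(body)
            # Constructed case: clean.html is deliberately left world-writable.
            p.chmod(0o666 if name == "clean.html" else 0o644)
        return audit_tree(root)
```

Pointing `audit_tree()` at a local copy of the web root after each cleanup gives a quick list of pages that were modified again or are still writable by other accounts.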

#3 skyhawk133

Posted 28 September 2007 - 02:35 PM

Have you changed your password between hackings?

Are you using a shared hosting provider? Have you reviewed your FTP logs, HTTP logs, etc.?

Or are you just re-uploading your web site each time and waiting for it to get hacked again?

#4 Emper0r

Posted 28 September 2007 - 02:42 PM

Martyr2, on 28 Sep, 2007 - 02:32 PM, said:

Well, you need to run through the standard lock down procedure. You need to immediately change your FTP login and any logins you can to access your site. Then you need to check all the permissions of your HTML files and folders to make them uneditable (for the time being) from any groups other than you. I have known PHPBB to be somewhat open to possible injection problems in the past but I can't say for sure that he is going through the board. He potentially can inject through any place where the user can enter text and hit submit. Even through something as simple as a login form with a text field and a button.

If you have any form elements on your page, you will want to go through the processing scripts for those forms and see if all data is being escaped properly, that your input is being validated first for correct type before being put in a SQL query and record any queries being executed in some sort of log file or database so you can view later as to what queries are being generated.... then look for the ones that appear improper.

Be sure to also check your currently existing database data for anything referring to an iframe that can be pulled from the database and put on the page. Also check the documents in your site for any filename that doesn't appear correct to you or you don't know what it is.

Once they are in, you have to be very on top of things to get them completely out and clean that site. You essentially have to look at all data going in and out of the site and from your database as suspect.

Good luck to you.


Thank you very much for the response. Well, I do have some fairly simple forms that visitors can use to contact members of the site. Here's one of the forms:

http://www.gameinfin...D2_Contact.html

Can you see any source code in there that could be potentially exploited?

I've checked all the databases, I've changed all the passwords. Also, the only one who has the permission to write on any of the .html files is me (the owner). However, I think I'll disable that for the time being to see if that will stop him.

Thanks again.

#5 skyhawk133

Posted 28 September 2007 - 02:54 PM

If you are in fact using the latest version of PHPBB, I don't see anything right off the bat.

Is this a shared web host?

#6 Emper0r

Posted 28 September 2007 - 02:58 PM

skyhawk133, on 28 Sep, 2007 - 02:54 PM, said:

If you are in fact using the latest version of PHPBB, I don't see anything right off the bat.

Is this a shared web host?


No, the only person with access to the FTP is me; the hosting is done by netfirms.com.

One of the Netfirms tech support guys mailed me a way of how he might be doing it; I don't feel secure posting it in a public forum, however. Mind if I private message you with the e-mail he sent so you can share your thoughts?

#7 Martyr2

Posted 28 September 2007 - 03:01 PM

Well you definitely have some problems with those forms there because I was able to put in a crap name and send it without anything else. Look in the file contactscript7.php in your Contact Forms folder and make sure that all values coming from the fields name, email, and msg are properly escaped and also check to make sure they are not null.

I would suggest you post the code from that script here, but I am not too sure that would be a wise thing right now.

You could try a private message to me and I can take a look.

This post has been edited by Martyr2: 28 September 2007 - 03:02 PM
