Hi,

Could someone tell me how an unused blog could be used by someone, or something, to attack other servers? Apparently someone was running a community dating service from my unused blog, but how?

I had my sites shut down because of a security problem, which turned out to involve this unused blog.

Everything has since been restored, after the removal of the blog.

I would really appreciate some information as to how this can happen, and how I can prevent it ever happening again.

neelloc21:confused:

Hi,

Could someone tell me how an unused blog could be used by someone, or something, to attack other servers? Apparently someone was running a community dating service from my unused blog, but how?

I had my sites shut down because of a security problem, which turned out to involve this unused blog.

Everything has since been restored, after the removal of the blog.

I would really appreciate some information as to how this can happen, and how I can prevent it ever happening again.

neelloc21:confused:

You read about stuff like this while you are learning the ropes of web programming ... ie, why you should use htmlspecialchars() to remove any possibility of someone patching in some code into text fields. I've never really understood how it's done and I don't think many really do except to accept that it can be done. Just because you think you took the blog offline doesn't mean that it can't be used by someone if it is still in your directory. The hacker runs scripts to find those things by testing your web root directory for code and if they find it, they move in to play their game. That web dating service probably wasn't legit and likely served to scam people. Glad to hear you were able to clean up your site.

Hi Brian,

Thanks for your reply.

Re the htmlspecialchars() not sure what that means?

I gather whatever is in my directory can be open to hacking, so by using htmlspecialchars(), does this ensure security?

My lack of techie expertise has me worried now, it presents a good argument for learning the basics before building sites.

neelloc21

Hello to all ,
My dating site has been suspended 3 times in 4 days or so just cuz i couldn find all the backdoors and fix the problem with the secuity hole on my website ( currently runing dolphin 6.1.2 )
well an old blog means old version of blog software >>> bigger chance for security holes and attacker exploiting them and compromising you and your account :)
also as far as i know the htmlspecialchars() function is used to filter search feild from using chars like ">"<"*" etc .. which prevents code to be executed and again allowing attacker compromise your site and account
I hope that was helpful enough

For input fields to be properly secure they need to be properly validated so that their content is valid for that field.

Since there is sometimes a conflict in meaning with certain characters such as < > & ' " etc there are functions provided that convert these characters to a different format where their regular appearance may take on the wrong meaning.

htmlspecialchars() is one of these functions and is used where you are going to display content on a web page where that content may contain characters that might be misunderstood to be HTML rather than content. The function converts the < > & etc so that they display as that on the web page instead of being interpreted as HTML commands. It has nothing whatever to do with security ina database but simply to do with properly displaying content in a web page.

Another function is mysql_real_escape_string() which is used for content you are inserting into a mysql database where the field might validly contain characters that might be misinterpreted as part of the mysql command that is inserting or updating the database. It converts characters such as quotes in a way that allows the sql processor to identify them as a part of the content instead of a part of the sql command. You only need to use this on fields being applied to a database where the field ight validly contain characters that can be confused with the sql command itself. If a field can only contain letters, numbers, spaces and cannot not contain any % * " ' etc that have special meanings in the sql then there is no need to call that function. It is only needed where the field may validly contain characters that may be misinterpreted as part of the sql.

In both cases you need the function for your content to be processed correctly when it contains specific characters. If your data can never validly contain any of those characters then you would never need to use those functions since the problem characters will never get past your validation of the field in order to be a problem.

Security holes are caused by not properly validating the field when it is first input. If you let people enter invalid data into fields and don't flag it as an error then by typing certain values into a field someone can use that field to modify the sql command that is updating the database in order to change what the command does or update the source of your HTML for a generated web page to include their HTML as well as yours.

Thanks to Aviatrix and Felgall for your helpful replies.
neelloc21