View Full Version : My php site has been hacked thrice in 3 weeks - Can anybody help me please?
Ginger
09-02-2008, 10:19 AM
Dear all,
Please, my PHP site was hacked three times in 3 weeks, the first two times by the same person it seems. Unfortunately, Bluehost told me it was a problem on my end and that I had to plug security holes in my code. I did my best, but it seems that wasn't enough.
Today another attempt was made, successfully, although this time the fellow was only able to put an index.html file in my root folder (I had changed the password a zillion times!). I removed that and the site is back, but I know it's only temporary. There was even a request from IP 213.6.80.177 to Bluehost for my login details.
I'm way out of my depth. Please, is there someone in-house who can help me take a look at my site (I will pass on the login details)? Pleeaassseeee!!!
redsox9
09-02-2008, 10:46 AM
Are you using third-party software, like WordPress or a CMS? It's important that you have those updated to the current versions. Part of the reason is that updates resolve security holes that have been found in past versions. It's likely that the hacker has found one of those holes.
If not, then you may want to take down your site until you or someone with coding experience reviews your code for these holes.
From what you've described, it sounds like the former.
Ginger
09-02-2008, 11:26 AM
Hi RedSox9, thanks for your reply. No I'm not using third-party software. The php was coded from scratch.
redsox9
09-02-2008, 12:03 PM
Do you have any form input fields? It's possible there may be something there that compromises the integrity of the code.
Ginger
09-02-2008, 01:11 PM
Do you have any form input fields? It's possible there may be something there that compromises the integrity of the code.
Yes I do - for login. I'll check those, thanks.
Wikipedia has a decent write up on SQL Injection which may be the vector into your site.
http://en.wikipedia.org/wiki/SQL_injection
BenInBlack
09-04-2008, 11:24 AM
I have all my input pass through functions; I never directly use $_POST or $_REQUEST.
// Reads one request parameter, strips everything outside a small whitelist of
// characters, and publishes the result as a global variable named $varname
// (or $argname when no separate variable name is given).
function chkArgFiltered($argname, $varname = "", $defaultval = "") {
    if ($varname == "") {
        $varname = $argname;
    } else {
        $varname = str_ireplace(".", "", $varname);
    }
    if (isset($_REQUEST[$argname])) {
        // ereg_replace() was removed in PHP 7; preg_replace() with the same
        // character class keeps only letters, digits, . - & space and @.
        $filteredValue = preg_replace('/[^0-9a-zA-Z.\-& @]/', '', $_REQUEST[$argname]);
        $GLOBALS[$varname] = $filteredValue;
    } else {
        $GLOBALS[$varname] = $defaultval;
    }
}
and I filter out non-normal chars.
Also, all my SQL passes through prepared statements.
Example (mysqli; "table", "col1", "col2" and "id" are placeholder names):
// The values are bound as parameters and never concatenated into the SQL text.
$template = "UPDATE table SET col1 = ?, col2 = ? WHERE id = ?";
$stmt = $conn->prepare($template);
$stmt->bind_param("ssi", $col1, $col2, $id); // s = string, i = integer
$stmt->execute();
You can also try something like this with the login query:
// this function stops injection attacks on data in queries
// ($conn is the open mysqli connection; the old mysql_* API was removed in PHP 7)
function quote_smart($conn, $value)
{
    // magic quotes were removed in PHP 5.4 and get_magic_quotes_gpc() in PHP 8,
    // so guard the call to keep this running on newer PHP
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    $value = trim($value);
    if ($value == '') {
        $value = 'NULL';   // unquoted SQL NULL for an empty field
    } else {
        $value = htmlspecialchars($value, ENT_QUOTES);
        $value = "'" . mysqli_real_escape_string($conn, $value) . "'";
    }
    return $value;
}

/* SQL statement to query the database */
// A function call is not interpolated inside a double-quoted string, so concatenate it.
$query = "SELECT * FROM Users WHERE Auth_Userid = " . quote_smart($conn, $_POST['userid']);
Ginger
09-05-2008, 02:05 AM
Guys, I'm very grateful for these tips. I'm implementing them all, thanks!
felgall
09-05-2008, 03:45 AM
Validate each input field for what is valid for that field. In many cases you will not need to use the functions to handle certain special characters because those characters are not valid for that field in the first place.
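To tie the advice in this thread together, here is an added example (not code posted by anyone above) that shows the SQL-injection vector redsox9 pointed at, a login lookup built by string concatenation, next to a hardened version that first validates the field for what a user id may contain (felgall's point) and then runs a prepared statement with a bound parameter (BenInBlack's approach). It runs offline against an in-memory SQLite database via PDO, so the `Users` table, the `Auth_Userid`/`Pass_Hash` columns and the sample account are constructed for the demo, not taken from Ginger's site.

```php
<?php
// Added example, not code from the thread. Vulnerable and hardened login
// lookups side by side, against an in-memory SQLite database so it runs
// offline. Table and column names are assumptions for the demo.
declare(strict_types=1);

function setup_db(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    $db->exec('CREATE TABLE Users (Auth_Userid TEXT PRIMARY KEY, Pass_Hash TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO Users (Auth_Userid, Pass_Hash) VALUES (?, ?)');
    // constructed sample account; only the password hash is stored
    $ins->execute(['ginger', password_hash('correct horse battery staple', PASSWORD_DEFAULT)]);
    return $db;
}

// VULNERABLE: the attacker's text is spliced into the SQL grammar. The input
// ' OR '1'='1 turns the WHERE clause into a tautology and a row comes back
// without any password being known.
function vulnerable_lookup(PDO $db, string $userid): ?array
{
    $sql = "SELECT Auth_Userid, Pass_Hash FROM Users WHERE Auth_Userid = '" . $userid . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// First line of defence: accept only what a user id is allowed to look like.
// Quotes, spaces and comment markers are simply not valid here, so they are
// rejected outright rather than escaped or filtered out.
function valid_userid(string $userid): bool
{
    return preg_match('/\A[A-Za-z0-9_.-]{3,32}\z/', $userid) === 1;
}

// HARDENED: validated input, then a prepared statement so the value is bound
// as data and never parsed as SQL, then a hash comparison for the password.
function safe_login(PDO $db, string $userid, string $password): bool
{
    if (!valid_userid($userid)) {
        return false;
    }
    $stmt = $db->prepare('SELECT Pass_Hash FROM Users WHERE Auth_Userid = ?');
    $stmt->execute([$userid]);
    $hash = $stmt->fetchColumn();
    if ($hash === false) {
        return false; // unknown user
    }
    return password_verify($password, (string) $hash);
}

$db   = setup_db();
$evil = "' OR '1'='1";

echo "vulnerable lookup with injection: ",
    vulnerable_lookup($db, $evil) !== null ? "row returned (bypass)" : "no row", "\n";
echo "hardened login with injection:    ",
    safe_login($db, $evil, 'anything') ? "accepted" : "rejected", "\n";
echo "hardened login, real credentials: ",
    safe_login($db, 'ginger', 'correct horse battery staple') ? "accepted" : "rejected", "\n";
```

Run it with `php login_demo.php` (needs the pdo_sqlite extension, which ships with most PHP builds). The two layers are deliberate: the whitelist in `valid_userid()` stops bad input at the door, and the bound parameter in `safe_login()` guarantees that even input which passes validation can never change the shape of the query, so no escaping step is needed at all.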