Website being hacked! Someone is deleting all posts!

Hey guys,

I logged on to edit my website today to find that most of my forum posts have been deleted!

I have no idea how they have done this....

I have made sure all $_GETs and $_POSTs are run through mysql_real_escape_string, and I just can't find out how they are doing it.

Can anyone offer me guidance to find the errors?

I can provide access to the site to find the error itself.

Anything to prevent my hard work being destroyed.
runnerjp2005 asked:
theGhost_k8 (Database Consultant) commented:
First check the database to see whether the data is still there.
Make sure your application is fetching properly and that error handling is in place.
Also, you should be aware of SQL injection attacks and write your code accordingly.
If you know a bit about the OS, you can verify the activity on the server.
jet-black commented:
Also, it may be because of a privileges error in your software.
runnerjp2005 (Author) commented:
Data is gone from the db.

My privileges are set so only Admin and uid = 1 can delete posts.

I have used mysql_real_escape_string on anything entering and leaving the db to prevent SQL injection attacks.

BenMorel commented:
There are so many other ways to hack a website / server...
Don't you have a backup?
runnerjp2005 (Author) commented:
No... thankfully I'm in the test phase.

For the time being I think I might log all logins with date, time, IP etc.,
all errors (how would I create an error log so I can record username, IP and the error made at the time?)
and all deletions etc. made by users.

Try to track down how and who is doing it.
jet-black commented:
Maybe your database allows remote connections and the attacker found your password with a brute-force attack.
We can't say just one thing, because several hacking techniques exist.
theGhost_k8 (Database Consultant) commented:
If you have the general query log / binary log enabled you may at least track details about the delete queries.
On Linux you may check the access logs to see user activities.
runnerjp2005 (Author) commented:
I'm on a shared host and sadly they don't allow access to those files....

What I will do is somehow create my own!
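The logging the poster wants (logins, errors and deletions recorded with username, IP and time), as an added example that is not part of the thread: an application-side audit log in PHP for a shared host where the MySQL general/binary logs and the web server logs cannot be read. The log path, the username and the IP below are constructed for the demo; in the real forum they would come from configuration, the session and $_SERVER['REMOTE_ADDR'].

```php
<?php
declare(strict_types=1);

// Added example, not the thread's code. One JSON object per line, appended under
// an exclusive lock, so the file can be grepped or loaded later without parsing.
function auditLog(string $logFile, string $user, string $ip, string $event, array $details = []): void
{
    $entry = [
        'ts'      => date('c'),      // ISO 8601 with timezone
        'user'    => $user,          // must be the SESSION user, never a form field
        'ip'      => $ip,
        'event'   => $event,
        'details' => $details,
    ];
    file_put_contents(
        $logFile,
        json_encode($entry, JSON_UNESCAPED_SLASHES) . "\n",
        FILE_APPEND | LOCK_EX
    );
}

// Route PHP warnings/notices into the same log, tagged with who triggered them,
// instead of printing them to the browser where they only help the attacker.
function installErrorLogger(string $logFile, string $user, string $ip): void
{
    set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline) use ($logFile, $user, $ip): bool {
        auditLog($logFile, $user, $ip, 'php_error', [
            'errno'   => $errno,
            'message' => $errstr,
            'file'    => basename($errfile),
            'line'    => $errline,
        ]);
        return true;   // handled; do not fall through to PHP's default output
    });
}

// Demo with constructed values (assumptions: a temp file, the demo account, a documentation IP).
$logFile = sys_get_temp_dir() . '/forum-audit.log';
$user    = 'demo';
$ip      = '203.0.113.7';

installErrorLogger($logFile, $user, $ip);
auditLog($logFile, $user, $ip, 'login', ['user_agent' => 'constructed UA']);
auditLog($logFile, $user, $ip, 'delete_post', ['postid' => 42, 'rows_deleted' => 1]);
trigger_error('simulated warning', E_USER_WARNING);   // lands in the log through the handler

echo file_get_contents($logFile);
```

Keep the file outside the document root (or deny it in .htaccess), since a readable audit log hands the attacker the usernames and IPs of everyone else. Write the 'delete_post' entry before the DELETE runs, with the post id from the form and the user from the session; then even a query that dies halfway leaves a record of who asked for what.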
gr8gonzo (Consultant) commented:
mysql_real_escape_string won't save you when you're dealing with values that aren't enclosed in single quotes, like IDs. Consider this code:

$_GET["userID"] = 1;
$_GET["password"] = "foo";
query("SELECT * FROM table WHERE password = '" . mysql_real_escape_string($_GET["password"]) . "' AND userID = " . mysql_real_escape_string($_GET["userID"]));

Now, the password field may be protected, but since userID is an integer in your table, you're probably not enclosing the value in quotes. As a result, mysql_real_escape_string won't really do anything against this:

$_GET["userID"] = "1 OR 1=1";

Make sure to cast any variables (with intval) that are being used inside your query without surrounding single-quotes:

$_GET["userID"] = "1 OR 1=1";
$_GET["password"] = "foo";
query("SELECT * FROM table WHERE password = '" . mysql_real_escape_string($_GET["password"]) . "' AND userID = " . intval($_GET["userID"]));

Using intval will convert "1 OR 1=1" to the first valid full number it finds starting from the left, which is 1.
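gr8gonzo's point, as an added example that is not code from the thread: it runs against an in-memory SQLite database through PDO instead of MySQL, sqlEscape() is a stand-in for mysql_real_escape_string (removed in PHP 7), the posts rows are constructed, and the lookup and delete function names are assumptions. It goes one step past the comment by showing the same flaw on a DELETE, which is what was happening to the poster's forum.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Runs on SQLite via PDO, so no MySQL needed.
// sqlEscape() stands in for mysql_real_escape_string: it neutralises quotes, which is
// exactly why it cannot help when the value is never placed between quotes.
function sqlEscape(string $s): string
{
    return str_replace("'", "''", $s);
}

function setupDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE posts (postid INTEGER PRIMARY KEY, author TEXT, title TEXT)');
    // Constructed sample rows.
    $pdo->exec("INSERT INTO posts VALUES (1, 'demo', 'first'), (2, 'Admin', 'rules'), (3, 'alice', 'race report')");
    return $pdo;
}

// 1. Escaped but unquoted: there is no quote to escape, so the OR is injected as SQL.
function lookupEscaped(PDO $pdo, string $id): array
{
    $sql = 'SELECT postid FROM posts WHERE postid = ' . sqlEscape($id);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 2. intval(): "1 OR 1=1" collapses to 1, so only that row can match.
function lookupIntval(PDO $pdo, string $id): array
{
    $sql = 'SELECT postid FROM posts WHERE postid = ' . intval($id);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 3. Validate, then bind as an integer: the value can never become SQL, and
//    anything that is not a plain integer is refused instead of being guessed at.
function lookupPrepared(PDO $pdo, string $id): array
{
    if (filter_var($id, FILTER_VALIDATE_INT) === false) {
        return [];
    }
    $stmt = $pdo->prepare('SELECT postid FROM posts WHERE postid = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// The same flaw on a DELETE: "-- " comments out the ownership check that follows,
// so every row goes. (MySQL requires the space after the two dashes.)
function deleteEscaped(PDO $pdo, string $id, string $author): int
{
    $sql = 'DELETE FROM posts WHERE postid = ' . sqlEscape($id)
         . " AND author = '" . sqlEscape($author) . "'";
    return $pdo->exec($sql);
}

$pdo     = setupDb();
$payload = '1 OR 1=1';   // what an attacker puts in ?userID=
foreach (['lookupEscaped', 'lookupIntval', 'lookupPrepared'] as $fn) {
    printf("%-15s -> [%s]\n", $fn, implode(',', $fn($pdo, $payload)));
}
$deleted = deleteEscaped($pdo, '1 OR 1=1 -- ', 'demo');
printf("deleteEscaped   -> %d rows deleted while logged in as demo\n", $deleted);
```

intval() is a workable patch for an existing mysql_* codebase, but it silently turns garbage into 1; the prepared version refuses the request outright, which is also the version you want to see in an audit log.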
BenMorel commented:
The best way is still to use prepared statements!
So no escaping is needed.
runnerjp2005 (Author) commented:
So use $_GET["userID"] = "1 OR 1=1";

Also the guys have done it again... if anyone can, could you log into my site..

www.runningprofiles.com

username: demo
password: demo

Just to see if you can see how they are doing it?
jet-black commented:
Did you change your database password?
jet-black commented:
Maybe they access your database directly.
runnerjp2005 (Author) commented:
Nah, what I have done is record any changes made when logged in... they are using the demo login details to change information. So I can say they don't have my db password.
jet-black commented:
So, can you post the code of this page?
runnerjp2005 (Author) commented:
OK, the forum page is:
<?php


include '../info.php';
    
if (isset($_POST['edit'])) 
{
	if(isset($_POST['forumlock']))
	{
		$forumlock=1;
	}else
	{
		$forumlock=0;
	}
		$threadid =  mysql_real_escape_string( $_POST['id']);
	if ($_POST['deletepost'] == 'deletepost'){ 
     mysql_query("DELETE FROM forumtutorial_posts WHERE postid='$threadid' AND `author` = '$username'")  
			or die(mysql_error()); 
if ($username = 'Admin'){
mysql_query("DELETE FROM forumtutorial_posts WHERE postid='$threadid' ")  
			or die(mysql_error()); }

$updatep = "UPDATE `users` SET `post_count`=`post_count`-'1' WHERE `Username`='$username'";
            mysql_query ($updatep) or die("Could not update post");

			 mysql_query("DELETE FROM forumtutorial_posts WHERE parentid='$threadid' and `author` = '$username'")  
			or die(mysql_error()); 	
if ($username = 'Admin'){
 mysql_query("DELETE FROM forumtutorial_posts WHERE parentid='$threadid'")  
			or die(mysql_error()); 	

}

				
			header( "refresh: 0; url=http://www.runningprofiles.com/members/index.php?page=forum&forum=$forum");
			


}


	      if(isset($_POST['important']))
		{
		         $important=1;
	      }
		else
		{
		          $important=2;
		}
 	
if ($username = 'Admin'){
	$title = $_POST['title'];
	$query = "UPDATE forumtutorial_posts SET forumlock = '$forumlock', important = '$important', title = '$title' WHERE postid='$threadid' ";
	mysql_query($query) or die('Error, query failed');}
	header( "refresh: 0; url=http://www.runningprofiles.com/members/index.php?page=forum&forum=$forum"); 
}
else
{
//	$threadid =  mysql_real_escape_string( $_POST['id']);
	$threadid =  $CONT_ID;
	
	$check = '';
	
	$forumlock=0;// default value if it's not set
	$checkimpor = '';
	
$important=0;// default value if it's not set

?>
<script src="../../css/SpryCollapsiblePanel.js" type="text/javascript"></script>
   
      <div id="CollapsiblePanel<?php echo $threadid; ?>" class="CollapsiblePanel">
  <div class="CollapsiblePanelTab"  > Edit</div>
  <div class="CollapsiblePanelContent">
<form name='input' action='index.php?page=forum&amp;forum=<? echo $forum ?>' method='post'>
	
	<div align="center">
	  <p>Title:
	    <input class='inputinbox' name='title' type='text' value='<? echo $getthreads3[title];?>' />
	      <br/>

	 <?php   if($getthreads3['forumlock']==1) {

	      echo "<input type='checkbox' name='forumlock' checked='checked' />";
	}
 else 
{
 echo "<input type='checkbox' name='forumlock' />";
} ?>
	    Lock a Room<br/>
	<?php if($getthreads3['important']==1) {   echo "<input type='checkbox' name='important' checked='checked' />";	}
else
{
echo "<input type='checkbox' name='important' />";
}
?>
	    Important       <br/>
		    <input type="checkbox" name="deletepost" value="deletepost" />
	    Delete post</p>
	  <input type="hidden" name="id" value="<?php echo $getthreads3[postid] ?>" />
	    <input type='submit' name='edit' class="submit-btn"  value='' />
     
	</div>
</form>	  

<?
}
?></div>
</div>


 <script type="text/javascript">
<!--
var CollapsiblePanel1 = new Spry.Widget.CollapsiblePanel("CollapsiblePanel<?php echo $threadid; ?>", {contentIsOpen:false});
//-->
      </script>


runnerjp2005 (Author) commented:
Here is how everything is displayed, including the edit code added above...
<?php
        require_once '../settings.php';

        checkLogin('1 2');

        include "../info.php";    // sets username/id ect
        include "../getuser.php"; // records user view on page
        include "checkinfo.php";  //Your ip address is...;
        include "forumnav.php";   // shows where you are on the forum


        //look to see if the forum is currently locked
        $sQry  ="SELECT `locked` FROM forum_lock LIMIT 1";
        $obQry =mysql_query($sQry) or die(sprintf("Could not query forums (%d): %s", mysql_errno(), mysql_error()));
        $record=mysql_fetch_array($obQry);

        if (isset($record['locked']) && $record['locked'])
            {
            //error message
            die("Sorry, the forums are currently locked.");
            }
        else
            {
                                $timestamp = time();
           $sql = "UPDATE `users` SET `".$forum."`='".$thedate."' WHERE id = '".$id."';";
       mysql_query($sql) or die("Could not insert post"); //insert post


            //Here we count the number of results
            //Edit $data to be your query
            $data     =mysql_query(
                           "Select * from forumtutorial_posts where parentid='0' AND forum = '$forum' ORDER BY important, lastrepliedto");
            $rows     =mysql_num_rows($data);


            //This is the number of results displayed per page
            $page_rows=25;


            //This sets the range to display in our query
            

            if ($pagenum === "last")
                {
                $query ="Select COUNT(*) as C from forumtutorial_posts where parentid='$id'";
                $result=mysql_query($query);
                $data  =mysql_fetch_array($result);

                if ($data['C'] == 0)
                    $pagenum=1;
                else
                    $pagenum=ceil($data['C'] / $page_rows);
                }

            $pagenum=(is_numeric($pagenum) && $pagenum >= 1) ? (int)$pagenum : 1;
            $max    ='limit ' . ($pagenum - 1) * $page_rows . ',' . $page_rows;
            //This is your query again, the same one... the only difference is we add $max into it

            {
            /* gets users online */
                                    $getusersonline="SELECT user_id,user FROM useronline WHERE file = 'http://www.runningprofiles.com/members/index.php?page=forum&forum=$forum' AND
timestamp > " . (time() - 900); //grab from sql users on in last 15 minutes
            $getusersonline2=mysql_query($getusersonline) or die("Could not get users");
            $num=mysql_num_rows($getusersonline2);
        ?>

            <table width = "99%">
                <tr>
                    <td width = "84%">
                    <?php
                        echo "<b>There " . ($num != 1 ? "are" : "is") . " $num user" . ($num != 1 ? "s" : "")
                                 . " currently viewing the $forum board: </b>";

                        $tmp=array();

                        while ($getusersonline3=mysql_fetch_array($getusersonline2))
                            {
                            $tmp[]="<a href='$getusersonline3[user]'>$getusersonline3[user]</a>";
                            }

                        echo implode(',', $tmp);
                    ?>
                    </td>

                    <td width = "16%" align = "right"><a href = 'index.php?page=mainforums'>

                        <img src = "http://www.runningprofiles.com/images/homeforum.gif" alt = "home"
                             border = "0"/></a><?php echo
    ' <a href="index.php?page=post&amp;forum='.$forum.'"><img src="http://www.runningprofiles.com/images/new_post.gif" alt="home" border="0" /></a>' ?></td>
                </tr>
            </table>
<center>
            <table width = "99%" class = 'forum'>
                <tr>
                    <td>
                        <table class = 'maintable'>
                            <tr class = 'headline'><td>
                                    <div align = "center">Key
                                    </div></td>

                                <td>
                                    <div align = "center">Topic
                                    </div></td>

                                <td width = "9%">
                                    <div align = "center">Topic Starter
                                    </div></td>

                                <td width = "6%">
                                    <div align = "center">Replies
                                    </div></td>

                                <td width = "21%">
                                    <div align = "center">Last replied time
                                    </div></td>
                            </tr>

                        <?php
                            //We need to add a Little variable that will automatically increase so that
                            //Each div (container) in the editforum.php script is unique:
                            $CONT_ID    =1;

                            $getthreads =
                                "Select * from forumtutorial_posts where parentid='0' and forum = '$forum' ORDER BY important ASC, lastrepliedto DESC $max";

                            $getthreads2=mysql_query($getthreads) or die("Could not get threads");

                            while ($getthreads3=mysql_fetch_array($getthreads2))
                                {
                                $important = $getthreads3['important'];
                        ?>

                        <?php
                                echo '<tr class = "' . (($important == 1) ? 'mainrow1' : 'mainrow') . '">
<td width="5%" height="39" align="center" valign="middle">';

                                $query1    =mysql_query(
                                                "SELECT COUNT(postid) FROM forumtutorial_posts WHERE( postid= '$getthreads3[postid]' OR parentid = '$getthreads3[postid]' ) AND author='$username'");
                                $count     =mysql_result($query1, 0, 0);

                                echo($count != 0)
                                    ? '<img src="/images/posted.jpg" alt="posted" />' : '<img src="/images/posted2.jpg" alt="posted2" />';?>

                               </td> 
<td width="59%" valign="top">   


<table style="WIDTH: 100%; BORDER-COLLAPSE: collapse">
     <tbody>
       <tr>
         <td><div align="left"> <?php echo '<a href="index.php?page=message&amp;forum=' . $forum . '&amp;id='
                                         . $getthreads3[postid] . '">' . $getthreads3['title'] . '</a>';

                               if ( $username == 'Admin') { include 'editforum.php';}
                                //Now increase it:
                                $CONT_ID++;?> </div></td>
         <td><div align="right"> <?php     echo($getthreads3['forumlock'] == 1)
                                    ? ' <img src="/images/quick_lock.gif" alt="locked"/>' : '';
                                echo($getthreads3['important'] == 1)
                                    ? ' <img src="/images/sticky.gif" alt="sticky"/>' : '';
?></div></td>
      </tr>
    </tbody>
  </table>





                         
                               <?php echo '</td>  
<td align="left" valign="middle"><div align="center"> <a href="/members/' . $getthreads3['author'] . '">'
                                         . $getthreads3['author'] . ' </a> </div></td>'
                        ?>

                                <?php echo '<td align = "center" valign = "middle">'.$getthreads3['numreplies'].'</td>

                                <td valign = "top">'; ?>
                                <?php
                                        $dbtime=$getthreads3['lastrepliedto'];
                                        $time  =date("F j, Y, g:i a", $dbtime);
                                        gettheTime($dbtime, $time);
                                ?>

                                    <?php echo
                                        '<br />Last post by <b><a href="' . $getthreads3['lastposter'] . '">'
                                            . $getthreads3['lastposter'] . '</a><a href="index.php?page=message&amp;forum='
                                            . $forum . '&amp;id=' . $getthreads3['postid']
                                            . '&amp;pagenum=last"> <img src="http://www.runningprofiles.com/images/last_posting.gif" alt="last post" border="0" /></a></b></td>'; ?>
                        <?php
                                    echo '</tr>';
                                }
                        ?>
                        </table></td>
                </tr>
            </table>
</center>
            <br/>

            
        <?php
          echo "<br /><center>";

    // Find out the total number of pages depending on the limit set
    $numofpages=$rows / $page_rows;
    $totalpages=ceil($numofpages);
    // Start links for pages
    $maxpage   =$totalpages == 0 ? 1 : $totalpages;                   // add this line
    echo "Page " . $pagenum . " of " . $maxpage . "</center>"; // change this



   // Sets link for previous 25 and return to page 1
    
     if ($pagenum != 1)
        {
        $pageprev=($pagenum - 1);
        echo "<center><a href=\"" . $_SERVER['PHP_SELF']
                 . "?page=forum&amp;forum=$forum&amp;pagenum=1\"><<</a>&nbsp;&nbsp;";
        echo "<a href=\"" . $_SERVER['PHP_SELF']
                 . "?page=forum&amp;forum=$forum&amp;pagenum=$pageprev\">PREV&nbsp;</a> ";
        }
    else
        {
        echo "<center>PREV&nbsp;";
        }
   

    // Loop thru all the pages and echo out the links
    for ($i=1; $i <= $numofpages; $i++)
        {
        if ($i == $pagenum)
            {
            echo "[" . $i . "] ";
            }
        else
            {
            echo "<a href=\"" . $_SERVER['PHP_SELF'] . "?page=forum&amp;forum=$forum&amp;pagenum=$i\">$i</a> ";
            }
        }

    // Check for straglers after the limit blocks
    if (($rows % $page_rows) != 0)
        {
        if ($i == $pagenum)
            {
            echo "[" . $i . "] ";
            }
        else
            {
            echo "<a href=\"" . $_SERVER['PHP_SELF'] . "?page=forum&amp;forum=$forum&amp;pagenum=$i\">$i</a> ";
            }
        }

     // Print out the Next 25 and Goto Last page links
if (($rows - ($page_rows * $pagenum)) > 0)
        {
        $pagenext=$pagenum++;
        echo "<a href=\"" . $_SERVER['PHP_SELF']
                 . "?page=forum&amp;forum=$forum&amp;pagenum=$pagenext\">NEXT&nbsp;</a>&nbsp;&nbsp;";
        echo "<a href=\"" . $_SERVER['PHP_SELF']
                 . "?page=forum&amp;forum=$forum&amp;pagenum=$totalpages\">>></a>&nbsp;&nbsp;</center>";
        }
    else
        {
        echo("NEXT </center> <br />");
        }


            
        ?>
   
            <table width = "90%" align = "center" class = 'loggedin'>
                <tr>
                    <td valign = "top" bgcolor = "#99B3B4"><strong>Forum keys:</strong></td>
                </tr>

                <tr>
                    <td align = "center" valign = "middle">
                        <img src = "/images/posted.jpg" alt = "posted"/>(Topic you have posted in)

                        <img src = "/images/posted2.jpg" alt = "not posted"/>(Normal Topic)

                        <img src = "/images/quick_lock.gif" alt = "locked"/>(Locked Topic)

                        <img src = "/images/sticky.gif" alt = "sticky"/>(Sticky Topic)

                        <br/>
                    </td>
                </tr>
            </table>

        <?php
                }
            }
        ?>


hielo commented:
If you are doing comparisons such as the following:
if ($username = 'Admin')
{
  //DELETE query here
}

then the delete query will ALWAYS execute regardless of who the currently logged-in $username is. You need TWO equal signs to do comparisons, NOT one. By using one, you are essentially turning anybody into the Admin user.


Change all those if comparisons from one equal sign to TWO. You have it in more than one location in ID:30029411.
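hielo's diagnosis next to a corrected delete handler, as an added example and not the thread's code: isAdminBuggy() keeps the single '=' from the posted page, isAdmin() compares strictly, and deletePost() does what the posted handler was trying to do, with a prepared statement and the ownership check inside the same WHERE clause. It runs on an in-memory SQLite table through PDO with constructed rows; the function names are assumptions, and $sessionUser stands for a value taken from the session rather than from the submitted form.

```php
<?php
declare(strict_types=1);

// Added example, not the thread's code.

function isAdminBuggy(string $username): bool
{
    // One '=': assigns 'Admin' to $username and then tests the non-empty string,
    // which is always true, so every caller is treated as Admin.
    if ($username = 'Admin') {
        return true;
    }
    return false;
}

function isAdmin(string $username): bool
{
    // '===' compares type and value; putting the constant on the left turns an
    // accidental single '=' into a parse error instead of a silent bypass.
    return 'Admin' === $username;
}

// $sessionUser comes from the session (assumption), never from $_POST.
// Returns the number of rows removed, which the caller can log and use to
// adjust post_count instead of decrementing it unconditionally.
function deletePost(PDO $pdo, string $sessionUser, string $rawId, callable $adminCheck): int
{
    if (filter_var($rawId, FILTER_VALIDATE_INT) === false) {
        return 0;   // not a post id at all; refuse rather than guess
    }
    $id = (int) $rawId;

    if ($adminCheck($sessionUser)) {
        // Admin may delete any thread together with its replies.
        $stmt = $pdo->prepare('DELETE FROM posts WHERE postid = :pid OR parentid = :parent');
    } else {
        // Everyone else: the ownership check lives in the same statement, so it
        // cannot be skipped, reordered or commented out by the request.
        $stmt = $pdo->prepare(
            'DELETE FROM posts WHERE (postid = :pid OR parentid = :parent) AND author = :user'
        );
        $stmt->bindValue(':user', $sessionUser, PDO::PARAM_STR);
    }
    $stmt->bindValue(':pid', $id, PDO::PARAM_INT);
    $stmt->bindValue(':parent', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

function setupDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE posts (postid INTEGER PRIMARY KEY, parentid INTEGER, author TEXT)');
    // Constructed rows: alice's thread (1) with a reply from demo (2) and one from alice (3).
    $pdo->exec("INSERT INTO posts VALUES (1, 0, 'alice'), (2, 1, 'demo'), (3, 1, 'alice')");
    return $pdo;
}

// The demo account asks to delete alice's thread, once with each admin check.
foreach (['isAdminBuggy', 'isAdmin'] as $check) {
    $pdo = setupDb();
    $n   = deletePost($pdo, 'demo', '1', $check);
    printf(
        "%-12s demo deleted %d row(s); %d remain\n",
        $check,
        $n,
        (int) $pdo->query('SELECT COUNT(*) FROM posts')->fetchColumn()
    );
}
```

With the buggy check the whole thread disappears for any logged-in user, which is the behaviour the poster saw; with the strict check the same request removes only demo's own reply. The posted handler also decrements post_count whether or not anything was deleted; tie that to the returned row count.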
