hack in database

pppplus

Hi

I have a problem.
One person changes values in the database, for his account.

The site is a game site

And I cannot find where the problem is.

So can you help me trace how this person can do this?

1- I secure all POST / GET data
2- I add mysql_real_escape_string / (int) to all data sent to the database in queries

I added a small script to detect possible injection code and shell code, to reject some commands.

This person can still modify data in the database. I suppose he has direct access to the database... but:
- I changed the passwords (FTP, MySQL, admin)
- He only changes one sort of data in the database (why not other data?)

He wrote to me that he can deface my whole website and asks for money...

So if you have some method to trace his activities, it would be very helpful.
You can also test the security of my website; I'll give you the URL.

I checked the logs, and he goes to some website on my server.

Thanks for your help.
 
Hello,

I guess you need someone to do an audit for you. So you might need to hire somebody from these forums or search for other commercial services.
 
Yes, I could be interested in paying someone to audit the site / server.
It depends on the price.

I also want to be able to check it myself.
So I am still waiting for help and proposals for an audit.
 
Check the headers of his email, check his IP, and go to the police first of all. That should be a nice start.

Also, is the website a CMS? If yes, is it up to date? Have you checked the logs? You should also compare the email IP with the IPs in the logs and see if there is any match, to check which pages that IP accessed.

Regards
 
Hi Sellerone

The hacker is from Morocco, so going to the police is not useful. And the police are very, very slow! I already did the same for a French person, and it took 6 months to stop him paying with fake CB (bank card) numbers.

No, the website is not a CMS.

Yes, I checked the logs, and I found nothing bad.

I do not understand what you mean about the email and the IP.

I have his IP from when he cheats, and I read the logs. But I detect nothing bad in the URLs used.

I do not currently have logs of the queries sent. I am trying to add them. But it would make a very big file, because there are a lot of sites on this server. Is it possible to log queries only for one website?
 
How did he contact you? By email? If yes, you should be able to see his IP (I suppose) in the email headers (if he used a mail client). If you find that IP, you should grep the logs for it and see what accesses that IP made on your server, and maybe (of course it's not certain) find out which file he uses to change the DB.

Regards
 
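The grep-the-logs idea above, carried one step further, as an added example (not code from the thread or from the site's author): instead of only listing what the attacker's IP requested, line those requests up against the moments the two database fields actually changed and rank the endpoints by how often they sit in the window just before a change. An endpoint that is hit right before every change, and rarely otherwise, is the one to read first. The combined Apache log format, the attacker IP 203.0.113.7, the endpoints and the change timestamps are all constructed sample data; the timestamps would in practice come from an audit table or the application's own log.

```python
"""Correlate web-server log lines with the moments the two fields changed.

Added example, not code from the thread or its author. It assumes the
combined Apache log format, a known attacker IP, and a list of timestamps at
which the two database fields were modified (taken from an audit table or
the application's own log). The log lines, IP and timestamps below are
constructed sample data, not real logs.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Combined log format: ip ident user [time] "req" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

ATTACKER_IP = "203.0.113.7"  # assumed attacker address (documentation range)

# Constructed sample log; paths and IPs are invented for the demo.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2010:20:14:02 +0100] "GET /game/play.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2010:20:14:20 +0100] "POST /game/trade.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2010:20:14:21 +0100] "GET /game/play.php?msg=ok HTTP/1.1" 200 5130 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2010:20:14:25 +0100] "GET /game/play.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2010:21:03:10 +0100] "POST /game/trade.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2010:21:03:11 +0100] "GET /game/play.php HTTP/1.1" 200 5130 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2010:22:40:00 +0100] "GET /game/ranking.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Assumed moments at which the two fields changed (e.g. from an audit table).
CHANGE_TIMES = [
    datetime.fromisoformat("2010-03-10T20:14:20+01:00"),
    datetime.fromisoformat("2010-03-10T21:03:10+01:00"),
]


def parse_line(line):
    """Parse one combined-format line; return None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["path"] = rec["path"].split("?", 1)[0]  # drop query string for grouping
    return rec


def requests_from(lines, ip):
    """All parsed requests made by one IP, in file order."""
    return [r for r in map(parse_line, lines) if r is not None and r["ip"] == ip]


def rank(requests, change_times, window_s=60):
    """Rank (method, path) pairs by how often they precede a field change.

    hits  = requests in the `window_s` seconds up to and including a change
    total = all requests to that endpoint by the IP
    A high hits/total ratio marks endpoints used mainly around the cheat.
    Returns a list of (method, path, hits, total, ratio), best suspect first.
    """
    total = Counter((r["method"], r["path"]) for r in requests)
    hits = Counter()
    for ct in change_times:
        lo = ct - timedelta(seconds=window_s)
        for r in requests:
            if lo <= r["ts"] <= ct:
                hits[(r["method"], r["path"])] += 1
    ranked = [
        (m, p, hits[(m, p)], n, hits[(m, p)] / n) for (m, p), n in total.items()
    ]
    ranked.sort(key=lambda t: (-t[2], -t[4], t[1]))
    return ranked


if __name__ == "__main__":
    reqs = requests_from(SAMPLE_LOG.splitlines(), ATTACKER_IP)
    for method, path, h, n, ratio in rank(reqs, CHANGE_TIMES):
        print(f"{h}/{n} ({ratio:.0%})  {method} {path}")
```

On the constructed data the POST to /game/trade.php precedes both changes and is used for nothing else, so it comes out on top; /game/play.php is hit constantly and scores low. The window should match how the application behaves (a few seconds if the write happens in the same request, longer if a cron job or a queue does the update later). If no request from that IP ever lands inside the window, that is itself a finding: the change is not coming through the web server at all.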
Yes, of course reading the Apache logs might help, unless he's got direct access to the MySQL server via port 3306 or phpMyAdmin.
 
I'd start by turning logging all the way up on Apache and on MySQL. I'd write hooks into the software to write logging to a separate database (hopefully on a separate machine, reachable only by key-based sshd across a private IP). Change all default usernames to random usernames (for example admin to p9ELwFemf9mq), and always access the server only through https, ssh, ssl, tls.

And I'd chattr all the code immutable so he can't change your logging changes to the code unless he's got root access.

Moving the site to a new, freshly prepared server may be a good idea; if you do that, be sure to do a security audit on the new server before moving the site.

You may need to block users from Morocco, though depending on the hacker's sophistication it may not help, and it could keep good visitors away.

Jeff
 
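An added example (not code from the thread or from the site) that addresses two points raised above: the wish to log queries for only one website rather than the whole shared server, and the suggestion to write logging hooks into the software. A trigger on the one table that keeps being tampered with does both: it records every real change to the two watched columns, with the before and after values, regardless of which client issued the UPDATE, so a change made through phpMyAdmin or port 3306 is caught exactly like one made by the game code, and no other site on the server produces a line. SQLite stands in for MySQL so the block runs offline; the table and column names (accounts.gold, accounts.energy) are assumptions.

```python
"""Database-side audit of the two fields that keep getting changed.

Added example, not code from the thread. It uses SQLite as a stand-in for
MySQL so it runs offline; the table and column names (accounts.gold,
accounts.energy) are assumptions. The trigger fires no matter which client
issued the UPDATE, so it records a change made through phpMyAdmin or port
3306 just as well as one made by the game code, and it logs nothing for the
other sites on the same server. In MySQL the same trigger can additionally
store USER() and CONNECTION_ID(), which tells the web app's DB user apart
from an interactive one.
"""
import os
import sqlite3
import tempfile

SCHEMA = """
CREATE TABLE accounts (
    id INTEGER PRIMARY KEY, name TEXT NOT NULL,
    gold INTEGER NOT NULL, energy INTEGER NOT NULL
);
-- One row per real change of gold or energy: which account, before, after.
CREATE TABLE audit_accounts (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    at TEXT NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%fZ', 'now')),
    account_id INTEGER NOT NULL,
    old_gold INTEGER, new_gold INTEGER,
    old_energy INTEGER, new_energy INTEGER
);
-- Fires only when one of the two watched columns actually changes value.
-- MySQL equivalent (assumed, not shown running here): AFTER UPDATE ON accounts
-- FOR EACH ROW with an IF on OLD/NEW, plus columns for USER(), CONNECTION_ID().
CREATE TRIGGER audit_accounts_upd
AFTER UPDATE OF gold, energy ON accounts
WHEN OLD.gold IS NOT NEW.gold OR OLD.energy IS NOT NEW.energy
BEGIN
    INSERT INTO audit_accounts (account_id, old_gold, new_gold, old_energy, new_energy)
    VALUES (OLD.id, OLD.gold, NEW.gold, OLD.energy, NEW.energy);
END;
INSERT INTO accounts VALUES (1, 'pppplus', 100, 10), (2, 'cheater', 100, 10);
"""


def connect(path):
    # autocommit so two connections can take turns on the same file
    return sqlite3.connect(path, isolation_level=None)


def app_play(conn, account_id, cost):
    """The game's own legitimate path: spend energy, never touch gold directly."""
    conn.execute(
        "UPDATE accounts SET energy = energy - ? WHERE id = ? AND energy >= ?",
        (cost, account_id, cost),
    )


def direct_tamper(conn, account_id, gold):
    """What someone on phpMyAdmin / port 3306 would do: set gold by hand."""
    conn.execute("UPDATE accounts SET gold = ? WHERE id = ?", (gold, account_id))


def audit_rows(conn):
    """Audit trail in insertion order, without the timestamp column."""
    return conn.execute(
        "SELECT account_id, old_gold, new_gold, old_energy, new_energy "
        "FROM audit_accounts ORDER BY id"
    ).fetchall()


def run_demo():
    """Two connections on one database: the web app and an outside client."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "game.db")
        app, outside = connect(path), connect(path)
        app.executescript(SCHEMA)
        app_play(app, 2, 3)                                         # energy 10 -> 7, logged
        app.execute("UPDATE accounts SET name = 'x' WHERE id = 2")  # unwatched column, silent
        app.execute("UPDATE accounts SET gold = 100 WHERE id = 2")  # same value, silent
        direct_tamper(outside, 2, 999999)                           # gold 100 -> 999999, logged
        rows = audit_rows(app)
        app.close()
        outside.close()
        return rows


if __name__ == "__main__":
    for row in run_demo():
        print(row)
```

Two rows come out: the legitimate energy spend and the outside gold change; the rename and the no-op gold update produce nothing, so the table stays small even on a busy site. The audit timestamps are what you then grep the Apache log against: if every gold change has a request from the cheater's IP a second or two before it, the hole is in that page; if none does, the writes are not coming through the web server. Store the audit table in a schema the web application's MySQL user cannot modify, or the same hole that changes the fields can erase its own trace.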
Thanks for all your answers.

1/ I have the IPs of the users; that is not a problem. They connect via TOR, but I block a lot of them, and they now connect from Morocco.
2/ Blocking Morocco is not a very good idea, because of proxies, clearly.

3/ Moving to a VPS or to a new server is a "bad" solution for me. Too much time, for a small website. I have to find what my problem is, and which method they use.

What is strange for me:
- I detect no SQL injection (I test all $_REQUEST values)
- cheaters know I block them, because they can't win anything now.
- but they keep trying, always with the same method.
- they only change 2 fields in a table, then they "play" normally.

So, if it were a real security hole, they would probably already have defaced the site, or deleted the database, as they wrote to me.
There is a real problem, because they can always modify data, but they do not modify anything else.

Same thing: if they had direct access to the database via phpMyAdmin or port 3306, why not do worse things to me?
 
I don't think any of us has enough information to know more than you do; you're the set of eyes on the code, but perhaps you need to have a PHP security expert study all your code for you, as a different set of eyes may see something you've missed.

Jeff
 