
help with website security.....


alldatizholy's Avatar
Member
0 0

Hello, it's been a while since I have been to this site and I don't know where to start, but there is a guy who keeps hacking into my site and I can't seem to figure out how he does it… I have patched the SQL injection vulns, but I can't seem to find another way in, and I was hoping someone would be able to tell me how he does it? I kinda don't wanna post the site here because the last time I posted something, I got flamed… and I probably will get flamed again, but I would really appreciate it if someone would be able to help me… PM me if you can help.

Thanks in advance

cy


ghost's Avatar
0 0

Got any logs you'd be able to post? Also, is this running on a box you own?


alldatizholy's Avatar
Member
0 0

Yeah, I have looked through the logs and I know his IP address… but it doesn't show anything, and no, it's not on my box… it's through a hosting company.


Infam0us's Avatar
Member
0 0

hellboundhackersok wrote: Block the IP.

Then he just uses another proxy.


ghost's Avatar
0 0

Well, could you post all logs pertaining to their IP address then? Going through a hosting company can be tricky, and it is possible that the attack did not even come from your site. But you said they had hacked you before through your site and you fixed the vulnerability? Now it is very possible that the first time they hacked it, they placed some piece of code in one of your pages that allows them to manipulate the content of your site whenever they want.

The lack of information I have right now makes it hard to troubleshoot such a problem, in which there are an infinite number of ways they could have done this.
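One way to pull everything a single address requested out of a raw access log, as an added example that is not part of the original thread. It assumes Apache "combined" log format; the addresses (documentation ranges), paths and log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample in Apache "combined" format; addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2008:10:01:02 +0000] "GET /index.php?page=news HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Mar/2008:10:01:09 +0000] "GET /index.php HTTP/1.1" 200 4980 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2008:10:02:30 +0000] "GET /index.php?page=news&id=4 HTTP/1.1" 200 5233 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2008:10:03:11 +0000] "POST /admin/edit.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2008:10:03:40 +0000] "GET /images/t.php?c=1 HTTP/1.1" 200 64 "-" "Mozilla/5.0"
not a log line: skipped by the parser
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3} ')

def parse(log_text):
    """Yield (ip, method, path, param_names) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed lines are skipped, not fatal
        url = urlsplit(m["target"])
        names = [k for k, _ in parse_qsl(url.query, keep_blank_values=True)]
        yield m["ip"], m["method"], url.path, names

def pages_visited(log_text, ip):
    """Map each path requested by ip to its methods, GET parameter names and hits."""
    pages = defaultdict(lambda: {"methods": set(), "params": set(), "hits": 0})
    for src, method, path, names in parse(log_text):
        if src == ip:
            pages[path]["methods"].add(method)
            pages[path]["params"].update(names)
            pages[path]["hits"] += 1
    return dict(pages)

def paths_only_seen_from(log_text, ip):
    """Paths no other client requested; a page only one visitor hits deserves a look."""
    mine, others = set(), set()
    for src, _, path, _ in parse(log_text):
        (mine if src == ip else others).add(path)
    return sorted(mine - others)

if __name__ == "__main__":
    for path, info in pages_visited(SAMPLE_LOG, "203.0.113.7").items():
        print(path, sorted(info["methods"]), sorted(info["params"]), info["hits"])
    print("only this address:", paths_only_seen_from(SAMPLE_LOG, "203.0.113.7"))
```

Access logs record the query string but not POST bodies or cookies, so a request that looks empty here can still have carried input.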


alldatizholy's Avatar
Member
0 0

OK, will a raw access log work? If so… I'll post one.


Infam0us's Avatar
Member
0 0

nights_shadow wrote: Well, could you post all logs pertaining to their IP address then? Going through a hosting company can be tricky, and it is possible that the attack did not even come from your site. But you said they had hacked you before through your site and you fixed the vulnerability? Now it is very possible that the first time they hacked it, they placed some piece of code in one of your pages that allows them to manipulate the content of your site whenever they want.

The lack of information I have right now makes it hard to troubleshoot such a problem, in which there are an infinite number of ways they could have done this.

Exactly. Without more information we have no way of knowing. But it's definitely possible he put a backdoor, or maybe if you have a PHP shell with no authentication on your server for some reason?


ghost's Avatar
0 0

Any type of log will help. Post whatever you got.


alldatizholy's Avatar
Member
0 0

Anyone know of a good online file hosting site so I can post it?


ghost's Avatar
0 0

Yeah. ANY. Just go with megaupload.


ghost's Avatar
0 0

Wow, is this a sick joke? You actually purchased a domain named "gangsta-lords". That shows character. And as for uploading the logs… You're truly not the brightest cookie.


alldatizholy's Avatar
Member
0 0

You see what I mean… I expected people to start acting like that… every time I come and ask for help I get people like you… so if you aren't gonna help, then don't bother posting.


ghost's Avatar
0 0

By chance, what browser are you using? I have an exploit that will allow me to jack your session. I'm guessing there are many more in the way you implemented your system. Get in touch with me via AIM if you want to talk a little more.


ghost's Avatar
0 0

No one said they're not going to help you, I was merely implying that there are infinite combinations of letters and numbers and with the ones you happen to choose… Catch my drift. On the flip side (flip it), I am not the one out of all these people who is most familiar with your issues, and there are plenty of other people to help you. Just relax. Plus you really need to keep in mind that once someone hacks you they will install their own backdoor and get in whenever they feel the want. I believe nights_shadow mentioned that.


spyware's Avatar
Banned
0 0

Filter. All. Input.

You're probably hooked up to a free webhost? You can't access the hosting box? Good for you, easier job. Just filter ALL input. Everything.


alldatizholy's Avatar
Member
0 0

No, I'm not hooked up to a free webhost…


Mr_Cheese's Avatar
0 1

Chances are he has a backdoor from the first time he got in.

As spyware said, sanitize ALL your input: cookies, sessions, POST, GET, etc. That way the majority of exploits will be prevented. Plus it's good coding practice. If you don't sanitize your variables, you're asking for problems.

Secondly, there's little we can suggest with the current information.

Have you checked all the pages he is visiting?

If not, post a log that shows all pages he has visited; that way we can see if he is exploiting a GET variable or using a backdoor.

Narrows down the search a little.

Also, run a quick scan on your site files for "system(", "exec(", "eval(", etc. Try to find any possible backdoors.
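The quick scan suggested above could look like this; it is an added example, not code from the thread. It assumes a PHP site, and the file names and contents in `demo()` are constructed.

```python
import os
import re
import tempfile

# Calls named in the post; extend the tuple for the "etc." (assumption: PHP site).
SUSPECT_CALLS = ("system", "exec", "eval")
# The lookbehind skips curl_exec( and $pdo->exec(, which are not the bare calls.
CALL_RE = re.compile(r"(?<![\w>:])(" + "|".join(SUSPECT_CALLS) + r")\s*\(", re.I)

def scan_tree(root, extensions=(".php", ".phtml", ".inc")):
    """Return sorted (relative_path, line_no, call, line) for each suspect call."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            # errors="replace": a planted file is not guaranteed to be valid UTF-8
            with open(path, encoding="utf-8", errors="replace") as fh:
                for line_no, line in enumerate(fh, 1):
                    for m in CALL_RE.finditer(line):
                        hits.append((rel, line_no, m.group(1).lower(), line.strip()[:120]))
    return sorted(hits)

def demo():
    """Scan a small constructed site tree (file names and contents are made up)."""
    files = {
        "index.php": "<?php\n$page = basename($_GET['page']);\n",
        "lib/db.php": "<?php\n$pdo->exec('DELETE FROM sessions');\ncurl_exec($ch);\n",
        "images/thumb.php": "<?php\n// stand-in for a planted line\nEval ($payload);\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)

if __name__ == "__main__":
    for rel, line_no, call, text in demo():
        print(f"{rel}:{line_no}: {call}(  ->  {text}")
```

Each hit is a line to read, not a verdict: legitimate code calls these functions too, and names such as `shell_exec` or `passthru` are matched only once they are added to `SUSPECT_CALLS`.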


alldatizholy's Avatar
Member
0 0

I finally fixed it… he was using my admin cookies… thanks everyone for helping out, I can finally get my site going…


ghost's Avatar
0 0

alldatizholy wrote: I finally fixed it… he was using my admin cookies… thanks everyone for helping out, I can finally get my site going…

If he was using your admin cookies, you have a vulnerability so that he could get your cookies. Check your site for XSS vulnerabilities.


alldatizholy's Avatar
Member
0 0

That's what I did… that's how I found out…


ghost's Avatar
0 0

alldatizholy wrote: I finally fixed it… he was using my admin cookies… thanks everyone for helping out, I can finally get my site going…

In admin actions, is everything tokenized? Otherwise he could use a different vulnerability to execute admin actions.