MySql Database Hacked, NOT injections

Three weeks ago, I found a list of my website's users and info on Paste Bin giving away all privacy. I ran updates and protected against SQL Injections. I also added a pre-request to save the SQL in text format in a LOG table whenever user input is required to be able to analyse any injection if my protection wasn't enough.

Then today the same post was on Paste Bin again with recent entries, so I checked the LOG table, only to find clean entries. Is there anything other than injections I should worry about? The web seems to give info about Injections only!

Could they have had access to the dbpassword in a php file on the server, and could they have connected from an external server?

Should I change the dbpassword frequently?

Are there any non-script solutions, like a hosting security plan or something like that, which should be efficient enough?

I am receiving physical threats from hacked users and would really like to close this quickly...

Frederic Beaulieu asked Aug 07 '12 21:08


1 Answer

If you're implementing your own protection against user input, you're probably doing it wrong. Most standard database libraries will give you a way of passing in parameters to queries where it will be sanitised properly, and these will have been coded with more things in mind than you're probably aware of. Reinventing the wheel in anything security-related is a bad idea!

Other things to worry about:

  • Password policy (strong passwords)
  • Access to your database server (is it firewalled?)
  • SSH access to your server (again, firewalled?)
  • Keeping all of your software up-to-date
Richard answered Sep 28 '22 00:09
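The answer's point about library parameter binding versus home-grown input protection, as an added example that is not part of the question or the answer. It assumes Python's sqlite3 module with a constructed in-memory users table (the site itself is PHP/MySQL, but PDO prepared statements work the same way), and shows a hand-rolled quote escaper that does nothing for a value landing in a numeric position, beside the parameterised query that treats the same value as inert data. The returned SQL text is what the question's LOG table would have recorded in each case.

```python
import sqlite3


def make_db():
    """Constructed sample data standing in for the site's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


def homegrown_sanitise(value):
    """Hand-rolled escaping of the kind the question relies on: doubles single
    quotes so a value cannot close a string literal. It is irrelevant for a
    value that is interpolated into a numeric position, which is the gap below."""
    return value.replace("'", "''")


def find_user_unsafe(conn, user_id):
    """Statement text built from the request value; returns (sql_text, rows).
    sql_text is what a LOG table that stores the final SQL would record."""
    sql = f"SELECT username, email FROM users WHERE id = {homegrown_sanitise(user_id)}"
    return sql, conn.execute(sql).fetchall()


def find_user_safe(conn, user_id):
    """Driver-side parameter binding: the value travels separately from the
    SQL, is compared as data, and can never extend the statement."""
    sql = "SELECT username, email FROM users WHERE id = ?"
    return sql, conn.execute(sql, (user_id,)).fetchall()
```

A logged statement from the safe version always looks like the template with its placeholder, so a log of SQL text cannot show an injection there; the unsafe version's log shows the altered statement only after the damage is done.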