Menu
Someone has hacked my database and has dropped the table.
In my PHP page there is one single query where I am using mysql_real_escape_string:
$db_host="sql2.netsons.com";
$db_name="xxx";
$username="xxx";
$password="xxx";
$db_con=mysql_connect($db_host,$username,$password);
$connection_string=mysql_select_db($db_name);
mysql_connect($db_host,$username,$password);
mysql_set_charset('utf8',$db_con);
$email= mysql_real_escape_string($_POST['email']);
$name= mysql_real_escape_string($_POST['name']);
$sex= mysql_real_escape_string($_POST['sex']);
if($_POST['M']!=""){ $sim = 1; }else { $sim = 0; }
$query = "INSERT INTO `users` (`email`, `name`, `sex`, `M`) VALUES
( '".$email."', '".ucwords(strtolower($name))."', '".$sex."','".$sim."')";
$res = mysql_query($query) or die("Query fail: " . mysql_error() );
mysql_close($db_con);
And register_globals is disabled.
So, how was my database hacked?
318
One way is to try to obtain information directly from an Internet-connected device by installing spyware, which sends information from your device to others without your knowledge or consent. Hackers may install spyware by tricking you into opening spam email, or into “clicking” on attachments, images, and links in ...
Step 1: Change your passwords This is important because hackers are looking for any point of entry into a larger network, and may gain access through a weak password. On accounts or devices that contain sensitive information, make sure your password is strong, unique—and not easily guessable.
Report the scam to the FTC. Every complaint and report matters when trying to stop hackers. Report the issue to the FBI via their Internet Crime Complaint Center. And lastly, contact your State Attorney General's Office.
mysql_real_escape_string
The MySQL connection. If the link identifier is not specified, the last link opened by mysql_connect() is assumed. If no such link is found, it will try to create one as if mysql_connect() was called with no arguments. If no connection is found or established, an E_WARNING level error is generated.
As explain here : Does mysql_real_escape_string() FULLY protect against SQL injection?
Based on your code snippet, you have connected database twice.
$db_con=mysql_connect($db_host,$username,$password);
$connection_string=mysql_select_db($db_name);
mysql_connect($db_host,$username,$password);
mysql_set_charset('utf8',$db_con);
And you did not supply the database link identifier for :
$email= mysql_real_escape_string($_POST['email']);
$name= mysql_real_escape_string($_POST['name']);
$sex= mysql_real_escape_string($_POST['sex']);
Therefore, mysql_set_charset has no effect to real escape supplied$_POST for multi-bytes characters.
Suggestion
mysql_connect($db_host,$username,$password);
$db_con when doing mysql_real_escape_string
63
It doesn't look like the code you pasted provides a suitable attack. The way I would investigate this is scan the MySQL binary logs for the relevant DROP TABLE statement, to give me a timestamp. Then you can use that timestamp to look for Apache requests you can correlate with it.
Then it's just a case of carefully auditing the code in each candidate request until you nail it :(
31
Maybe you have a MySQL user with a weak password. I would change all passwords and check who is authorized to connect to the MySQL database. Lock down your firewall so that only needed ports are opened (80,443?)
Here is some articles about locking down your php code http://www.addedbytes.com/writing-secure-php/
Best regards. Asbjørn Morell
4
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
