Security Thread, Get/Post your tips here!


litewarez

Ok, it seems like this hacker is causing a lot of ripples in the scene, so I think it's about time we sort this guy out!

What this thread can be used for is to post how you got hacked and what you did to prevent it again! This way other users can learn the tips and tricks on how to make it harder to get hacked by these script kiddies!

So if you're going to post, then please post about one of the following:

  • If you got hacked (how they got in) - (and how you patched it)
  • Security tips! (such as tips about upload forms, password areas, etc.)
  • Any tips regarding Linux security for VPS/dedicated servers
  • Bugs you may have found in forum software!
  • Any other things related to this matter


--

My Tips!
  1. **Make sure your server passwords are not used elsewhere!**
  2. Secure any private directories by IP whitelist
  3. In PHP always secure your inputs with mysql_real_escape_string
  4. NEVER TRUST YOUR USERS, JUST ACT LIKE YOU DO
  5. If you have register_globals on, make sure you de-register globals
  6. Make sure you change the default port for your DirectAdmin or cPanel
  7. In your admin, remove the DROP rights for your database username
  8. If you have a self-built system like LW, make sure you salt all user/admin passwords with an md5
  9. Disable the usage of PHP files within an upload directory with PHP (helps stop shells)
  10. Change the location of phpMyAdmin to something more secure!
  11. Don't add MySQL/file editors on your server; download and upload via FTP and use phpMyAdmin
  12. Research shells (understand what they are and how hackers get them on your site).
  13. Most forum scripts allow you to change your admin location, so do that
  14. If you renamed your admin, remove links from the index to your admin when you're logged in, so you have to go to the URL and know the directory.
  15. Remove index visibility by adding -Indexes to your htaccess
  16. If you have to exchange passwords with other people, do it over MSN and not in PMs!
  17. NEVER use nulled scripts unless they have been nulled by a friend for you personally
  18. If using a DGT nulled release, always remove validator.php

Other User Tips!
  1. Stay up to date with your web software updates!
  2. DO NOT use the same password!
  3. Find a host that has a reputation with everyone and ask them about their security on the server.
  4. Do not go for a host which offers amazingly cheap prices for high-spec plans; as I have said, they just want to make a quick bit of money and don't care about what they do, so security is most probably not that important.
  5. Do not let anybody know your passwords, as that person could be a fool and get hacked and have your info in their private messages etc.
  6. USE YOUR BLOODY BRAIN AND GET SOME COMMON SENSE!

Browser Specific tips
  1. Try not to save important passwords in your browser
  2. Use the KeyScrambler addon for Firefox.
  3. Every time you leave your PC, do CTRL + SHIFT + DEL to clear your passwords etc.
  4. Keep your browser up to date.

General Forum tips
Secure your Forum - Thanks to DeLeTeD

VBulletin Specific tips
  1. Rename config.php file (http://www.vbulletin.org/forum/showthread.php?t=198856)
  2. Secure yourself and set up as super administrator

PhpBB Specific tips
If you have tips for here please PM or post them

Server(Non Shared) Specific tips
  1. Install CSF Firewall; it's not the best, but by far the easiest to use and learn. Also, follow the guides that come with it.
  2. Disable the directory "/cpanel" AND change the cPanel access port (this includes DirectAdmin)

Updated : 10, June, 2010
 
warezlife.org got hacked; seems like badb0y hacked sonic's account and mine on WJ :(

BTW I have changed all my passwords on the sites where I'm registered.
I just can't understand how he hacked me?
 
Ok Justice, so you have used the same passwords on WJunction as you have on your server and other forums!

The reason why this is bad is because if another forum gets hacked they have your details for that forum, which can easily be decrypted!

Then once decrypted they can try them on your emails (which will have other account details) and then login to places like WJ and read your PMs for when you're swapping server details there.

I believe this is Database Jumping, as your DB is now in the hands of the hacker and he will start decrypting them for other sites etc.

No, your website passwords and server passwords
SHOULD NEVER BE USED ON OTHER FORUMS LIKE WJUNCTION ETC!
 
Indeed, rule 1: never use the same password on any other board (I used to root a few people a few years ago because they were dumb enough to use it on every site; the satanwarez owner did, and this got me root on his server, email and credit card details).

Also IP and password protect any of your admin panels, and stay up to date with your forum software.

And there are many ways to secure your server; if you need help, let me know.
 
I wasn't really hacked, but they accessed my cPanel and deleted my forum's database and changed the front page...
They accessed it because one of the host's staff added a password to my cPanel that was 'password' and they forgot to delete it.. but luckily I was talking with them while it happened and so I told them to restore my database from a backup they made.
 
Yea I see, so make sure you double check what accounts are on your server apart from your own!

I mean real people who don't really know about hackers use passwords such as the sitename or 123456 etc, and it's stupidity.
 
Yes that's right, you want to stop shells at all costs! These script kiddies attempt to get your site, so make sure you scan for these files and check them out, because I'm not sure that any webware package comes with r57 as a file or r99 etc etc!
 
Good thread litewarez, nice info. I didn't really get hacked, but I made the stupid mistake of using my hotmail account with my admin account. They got into my hotmail account, and as a result, requested a forgotten password, and bada-bing, in you go.

Fortunately they never got into the backend so all was good, but just remember that hotmail accounts are NOT secure, they are hackable. NEVER use a hotmail account in conjunction with your administrator account, or for anything else such as a paypal account.

If you know a little PHP, you can add a password to your backend, such as:

admin.php?mySTRONGpassword

If the password is wrong, just redirect back to index.php.
That way, even if they know your login details, they can't get into the backend unless they know that password as well or have access to your DB, in which case you're fucked anyway.
 
I suggest getting into RoboForm, it remembers passwords, has a master password to protect all the password files and has a built-in password generator. Every password is different for me, never use the same password twice.
 
My tips:
- Hide your index.php in a dir not accessible to others.
- Use the KeyScrambler addon for Firefox.
- DON'T SAVE PASSWORDS IN FF.
- Every time you leave your PC, do CTRL + SHIFT + DEL to clear your passwords etc.

Litewarez, explain this please:

  1. Secure any private directories by IP whitelist
  2. In PHP always secure your inputs with mysql_real_escape_string
 
Keep your code secure against intruders. In this article we provide examples of SQL injection attacks and how you can write code to prevent them. Stop people from getting information from your database.

In an XSS attack, the attacker tries to use client-side methods of injecting client-side script and then hijacking a user's session. Now, we're going to provide some examples of a server-side attack where an intruder will try to obtain information from within your database. After the examples, we will go through methods of securing your code against these types of attacks.
SQL injection attacks take advantage of code that does not filter input that is being entered directly into a form. Susceptible applications are applications that take direct user input and then generate dynamic SQL that is executed via back-end code. For example, say you have a logon form that accepts a user name and password. Once authenticated against the database, the application then sets a session value, or some other token, for allowing the user to access the protected data.
Take a logon form for example; here you have two basic form elements: a textbox for accepting a user name, and a password box for the password.

Code:
<form action="myscript.aspx" method="post">
<input type="text" name="username">
<input type="password" name="password"><br/>
<input type="submit">
</form>


Then in the code behind:

Code:
' Vulnerable: the user name and password are concatenated straight into the SQL text
Dim SQL As String = "SELECT Count(*) FROM Users WHERE UserName = '" & _
    username.Text & "' AND Password = '" & password.Text & "'"
Dim thisCommand As SqlCommand = New SqlCommand(SQL, Connection)
Dim thisCount As Integer = CInt(thisCommand.ExecuteScalar())

In the previous code block it executes the built SQL script directly; if the count is greater than one, then you know the values entered for the user name and password were the ones matching the database.
Now with that code in the previous example, suppose someone entered the following string into your username text box:

Code:
' or 0=0 --

The apostrophe will close the username value being sent to the SQL query, then pass another argument to the SQL query; after the last argument it then comments out the rest of the query using the "--". Since the second argument they entered into your textbox is an "or" statement, the first check on the user name doesn't matter, and since 0 is always going to equal 0 the script will execute successfully and return a positive logon. Guess what? Your intruder now has access to your application.
Ok so maybe they can log on to your application, but what else can they do? Let's take another example of SQL injection; as in the previous example of using the apostrophe to terminate the value and proceed on to another argument, let's do this, but using something that can really ruin your application's data and day:

Code:
'; drop table users --

Definitely something that can ruin your day. Of course this type of attack you'll probably notice pretty quick. Other SQL commands can then be entered to determine your database's structure, and return all user names and passwords from the database. You make it even easier for the attacker if you do not provide some ambiguous error message and instead provide the error message returned from .NET. This error message can provide critical information they need to determine what to enter in your form in order to obtain information.

SQL Injection Prevention

One method of preventing SQL injection is to avoid the use of dynamically generated SQL in your code. By using parameterized queries and stored procedures, you then make it impossible for SQL injection to occur against your application. For example, the previous SQL query could have been done in the following way in order to avoid the attack demonstrated in the example:
Code:
Dim thisCommand As SQLCommand = New SQLCommand("SELECT Count(*) " & _
 "FROM Users WHERE UserName = @username AND Password = @password", Connection)
thisCommand.Parameters.Add ("@username", SqlDbType.VarChar).Value = username
thisCommand.Parameters.Add ("@password", SqlDbType.VarChar).Value = password
Dim thisCount As Integer = thisCommand.ExecuteScalar()

By passing parameters you avoid many types of SQL injection attacks, and an even better method of securing your database access is to use stored procedures. Stored procedures can secure your database by restricting objects within the database to specific accounts, and permitting the accounts to just execute stored procedures. Your code then does all database access using this one account that only has access to execute stored procedures. You do not provide this account any other permissions, such as write, which would allow an attacker to enter an SQL statement to be executed against your database. Any interaction with your database would have to be done using a stored procedure which you wrote and which is in the database itself, which is usually inaccessible to a perimeter network or DMZ.
So if you wanted to do the authentication via a stored procedure, it may look like the following:

Code:
Dim thisCommand As SqlCommand = New SqlCommand("proc_CheckLogon", Connection)
thisCommand.CommandType = CommandType.StoredProcedure
thisCommand.Parameters.Add("@username", SqlDbType.VarChar).Value = username
thisCommand.Parameters.Add("@password", SqlDbType.VarChar).Value = password
thisCommand.Parameters.Add("@return", SqlDbType.Int).Direction = ParameterDirection.ReturnValue
' The procedure hands the count back through its RETURN value, so execute it
' and read the return parameter rather than relying on ExecuteScalar
thisCommand.ExecuteNonQuery()
Dim thisCount As Integer = CInt(thisCommand.Parameters("@return").Value)


Finally, ensure you provide very little information to the user when an error does occur. If there is database access failure, make sure you don't dump out the entire error message. Always try to provide the least amount of information possible to the users. Besides, do you want them to start helping you to debug your code? If not, why provide them with debugging information?
By following these tips for your database access you're on your way to preventing unwanted eyes from viewing your data.
 
Litewarez, explain this please:

  1. Secure any private directories by IP whitelist
  2. In PHP always secure your inputs with mysql_real_escape_string

Well, IP whitelisting is only allowing certain IPs to be able to access a certain area

So for instance let's say you have two folders
  1. Admin
  2. Includes

Well, NOBODY but you needs to access these folders, so you can create a htaccess file to deny access to anyone with an IP that is not in the list!

This is done by adding a htaccess file to that directory with these contents

Code:
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Litewarez authorized area"
AuthType Basic
<LIMIT GET>
    order deny,allow
    deny from all
    allow from X.X.X.X
    allow from X.X.X.X
</LIMIT>

You can add as many IPs as you wish by adding another allow from IP line

Just replace the X's with your IP

MySQL Escaping (mysql_real_escape_string)

mysql_real_escape_string escapes data inputted by the browser, so let's look at this SQL example

PHP:
// Vulnerable: the raw POST values are interpolated straight into the query
$sql = "SELECT * FROM admins WHERE admin_username = '{$_POST['username']}' AND admin_password = '{$_POST['password']}'";

Now if I inputted a normal username and password into the login form, let's see the final SQL string

I logged in with Username: Litewarez and Password: Litewarez
Here's how it will look
Code:
SELECT * FROM admins WHERE admin_username = 'Litewarez' AND admin_password = 'Litewarez'

But if I was to insert chars such as ' I can change it, so let's see another example

I logged in with Username: Litewarez' OR '1'='1 and Password: Litewarez' OR '1'='1

Let's see how the string is constructed now?
Code:
SELECT * FROM admins WHERE admin_username = 'Litewarez' OR '1'='1' AND admin_password = 'Litewarez' OR '1'='1'

This will log the person in as there is an OR 1 = 1, which is true; this is one of the ways hackers use to fool the system

But if I used mysql_real_escape_string on every $_POST then it would add a \ to every ' and the backslash means that that's a literal char and it will not affect the SQL string structure, and it will check for an admin that actually has a ' in his username or password
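Both the .NET article earlier in the thread and the mysql_real_escape_string explanation above come down to the same rule: form input must never become part of the SQL text. This is an added example (not code from any post in this thread) that runs the vulnerable string-building pattern and the safe alternative over a constructed copy of the `admins` table in SQLite, using the exact `Litewarez' OR '1'='1` input shown above; it uses parameter binding rather than escaping, which is what the old mysql_* functions were replaced by in PHP (PDO/mysqli prepared statements).

```python
import sqlite3

# Constructed sample rows standing in for the forum's "admins" table.
ADMINS = [("Litewarez", "Litewarez"), ("mod", "hunter2")]


def make_db():
    """Fresh in-memory database holding the two sample admin rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE admins (admin_username TEXT, admin_password TEXT)")
    con.executemany("INSERT INTO admins VALUES (?, ?)", ADMINS)
    return con


def login_unsafe(con, username, password):
    """The pattern from the thread: form values spliced straight into the SQL text.
    Returns the number of matching rows; the login code treats >0 as success."""
    sql = (f"SELECT * FROM admins WHERE admin_username = '{username}' "
           f"AND admin_password = '{password}'")
    return len(con.execute(sql).fetchall())


def login_safe(con, username, password):
    """Parameter binding: the driver sends the values separately from the SQL,
    so a quote inside the input is data, never query syntax."""
    sql = ("SELECT * FROM admins WHERE admin_username = ? "
           "AND admin_password = ?")
    return len(con.execute(sql, (username, password)).fetchall())


def demo():
    """Run the thread's inputs through both versions and return the row counts."""
    con = make_db()
    payload = "Litewarez' OR '1'='1"   # the exact input shown in the post
    return {
        "unsafe_valid": login_unsafe(con, "Litewarez", "Litewarez"),  # 1
        "unsafe_bypass": login_unsafe(con, payload, payload),          # 2: OR '1'='1' matches every admin
        "safe_valid": login_safe(con, "Litewarez", "Litewarez"),      # 1
        "safe_bypass": login_safe(con, payload, payload),              # 0: looked up literally, no such admin
    }


if __name__ == "__main__":
    print(demo())
```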
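One thing to check in the .htaccess above: `<LIMIT GET>` scopes the deny/allow rules to GET (and HEAD) requests only, so a POST to the same directory is not filtered, and Order/Deny/Allow is the Apache 2.2 syntax. Added example, not from the post: the same whitelist without the Limit wrapper, in Apache 2.4 form with the 2.2 equivalent in comments; 203.0.113.10 and 198.51.100.0/24 are placeholders for your own address or range.

```apacheconf
# Added example: IP whitelist for a private directory such as /admin or /includes.
# Placed at directory level (no <Limit> wrapper) it applies to every request method.
# 203.0.113.10 and 198.51.100.0/24 are placeholders; replace them with your own IP.

# Apache 2.4 (mod_authz_core): several addresses or CIDR ranges may be listed
Require ip 203.0.113.10 198.51.100.0/24

# Apache 2.2 equivalent (or 2.4 with mod_access_compat loaded); use one form, not both
# Order Deny,Allow
# Deny from all
# Allow from 203.0.113.10
# Allow from 198.51.100.0/24
```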
 
Whoo's idea for RoboForm and using random passwords is REALLY GOOD. This helps avoid keyloggers, and if you've got a shit memory it's a ++ all round!

Also these systems remember passwords for domain and domain dir, which is extremely useful, as if you happen to go on a phishing domain like faceboook.com or summat like that it won't add the passwords to the form as this is not the domain they were saved from!
 
First Step Should Be Change Your Passwords
Admin and global mod passwords, host client area password, cPanel and FTP password
[also check admin accounts if the email ID is changed]

Next Step Change Database Name and User
Just import the previous DB into the new one..

Optional: Protect AdminCP and ModCP Directories

Delete and Upload Fresh vBulletin [or whichever script you are using] Again

 

litewarez, would it not be more secure if you denied all IPs to those dirs and then, when you come to needing to use the directories, you just add your IP for that time, then remove it when you finish?
 
Some things:

Do not use the same passwords
Don't let anyone know your passwords for anything on the web (ie via PM or w.e)
Keep everything up to date.
Never use nulled scripts (get them from trusted nullers only)
Never download anything you are unsure about; if you are not sure, use VirusTotal.com and scan it to see if it is infected.
Don't let people have access unless you are sure you can really trust them.

A lot of it is common sense really..
 