php, mysql... security issues?


sothis
08-29-2002, 10:58 AM
so, networking, security holes, hax0rs, arent my area of expertise.

ive recently been concerned about my website that i made for an anime hub that i download in, as a few months ago, my database magically got erased. the admins still have no idea how it happened (the thing is so fucked up, the admins cant even delete the old fucked up database).

so, i want to make sure that im doing things as securely as possible.

the server that my site is on is unix, using apache, with mysql databases. the forum i use is php based. i want to move my site over from html/shtml to php, considering the only options (i think) are to use .jsp (which i know very well, but it would be a pain in the ass), or to php.

so im reading up on php right now.. i guess what im wondering, are any of you aware of potential problems, security holes, etc.. that mysql, php, or the combination of the two have? i know sql has problems with injection, so id imagine there is something similar that i should look out for with php?

heres my site in case anyone wants to see it heh
http://www.animeplanet.d2g.com
be kind, im a code person not a graphics person ^_^

oh.. and the purpose of learning php, is so i can take those 250+ pictures i have that are hard coded, and make it dynamic and database driven.

djtrainwreck
08-29-2002, 11:17 AM
watch out for mysql insertion/injection attacks.
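
What the injection warning means in practice, as an added example that is not part of the original thread: the same constructed visitor input is run once pasted into the statement text and once bound as a parameter. The `pictures` table and its rows are hypothetical sample data; PHP's mysqli and PDO prepared statements perform the same binding from application code.

```sql
-- Added example. Table, rows and input are constructed for illustration.
CREATE TEMPORARY TABLE pictures (
    id     INT PRIMARY KEY,
    title  VARCHAR(100),
    hidden TINYINT
);
INSERT INTO pictures VALUES
    (1, 'sunset',     0),
    (2, 'mecha',      0),
    (3, 'staff-only', 1);

-- Constructed value standing in for text a visitor typed into a search box.
SET @user_input = 'x'' OR ''1''=''1';

-- Vulnerable pattern: the input becomes part of the statement text, so its
-- quote characters end the string literal and the rest is parsed as SQL.
SET @q = CONCAT(
    'SELECT id, title FROM pictures WHERE hidden = 0 AND title = ''',
    @user_input, '''');
SELECT @q AS statement_sent_to_server;  -- inspect what the server will parse
PREPARE unsafe FROM @q;
EXECUTE unsafe;                         -- the hidden = 0 filter no longer applies
DEALLOCATE PREPARE unsafe;

-- Hardened pattern: the statement text is fixed and the input is bound to
-- the ? placeholder, so it is only ever compared as a string value.
PREPARE safe FROM
    'SELECT id, title FROM pictures WHERE hidden = 0 AND title = ?';
EXECUTE safe USING @user_input;         -- no title equals that literal string
DEALLOCATE PREPARE safe;
```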

ZupanGOD
08-29-2002, 11:24 AM
Originally posted by sothis
so, networking, security holes, hax0rs, arent my area of expertise.

ive recently been concerned about my website that i made for an anime hub that i download in, as a few months ago, my database magically got erased. the admins still have no idea how it happened (the thing is so fucked up, the admins cant even delete the old fucked up database).

so, i want to make sure that im doing things as securely as possible.

the server that my site is on is unix, using apache, with mysql databases. the forum i use is php based. i want to move my site over from html/shtml to php, considering the only options (i think) are to use .jsp (which i know very well, but it would be a pain in the ass), or to php.

so im reading up on php right now.. i guess what im wondering, are any of you aware of potential problems, security holes, etc.. that mysql, php, or the combination of the two have? i know sql has problems with injection, so id imagine there is something similar that i should look out for with php?

heres my site in case anyone wants to see it heh
http://www.animeplanet.d2g.com
be kind, im a code person not a graphics person ^_^

oh.. and the purpose of learning php, is so i can take those 250+ pictures i have that are hard coded, and make it dynamic and database driven.

Do you log in to this thing with Admin rights? If so I would put your site/forums behind SSL or something to help prevent cyber punks from sniffing out the password to get in and wreak havoc on the site with your admin password. So with SSL when logging in as Admin you're given a secure link. With more information and detail I may understand what you're trying to do.

Take care,
Jason

sothis
08-29-2002, 11:38 AM
hmm what goes into putting the site behind ssl? i have no access to change anything on the server, so if its something required on that end, i would have to ask an admin to do so... as long as its relatively easy.

as far as logging in as admin, the forum software accesses the database with admin access. when i get home (i guess i cant access the port that webmin is on from work), i will explain the access a little more... but i think users that use the forum just have access to add/delete/update table data.

as far as the interaction between the database of pictures and the site, im not sure how i was supposed to do that (since i never have dealt with databases prior to setting up the forum).

the database name/password are listed in a php file for the forum, but i was told by a few friends that it was secure, and there was no way of someone to view the contents of that file... but again, i have no idea.

i doubt that cleared anything up... again, sorry, i really dont know hardly anything about this kind of stuff :/

burnt
08-29-2002, 11:48 AM
www.hideaway.net

www.viruswatch.org

check those guys out and just do a search for "mysql" and "php" for suggestions on your own unique website.

99% of the hacks and exploits out there, are just compromised systems running worms, whose job is to go out and compromise other systems.

99% of the hacks against your system, are going to be hacks against factory default settings. so kill the source, at the source.

if you know that everyone tries to login as "admin", change the name from "admin" to "sothis". how many webmasters do you know whose webserver is missing the "admin" user profile, and whose admin account is "sothis"? =)

also, instead of "index", use something like "homepage" or "firstpage" or something else, for your homepage. again, 99% of the hacks out there attempt to "GET" or "PUT" some nasty code or another against "index.html". if "index.html" is irrelevant, then so is the inevitable script kiddy's attack against your site.

its the second layer in the OSI security model. I mean, if you can't kick their ass, confuse em! =)

sothis
08-29-2002, 12:08 PM
thanks for the links burnt...

tho viruswatch.org (tried .com as well) doesnt exist... heh.. got lots of lovely popups from that one ^_^

looks like a lot of the current vulnerabilities can be done by upgrading, hopefully i can convince my admins to do so.

as far as the tips:

turns out my admin account is named sothis :p i dont have an account labeled "admin"..

as far as the index.html thing, do you mean that normally, the scripts dont go past that page? if so, ill be fine, as my index.html page is just an intro page... you have to click on either the picture site link or the forum to get near the php or databases.

burnt
08-29-2002, 12:19 PM
erm. kinda.

actually, what I mean is, say like, everyone is issued a front door key. for the sake of simpler, more efficient communication, we all call it "front door key". The admins make a front door key for you called "front door key", and you give all your friends that you want to give front door access to, a copy of the "front door key".

ok, say you don't like that. because the front door looks for the words "front door" on the key.

so you paint "north side door" on your door.

and you paint "north side door key" on your key.

any hackers that have a skeleton key, have a skeleton key that looks for the words "front door." ah, but sothis doesn't have a "front door" per se, she has a "north side door."

same entry, same interface, different name. totally unaffected by the billions and billions of exploits against "front door."

so it goes with "index."

if you go to "www.nwtekno.org/index", you'll get the same page as "www.nwtekno.org"

so, if you wanna prevent nwtekno from ever, ever, ever getting exploited by generic exploits which, through a whole plethora of different tactics, exploit "index.html"


......don't use "index" as your main page, make up something else. use that. tell your friends, "visit my homepage at www.sothis.com/firstpage.html" or something, and you'll find that 99% of the website hacks don't affect you.

everyone's got their own patterned behaviours, even hackers. hack the hackers. do something outside the realm of "patterned behaviour" - rename and redesign your generic stuff, into something unique. ultimately you stand out, you look unique, and you're more protected too =)

good luck.......oh, and am I gonna be able to download anime? I really love anime......I'd share! =) please???

TeknoAXE
08-29-2002, 12:29 PM
http://www.acm.wwu.edu/~sothis/ap/images/sothis.jpg

AXE

burnt
08-29-2002, 12:32 PM
btw, its viruslist

viruslist.org ....forward-slash Index =P

yea, sorry about that. viruslist. they're pretty cool.

burnt
08-29-2002, 12:33 PM
is that a picture of the infamous sothis? or is that a user named disortion before getting his head shaved by the army? =)

TeknoAXE
08-29-2002, 12:38 PM
Originally posted by burnt
is that a picture of the infamous sothis? or is that a user named disortion before getting his head shaved by the army? =)

Nope. That's the real McCoy! Nobody knows what I look like *shifts eyes*.

AXE

sothis
08-29-2002, 12:39 PM
hmm that would be my picture... tho im not sure why distortion posted it.. its in my profile already.

sothis
08-29-2002, 12:40 PM
and thats pocky not some form of tobacco.. people always say that :/

TeknoAXE
08-29-2002, 12:46 PM
Originally posted by sothis
hmm that would be my picture... tho im not sure why distortion posted it.. its in my profile already.

Oh...I didn't check your profile tho. I found it on the site.

AXE

sothis
08-29-2002, 12:50 PM
still doesnt explain why you posted it in the first place tho? kind of off the subject of the thread yanno.

so back to the subject at hand, although it might be a safe thing to change the intro page of the site, i really dont think i want to deal with that hassle... the redirect is enough to remember, but to have people need to remember something tacked onto the end (this isnt a site that is just viewed by ~10 people, when i had a counter up a few months ago before i even put the forum up, i got like 500 unique hits a day... there are 450ish people in the hub at all times)... i dunno, just seems too much to ask of everyone.

ill check out the viruslist site when i get home i think ^_^

ZupanGOD
08-29-2002, 03:56 PM
Originally posted by sothis
hmm what goes into putting the site behind ssl? i have no access to change anything on the server, so if its something required on that end, i would have to ask an admin to do so... as long as its relatively easy.

as far as logging in as admin, the forum software accesses the database with admin access. when i get home (i guess i cant access the port that webmin is on from work), i will explain the access a little more... but i think users that use the forum just have access to add/delete/update table data.

as far as the interaction between the database of pictures and the site, im not sure how i was supposed to do that (since i never have dealt with databases prior to setting up the forum).

the database name/password are listed in a php file for the forum, but i was told by a few friends that it was secure, and there was no way of someone to view the contents of that file... but again, i have no idea.

i doubt that cleared anything up... again, sorry, i really dont know hardly anything about this kind of stuff :/

Well if you're able to get into webmin then you are likely to have ssl on the server. When you connect to webmin is it https:// being that the s after http is important. Let me know.

Thanks,
Jason

tekkno30
08-29-2002, 04:00 PM
wow.....anime is still around....kool i used to be into that...used to know a really good anime artist.....but cant remember his name too many years gone by....:)

burnt
08-29-2002, 04:27 PM
if anything, you only get one ssl port from the default installation of most webservers. probably port 8888, and since its pointless to use the default, everybody-knows-it port as your default encrypted port, then....

but yea, i'm pretty sure that both iis and iplanet will fire up into admin on http://localhost and let you cruise around and configure your admin webserver, including installing other webservers, "unencrypted" locally...heh.

**
and see, thats the thing. if your forum software accesses the data or webpages via a standard, default, just-clicked-next path, creating port 8888, then hey - cool. follow the path. figure it out. *then* uninstall, and reinstall on a unique path. and not port 1337, thats usually the second guess, d00d. ;)

***
ditto on your port 1433 or whatever for your database - I mean, just like you're using "sothis" instead of "admin", use "sothisDATA" instead of "SA" for your SQL...and something else unique for your webadmin. etc...

that way - I mean, yea, you try and build a system thats going to stand up to a shitload of requests at any given time, be they from hacking or just plain ol popularity. I mean, sure, keep it clean *after* building a good foundation. but in the worst case scenario, when all your friends are out getting hacked, you're in the cool, because your website is unique. it isn't "admin", its "sothis". and it isn't "8888", its something else unique.

thats why I was saying use something besides "index". and hey, whats even cooler is - you can still configure your webserver to redirect all requests from www.whatever.com - to a page besides index. it'd be totally transparent to your users, they wouldn't have to type in a buncha extra shit. yeaaaaaaaa....directing by default to "index" is a default webserver setting, not an internet "you-must-comply-this-way" rule =)



its something to think about. what if you were - by default - unaffected by any hacks or exploits which utilized the logic of blanket statements? werd.....
***
anyway, as far as getting ssl and 128 bit encrypted cool stuff, The Certificate Authority and VeriSign, Inc. both issue certificates.

you can get em cheaper through 3rd party whatevers, but there's a naaaaaaaaaaasty 3rd party digital certificate exploit that was just recently discovered. it hurts internet explorer 4.x, 5.x, and 6.0. With no immediate fix in sight, last I heard. it *RE-ROUTES*, or redefines the certificate, or some shit. basically, its no good.

so its best to buy that stuff direct from the source. again, good luck! =)

ZupanGOD
08-29-2002, 09:01 PM
Default SSL Port is 443

sothis
08-29-2002, 11:35 PM
alright, if one of you can school me in the field of permissions, id highly appreciate it... heres the situation i have now.. i have NO idea if its doing what i think its doing, or if its safe, or what to set up for this new database for that matter

when you explain please talk to me like a 5 year old as permissions REALLY confuse me :p

i have a database, called "sothis_phpBB".
under "database permissions" (im using graphical webmin access), the user is listed as "sothis", hosts: "localhost", permissions: all.

now, if i go to user permissions, there is a user "sothis_phpBB" that i made... hosts: localhost, permissions: select/update/delete/create table data

theres also a user "root" listed, hosts localhost, permissions all... i didnt put that one there tho.. so i dont know if its supposed to be there or not

so, is this how i think it is?
sothis is the user in the mysql server that has all access to anything. thus, i had thought that it was the user with all access to the database, in order to modify the database, etc.. (and its the username/password that is used in the config file for the forum)... then i thought, the actual database would see the sothis_phpBB user when anyone uses the forum so it would only have limited access

is that right? or am i completely wrong

and for that matter, what user do i say is the primary user for the new database? sothis again with all access? and then what user has permission on it, if im just going to be getting data out of it or putting data into it with a script?

DJ Rawkus
08-29-2002, 11:56 PM
*fires up Webmin and looks into port 901, 9000, 10000 respectively*

I wonder if burnt or Zupe heard about a url grabber that takes the dynamic requests from a redirect site and pushes out an exploit (probably just a small file that works like PING) to each one? Hmmn, maybe im confused. But the way I understand it is that redirect sites are about as safe as putting your money under a mattress behind 3 doors. Sure it takes longer and you may hafta travel down a few dusty halls and maybe into a creepy basement, but the money's still there. And we all know bots do the work in that case... In any event, a redirect is sort of like a dynamic IP hence the insurgence of DYNIP Hotline and Shareaza users. Once again, if im way off base, feel free to set me straight in my pre-CCNA phase. Someday I'll actually make sense and know what i'm talking about. :D

ZupanGOD
08-30-2002, 12:02 AM
Originally posted by sothis
alright, if one of you can school me in the field of permissions, id highly appreciate it... heres the situation i have now.. i have NO idea if its doing what i think its doing, or if its safe, or what to set up for this new database for that matter

when you explain please talk to me like a 5 year old as permissions REALLY confuse me :p


i have a database, called "sothis_phpBB".
under "database permissions" (im using graphical webmin access), the user is listed as "sothis", hosts: "localhost", permissions: all.

now, if i go to user permissions, there is a user "sothis_phpBB" that i made... hosts: localhost, permissions: select/update/delete/create table data

theres also a user "root" listed, hosts localhost, permissions all... i didnt put that one there tho.. so i dont know if its supposed to be there or not

so, is this how i think it is?
sothis is the user in the mysql server that has all access to anything. thus, i had thought that it was the user with all access to the database, in order to modify the database, etc.. (and its the username/password that is used in the config file for the forum)... then i thought, the actual database would see the sothis_phpBB user when anyone uses the forum so it would only have limited access

is that right? or am i completely wrong

All the mysql server will be is a database for phpBB2, to my knowledge phpBB2 will make necessary permissions inside the database for who gets access to the board and who doesn't ie:moderators, users, etc.

I would make the sql user you created which was? sothis_phpBB? Allow that user to access all, make sure it's password protected. To my belief you want that mysql user (sothis_phpBB) to be able to have full access in doing what it needs to access the database and do its thing.

and for that matter, what user do i say is the primary user for the new database? sothis again with all access? and then what user has permission on it, if im just going to be getting data out of it or putting data into it with a script?

your primary user (admin) for the actual phpBB2 site is done within the install process under the admin input box on the first initial setup. Yes you're right, consider mysql as a garage, and phpBB is the father the kids play in the room (forums) post their scribble on the walls (threads) all of that goes into the mysql database through the sothis_phpBB admin account you created in webadmin. If you need any help give me an aim IM @ ZupanGOD.

Good Luck!
-Jason

sothis
08-30-2002, 08:14 AM
I would make the sql user you created which was? sothis_phpBB? Allow that user to access all, make sure it's password protected. To my belief you want that mysql user (sothis_phpBB) to be able to have full access in doing what it needs to access the database and do its thing.


well, right now, its certainly working with sothis as the main user... and in the config file, sothis with its password is what accesses the database. i was under the impression that by making the actual sothis_phpBB user for the database the select/update etc, with host localhost, it would handle the limited access

so what you are saying, is that i dont need sothis_phpBB at all? that i can just axe that, keep sothis as all access, and be done?

ZupanGOD
08-30-2002, 05:21 PM
Originally posted by sothis


well, right now, its certainly working with sothis as the main user... and in the config file, sothis with its password is what accesses the database. i was under the impression that by making the actual sothis_phpBB user for the database the select/update etc, with host localhost, it would handle the limited access

so what you are saying, is that i dont need sothis_phpBB at all? that i can just axe that, keep sothis as all access, and be done?

You just need a specific user for phpBB2 to use.

-Jason
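
One way to lay out the accounts discussed above, as an added example that is not part of the original thread: the forum's config file points at an account that can change rows but cannot drop the database, and the planned picture database gets its own narrow accounts. The database `sothis_gallery`, the accounts `gallery_web` and `gallery_load` and the passwords are hypothetical placeholders; MySQL 5.7 or later is assumed.

```sql
-- Added example. Names marked (hypothetical) do not appear in the thread.
-- Assumes MySQL 5.7 or later and a session allowed to manage accounts.

-- 1. Audit: list what each account from the thread can actually do.
SHOW GRANTS FOR 'sothis'@'localhost';
SHOW GRANTS FOR 'sothis_phpBB'@'localhost';
SHOW GRANTS FOR 'root'@'localhost';

-- 2. Forum account: row-level rights on the forum database only.
--    In a database-level GRANT an unescaped "_" is a wildcard matching any
--    single character, so it is escaped to name exactly one database.
--    Assumption: these four privileges cover day-to-day forum use; installs
--    and upgrades that change tables are run under the owner account.
GRANT SELECT, INSERT, UPDATE, DELETE
    ON `sothis\_phpBB`.* TO 'sothis_phpBB'@'localhost';

-- 3. New picture database (hypothetical name) with two narrow accounts.
CREATE DATABASE sothis_gallery;

-- Account used by the public pages (hypothetical): can only read.
CREATE USER 'gallery_web'@'localhost'
    IDENTIFIED BY 'REPLACE-WITH-LONG-RANDOM-1';
GRANT SELECT ON `sothis\_gallery`.* TO 'gallery_web'@'localhost';

-- Account used by the script that loads picture records (hypothetical).
CREATE USER 'gallery_load'@'localhost'
    IDENTIFIED BY 'REPLACE-WITH-LONG-RANDOM-2';
GRANT SELECT, INSERT, UPDATE
    ON `sothis\_gallery`.* TO 'gallery_load'@'localhost';

-- 4. Confirm that no application account holds DROP, ALTER,
--    GRANT OPTION or ALL PRIVILEGES.
SHOW GRANTS FOR 'sothis_phpBB'@'localhost';
SHOW GRANTS FOR 'gallery_web'@'localhost';
SHOW GRANTS FOR 'gallery_load'@'localhost';
```

With this layout the all-privilege `sothis` account is used only for schema changes and backups and does not need to appear in any file the web server reads.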

balloon kitten
08-30-2002, 07:18 PM
Originally posted by sothis
so im reading up on php right now.. i guess what im wondering, are any of you aware of potential problems, security holes, etc.. that mysql, php, or the combination of the two have? i know sql has problems with injection, so id imagine there is something similar that i should look out for with php?

Hmmm.. have you tried putting your processor in the microwave? :D

sothis
08-30-2002, 07:36 PM
ive recently been concerned about my website that i made for an anime hub that i download in, as a few months ago, my database magically got erased. the admins still have no idea how it happened (the thing is so fucked up, the admins cant even delete the old fucked up database).

i guess posting this thread was a bad thing to do. guess what just happened again.

*hangs head in anger and frustration*

i havent made a backup since 8-9-02 and i cant even run the sql to back it up. god.

burnt
08-30-2002, 08:41 PM
you need someone right there working with you. seriously.

what is this site for? downloading anime? hrm......

how far is bellingham from portland. are there any sysadmins in bellingham who wanna swap anime for - well, fuck, getting free anime is good payment.

if not, I can cruise up there in a week or 2......I'm more experienced in SQL not mySQL, but I can figure out anything with right-click options. seriously.

sothis
09-03-2002, 03:00 PM
basically the admins work on their own time because its volunteer, and wouldnt accept help anyways probably. im going to write the main admin who is an asshole (and never even helped me the first time) and hope something is fixed. else im going to have to backup and create a new database every time this happens >_<

a question. is there *any* way that someone can view a .php file's contents? with all permissions maybe? is there ANY possible way? im trying to rule out the idea that someone could have gotten my database/username from the .php file its listed in and used that to drop the database

sothis
09-03-2002, 06:24 PM
jeez... sorry. i know there are some computer nerds who read the forum and thought i would ask... damn. :rolleyes:

ZupanGOD
09-03-2002, 11:01 PM
doesn't hurt to ask.