Chief Delphi

Chief Delphi (http://www.chiefdelphi.com/forums/index.php)
-   General Forum (http://www.chiefdelphi.com/forums/forumdisplay.php?f=16)
-   -   Hacked (For real this time) (http://www.chiefdelphi.com/forums/showthread.php?t=94253)

BrandonD-1528 02-04-2011 22:27

Hacked (For real this time)
 
No, this isn't about the competition, but about our website. I got a text message tonight stating that our site was down. When I looked at it, I saw:

Parse error: syntax error, unexpected T_STRING in /home1/ipirates/public_html/admin/settings.php on line 6

Which led me to believe the file was not intact. Upon taking a look at the file, I saw that it had been modified by someone. It says:

Code:

<?php
  $title = "HAXORED";
  $copyright = "&copy;2009-2011 Monroe Trojan Robotics";
  $footer1 = "Logos of FIRST and our sponsors are trademarks of their respective owners. All rights reserved.";
  $footer2 = "Running ScurvyCMS, coded by Brandon Dusseau. Your site is vulnerable to SQL injection.";
  $footer3 = "Also your <a href="[omitted]">[omitted]</a> page is wide open.";
  ?>

What I'd like to know is who is responsible for this. I'm not pointing fingers or anything, but at least they could have emailed us instead of poking around in our site settings. Looks like I get to go on a code hunt and check the database for issues. This should be fun, considering there are no backups.

I realize I have to sanitize my login input for the admin panel with SQL Injection prevention... I don't feel like messing with it though, because I'm tired from the competition. So thank you mysterious hacker, you've made my day difficult.

BigJ 02-04-2011 22:35

Re: Hacked (For real this time)
 
I believe PHP has a string sanitization function built in, somewhere.

plnyyanks 02-04-2011 22:37

Re: Hacked (For real this time)
 
Quote:

Originally Posted by BigJ (Post 1048553)
I believe PHP has a string sanitization function built in, somewhere.

to escape inputs use:

Code:

mysql_real_escape_string($string);

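The two posts above (the admin login that needs SQL injection prevention, and the suggestion to escape inputs with mysql_real_escape_string) are worth seeing side by side in running code. The following is an added example, not code from this thread or from ScurvyCMS: a login lookup in Python against an in-memory SQLite database, with the vulnerable string-built query, an escaped variant, and the parameterized fix. SQLite doubles single quotes where MySQL backslash-escapes them, so `escape_quotes` is the SQLite stand-in for what mysql_real_escape_string does; the table, the account, the hashing scheme and the payloads are all constructed for the example.

```python
import hashlib
import sqlite3


# Constructed sample data: one admin account. SHA-256 keeps the example short;
# a real site would store a salted password hash such as bcrypt.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', ?)",
                 (hashlib.sha256(b"correct horse").hexdigest(),))
    conn.commit()
    return conn


def escape_quotes(value):
    # SQLite stand-in for mysql_real_escape_string: neutralise the quote that
    # would end a string literal. Only helps when the value is quoted in the SQL.
    return value.replace("'", "''")


def login_vulnerable(conn, username, password):
    # Input pasted straight into the SQL text. A username of "admin' --" turns
    # the rest of the WHERE clause into a comment, so the password is never checked.
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = (f"SELECT id FROM users WHERE username = '{username}' "
           f"AND pw_hash = '{pw_hash}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_escaped(conn, username, password):
    # Escaping stops the quote breakout above, but only because this value
    # happens to sit inside quotes in the query text.
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = (f"SELECT id FROM users WHERE username = '{escape_quotes(username)}' "
           f"AND pw_hash = '{pw_hash}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_param(conn, username, password):
    # Parameterized query: values travel separately from the SQL text, so no
    # input can change the statement's structure, quoted context or not.
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    row = conn.execute("SELECT id FROM users WHERE username = ? AND pw_hash = ?",
                       (username, pw_hash)).fetchone()
    return row[0] if row else None


def lookup_escaped(conn, user_id):
    # Numeric context: the value is not quoted, so escaping quotes changes
    # nothing and "0 OR 1=1" runs as SQL. This is the gap escaping leaves open.
    sql = f"SELECT username FROM users WHERE id = {escape_quotes(user_id)}"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_param(conn, user_id):
    # Validate the type first, then bind it; a non-integer never reaches SQL.
    try:
        uid = int(user_id)
    except ValueError:
        return None
    row = conn.execute("SELECT username FROM users WHERE id = ?", (uid,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable bypass:", login_vulnerable(db, "admin' --", "wrong"))  # 1
    print("escaped bypass:   ", login_escaped(db, "admin' --", "wrong"))     # None
    print("param bypass:     ", login_param(db, "admin' --", "wrong"))       # None
    print("escaped numeric:  ", lookup_escaped(db, "0 OR 1=1"))              # admin
    print("param numeric:    ", lookup_param(db, "0 OR 1=1"))                # None
```

The escaped login holds up against the comment payload, but `lookup_escaped` shows why escaping alone is the wrong habit to build: it protects one context (a quoted string) and silently does nothing in another (a bare number). Binding parameters fixes both with the same code shape, which is why it is the recommended fix rather than sprinkling escape calls across each query.
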
BrandonD-1528 02-04-2011 22:40

Re: Hacked (For real this time)
 
I'm aware of that... unfortunately, at the time some pieces of the site were written, I wasn't. I'll be fixing it.

This might actually have taken us out of the running for website award at the Livonia district this weekend, since I don't know when the hacking occurred. Depending on how soon I can assess the damage and repair it, we might be out of the running at Michigan's state competition as well.

All I want is to find out who did it... I don't appreciate my site being hacked, even in example.

keehun 02-04-2011 22:50

Re: Hacked (For real this time)
 
I think the actual hacking wasn't wise... However, forward-looking, I'm wondering why you guys are reinventing the wheel.

The only admin panel I have on our website is through FTP. Our website is done through Smarty templating system, which makes individual content-files very very simple. The backend files can be very complex, but the actual content-editing part can be very very simple.

Every team should look into that... Or use a CMS that has already been established to reduce another attack such as this. It was unfair that your site was hacked, but it is the real world. There are no rules in the real world.

Keehun
Team 2502

BrandonD-1528 02-04-2011 23:43

Re: Hacked (For real this time)
 
At any rate, both holes have been repaired, and I'm bringing the site back up. If anyone notices some holes, please let me know via PM on here. Thanks.

Vikesrock 03-04-2011 00:15

Re: Hacked (For real this time)
 
I highly doubt this was an FRC team member. Most likely an automated script of some sort. You're lucky it was fairly friendly.

remulasce 03-04-2011 03:33

Re: Hacked (For real this time)
 
Luckily for you, security is not a criterion of the website award.

TJ92 03-04-2011 08:33

Re: Hacked (For real this time)
 
Quote:

Originally Posted by BrandonD-1528 (Post 1048557)
I'm aware of that... unfortunately, at the time some pieces of the site were written, I wasn't. I'll be fixing it.

This might actually have taken us out of the running for website award at the Livonia district this weekend, since I don't know when the hacking occurred. Depending on how soon I can assess the damage and repair it, we might be out of the running at Michigan's state competition as well.

All I want is to find out who did it... I don't appreciate my site being hacked, even in example.

Actually I believe once you win it at one district, you are ineligible at another because all 9 district winners compete for the state website award. It wouldn't make for a very full field if the same teams won the website district award every time. On a side note: http://en.wikipedia.org/wiki/The_Boy_Who_Cried_Wolf.
I'm not saying people won't believe you now, because you have made the case pretty clear to me and others that this is what occurred. But I hope there was a lesson learned in this. I would also assume you alerted Mr. Ketron.

BrandonD-1528 03-04-2011 10:14

Re: Hacked (For real this time)
 
No, I haven't had the chance to get a hold of Ketron yet.

In response to the other post, an automated script is very unlikely, because it changed very specific things unique to the website. Also, I did not say it was an FRC team that did it, but it still may have been.

And thanks for clearing up the award eligibility thing. I'm glad this situation won't affect us.

Dustin Shadbolt 03-04-2011 12:32

Re: Hacked (For real this time)
 
Sorry it happened, but you could be kind of glad. It wasn't as bad as it could have been. They were kind enough just to show you the holes in a way and not completely trash everything.

Teams need to remember if you do go and re-make the wheel, you need to make security high up on the list. That's the benefit of using a pre-made CMS. Just take it with a grain of salt, and move on. At least it's now a more secure site.

johnmaguire2013 03-04-2011 15:08

Re: Hacked (For real this time)
 
And remember to make backups FREQUENTLY.

JesseK 03-04-2011 16:18

Re: Hacked (For real this time)
 
Yet another very real life lesson learned via FRC! SQL injection is how Anonymous hacked HBGary (well, it's how the hack started...). Very scary stuff; you can read about it on arstechnica.com.

You may be able to ftp into the site, see WHEN the files were modified (if you haven't modified them), and then correlate that with IP access logs (if you keep them). That should tell you what region of the world it came from.

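JesseK's suggestion above, correlating the file's modification time with the web server's access log, as an added example that is not part of the original thread. The script assumes the host keeps an Apache-style "combined" access log and that the mtime of admin/settings.php was read from the server (os.stat over SSH, or the FTP MDTM command); the log lines here are constructed with RFC 5737 documentation addresses, and the window size is a choice for the example. It finds requests to the modified page close to the mtime and groups them by client IP; it does not attempt geolocation.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed log lines, not the real site's logs.
SAMPLE_LOG = """\
192.0.2.44 - - [02/Apr/2011:20:10:02 -0500] "GET /admin/settings.php HTTP/1.1" 200 1834 "-" "curl/7.21"
203.0.113.7 - - [02/Apr/2011:21:41:12 -0500] "GET /admin/settings.php HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
198.51.100.23 - - [02/Apr/2011:21:41:50 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Apr/2011:21:42:03 -0500] "POST /admin/settings.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
not a log line
"""

# Modification time of admin/settings.php as reported by the server; constructed
# here to coincide with the POST above (the write that rewrote the file).
MTIME = datetime(2011, 4, 2, 21, 42, 3, tzinfo=timezone(timedelta(hours=-5)))


def parse_line(line):
    """Parse one combined-format line; return None for anything that does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


def suspects(log_text, mtime, path="/admin/settings.php", window=timedelta(minutes=10)):
    """Return {ip: [(timestamp, method, status), ...]} for requests to `path`
    within `window` of the file's mtime. The write shows up as a POST right
    before mtime; earlier GETs from the same IP are the reconnaissance."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, req_path, status = rec
        if req_path == path and abs(ts - mtime) <= window:
            hits[ip].append((ts, method, status))
    return dict(hits)


if __name__ == "__main__":
    for ip, reqs in suspects(SAMPLE_LOG, MTIME).items():
        print(ip, [(t.isoformat(), m, s) for t, m, s in reqs])
```

Widen the window if the mtime and the log clock are not known to agree, and treat the result as a lead rather than an identity: a shared or dynamically assigned address (see the next reply) only tells you which network the request came through.
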
BrandonD-1528 03-04-2011 16:24

Re: Hacked (For real this time)
 
The issue apparently was that part of the admin panel inadvertently didn't require login to function properly, and so someone was able to change that one file, so really, unless I logged every action, there would be no way to log the IP. Everything should be fixed now anyway, so I'd say I'm good now.

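The failure described in the post above, an admin page that ran without checking for a login, is easy to repeat whenever each page does its own check. The following is an added example and not ScurvyCMS code: a small Python dispatcher standing in for the PHP front controller, which applies the login requirement to every path under /admin/ in one place, so a page that forgets its own check is still protected. The route names, the session dict and the settings store are assumptions made for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Request:
    path: str
    method: str = "GET"
    form: dict = field(default_factory=dict)
    # Session as a plain dict for the example; a real app would load it from a
    # server-side store keyed by a signed cookie.
    session: dict = field(default_factory=dict)


class Site:
    def __init__(self):
        # Constructed settings, the same kind of fields the hacked settings.php held.
        self.settings = {"title": "Monroe Trojan Robotics",
                         "footer2": "Running ScurvyCMS"}
        self.routes = {
            "/index.php": self.index_page,
            "/admin/settings.php": self.settings_page,
        }

    def index_page(self, req):
        return 200, "public home page"

    def settings_page(self, req):
        # Deliberately no login check here: this is the page-level omission from
        # the thread. The dispatcher below is what keeps it from being reachable.
        if req.method == "POST":
            for key in self.settings:
                if key in req.form:
                    self.settings[key] = req.form[key]
            return 200, "saved"
        return 200, repr(self.settings)

    def dispatch(self, req):
        handler = self.routes.get(req.path)
        if handler is None:
            return 404, "not found"
        # Central gate: everything under /admin/ requires a logged-in user,
        # whether or not the individual page remembers to check.
        if req.path.startswith("/admin/") and not req.session.get("user"):
            return 403, "login required"
        return handler(req)


if __name__ == "__main__":
    site = Site()
    print(site.dispatch(Request("/admin/settings.php", "POST", {"title": "HAXORED"})))
    print(site.settings["title"])
    print(site.dispatch(Request("/admin/settings.php", "POST", {"title": "New"},
                                {"user": "brandon"})))
    print(site.settings["title"])
```

The point of the central gate is that the list of protected paths lives in one place and defaults to denying, so adding a new admin page cannot reopen the hole. Calling `settings_page` directly still writes without a check, which is exactly why the check has to sit in front of the pages rather than inside each of them.
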
MishraArtificer 03-04-2011 16:33

Re: Hacked (For real this time)
 
Quote:

Originally Posted by JesseK (Post 1048794)
You may be able to ftp into the site, see WHEN the files were modified (if you haven't modified them), and then correlate that with IP access logs (if you keep them). That should tell you what region of the world it came from.

...unless they were using dialup, and their IP address changed when they logged off and back in.

And don't laugh, I had dialup access only here at the house until just this year.



Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2017, Jelsoft Enterprises Ltd.
Copyright © Chief Delphi