Hacked (For real this time)

[BrandonD-1528]

No, this isn't about the competition, but about our website. I got a text message tonight stating that our site was down. When I looked at it, I saw:

Parse error: syntax error, unexpected T_STRING in /home1/ipirates/public_html/admin/settings.php on line 6

Which led me to believe the file was not intact. Upon taking a look at the file, I saw that it had been modified by someone. It says:

Code:

<?php
   $title = "HAXORED";
   $copyright = "&copy;2009-2011 Monroe Trojan Robotics";
   $footer1 = "Logos of FIRST and our sponsors are trademarks of their respective owners. All rights reserved.";
   $footer2 = "Running ScurvyCMS, coded by Brandon Dusseau. Your site is vulnerable to SQL injection.";
   $footer3 = "Also your <a href="[omitted]">[omitted]</a> page is wide open.";
  ?>

What I'd like to know is who is responsible for this. I'm not pointing fingers or anything, but at least they could have emailed us instead of poking around in our site settings. Looks like I get to go on a code hunt and check the database for issues. This should be fun, considering there are no backups.

I realize I have to sanitize my login input for the admin panel with SQL Injection prevention... I don't feel like messing with it though, because I'm tired from the competition. So thank you mysterious hacker, you've made my day difficult.

[BigJ]

I believe PHP has a string sanitization function built in, somewhere.

[plnyyanks]

Quote:

Originally Posted by BigJ

I believe PHP has a string sanitization function built in, somewhere.

to escape inputs use:

Code:

mysql_real_escape_string($string);

[BrandonD-1528]

I'm aware of that... unfortunately, at the time some pieces of the site were written, I wasn't. I'll be fixing it.

This might actually have taken us out of the running for website award at the Livonia district this weekend, since I don't know when the hacking occurred. Depending on how soon I can assess the damage and repair it, we might be out of the running at Michigan's state competition as well.

All I want is to find out who did it... I don't appreciate my site being hacked, even in example.

[keehun]

I think the actual hacking wasn't wise... However, forward-looking, I'm wondering why you guys are reinventing the wheel.

The only admin panel I have on our website is through FTP. Our website is done through Smarty templating system, which makes individual content-files very very simple. The backend files can be very complex, but the actual content-editing part can be very very simple.

Every team should look in to that... Or use a CMS that has already been established to reduce another attack such as this. It was unfair that your site was hacked, but it is the real world. There are no rules in the real world.

Keehun
Team 2502

[BrandonD-1528]

At any rate, both holes have been repaired, and I'm bringing the site back up. If anyone notices some holes, please let me know via PM on here. Thanks.

[Vikesrock]

I highly doubt this was an FRC team member. Most likely an automated script of some sort. You're lucky it was fairly friendly.

[remulasce]

Luckily for you, security is not a criterion of the website award.

[TJ92]

Quote:

Originally Posted by BrandonD-1528

I'm aware of that... unfortunately, at the time some pieces of the site were written, I wasn't. I'll be fixing it.

This might actually have taken us out of the running for website award at the Livonia district this weekend, since I don't know when the hacking occurred. Depending on how soon I can assess the damage and repair it, we might be out of the running at Michigan's state competition as well.

All I want is to find out who did it... I don't appreciate my site being hacked, even in example.

Actually I believe once you win it at one district, you are ineligible at another because all 9 district winners compete for the state website award. It wouldn't make for a very full field if the same teams won the website district award every time. On a side note: http://en.wikipedia.org/wiki/The_Boy_Who_Cried_Wolf .
I'm not saying people won't believe you now, because you have made the case pretty clear to me and others that this is what occurred. But I hope there was a lesson learned in this. I would also assume you alerted Mr. Ketron.

[BrandonD-1528]

No, I haven't had the chance to get a hold of Ketron yet.

In response to the other post, an automated script is very unlikely, because it changed very specific things unique to the website. Also, I did not say it was an FRC team that did it, but it still may have been.

And thanks for clearing up the award eligibility thing. I'm glad this situation won't affect us.

[Dustin Shadbolt]

Sorry it happened, but you could be kind of glad. It wasn't as bad as it could have been. They were kind of enough just to show you the holes in a way and not completely trash everything.

Teams need to remember if you do go and re-make the wheel, you need to make security high up on the list. That's the benefit of using a pre-made CMS. Just take it with a grain of salt, and move on. At least it's now a more secure site.

[johnmaguire2013]

And remember to make backups FREQUENTLY.

[JesseK]

Yet another very real life lesson learned via FRC! SQL injection is how Anonymous hacked HBGary (well, it's how the hack started...). Very scary stuff; you can read about it on arstechnica.com.

You may be able to ftp into the site, see WHEN the files were modified (if you haven't modified them), and then correlate that with IP access logs (if you keep them). That should tell you what region of the world it came from.

[BrandonD-1528]

The issue apparently was that part of the admin panel inadvertently didn't require login to function properly, and so someone was able to change that one file, so really, unless I logged every action, there would be no way to log the IP. Everything should be fixed now anyway, so I'd say I'm good now.

[MishraArtificer]

Quote:

Originally Posted by JesseK

You may be able to ftp into the site, see WHEN the files were modified (if you haven't modified them), and then correlate that with IP access logs (if you keep them). That should tell you what region of the world it came from.

...unless they were using dialup, and their IP address changed when they logged off and back in.

And don't laugh, I had dialup access only here at the house until just this year.