Hacked (For real this time)

No, this isn’t about the competition, but about our website. I got a text message tonight stating that our site was down. When I looked at it, I saw:

Parse error: syntax error, unexpected T_STRING in /home1/ipirates/public_html/admin/settings.php on line 6

Which led me to believe the file was not intact. Upon taking a look at the file, I saw that it had been modified by someone. It says:

   $title = "HAXORED";
   $copyright = "©2009-2011 Monroe Trojan Robotics";
   $footer1 = "Logos of FIRST and our sponsors are trademarks of their respective owners. All rights reserved.";
   $footer2 = "Running ScurvyCMS, coded by Brandon Dusseau. Your site is vulnerable to SQL injection.";
   $footer3 = "Also your <a href="[omitted]">[omitted]</a> page is wide open.";

What I’d like to know is who is responsible for this. I’m not pointing fingers or anything, but at least they could have emailed us instead of poking around in our site settings. Looks like I get to go on a code hunt and check the database for issues. This should be fun, considering there are no backups.

I realize I have to sanitize my login input for the admin panel with SQL Injection prevention… I don’t feel like messing with it though, because I’m tired from the competition. So thank you mysterious hacker, you’ve made my day difficult.

I believe PHP has a string sanitization function built in, somewhere.

To escape inputs, use:


I’m aware of that… unfortunately, at the time some pieces of the site were written, I wasn’t. I’ll be fixing it.
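As an added illustration (not the site's code, and not the escaping function the previous reply had in mind), the following uses an in-memory SQLite table to show why the login described above could be bypassed by the payloads later quoted in this thread, and why a parameterized query is not: the concatenated version lets the input become SQL text, the placeholder version sends it only as data. The table and the credentials are constructed for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed sample data: a stand-in for the admin-login table,
    # not the site's real schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # String concatenation: whatever the user typed becomes part of the
    # SQL statement itself, so quotes, OR and -- are interpreted as SQL.
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        # A payload that breaks the syntax just fails; a well-formed one
        # rewrites the WHERE clause (see the assertions below).
        return None
    return row[0] if row else None


def login_parameterized(conn, username, password):
    # Placeholders: the driver binds the values separately from the SQL
    # text, so the same payloads are compared literally and match no row.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None
```

With the username field set to `' OR '1'='1'--`, the concatenated WHERE clause collapses to `username = '' OR '1'='1'` and the rest is commented out, so the first row comes back without a password.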

This might actually have taken us out of the running for website award at the Livonia district this weekend, since I don’t know when the hacking occurred. Depending on how soon I can assess the damage and repair it, we might be out of the running at Michigan’s state competition as well.

All I want is to find out who did it… I don’t appreciate my site being hacked, even in example.

I think the actual hacking wasn’t wise… However, forward-looking, I’m wondering why you guys are reinventing the wheel.

The only admin panel I have on our website is through FTP. Our website is done through the Smarty templating system, which makes individual content files very very simple. The backend files can be very complex, but the actual content-editing part can be very very simple.

Every team should look into that… Or use a CMS that has already been established to reduce another attack such as this. It was unfair that your site was hacked, but it is the real world. There are no rules in the real world.

Team 2502

At any rate, both holes have been repaired, and I’m bringing the site back up. If anyone notices some holes, please let me know via PM on here. Thanks.

I highly doubt this was an FRC team member. Most likely an automated script of some sort. You’re lucky it was fairly friendly.

Luckily for you, security is not a criterion of the website award.

Actually I believe once you win it at one district, you are ineligible at another because all 9 district winners compete for the state website award. It wouldn’t make for a very full field if the same teams won the website district award every time. On a side note: http://en.wikipedia.org/wiki/The_Boy_Who_Cried_Wolf.
I’m not saying people won’t believe you now, because you have made the case pretty clear to me and others that this is what occurred. But I hope there was a lesson learned in this. I would also assume you alerted Mr. Ketron.

No, I haven’t had the chance to get a hold of Ketron yet.

In response to the other post, an automated script is very unlikely, because it changed very specific things unique to the website. Also, I did not say it was an FRC team that did it, but it still may have been.

And thanks for clearing up the award eligibility thing. I’m glad this situation won’t affect us.

Sorry it happened, but you could be kind of glad. It wasn’t as bad as it could have been. They were kind enough just to show you the holes in a way and not completely trash everything.

Teams need to remember if you do go and re-make the wheel, you need to make security high up on the list. That’s the benefit of using a pre-made CMS. Just take it with a grain of salt, and move on. At least it’s now a more secure site.

And remember to make backups FREQUENTLY.

Yet another very real life lesson learned via FRC! SQL injection is how Anonymous hacked HBGary (well, it’s how the hack started…). Very scary stuff; you can read about it on arstechnica.com.

You may be able to ftp into the site, see WHEN the files were modified (if you haven’t modified them), and then correlate that with IP access logs (if you keep them). That should tell you what region of the world it came from.

The issue apparently was that part of the admin panel inadvertently didn’t require login to function properly, and so someone was able to change that one file, so really, unless I logged every action, there would be no way to log the IP. Everything should be fixed now anyway, so I’d say I’m good now.

…unless they were using dialup, and their IP address changed when they logged off and back in.

And don’t laugh, I had dialup access only here at the house until just this year.

I had dialup until November 2009, and I still use it at my dad’s. I know the feeling.

I have dynamic IPs with my current DSL ISP. Even so, there isn’t much you can do with an IP address short of giving it to the police, or the ISP. And the ISP keeps logs for at least a while of who has what IP address for how long.

An update… I checked the IP logger I implemented yesterday and found this:

04/03/2011 12:41:03 - -  - FAILED ATTEMPT
04/03/2011 13:02:09 - - ' OR '1'='1'-- - FAILED ATTEMPT
04/03/2011 13:02:17 - - ' OR '1'='1 - FAILED ATTEMPT
04/03/2011 13:02:22 - -  - FAILED ATTEMPT
04/03/2011 13:02:23 - -  - FAILED ATTEMPT

The IP traces to AT&T’s Livonia node, which covers a good chunk of Southeast Michigan. Any ideas?
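An added example, not the IP logger the post describes: a small parser and two checks run over the five quoted lines. It assumes the blank field between the dashes is the omitted IP address and that the dates are US-style month/day/year. It flags usernames that carry SQL syntax (quote followed by OR/AND, a trailing `--`, a comment opener or statement separator) and reports when several failed logins land inside a short window, which is the pattern a site owner would want an alert on.

```python
import re
from datetime import datetime, timedelta

# The five lines quoted in the post above (IP field left blank as posted).
LOG_LINES = [
    "04/03/2011 12:41:03 - -  - FAILED ATTEMPT",
    "04/03/2011 13:02:09 - - ' OR '1'='1'-- - FAILED ATTEMPT",
    "04/03/2011 13:02:17 - - ' OR '1'='1 - FAILED ATTEMPT",
    "04/03/2011 13:02:22 - -  - FAILED ATTEMPT",
    "04/03/2011 13:02:23 - -  - FAILED ATTEMPT",
]

# timestamp - <blank ip> - username - result   (assumed layout)
LINE_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) - -\s*(.*?)\s*- (FAILED ATTEMPT|SUCCESS)$"
)
# Quote followed by OR/AND, SQL line comment, block comment or separator.
INJECTION_RE = re.compile(r"'\s*(or|and)\b|--|/\*|;", re.IGNORECASE)


def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    # Assumed US date format (month/day/year), as in the quoted lines.
    when = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S")
    return {"time": when, "user": m.group(2), "failed": m.group(3) == "FAILED ATTEMPT"}


def looks_injected(value):
    return bool(INJECTION_RE.search(value))


def analyze(lines, window=timedelta(seconds=60), threshold=3):
    """Return the injection-looking usernames and the time at which the
    failed-login count inside `window` first reached `threshold`."""
    events = [e for e in (parse(l) for l in lines) if e]
    injected = [e["user"] for e in events if looks_injected(e["user"])]
    fails = [e["time"] for e in events if e["failed"]]
    first_burst = None
    for i, t in enumerate(fails):
        recent = [u for u in fails[: i + 1] if t - u <= window]
        if len(recent) >= threshold:
            first_burst = t
            break
    return {"injected": injected, "first_burst": first_burst}
```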

Yep, that’s your run-of-the-mill SQL Injection attack. Since the person didn’t actually gain access to your site, I don’t think that’s actually illegal. It’s probably the same person as before though, so you could try going to the ISP/Police. I kinda doubt they will spend time on a simple injection with no real damage (except that you had to fix your site).

To be more specific, we found it traces to somewhere near the corner of 5-mile and Farmington in Livonia, which happens to be near the location of Churchill High School.