Website hаck

Started by brknny, Jul 05, 2022, 08:06 AM

Previous topic - Next topic

brknnyTopic starter

I wrote my mini cms. Wrote and left on the Internet. And somehow I come, I look at the site, they hаcked and wrote all sorts of nasty things =)
Children probably. The fact is that the password from the site was simple.
The question is, did the hаckers guess the password, or is there really a hole in the script.
The hooligans also climbed in the settings and this is most frightening, since after them the following data remained:

    Upload photo width: Empty
    Photo preview width: Empty
    Photo folder: ../../../../etc/
    Number of records displayed in the table per page: Empty


authorization looks like this:
//authorization
if (isset($_POST['password']))
{
$sql=mysql_query("SELECT * FROM `other` WHERE `id`='admin_password'"); while ($req = mysql_fetch_assoc($sql)){$md5_pass=$req['key'];}
if(md5($_POST['password']) != $md5_pass) $error_authorization="wrong password!<br>"; else {$_SESSION['login']='admin'; $md5_pass='';}
}
if(empty($_SESSION['login']))
    {
    echo "<form method='post'>
    $error_authorization
    Пароль<br>
    <input type='password' name='password'><br>
    <input type='submit' value='Войти' name='rederect_submit'>";
    }
else
    {
//admin
}
  •  

nesterland

Throw in each folder, index.[ php | html] file .
Change the folder login  in the admin panel to a different name.
Record everything  to database. who and what visits your site, any of the pages, including get and post requests.

You can also change the access rights to the files themselves. Especially to the configuration file, if it exists of course. This is the minimum that I can advise you ... Well, of course, you need to select your password more strongly.
I didn't read the code, this format., My eyes can't stand it.
  •  

jainteq

 Use an SSL certificate
Thanks to the HTTPS connection, which provides an SSL certificate, all data transmitted through your server is encrypted and cannot be intercepted by hаckers. An SSL certificate is a security standard, especially for e-commerce sites where transactions take place. In addition, Google itself strongly recommends sites to use HTTPS encryption and ranks such resources higher in search results.
 If you haven't switched to HTTPS yet, it's time to do it. SSL from the most famous certification authorities with free connection and support is provided by Hostpro web  hosting provider.

 Choose secure hosting
A high-quality web hosting provider will always provide an appropriate level of security to its clients' websites. At a minimum, this is a backup, thanks to which you can restore all the website data if something suddenly goes wrong.
As a maximum – DDoS protection and antivirus in the tariff. Hostpro, for instance, makes backups of its clients' sites on servers in Ukrainian and foreign (France, the Netherlands) data centers every night. In addition, ImunifyAV+ antivirus and DDoS protection are provided with web hosting tariffs.

 Strengthen access control and protect passwords
Use two-factor authentication when logging into the admin area of the site, social network accounts, email, cloud services and other resources. You will have to enter an additional code from an SMS message, an application, scan your fingerprint or retina every time you log in to your account, but it's worth it.

You need a strong password for the website admin panel, because it is, in fact, the easiest way for hаckers to gain access to all important data – both yours and the client's. The perfect password:

✔️ Consists of at least 12 digits, special characters and uppercase and lowercase letters.

✔️ Does not contain personal information, such as name/birthday, which can be found out from the network.

✔️ Each account has its own password.

✔️ Change passwords periodically. For online financial accounts, this needs to be done twice a month. It is better to change login passwords at least once a quarter. If you use the same password for a longer time, the risk of data leakage increases significantly.

 Always update the software
Regularly update the antivirus and other related software of your site. If this is not done, anyone, including hаckers, can gain unauthorized access to confidential data due to security vulnerabilities that could be eliminated by upgrading to the latest version of the software.
Also, make sure that your operating systems are updated and supported by the manufacturer. Using an outdated or unsupported OS will make your website
 vulnerable to malware, data leakage and, finally, to loss of functionality.

 Provide backup of your website
Data backup is crucial to ensure the continuity of your business. Backups will allow you to recover quickly after a cyberattack or other unwanted incidents, such as equipment failure, for instance.
The easiest way to provide periodic backups is to choose a web hosting provider that makes backups of their customers' data daily. This way you will always know that your site's data is safe.

 Hide admin directories
hаckers can gain access to your website's data by going directly to the admin directories. They use scripts that scan all directories on your web server in search of directory names such as "admin", "login" and "administrator". Most content management systems (CMS) allow you to rename folders, so choose the names of the administrator directories that are known only to your webmaster to avoid the possibility of data leakage.

You can also protect admin directories from indexing by search engines using the file robots.txt .
  •