HI All,

After my previous article named – When I was phished – which was based on a real life experience, I am writing a similar articled named – When my website was defaced – which is again based on a true life experience.

I am running a web site named The Admins – http://www.theadmins.info – . One fine morning, when I opened the site, I noticed that the title bar of the web site changed to some pseudo code like sentences. I realized that my site was defaced. Now what? The pseudo code was indicating that my site is vulnerable to some SQL injection. I did some research and I got the answer immediately. I thought I would like to share it with the EH-Net community so that we all are aware of the latest happenings. The message of the story is

• The importance of patch management,
• The importance of a contingency plan,
• The importance of backup,
• The importance of secure coding practices, and
• The truth that there is nothing known as 100 percent security.

Lets get into the real life example. Some info – Vulnerable Application – PHP 7.8

Go to the Search Module as shown in the below screen shot:



Enter the below mentioned string and press enter


You will get the result which will show you the encrypted password and the admin user name as shown in the screenshot.



Go to http://gdataonline.com/seekhash.php and enter the encrypted password. You should will get the password in plain text (decrypted format). That’s all, go to http://www.targetsite.com/admin.php and enter the obtained login credentials – you are inside the website control panel.

Preventive measures

1.   If you cannot upgrade to the latest version, disable the search module.
2.   Upgrade to PHP Nuke 7.9 or 8.0

Conclusion

The above example shows how a person can get into the admin panel without any programming or technical knowledge in just less than 1 minute. This brings us to the very important concept of Information Security and its related domains. Had the programmer and the project manager followed the secure coding standards, such critical errors could have been avoided.

Please comment on your similar experiences.

Regards,

Morpheus

What I've realized is the huge tradeoff you make by going with a popular product like wordpress, phpnuke, mamba, etc. You pick it because of the good support and large userbase, however then you are constantly forced to upgrade month after month or else be subject to attack from the skriddies. It becomes a major headache once you make customizations to your site, which may or maybe not be wiped out by an upgrade. Just something to think about. I made my choice, however if I had to do over again, I may have gone with something less popular so I wouldn't have to upgrade constantly. I may have had to spend more time getting it configured, but only had to update it once a year or even 2 years. I had to upgrade 6 times in 1.5 years with my product and I hated it, because many of the upgrades break stuff and you have to roll back and wait for the next upgrade. And the one time you slack or go on vacation, you come back and your site is p0wn3d.