Servers hacked. How to protect it?

@@Arei

But how they could know the tables of my script to make an SQL Injection?

I also paid SiteLock to protect my website against SQL Injection, Malwares, virus...but they still hacked somehow.

 
@@Yoh Asakura

Well, I personally don't believe that a server provider could offer you a service to protect you from SQL injections, I might be wrong, but I really don't see how someone could do that unless they would look into your code and fix SQL injections exploit themselves.

As I said I'm not a security expert (I hope actual security experts won't hesitate to correct me if I'm wrong), but an SQL injection is not really related to the tables you are using in your scripts.

Let's pretend you have the following code in one of your RO scripts :

input .@mob_id$;
query_sql("select iName from mob_db where ID=" + .@mob_id$ + "", .@mob_name$);

Now let's pretend the user prompting this script enters "1;drop table inventory;" (without the quotes) the query would become :

select iName from mob_db where ID=1;drop table inventory;

Which is valid SQL code to select from mob_db where ID=1 AND drop table inventory. Someone hacking an Athena-related database can easily assume table names and execute code to his liking accordingly.

Sure this code won't allow the hacker to get your account list with passwords, but it still allows him to drop your inventory table.

This code is for example sake and a SQL exploit won't always be *that* big, but it is still a good practice to filter user input when you are about to use it for a SQL query.

Good luck with your server.


 
@@Arei

I just called SiteLock and they've told me that I might have a Firewall, and they can provide me a good one, that helps to protect against SQL Injections, and they also have the deep scan...malwares, virus, malicious codes. SQL Injection Scan, etc. But it's like between $50~$140/month.

 
Mostly it's due to SQL injection, but that site doesn't help a lot; you need to check your script and all things that connect to SQL from the web. Or it might also be some password guessing.

 
@@Yoh Asakura

In that case yes, they may have automated scripts that would look into your sources and detect potential SQL injection exploits, but the code must still be fixed since there is just no way for the MySQL server or any firewall AFAIK to guess if a given query is legit or containing a malicious injection.

Personally I really don't think it's worth the price since you can fix these issues yourself relatively easily (and probably will have to do it yourself even with a script warning you). All you have to do is use a function to escape special characters from user input before passing it to a query. So :

Hercules :

.@escaped_string$ = escape_sql(.@input_string$);

PHP :

$escaped_string = $mysqli_instance->real_escape_string($input_string);

I understand digging into your scripts sounds tedious, but if your problem really comes from SQL injections in RO scripts, you probably won't have any other choice.
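Added example, not part of the original post: escaping special characters does not protect an unquoted numeric context like the `ID=` query earlier in the thread, because an input can change the query without using any quote character, while a validated, bound parameter cannot. It uses Python with an in-memory SQLite database standing in for the MySQL server; the sample rows and the `escape_quotes` helper are constructed stand-ins.

```python
import re
import sqlite3

def make_db():
    # Constructed sample rows; table and column names follow the post's query.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE mob_db (ID INTEGER PRIMARY KEY, iName TEXT);
        INSERT INTO mob_db VALUES (1001, 'Scorpion'), (1002, 'Poring'), (1003, 'Hornet');
    """)
    return db

def escape_quotes(value):
    # Hypothetical stand-in for escape_sql()/real_escape_string(): handles quotes only.
    return value.replace("'", "''")

def lookup_concat(db, mob_id):
    # Pattern from the post: escaped input concatenated into an unquoted numeric context.
    sql = "SELECT iName FROM mob_db WHERE ID=" + escape_quotes(mob_id)
    return sorted(row[0] for row in db.execute(sql))

def lookup_bound(db, mob_id):
    # Accept only a plain decimal ID, then bind it so it is never parsed as SQL.
    if not re.fullmatch(r"[0-9]{1,9}", mob_id):
        return []
    rows = db.execute("SELECT iName FROM mob_db WHERE ID=?", (int(mob_id),))
    return sorted(row[0] for row in rows)

if __name__ == "__main__":
    db = make_db()
    for text in ("1002", "0 OR 1=1", "1;drop table inventory;"):
        print(repr(text), "bound ->", lookup_bound(db, text))
    print("concat with escaping ->", lookup_concat(db, "0 OR 1=1"))
```

The same rule applies to the Hercules and PHP snippets: escape strings that go inside quotes, and check that numeric input is really a number before it reaches the query.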

 
@@Arei

Follow some screenshots of my server email.

These things also appeared on my login table from my server database.

It was definitely SQL Injection through my website contact page and also through my website donation confirmation page.

email.jpg

injected.jpg

injected2.jpg

 
These of course are SQL injections + XSS (Cross-Site Scripting) exploit attempts. If these appeared on your login DB I would say again that your CP is at fault (or at the very least a PHP script with an unprotected login/account form); I really, really doubt these injections could have been done via your client login screen.

Another possibility would be some kind of account "protection" or "security" RO script using unfiltered user input inside a query on your login table, but when looking at your screens it reeks like an unprotected login/account form lying somewhere...

 
@@Arei

Maybe the registration form from my website...

Anyway I won't use any CP/FluxCP as recommended by @@Dastgir

 
At least it can't hurt to disable these tools until you locate the precise source of the problem if it puts a stop to these attacks.

I assumed FluxCP would be relatively safe from injection due to PDO prepared statements, but then again, no software is 100% secure AFAIK.

Last thing: it might be also worth looking if you are not using FluxCP addons/themes that would allow such an exploit to exist. It would actually be extremely easy to put such an exploit for malicious intents, I guess it also might happen accidentally as well.

Good luck


 
A lot of things that are open source can -potentially- get hacked. Hence the words "open source". FluxCP, although open source, is still -relatively- updated compared to Ceres. Your best bet is to really check any NPCs that use SQL queries. And, any poorly produced website scripts that connect to your SQL table.

 
@@Arei

I appreciate the support you gave me.

I didn't use any FluxCP custom themes nor even custom addons.

I believe they did the SQL Injection because of my website...the coder just told me that the php of my website was very old and he will update all now and make it better.

 
What if they hacked your first CP, then uploaded a shell to your server somewhere (as separated file or by modifying some other php file), and it stays here? Even if you reinstall CP or change it, shell-script would still be there, and hacker could still access your server with it.

In that case, I would fix the security issue (if I know where it is), then reinstall the webserver from scratch by reuploading fresh files again, so no other unneeded/suspicious script is left there.
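Added example, not part of the original post: one way to spot a leftover file of the kind described above is to hash a fresh copy of the CP and the live web root, then list the files that were added or modified. The directory layout and file contents are constructed sample data.

```python
import hashlib
import os
import tempfile

def manifest(root):
    # Map each file's path (relative to root) to the SHA-256 of its content.
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                out[rel] = hashlib.sha256(fh.read()).hexdigest()
    return out

def compare(fresh_root, live_root):
    # Files that exist only on the live server, and files whose content differs.
    fresh, live = manifest(fresh_root), manifest(live_root)
    added = sorted(p for p in live if p not in fresh)
    modified = sorted(p for p in live if p in fresh and live[p] != fresh[p])
    return added, modified

def write(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)

def build_sample():
    # Constructed sample: a fresh download and a live copy with two changes.
    base = tempfile.mkdtemp()
    fresh, live = os.path.join(base, "fresh"), os.path.join(base, "live")
    for root in (fresh, live):
        write(root, "index.php", "<?php echo 'home'; ?>")
        write(root, "contact.php", "<?php echo 'contact'; ?>")
    write(live, "contact.php", "<?php echo 'contact'; /* appended code */ ?>")
    write(live, "uploads/avatar.php", "<?php /* unexpected file */ ?>")
    return fresh, live

if __name__ == "__main__":
    added, modified = compare(*build_sample())
    print("added:", added)
    print("modified:", modified)
```

Expected differences such as local configuration files or user uploads will also be listed, so every entry needs a manual look before the fresh files are reuploaded.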

 
a warning from me to all Brazilian users (and to op):

DON'T EVER EVER USE ANY BR CODE IF YOU DON'T HAVE ANY KNOWLEDGE TO REVIEW IT OR YOU WILL BE HACKED!

 
Thank you everyone in this topic that tried to help. I believe with all this information everyone can protect their servers more.

I'm going to change to another company. I'm still deciding between GoDaddy and OVH. GoDaddy is much more expensive than other companies, but their Managed VPS comes with DDoS protection and also SiteLock Firewall protection, daily backups and cPanel. OVH just comes with the DDoS Protection and we have to pay for the daily backups, but it would still be cheaper than GoDaddy.

 
OVH have web hosting plans with additional stuff included too: https://www.ovh.ie/web-hosting/

By itself, changing hosting is not going to help if the same security holes are still there. Anti-DDoS protects against overloading the site, not against security issues.

To prevent huge consequences from the site being hacked, I strongly recommend tuning the SQL access rights between the site and the game. Allow only the things that you need, and prevent anything else, like deleting or reading data that the site or a site user probably doesn't need.

Hope you'll manage to solve your case. Wish you best!

 
@@Nebraskka

As I said the problem was because my website was old, and the guy who made the website at that time he was not so good. But now he is updating all to me already.

Thank you anyway.

 
@@Yoh Asakura bro. My server has now been hacked too. WTF. I'm so sad.

huhu. Due to the lack of password strength. hmm.. after this I need to use SSH keys.

The hacker is using my server for DDoS and brute attack.

 
@@mrlongshen

These people must have a horrible life. I believe they have nothing better to do. It's a shame.

Try using symbols like $%{* and big and small letters and also numbers, for example D#w01^Csx*(W2@{am

 
@@Yoh Asakura yes it's true. Maybe they don't have a life. Now I have rebuilt my server again. Yeah, I now use SSH key authorization. So far only my laptop and PC can log in. Other devices can't. And also a combination of symbols, alphabet, big and small letters. By the way, is it possible to get hacked again, since I use SSH key authorization now?

 