0

The website for a client of mine continues to be "hacked" (I didn't do the website).The hacked pages contain a js script that loads an image and audio from youtube (Lol). Every page was modified and every page has a "news banner" .I'm pretty sure the problem is this part

    <?php 
$ul = new NewsList; 
$ul->Load(3); 
if($ul->Current() == null){ ?> 
<?php   } 
else{ 
for(; $ul->Current() != null; $ul->Next()){ 
$new = $ul->Current();

the complete implementation of this NewsList : http://pastebin.com/WuWjcJ4p

I'm not a php programmer so I don't get where the problem is....I'm not asking that someone going to explain every line, maybe only an advice , thank you

Improve this question
5
  • This does not look like the source of the described behavior. It’s accessing the database – or has that been compromised, too? Commented Mar 8, 2014 at 9:31
  • probably the script got inserted into the database. you'll need to check the database Commented Mar 8, 2014 at 9:32
  • scripts can get inserted if you don't clean your content before inserting into the db Commented Mar 8, 2014 at 9:33
  • @Gumbo Yes,I know it's totally crazy but the "web designer" thought that storing news into db is a good idea. The website was hacked Commented Mar 8, 2014 at 9:54
  • Gumbo Yes,I know it's totally crazy but the "web designer" thought that storing news into db is a good idea. The website was hacked 3/4 times,in the first one I found junk news into db; after that I commented the php part (what a desperate noob I am...) and changed password of everything: db ,ftp ,webspace ecc @Loïc thank you so much, I wasn' expecting someone write code,thank you again! News cannot be commented, simply the news is a longtext in db,so if you add to db the php page shows it (here's db) imgur.com/4uChIyV Commented Mar 8, 2014 at 10:02

1 Answer 1

Reset to default
1

Sounds like an SQL injection.

I believe the loadById() method is injectable (depending on how you call it).

Here is a way to strengthen it :

    function LoadById($id){
            $this->news = array();
            $this->current = 0;
            $this->total = 0;

            $ndb = new NewsDB('news');
            $result = $ndb->_query("SELECT * FROM ".$ndb->table." WHERE id = " . intval($id));
            $new = mysql_fetch_assoc($result);
            $n = new News($new['id'], $new['titolo'], $new['data'], $new['contenuto'], $new['img']);
            array_push($this->news, $n);
            unset($n);

            $this->total = 1;
    }

Someone might have stolen the passwords from administration using this security flaw and edited the articles from the back-office.

So I suggest you change this code, then change the passwords, delete all php sessions, and finally edit your articles to remove this "news banner".

Note that it might as well be a stored XSS. Do you have a system which allows to comment the news?

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.