Is using a standalone SQL file risky as opposed to using full MySQL? - mysql

On my under development website I am using a standalone SQL database file, users.db, to store user login details.
I am wondering though: Should I be using full MySQL integrated to the server like PHPMyAdmin? Is my current "solution" as risky as I think?
I am handling it this way as it means easy access from a number of utilities, including standalone desktop Python programs, via SQLite3, but is this insecure? The file is in my secured cgi-bin, but could someone get their hands on it and just download the whole database?
Any and all advice or clarification appreciated,
Ilmiont

Both SQLite and MySQL store their data in some file(s).
Both are insecure if you allow HTTP users to access these files.
Typically, the default configuration of MySQL puts the database files into a separate, non-public directory, while SQLite has no defaults and allows you to put the file anywhere.
But when you are aware of the possible problem, SQLite is as secure as MySQL.
(Checking is easy; just test if http://www.example.com/cgi-bin/users.db works from the outside.)

First of all, if you're on a Linux machine (not sure about Windows), you can set users and file permissions to control who is allowed access to that file, but you should know what you're doing when it comes to permissions. The other thing that you want to make sure of is the file location. Don't place the file in the web root; place it somewhere else not accessible from the web, but accessible to your app.
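A concrete version of the two checks the answers above describe (the SQLite file must not sit under the document root, and it must not be readable by other local users), as an added example that is not from the original thread. It assumes a Linux/Unix host; the `public_html`/`private` layout it builds under a temporary directory is constructed for the demo, not a real deployment.

```python
"""Audit the on-disk placement and permissions of a SQLite database file.

Added example (not code from the thread). It checks that the file is outside
every public directory and is neither group- nor world-accessible, and shows
how to create the file with mode 0600 from the start.
"""
import os
import sqlite3
import stat
import tempfile


def is_under(path: str, root: str) -> bool:
    """True if `path` resolves to somewhere inside `root` (symlinks followed)."""
    path = os.path.realpath(path)
    root = os.path.realpath(root)
    return os.path.commonpath([path, root]) == root


def audit_db_file(db_path: str, public_roots) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for root in public_roots:
        if is_under(db_path, root):
            findings.append(f"db file {db_path} is inside public directory {root}")
    mode = stat.S_IMODE(os.stat(db_path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IWGRP):
        findings.append(f"db file is group-accessible (mode {mode:04o})")
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        findings.append(f"db file is world-accessible (mode {mode:04o})")
    # The directory matters too: a world-writable parent lets any local user
    # replace the database file with one of their own.
    parent = os.path.dirname(os.path.realpath(db_path))
    if stat.S_IMODE(os.stat(parent).st_mode) & stat.S_IWOTH:
        findings.append(f"parent directory {parent} is world-writable")
    return findings


def create_private_db(db_path: str) -> str:
    """Create a users database readable only by its owner (mode 0600).

    The umask is tightened for the duration of the call so sqlite3 creates the
    file restrictively from the start, instead of chmod-ing it after a window
    during which it was readable by others.
    """
    old_umask = os.umask(0o077)
    try:
        conn = sqlite3.connect(db_path)
        with conn:
            conn.execute(
                "CREATE TABLE IF NOT EXISTS users ("
                "id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL, "
                "pw_hash TEXT NOT NULL)"
            )
        conn.close()
    finally:
        os.umask(old_umask)
    os.chmod(db_path, 0o600)  # enforce the mode explicitly as well
    return db_path


def demo() -> dict:
    """Build a constructed layout in a temp dir and audit both placements."""
    base = tempfile.mkdtemp()
    docroot = os.path.join(base, "public_html")   # constructed web root
    private = os.path.join(base, "private")       # constructed non-public dir
    os.makedirs(docroot)
    os.makedirs(private, mode=0o700)

    # Bad: database inside the web root with a typical default mode of 0644.
    bad = os.path.join(docroot, "cgi-bin", "users.db")
    os.makedirs(os.path.dirname(bad))
    conn = sqlite3.connect(bad)
    with conn:
        conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY)")
    conn.close()
    os.chmod(bad, 0o644)

    # Good: database outside the web root, created with mode 0600.
    good = create_private_db(os.path.join(private, "users.db"))

    return {"bad": audit_db_file(bad, [docroot]), "good": audit_db_file(good, [docroot])}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or "OK")
```

The placement check uses `os.path.realpath`, so a symlink from inside the web root to a "private" file is still reported. Run the audit against the real document root(s) of the server, not just the one you remember configuring.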

Related

Is there any security recommendation for laravel? Database got hacked

My Laravel database got hacked for the second time. The hacker deleted all tables and left a table threatening to delete it if I didn't send bitcoin. That's not a problem since I do have a backup, but what can I do to prevent it?
This is for Laravel 6. The first time I had debugging mode ON in the .env file, so I thought this might be the problem. After turning debugging off I still got hacked. Am I missing anything?
Hello Mohamed Elmoniry,
I would check your server database configuration for the following security settings. I mean, this is pretty basic and normally done automatically if you are not self-hosting and are using a service like Forge or DigitalOcean, but here you go:
Update the password plugin
Change the root password
Remove anonymous users
Disallow remote root login
Remove test database
If you are new to this and you are using MySQL on your server, you can run the following command/script that will automatically guide you through that process:
sudo mysql_secure_installation
Additionally:
If you are using a web server, I would also enable SSH and deactivate password login.
If you are using a firewall, I would check that only the necessary ports to your application are allowed by the UTM (Unified Threat Management) if it is a hardware firewall. (The same applies to a software firewall.)
It would be great if you know how the hacker got into the database. Maybe you have an old database version? Maybe you have an easy-to-crack password and have exposed your database to the internet. Laravel by default blocks SQL injection, so that can't be it.
If you have exposed your database, a good first step is to block all requests and allow only ones from certain IP addresses, like your server and IP addresses where you often work. This way, hackers can only get to your database if they are on one of those IPs.
Do you publish your code to GitHub? Maybe the hacker got the password from your repository (this is only possible if this is public). You should make sure you NEVER EVER publish your .env file to the internet and only keep local copies.
But the best solution would be to find out how he got in. Then you can block that entrance. You should certainly check your database version and update it if necessary.
It seems your website has some shell (malware) stored. Viruses get in for the following reasons:
Old version of the framework (but you are using v6, which is up to date)
A shell/virus already in the code (check if a PHP shell exists, and scan with antivirus)
You have a public git repo, where the attacker placed his malware
You have hardcoded credentials that leaked, either through a git repo or JS files.
You have an unrestricted file upload option in your code, which allows a hacker to upload a shell.
Your database server is publicly exposed, allowing anyone to access it.
You are using an older Jenkins or other automation tool, whose exploit was used.
SQL injection (check logs)
Thanks, Jaikey
Check whether your .env or .env.sample files are exposed to the public for some reason:
https://yourdomain.com/system/.env
If yes, block the public access of .env by adding the code below to the .htaccess file.
<FilesMatch "^\.env">
Order allow,deny
Deny from all
</FilesMatch>
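A pre-deploy check that covers what this thread's answers call out (the document root pointing at the project root instead of public/, which is what makes /.env or /system/.env reachable; .env or .git under the document root; .env missing from .gitignore; APP_DEBUG left on), plus a small function that evaluates the FilesMatch pattern above the way Apache does. Added example, not code from the thread or from Laravel; the two project layouts it builds under temporary directories, and their .env contents, are constructed for the demo.

```python
"""Exposure audit for a Laravel-style deployment (added example)."""
import os
import re
import tempfile

# Files that must never be reachable through the web server.
SENSITIVE = [".env", ".env.sample", ".git"]

# The regex from the .htaccess rule in the answer above.
HTACCESS_PATTERN = re.compile(r"^\.env")


def is_under(path: str, root: str) -> bool:
    """True if `path` resolves to somewhere inside `root`."""
    path, root = os.path.realpath(path), os.path.realpath(root)
    return os.path.commonpath([path, root]) == root


def blocked_by_htaccess(request_path: str) -> bool:
    r"""Would the FilesMatch "^\.env" rule apply to this request path?

    FilesMatch tests the file's basename only, so the rule catches /.env and
    /system/.env.sample, but not /.git/config or /backup.env.
    """
    return HTACCESS_PATTERN.search(os.path.basename(request_path)) is not None


def parse_env(text: str) -> dict:
    """Minimal KEY=VALUE parser for .env files; comments and blank lines skipped."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip("\"'")
    return env


def audit_project(project_root: str, docroot: str) -> list:
    """Return findings for one project; an empty list means all checks passed."""
    findings = []
    if os.path.realpath(docroot) != os.path.realpath(os.path.join(project_root, "public")):
        findings.append("docroot is not <project>/public")
    for name in SENSITIVE:
        candidate = os.path.join(project_root, name)
        if os.path.exists(candidate) and is_under(candidate, docroot):
            findings.append(f"{name} is reachable under the document root")
    ignored = set()
    gitignore = os.path.join(project_root, ".gitignore")
    if os.path.exists(gitignore):
        with open(gitignore) as fh:
            ignored = {line.strip() for line in fh if line.strip() and not line.startswith("#")}
    if ".env" not in ignored:
        findings.append(".env is not listed in .gitignore")
    env_file = os.path.join(project_root, ".env")
    if os.path.exists(env_file):
        with open(env_file) as fh:
            env = parse_env(fh.read())
        if env.get("APP_DEBUG", "false").lower() == "true":
            findings.append("APP_DEBUG=true in .env")
    return findings


def _make_project(base: str, env_text: str, gitignore_text) -> str:
    """Constructed project skeleton: public/, .git/, .env and optional .gitignore."""
    os.makedirs(os.path.join(base, "public"))
    os.makedirs(os.path.join(base, ".git"))
    with open(os.path.join(base, ".env"), "w") as fh:
        fh.write(env_text)
    if gitignore_text is not None:
        with open(os.path.join(base, ".gitignore"), "w") as fh:
            fh.write(gitignore_text)
    return base


def demo() -> dict:
    bad = _make_project(tempfile.mkdtemp(), "APP_DEBUG=true\nDB_PASSWORD=hunter2\n", None)
    good = _make_project(tempfile.mkdtemp(), "APP_DEBUG=false\nDB_PASSWORD=hunter2\n", "/vendor\n.env\n")
    return {
        "bad": audit_project(bad, bad),                             # docroot = project root
        "good": audit_project(good, os.path.join(good, "public")),  # docroot = public/
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or "OK")
```

The .htaccess rule is a backstop, not the fix: if the document root is the project root, .git/ and anything else outside public/ stay reachable no matter how the .env rule is written, so the first finding is the one to resolve.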

Can html5 be used front end for an ftp server?

Quick question today. I've done a little digging around on the net and I can't really find a very definitive answer.
Basically, I run my own server on a redundant dual-core, 4 GB RAM, 2 TB PC (server1).
And on here, I would like to make an FTP partition. The reason being, I would very much like to be able to transfer files back and forth between work, uni and home as I please.
I also run a website from my server which allows me to stream media from my hard drive to any laptop, tablet, desktop, iPhone, Android... you name it!
I would LIKE to be able to add a section on my website where I can log in and access my files as a sort of HTML5 front end.
I am aware of and know how to create a login with a database which has an md5 hash and stores cookies to stop unauthorised people accessing my FTP.
Any help or a shove in the right direction would be much appreciated! Thanks in advance :D
Yes, it's possible, but that won't be the HTML5 FTP server etc. that you mentioned.
You can achieve this by installing a web server on your machine like Apache and then making directories public. Run Apache on some port and you will be able to access the directory; if your server is running on port 8080, the URL will be like domain.com:8080. You can style the directory using this simple script and make it password protected as well using .htaccess.
osFileManager
The other option is to use some PHP script. Many commercial scripts are available, as well as open source ones. I recommend trying osFileManager; it has a lot of features like:
Browse the directory structure
Create files
Upload files
Rename files
Move files
Delete files
Edit files
Change permissions
Change password
Create users
Here are its installation instructions: http://www.osfilemanager.com/osfilemanager-docs.html
Or a paid HTML5 & AJAX based script can be bought for $14 from here:
http://codecanyon.net/item/file-manager-and-backup-system/5177206

MySql Database Hacked, NOT injections

Three weeks ago, I found a list of my website's users and their info on Pastebin, giving away all privacy. I ran updates and protected against SQL injections. I also added a pre-request to save the SQL in text format in a LOG table whenever user input is required, to be able to analyse any injection if my protection wasn't enough.
Then today the same post was on Pastebin again with recent entries, so I checked the LOG table to find only clean entries. Is there anything else than injections I should worry about? The web seems to give info about injections only!
Could they have had access to the dbpassword in a PHP file on the server, and could they have connected from an external server?
Should I change the dbpassword frequently?
Are there any solution non-script wise like hosting security plan or something like that which should be efficient enough?
I am receiving physical threats from hacked users and would really like to close this quickly...
If you're implementing your own protection against user input, you're probably doing it wrong. Most standard database libraries will give you a way of passing parameters to queries where they will be sanitised properly, and these will have been coded with more things in mind than you're probably aware of. Reinventing the wheel in anything security-related is a bad idea!
Other things to worry about:
Password policy (strong passwords)
Access to your database server (is it firewalled?)
SSH access to your server (again, firewalled?)
Keeping all of your software up-to-date
Just to add to the other answers that you've had so far: if someone is posting the contents of your database online then you need to assume that the server(s) running the application and database have been compromised, as once they've gained initial access, it's likely that they'll have placed rootkits or similar tools onto the server to keep access to it.
As to how they got in, there are a number of potential options, depending on the architecture of your solution, and it's impossible to say which is the case without more details. Some of the more likely options would be:
SSH passwords
Administrative web apps (e.g. PHPMyAdmin) with common passwords or vulnerabilities
Access via hosting service (e.g. weak passwords on administrative login panels)
If the site is PHP based, Remote File Inclusion issues are a distinct possibility
If you can, I'd recommend engaging a forensics or incident response company to help you recover the data and rebuild, but failing that I'd recommend getting a backup from before the compromise and using that to rebuild the server, then ensuring that all software is updated and patched and passwords are not the same as on the compromised system, before bringing it online.
The best protection for this is to allow connections to the mysql database only from the machine where your application runs.
First of all, make sure network access to the MySQL database is "need to know"; in most cases this is a simple bind-address 127.0.0.1.
Next, change the DB password, just because yes, you can (C)
Now think of this: if somebody got your DB password from your PHP files, you already are in deep s***t: nothing stops him or her from just repeating that stunt! You need to audit your application for backdoors (after-the-fact problem) and how the guys got in there (before-the-fact problem). Check your Apache logs for requests with unusual GET parameters; a filename in there is mostly a dead giveaway.
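The log review suggested above and the Remote File Inclusion possibility raised in the previous answer, turned into a small detector: it parses Apache combined-format access log lines and flags GET parameters whose value is a URL, a PHP stream wrapper or a directory traversal, and direct requests for files that should never be web-reachable (the thread's own `dbpassword.php` example, `.env`, `.git`). Added example, not code from the thread; the log lines are constructed, and the sensitive file list is an assumption you would extend for your own site.

```python
"""Flag file-inclusion-style requests and probes for sensitive files in
Apache combined-format access logs (added example, constructed sample data)."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache "combined" format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Parameter values that look like a file or URL rather than ordinary data:
# remote URLs, PHP stream wrappers, traversal, a .php script, /etc/passwd.
INCLUSION_VALUE = re.compile(
    r"^(?:https?|ftp)://|^(?:php|data|file|expect)://|(?:^|/)\.\./|\.php(?:\?|$)|/etc/passwd",
    re.IGNORECASE,
)

# Files that should not be reachable under the web root at all (assumed list;
# dbpassword.php is the hypothetical name used elsewhere in this thread).
SENSITIVE_FILES = [".env", ".git", "dbpassword.php"]
SENSITIVE_PATH = re.compile(
    r"(?:^|/)(?:" + "|".join(re.escape(n) for n in SENSITIVE_FILES) + r")(?:/|$)",
    re.IGNORECASE,
)


def classify(line: str):
    """Parse one log line; return a record with a (possibly empty) list of reasons,
    or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    parts = urlsplit(target)
    reasons = []
    if SENSITIVE_PATH.search(parts.path):
        reasons.append(f"request for sensitive path {parts.path}")
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        value = unquote(value)  # parse_qsl decodes once; unquote again catches double encoding
        if INCLUSION_VALUE.search(value):
            reasons.append(f"file/URL in parameter {key}={value}")
    return {
        "ip": m.group("ip"),
        "target": target,
        "status": int(m.group("status")),  # 200 on a sensitive path means it was served
        "reasons": reasons,
    }


def scan(lines) -> list:
    """Return only the records that had at least one reason to flag."""
    hits = []
    for line in lines:
        rec = classify(line)
        if rec and rec["reasons"]:
            hits.append(rec)
    return hits


# Constructed sample log (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=home HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?page=http://198.51.100.5/shell.txt? HTTP/1.1" 200 312
203.0.113.7 - - [10/Oct/2023:13:55:42 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 2048
203.0.113.7 - - [10/Oct/2023:13:56:01 +0000] "GET /dbpassword.php HTTP/1.1" 200 0
198.51.100.23 - - [10/Oct/2023:14:02:11 +0000] "GET /.env HTTP/1.1" 404 196
192.0.2.9 - - [10/Oct/2023:14:03:00 +0000] "POST /login.php HTTP/1.1" 302 0
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(hit["ip"], hit["status"], hit["target"], "->", "; ".join(hit["reasons"]))
```

Read the status column together with the reason: a 404 on `/.env` is a probe, a 200 on `/dbpassword.php` (a zero-byte response is typical, since the PHP executes rather than being shown) tells you the file is inside the web root and the request reached it. Run it over the whole retention window with something like `scan(open("/var/log/apache2/access.log"))`, and treat an include of a remote URL that returned 200 as confirmation that the application has executed attacker-supplied code.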
I agree with Razvan. Also, if you're running any CMS or prepackaged web pages, make sure they're the latest version. They most likely access as localhost from the web server. Hackers follow the changelogs of those, and every time a security patch is released, they attack published vulnerabilities on servers running the older version. It's often performed in bulk by crawlers. Odds are they have a database with your server listed as running old versions of things.
First, you need to ensure that this "php file" containing the DB password(s) is not within the web root directory; otherwise they could simply access it like http://mydomain.com/dbpassword.php.
Second, immediately change the passwords used to access your database.
Third, ensure that MySQL will only accept connections from 'localhost', vs. allowing connections from anywhere ('%'). And if it is a dedicated server, then you should "harden" the box and add an IP rule to iptables where MySQL access is only allowed from the server's IP. These changes would ensure that if they did get your DB username/password creds, they can not access the database from a remote computer; instead they would have to exploit your application, or SSH into your server, to gain access to your database.
Next, you should disable all user accounts to your site, and force them to update their passwords using a closed-loop verification process. This will ensure no ongoing malicious activity is occurring with your users or their accounts.
These are just a few steps to take; there are others, such as tracking local users' login activity. It is possible that one of your system's user accounts has been compromised (rooted). The point is, you need to consider all points of access to your system and the services therein; if you are unable to do it, it may be time to hire or contract a seasoned sysadmin to help you.
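The "localhost vs. '%'" and bind-address points from this answer and the one above it, and the mysql_secure_installation checklist in the Laravel thread earlier on this page (anonymous users, remote root login), as one audit function. Added example, not code from the thread or from MySQL; the account rows are constructed to look like the result of `SELECT user, host FROM mysql.user;` and the config snippets are constructed too. On a real server you would feed it the rows from that query and the text of your my.cnf / mysqld.cnf.

```python
"""Audit MySQL account/host pairs and the server's bind-address (added example)."""

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def audit_accounts(rows, app_hosts=frozenset()) -> list:
    """rows: iterable of (user, host) as returned by SELECT user, host FROM mysql.user.
    app_hosts: hosts the application legitimately connects from (empty if the app
    runs on the database machine). Returns a list of findings."""
    findings = []
    for user, host in rows:
        if user == "":
            findings.append(f"anonymous account ''@'{host}'")
            continue
        remote = host not in LOCAL_HOSTS
        wildcard = "%" in host or "_" in host   # MySQL host patterns use % and _
        if user == "root" and remote:
            findings.append(f"root allowed from remote host {host}")
        elif wildcard:
            findings.append(f"'{user}'@'{host}' matches a wildcard host")
        elif remote and host not in app_hosts:
            findings.append(f"'{user}'@'{host}' allowed from unexpected host")
    return findings


def bind_address(my_cnf: str):
    """Return the bind-address set in the [mysqld] section, 'skip-networking' if
    TCP is disabled outright, or None if neither is set."""
    section = None
    value = None
    for raw in my_cnf.splitlines():
        line = raw.split("#", 1)[0].strip()   # option files allow # comments
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]").strip()
            continue
        if section != "mysqld":
            continue
        key, _, val = line.partition("=")
        key = key.strip().replace("_", "-")
        if key == "skip-networking":
            return "skip-networking"
        if key == "bind-address":
            value = val.strip()
    return value


def audit_bind(my_cnf: str) -> list:
    addr = bind_address(my_cnf)
    if addr is None:
        # MySQL's default is '*', i.e. listen on every interface.
        return ["bind-address not set: mysqld listens on all interfaces"]
    if addr in ("0.0.0.0", "::", "*"):
        return [f"bind-address={addr} exposes mysqld to the network"]
    return []


# Constructed rows; documentation IP range, not a real host.
SAMPLE_ROWS = [
    ("root", "localhost"),
    ("root", "%"),
    ("", "localhost"),
    ("webapp", "localhost"),
    ("webapp", "%"),
    ("backup", "10.0.0.5"),
    ("debian-sys-maint", "localhost"),
]

WEAK_CNF = "[mysqld]\nuser = mysql\nbind-address = 0.0.0.0\n"
GOOD_CNF = "[mysqld]\nuser = mysql\nbind-address = 127.0.0.1  # local connections only\n"
UNSET_CNF = "[mysqld]\nuser = mysql\n"

if __name__ == "__main__":
    for finding in audit_accounts(SAMPLE_ROWS, app_hosts={"10.0.0.5"}):
        print("account:", finding)
    for label, cnf in (("weak", WEAK_CNF), ("good", GOOD_CNF), ("unset", UNSET_CNF)):
        print(label, "->", audit_bind(cnf) or "OK")
```

Every wildcard or remote-root finding is fixed the same way: create the account for the host it actually needs (`'webapp'@'localhost'` when the app and database share a machine) and drop the `'%'` variant, then set `bind-address = 127.0.0.1` under `[mysqld]` and restart mysqld. Passing `app_hosts` lets you keep a legitimate remote account such as a backup host without it showing up as a finding.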
If this is shared web hosting, and another user is logged in with shell access and is able to guess the path to your web root, and the password configuration (PHP or other script) file is world-readable, then that user can read it.
This is one of the most common vulnerabilities and is very easy to exploit.
If this is the case:
To correct the issue, you need to move the configuration file out of your web root folder and/or change the permissions on it so that it's not world readable, and then change your database password.
Most likely, the user would not be able to inject anything into your application.
Changing the database server so that it's only accessible locally or to your web server would do no good, since the malicious user would be on the same web server and still be able to access it.
If you did not see any malicious queries, then they are probably accessing your db via the MySQL command line (or PHPMyAdmin or other tool), and not through your application.
Enabling the general query log would allow you to see all queries in plain text in the log, but if this is shared web (and MySQL server) hosting, you probably won't be able to enable this.
This is something you may wish to report to your web host. They may be able to find the attacker and suspend their account or provide you with evidence.

How to access phpMyAdmin on remote server

For my websites I use Dreamhost. Dreamhost requires you to create a hostname (ex: mysql.mclindigital.com) that the database will reside on. For me it's simple, if I want to access phpMyAdmin, I simply navigate to mysql.mclindigital.com, and it enters into phpMyAdmin automatically.
Apparently Dreamhost is in the minority using this method, because most people seem to use "localhost". So, how do I access phpMyAdmin for these websites? Will I need to get their web panel login info to browse around for this info?
As an example, I had a past client and I had to go here: http://216.120.237.104:2082/3rdparty/phpMyAdmin/index.php to get into their phpMyAdmin. I never really understood what I was doing, but it just worked. Now I am in the same situation, but this time the client isn't as tech-savvy and is unable to give me the URL I need to go to.
Also, I should point out I am not 100% certain that they have phpMyAdmin installed. I do know they have a database, however, because they are running a WordPress blog.
There is nothing magic or special about phpMyAdmin. It is just a bunch of PHP scripts. Some web hosts (such as Dreamhost) may install it as standard, similarly to FormMail and a bunch of other tools they may install.
Your problem is most likely that your client doesn't have phpMyAdmin installed, and the easy solution (if you have FTP access) is to go to http://www.phpmyadmin.net/home_page/index.php, download phpMyAdmin, configure it and then just upload it to their FTP server yourself. Then you can access it similarly to any other PHP script.

MySQL and data file encryption

Is there a way to encrypt the data file that mysql uses? I have a mysql server on an open machine, and I would like to encrypt the data file so even if someone copies the data files, they cannot read the data.
Thanks
To anyone researching a transparent MySQL encryption solution for Linux, there's a relatively new product on the block that we've been working with:
http://www.gazzang.com/
I am not affiliated with Gazzang... just a happy customer.
I am not sure what you mean when you say that your machine is open. If people have access to the console, or to your account, it is a much harder task to encrypt the file.
Did you look at TrueCrypt? It works for most popular operating systems and allows you to create a virtual encrypted partition, or lock down a hard drive partition, an external drive or a USB device.
MySQL doesn't support data file encryption natively. There are 3rd-party products out there such as:
http://www.vormetric.com/products/vormetric_database_encryption_expert.html
There's a 'white paper' on the topic here:
http://www.vormetric.com/documents/FINALPart2DatabaseEncryptionCoreGuardvsColumnLevelWhitePaper7.pdf
To be honest, if the database content has any commercial value or contains personal data about individuals, you should really control who has access to the datafiles (whether encrypted or not). In the UK, leaving such data files open to casual passers-by, would be a data protection no no.
You can use an encrypted filesystem, like the native one for NTFS on Windows or one of the various options for Linux. In addition, you can store the data encrypted.
If you are using Windows EFS and starting MySQL as a service, you will need to do the following:
go to Services and find the MySQL service
stop the service
right-click -> Properties -> Log On tab
check "This account"
fill your windows account name eg. ".\username"
provide your password
start the service
The MySQL service should now start without errors.
To use Windows EFS encryption:
http://windows.microsoft.com/en-us/windows/encrypt-decrypt-folder-file#1TC=windows-7
Read more about it:
http://www.petri.co.il/how_does_efs_work.htm#
!!! Don't forget to export the certificate !!!
You could encrypt the data within MySQL using the built-in encryption functionality.
As for the files, any file solution should work fine.