Site & Network Security

Tuesday, June 13, 2006

How hackers crack your site part 1

The best security specialist is a hacker, and the best hacker is a security specialist. Before breaking into a system, hackers investigate the target. If hackers want to break into a server, they will try to find out what operating system the server is running and which services are installed on it.

Next, they attempt to learn the site's structure, namely the directories used, the script files used and their locations, and so on. This information can be used in various ways, especially after the break-in, when they have to know which parts of the site to explore. Before the break-in, hackers pursue at least the following four avenues.

Find out whether the site uses a publicly available script, either commercial or free. For example, owners of most noncommercial sites do not develop their own forum scripts and instead use open-source products such as phpBB (www.phpbb.com).
If hackers discover that a site uses an open-source product, they will mark this site as a potential attack target. The more popular a program, the more hackers all over the world dissect it looking for vulnerabilities. There are no bug-free programs; it is only a matter of time before bugs are discovered. When a vulnerability becomes known, hackers enter into a race with administrators, with the former attempting to use the vulnerability to break into sites and the latter looking for defenses against it.

Programmers often leave old script versions on a site. For example, a programmer has written a new, improved version of the index.php file. Before replacing the old file with the updated one, the old index.php is renamed to something like index.old or index.bak; only then is the new version copied in. This is done in case the new version does not perform as intended in production and has to be debugged, in which case the old version can be put back into service.
Hackers will not have a hard time finding such files, because they use specialized programs to take care of this. Once such a file is requested, the web server no longer treats it as PHP and returns its source as plain text, so the content of the script can be downloaded to the hacker's local hard disk.
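A quick way for an administrator to find such leftovers before anyone else does, as an added example that is not part of the original post; the default web root path is an assumed value and the suffix list is my own:

```php
<?php
// Added example (not from the original post): walk a web root and report
// leftover copies of scripts (index.old, index.bak, index.php~, .orig, .swp ...)
// that a web server would hand out as plain text instead of executing.
// The default web root below is an assumed path; pass your own as argument 1.

declare(strict_types=1);

/** Suffixes commonly left behind by manual edits, editors and deploy scripts. */
const BACKUP_PATTERN = '/(\.(bak|old|orig|save|swp|tmp|copy)$|~$|\.php\.[a-z0-9]+$)/i';

/**
 * Return the paths of files under $webRoot whose names look like stale backups.
 *
 * @return string[]
 */
function findBackupFiles(string $webRoot): array
{
    $found = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($webRoot, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        /** @var SplFileInfo $file */
        if ($file->isFile() && preg_match(BACKUP_PATTERN, $file->getFilename())) {
            $found[] = $file->getPathname();
        }
    }
    sort($found);
    return $found;
}

$webRoot = $argv[1] ?? '/var/www/html';   // assumed default document root
foreach (findBackupFiles($webRoot) as $path) {
    echo $path, PHP_EOL;
}
```

Run it from the command line with the document root as its only argument; anything it lists should be deleted or moved outside the document root, since it is the copy a hacker's scanner would request.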

During the preparatory investigation, hackers look for all forms that take user input and send it to the server. Sending parameters is always a dangerous affair. Hackers collect information about the parameters sent by the form and then start experimenting by sending different values, trying to find a script that does not check the data entered by users.

Knowing the directory structure, hackers can concentrate on looking for vulnerabilities where they expect the best result. It is logical to assume that directories excluded from indexing contain something interesting. So what is to prevent hackers from taking a look at the robots.txt file to find out what the administrator or site developer does not want to be available to the general public? The only limitation is the extent of their knowledge of how to formulate a Google request to do this.

Having collected publicly available information, hackers move on and try to find out more about the system. They enter invalid data into all forms and analyze the error messages in the server's response, hoping to obtain information about the database structure and the files the site contains.
A real lucky strike is an error message about an incorrect data request that includes the SQL query itself. This sort of information is invaluable to hackers and increases their chances of a successful break-in.
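A production bootstrap that keeps exactly those error details out of the response, added here as an example rather than code from the original post; the log path, database name and credentials are placeholders:

```php
<?php
// Added example (not from the original post): keep PHP and database error
// details (file names, line numbers, the failing SQL text) out of the HTTP
// response. Log path and connection settings are assumed placeholders.

declare(strict_types=1);

// Weak (development) settings leak file names, line numbers and SQL text:
//   display_errors = On, log_errors = Off
// Production settings: log everything, show the client nothing.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/php/app.log');   // assumed path, writable by PHP

// Any uncaught exception, including a PDOException carrying the driver's
// message and query, is written to the log and answered with a generic page.
set_exception_handler(function (Throwable $e): void {
    error_log(sprintf('%s: %s in %s:%d', get_class($e), $e->getMessage(),
                      $e->getFile(), $e->getLine()));
    http_response_code(500);
    header('Content-Type: text/plain');
    echo "Request could not be processed.\n";
});

// ERRMODE_EXCEPTION makes every failed query raise instead of returning
// false (and, with warnings displayed, printing the driver message inline).
$db = new PDO('mysql:host=localhost;dbname=app', 'app_user', 'PLACEHOLDER', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
```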

How hackers crack your site part 2

During the in-depth analysis, hackers examine the source code of the site's pages. They cannot see the source code of PHP scripts because these are executed on the server side and are not sent to the client in the page code. However, even the HTML code the client receives may contain interesting tidbits. At this stage, hackers concentrate on the following areas:

Comments – these may contain valuable information about the way the code works or the purpose of the parameters. Sometimes programmers comment out code fragments, which may allow hackers to locate potential vulnerabilities more rapidly.

Hidden forms and parameters – the latter may be sent as the parameters of the GET or POST methods and may contain important information.

Names – this includes the names of all parameters used in the program and the names of the scripts to which these parameters are passed.

When the maximum available information has been collected, hackers start testing scripts to see if they process the input data correctly. This can be done by sending junk in parameters, that is, characters such as hyphens, underscores, semicolons, slashes and backslashes. Many of these characters are reserved in certain contexts, for example when opening files or working with databases. When some character causes a script to issue an error message, this message will most likely contain the line of code in which the error occurred and the name of the function or the SQL request. This gives the hacker additional information on how to proceed with breaking into the server, based on the function that issued the error. The most critical functions are the following.

System-access functions, such as system() and exec() – if no check for reserved characters is performed when these functions are called, hackers will try to use them to execute system commands, for example ls to view the contents of the current directory in UNIX. If the web server's access privileges are high enough to execute important commands, hackers can easily do at least the following two things to the site:

Deface it, that is, replace the home page. All they have to do is replace the main page script with one of their own.
Destroy the entire site. If hackers have access to the command for deleting files (rm on UNIX systems), they have the rights to delete the script files.

File-handling functions, such as include() and readfile() – these allow hackers to read configuration files, for example /etc/passwd and, even better, /etc/shadow, which on UNIX systems store the user names and their encrypted (hashed) passwords, respectively. Hackers will not be too bothered that the passwords are hashed, because experience shows that at least 25% of passwords can be broken using the dictionary method.

SQL requests – hackers can use these to delete or change database data or obtain access to confidential information, for example a password table.

The main vulnerability of scripts occurs when they do not check whether the parameters or data received from users meet the requirements. When calling system functions in your scripts, you should prohibit slashes, backslashes and semicolons in the parameters passed to these functions. But parameters are not the only things hackers use in their attacks. They can also resort to cross-site scripting and flooding attacks.
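The three function classes above, each with the input check in front of the dangerous call, as an added example that is not the post's own code; the base directories, table and column names are assumed placeholders:

```php
<?php
// Added example (not from the original post): each of the three function
// classes discussed above with a strict input check before the dangerous call.
// Base directories, table and column names are assumed placeholders.

declare(strict_types=1);

/** system()/exec() class: allowlist the argument, then quote it anyway. */
function listDirectorySafely(string $userInput): string
{
    // An allowlist is stronger than blocking ';', '/' and '\': only a plain
    // name is accepted, and it may not start with '.' or '-' (no '..', no options).
    if (!preg_match('/^[A-Za-z0-9_][A-Za-z0-9._-]{0,63}$/', $userInput)) {
        throw new InvalidArgumentException('invalid directory name');
    }
    $base = '/var/www/data';                          // assumed fixed base directory
    $out = shell_exec('ls -l ' . escapeshellarg($base . '/' . $userInput));
    return is_string($out) ? $out : '';
}

/** include()/readfile() class: resolve the path and keep it under the base. */
function readTemplateSafely(string $userInput): string
{
    $base = realpath('/var/www/templates');           // assumed template directory
    if ($base === false) {
        throw new RuntimeException('template directory missing');
    }
    $path = realpath($base . '/' . $userInput);       // collapses '..' and symlinks
    if ($path === false || !is_file($path)
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new InvalidArgumentException('template outside the allowed directory');
    }
    $data = file_get_contents($path);
    if ($data === false) {
        throw new RuntimeException('template could not be read');
    }
    return $data;
}

/** SQL class: never build the query from user data; bind it as a parameter. */
function findUserSafely(PDO $db, string $userInput): ?array
{
    $stmt = $db->prepare('SELECT id, login FROM users WHERE login = :login');
    $stmt->execute([':login' => $userInput]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}
```

The checks are deliberately positive (what is allowed) rather than the negative list of forbidden characters given above, so a character the list forgot is still rejected.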
