Archive for myfreeforum.org

       myfreeforum.org Forum Index -> Off Topic
CodyT07

Think they would learn already...

I'm talking about the people that manage my school's county web server. Our school site (mind you I put in 10 hours worth of content adding to it, + the other 30 hours from the other members of the team plus the hours of cleaning up the last hack) was hacked* FOR THE 5TH TIME THIS YEAR.
For the same reason it was hacked the last time: misconfiguration of HTTP (or so we are told). The times before were because of misconfigured PHP and ASP.

Here's the best part about backups: they are done every day. The catch: the current day overwrites the last day. The hacking was done on the weekend (it was hacked twice by 2 different sites this time). So by the time we get to the school, the backup would be useless, as it would contain the hacked site (since they didn't learn from the last times).


I ran my server for 2 years and the worst I got was a SQL injection due to me not updating Joomla in a month for a dead site. I had many attempts (all logged) and yet none successful.


*-The word 'hacked' in this posting refers to injecting MSSQL data into an insecure MSSQL database.
while()

That's the fault of the people who developed the website, not the people who manage the web server. If the admin here left fields that weren't validated and someone used them to drop the contents of the database, would it be the hosting company's fault? No, it'd be the admin's for not validating his input. In regards to "misconfiguration of php" I assume this means they had register_globals on, once again the fault of the site developers for not considering this. Furthermore, you trust anyone to guard your work? I wouldn't trust anyone besides myself; if I cared about it I'd make sure I had my own physical backups.
myff admin

A web backup strategy that overwrites daily is criminally bad.

There is no way that a php misconfiguration can be solely responsible for a hacking issue.

Whilst register globals should never be set on, all code should assume that it might be and be safe against such issues.

There would be no point to any php setting that by itself left a site vulnerable.
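The backup problem raised in this thread (a nightly job that overwrites its only copy, with a compromise on the weekend noticed on Monday) can be checked against a rotated retention scheme. This is an added example, not part of the original posts; the dates, function names and the 7-daily/4-weekly policy are constructed assumptions.

```python
from datetime import date, timedelta

def nightly_dates(start, end):
    """One backup per night from start to end, inclusive."""
    return [start + timedelta(days=i) for i in range((end - start).days + 1)]

def retain_overwrite(backups):
    """Scheme described in the thread: each night overwrites the previous copy."""
    return sorted(backups)[-1:]

def retain_gfs(backups, daily=7, weekly=4):
    """Keep the newest `daily` backups plus the last backup of each of
    the newest `weekly` ISO weeks (assumed policy, for illustration)."""
    backups = sorted(backups)
    keep = set(backups[-daily:])
    last_of_week = {}
    for d in backups:
        last_of_week[tuple(d.isocalendar())[:2]] = d  # later date in a week wins
    for week in sorted(last_of_week)[-weekly:]:
        keep.add(last_of_week[week])
    return sorted(keep)

def latest_clean(retained, compromised_on):
    """Newest retained backup taken strictly before the compromise, or None."""
    clean = [d for d in retained if d < compromised_on]
    return max(clean) if clean else None

# Constructed scenario: nightly backups from 1 Feb to Sunday 3 Mar 2024,
# site compromised on Saturday 2 Mar, noticed on Monday 4 Mar.
BACKUPS = nightly_dates(date(2024, 2, 1), date(2024, 3, 3))
WEEKEND_COMPROMISE = date(2024, 3, 2)
# Second case: the compromise goes unnoticed for two weeks.
OLD_COMPROMISE = date(2024, 2, 20)

if __name__ == "__main__":
    for name, policy in (("overwrite", retain_overwrite), ("rotated", retain_gfs)):
        kept = policy(BACKUPS)
        print(name, "copies kept:", len(kept))
        print("  weekend compromise ->", latest_clean(kept, WEEKEND_COMPROMISE))
        print("  two-week-old compromise ->", latest_clean(kept, OLD_COMPROMISE))
```

With a single overwritten copy there is never a restore point older than the last night, so any compromise that is not caught the same day leaves nothing clean to restore; the weekly copies are what cover the case where detection takes longer than the daily window.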
CodyT07

while(); wrote:
That's the fault of the people who developed the website, not the people who manage the web server. If the admin here left fields that weren't validated and someone used them to drop the contents of the database, would it be the hosting company's fault? No, it'd be the admin's for not validating his input. In regards to "misconfiguration of php" I assume this means they had register_globals on, once again the fault of the site developers for not considering this. Furthermore, you trust anyone to guard your work? I wouldn't trust anyone besides myself; if I cared about it I'd make sure I had my own physical backups.


Our title for the school's website is 'content adders'.
Think of us as the 'posters' on the forum, and that is all we do and all we are allowed to. Think of Admin (only example I can think of) as the 'county': he manages the server and configurations and he made the site we post on. So it isn't my team's fault.

I do have some backup articles I wrote, but team roster and such, all I can do is pray the county has them. We can't back up those due to power limitations. (pictures, information about the player, it needs a database for backups)

I am just going by what our teacher was told has happened.
while()

Then the problem is not a server problem, it's a problem with very poor php, nothing more.
myff admin

I'd dispute the word "very"; it is hard to name a major php application that has not had security issues. The problem is not simply bad programming, the problem is security still lacking in standards since neither php nor the database layer were designed with security in mind. As such secure programming is still tough.
while()

admin (no pm's please) wrote:
I'd dispute the word "very"; it is hard to name a major php application that has not had security issues. The problem is not simply bad programming, the problem is security still lacking in standards since neither php nor the database layer were designed with security in mind. As such secure programming is still tough.


Heh, well, I was basing the "very" off of the fact that they've been "hacked" 5 times now. If you're unable to handle a bit of mysql_real_escape_string(); I wouldn't expect the other code to be any good.
CodyT07

while(); wrote:
admin (no pm's please) wrote:
I'd dispute the word "very"; it is hard to name a major php application that has not had security issues. The problem is not simply bad programming, the problem is security still lacking in standards since neither php nor the database layer were designed with security in mind. As such secure programming is still tough.


Heh, well, I was basing the "very" off of the fact that they've been "hacked" 5 times now. If you're unable to handle a bit of mysql_real_escape_string(); I wouldn't expect the other code to be any good.

PHP was disabled after the 3rd hacking. This time it had to go with ASP as the problem.
CodyT07

They managed to get a backup as they changed the weekend backup, which is good. We narrowed it down to a flaw in the ASP programming (which we are going to change). Now it is just a matter of finding out 'how' (but I have a pretty good idea how it was done).
