Hehe, then why don't u make ur site cookie-based and don't host an uploader lol....
Simple way to protect ur site from session hack.
The best way to stop being hacked is !!!!!
Buy a freelancer !!!!
Ask him to code you a site that no one has; it has to be an unknown script from notepad.
Never hire one here as they only edit a lavalair script!
Originally posted by GiLL
No one is safe if a professional hacker wants to hack any site (hacking could start from normal to deleting the full site); he can do it because there are many other ways which we don't know and never knew before how to secure a site. It's the internet world: you are single, but how many people are trying to shut you down? You don't know. Just try to secure your site as much as you can. These normal tricks won't work, such as hiding folders etc.; it's just injection things, bruteforce attacks, DDoS attacks, MySQL attacks (which I get nowadays). Try to add/update security if you get any clue such as where the hole is... best of luck.
Asking others for help doesn't mean you don't know anything.... they maybe don't know which knowledge you have... so share....
And add this to your .htaccess for even further protection against hacking attempts...
Code:
RewriteEngine on

#Prevent SQL injection attempts
# [OR] is needed on this condition: without it, it is ANDed with the group below
# and the rule only fires when both match
RewriteCond %{QUERY_STRING} ^.*(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).* [NC,OR]

#Disable command line hacks via XSS scripting w/ vulnerable PHP options & includes
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)chmod(.*) [OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)chown(.*) [OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)wget(.*) [OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)cmd(.*) [OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)cd%20(.*) [OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)scp(.*) [OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)curl(.*) [OR]

#Disable TRACE & TRACK methods
RewriteCond %{REQUEST_METHOD} TRACE [OR]
RewriteCond %{REQUEST_METHOD} TRACK [OR]

#Other hack prevention, mostly windows-based
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)/winnt/system32/(.*) [NC,OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)/winnt/system/(.*) [NC,OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)/windows/system32/(.*) [NC,OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)/windows/system/(.*) [NC,OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)/cmd\.exe[$|\?(.*)] [NC,OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)/msadc/root\.exe[$|\?(.*)] [NC,OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)\\\.\.(.*) [NC,OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)/admin\.dll[$|\?(.*)] [NC,OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)/msadcs\.dll[$|\?(.*)] [NC,OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)/ext\.dll[$|\?(.*)] [NC,OR]
RewriteCond %{REQUEST_URI} (.*)/\.(.*) [NC,OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)/php\.exe[$|\?(.*)] [NC,OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)\|(.*) [OR]
RewriteCond %{REQUEST_URI} (.{255,}) [OR]
RewriteCond %{QUERY_STRING} (.{127,}) [OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} [\x00-\x1f]+ [OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} [\x7f|\xff]+
RewriteRule .* - [F]
u could just delete all tools altogether lol, that would solve it. Or as subzero said, pay someone or code ur site yourself, then nobody will know how it works. Cookies can make it harder but it's not foolproof: say I saw ur code, even with cookies I could steal sessions. Going from URL to a cookie doesn't protect ur site. Best way is u being the only person that knows how it works.
Cookies are not a complete substitute for prevention of hacking, but much better than having nothing. And definitely u will lose some visitors who don't have cookie support.
cookie steal
and
See the main forum boards as an example: vBulletin. When a user has cookie support, it does not show the session in the URL. When cookies are not supported, the session is carried in the URL.
And why there are many many ways people can play with ur site.
Just session hack is getting popular.
Last edited by ranzit2; 27.12.09, 13:53.
Originally posted by subzero
The best way to stop being hacked is !!!!!
Buy a freelancer !!!!
Ask him to code you a site that no one has; it has to be an unknown script from notepad.
Never hire one here as they only edit a lavalair script!
There's many ways to secure a site and I've listed a lot on various threads; if people can't secure their sites now.... they never will. Just to recap a few points:
1. htmlspecialchars user supplied data
2. sql escape text supplied by the user before insertion
3. typecast ints and bools for insertion
4. never echo back user input unless it's necessary (i.e. you don't need to tell them user "djlee" doesn't exist, they know what they typed in; "user not found" is more than enough and safer)
5. use static or near to static headers for authentication
6. use a private user salt rather than a global salt for passwords
7. authenticate cookies via subdomain to stop xss cookie stealing attacks
8. employ whitelisting where applicable, never blacklisting
9. global fixes never work and never will, never rely on them.
10. turn off magic quotes and do it properly
11. turn off the request header or at least never use it
12. turn reg globals OFF
That's all I can recall off the top of my head, but there's plenty more
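Points 1 to 4 and 6 of the list above, put together in one small registration and login flow. This is an added example, not code from the post: the table, columns and function names are made up, bound parameters stand in for manual SQL escaping, and it assumes the pdo_sqlite extension so it can run against an in-memory database.

```php
<?php
// Added example for points 1-4 and 6 of the list. Table, column and function
// names are made up; the database is in-memory SQLite (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT PRIMARY KEY, pass TEXT, age INTEGER, is_admin INTEGER)');

function register(PDO $db, string $name, string $password, $age, $isAdmin): void
{
    // Point 6: password_hash() draws a new random salt for every user.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    // Point 2: bound parameters are used here in place of manual escaping.
    $stmt = $db->prepare('INSERT INTO users (name, pass, age, is_admin) VALUES (?, ?, ?, ?)');
    $stmt->bindValue(1, $name, PDO::PARAM_STR);
    $stmt->bindValue(2, $hash, PDO::PARAM_STR);
    // Point 3: typecast ints and bools before insertion.
    $stmt->bindValue(3, (int) $age, PDO::PARAM_INT);
    $stmt->bindValue(4, (int) (bool) $isAdmin, PDO::PARAM_INT);
    $stmt->execute();
}

function login(PDO $db, string $name, string $password): string
{
    $stmt = $db->prepare('SELECT pass FROM users WHERE name = ?');
    $stmt->execute([$name]);
    $hash = $stmt->fetchColumn();
    if ($hash === false || !password_verify($password, $hash)) {
        // Point 4: fixed message, the submitted name is not echoed back.
        return 'User not found';
    }
    // Point 1: htmlspecialchars() on user-supplied data when it is output.
    return 'Welcome, ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
}

// Constructed sample input: a name containing a quote and HTML markup.
$name = "dj'lee <b>";
register($db, $name, 'first password', '27 years', 'yes');
register($db, 'other', 'first password', 30, 0);

echo login($db, $name, 'first password'), PHP_EOL;
echo login($db, $name, 'wrong password'), PHP_EOL;
echo login($db, 'nobody', 'x'), PHP_EOL;

// Same password, different stored hashes, because each user has a private salt.
$hashes = $db->query('SELECT pass FROM users')->fetchAll(PDO::FETCH_COLUMN);
var_dump($hashes[0] !== $hashes[1]);
```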
Lol. Cookies are safer than sessions? That's the funniest thing I ever heard.
Ok, so this is the thing, when cookies are stolen, they can be easily figured out especially when the hacker has harvested loads of them. The trend is visible. Believe me, I've tried. Even finding a unique way. Of using a person's UA. Like I have, difficult to figure out, but still possible.
Now comes in sessions. With sessions, saving some sort of UA string, say a substr() salted and hashed, then check against it on each page load. Not just
PHP Code:
if (isset($_SESSION['username']) .......
If hacker is unable to get UA, or does not know, he gets logged out immediately.
But still. Not proof. Just an extra measure. And as you know, every extra measure counts.
Was just thinking and realized a way to make this better.
Well since the session only lasts for as long as a session, you could take the IP as well, but leave out the last 3 numbers as they are likely to change depending on the ISP.
Add it to The UA and hash it.
Unless you share the same ISP or IP range, or the hacker manages to successfully spoof his IP to match the hacked user's IP, this would be great.
But as it was said, if you want to be 100 percent safe, take your server offline. Lmfao.
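The check described in the two posts above (a salted hash of the User-Agent plus the IP without its last part, verified on every page load), written out as an added example that is not code from the thread. The function names and SERVER_SECRET are assumptions, "the last 3 numbers" is read as the last IPv4 octet, and the functions take plain arrays so the script runs from the command line; in a page you would pass $_SESSION and $_SERVER.

```php
<?php
// Added example: names and SERVER_SECRET are assumptions, not code from the thread.
const SERVER_SECRET = 'replace-with-a-long-random-value'; // hypothetical site secret

function client_fingerprint(array $server): string
{
    $ua = $server['HTTP_USER_AGENT'] ?? '';
    $ip = $server['REMOTE_ADDR'] ?? '';
    // Drop the last octet of an IPv4 address, since it may change within one ISP.
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        $ip = implode('.', array_slice(explode('.', $ip), 0, 3));
    }
    // Salted (keyed) hash of UA + network prefix; only the hash is stored.
    return hash_hmac('sha256', $ua . '|' . $ip, SERVER_SECRET);
}

function session_login(array &$session, array $server, string $username): void
{
    $session['username'] = $username;
    $session['fingerprint'] = client_fingerprint($server);
}

// Call on every page load instead of only isset($_SESSION['username']).
function session_is_valid(array $session, array $server): bool
{
    if (!isset($session['username'], $session['fingerprint'])) {
        return false;
    }
    return hash_equals($session['fingerprint'], client_fingerprint($server));
}

// Constructed requests (documentation address ranges, made-up User-Agents).
$ua = 'Opera/9.80 (J2ME/MIDP; Opera Mini/4.2)';
$requests = [
    'owner, same address'        => ['HTTP_USER_AGENT' => $ua, 'REMOTE_ADDR' => '203.0.113.25'],
    'owner, new address in /24'  => ['HTTP_USER_AGENT' => $ua, 'REMOTE_ADDR' => '203.0.113.200'],
    'same network, different UA' => ['HTTP_USER_AGENT' => 'Mozilla/5.0 (X11; Linux x86_64)', 'REMOTE_ADDR' => '203.0.113.25'],
    'same UA, different network' => ['HTTP_USER_AGENT' => $ua, 'REMOTE_ADDR' => '198.51.100.7'],
];

$session = [];
session_login($session, $requests['owner, same address'], 'alice');
foreach ($requests as $label => $server) {
    // In a real page: on a failed check, call session_unset() and session_destroy().
    printf("%-28s %s\n", $label, session_is_valid($session, $server) ? 'accepted' : 'logged out');
}
```

As the posts say, this is an extra measure only: a request from the same address range that presents the same User-Agent still passes the check.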