Simple way to protect your site from session hacking.


    #16
    hehe then why don't you make your site cookie-based and don't host an uploader lol....



      #17
      The best way to stop being hacked is!!!!!

      Buy a freelancer!!!!

      Ask him to code you a site that no one else has; it has to be an unknown script written from scratch in Notepad.

      Never hire one here, as they only edit a Lavalair script!
      Visit: Chat4u.mobi - The New Lay Of being a site of your dreams!
      Visit: WapMasterz Coming Back Soon!
      _______
      SCRIPTS FOR SALE BY SUBZERO
      Chat4u Script : coding-talk.com/f28/chat4u-mobi-script-only-150-a-17677/ -> Best script for your site; no other can be hacked by SQL or uploaders.
      FileShare Script : coding-talk.com/f28/file-wap-share-6596/ -> An uploader you will never regret buying; yeah, it might be old now, but it still seems to own others...
      _______
      Info & Tips
      php.net
      w3schools.com



        #18
        Originally posted by GiLL:
        No one is safe if a professional hacker wants to hack a site (hacking can range from normal stuff to deleting the full site); he can do it because there are many other ways which we don't know, and we never know beforehand how to secure a site. It's the internet world: you're single, but how many people are trying to shut you down? You don't know. It's just to say: try to secure your site as much as you can. These normal tricks won't work, such as hiding folders etc.; it's just injection things, brute-force attacks, DDoS attacks, MySQL attacks (which I get to know about these days). Try to add/update security if you get any clue, such as where the hole is... best of luck

        Asking others for help doesn't mean you don't know anything.... they may not know which knowledge you have... so share....

        And add this to your .htaccess for even further protection against hacking attempts...

        Code:
        RewriteEngine on

        # Prevent SQL injection attempts.
        # Needs [NC,OR] so it chains with the conditions below: a condition without
        # [OR] is ANDed with the next one, and then the rule almost never fires.
        RewriteCond %{QUERY_STRING} ^.*(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).* [NC,OR]

        # Disable command line hacks via XSS scripting w/ vulnerable PHP options & includes.
        # These are blanket substring matches: a legitimate URL that happens to
        # contain "cmd" or "scp" is blocked too, so test against your own site first.
        RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)chmod(.*) [OR]
        RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)chown(.*) [OR]
        RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)wget(.*) [OR]
        RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)cmd(.*) [OR]
        RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)cd%20(.*) [OR]
        RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)scp(.*) [OR]
        RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)curl(.*) [OR]

        # Disable TRACE & TRACK methods
        RewriteCond %{REQUEST_METHOD} TRACE [OR]
        RewriteCond %{REQUEST_METHOD} TRACK [OR]

        # Other hack prevention, mostly Windows-based.
        # The original wrote [$|\?(.*)] here, which is a character class matching
        # any one of the characters $ | ? ( . * ) rather than "end of string or a
        # query string"; ($|\?.*) is what was meant.
        RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)/winnt/system32/(.*) [NC,OR]
        RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)/winnt/system/(.*) [NC,OR]
        RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)/windows/system32/(.*) [NC,OR]
        RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)/windows/system/(.*) [NC,OR]
        RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)/cmd\.exe($|\?.*) [NC,OR]
        RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)/msadc/root\.exe($|\?.*) [NC,OR]
        RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)\\\.\.(.*) [NC,OR]
        RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)/admin\.dll($|\?.*) [NC,OR]
        RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)/msadcs\.dll($|\?.*) [NC,OR]
        RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)/ext\.dll($|\?.*) [NC,OR]
        # Blocks every path component that starts with a dot (.htaccess, .svn, but also /.well-known/).
        RewriteCond %{REQUEST_URI} (.*)/\.(.*) [NC,OR]
        RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)/php\.exe($|\?.*) [NC,OR]
        RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)\|(.*) [OR]
        # Oversized paths and query strings
        RewriteCond %{REQUEST_URI} (.{255,}) [OR]
        RewriteCond %{QUERY_STRING} (.{127,}) [OR]
        # Control characters and high bytes; the last condition has no [OR] because it ends the chain
        RewriteCond %{REQUEST_URI}?%{QUERY_STRING} [\x00-\x1f]+ [OR]
        RewriteCond %{REQUEST_URI}?%{QUERY_STRING} [\x7f\xff]+
        RewriteRule .* - [F]
        What is this for? Is it new in mod_rewrite?
        Did I help you?
        You can help me too
        Your donations will help me finance my studies.



          #19
          You could just delete all tools altogether lol, that would solve it. Or, as subzero said, pay someone or code your site yourself; then nobody will know how it works. Cookies can make it harder, but it's not foolproof: say I saw your code, even with cookies I could steal sessions. Going from URL to a cookie doesn't protect your site; the best way is you being the only person that knows how it works.



            #20
            Cookies are not a complete substitute for prevention of hacking, but much better than having nothing. And definitely you will lose some visitors who don't have cookie support.
            Cookie stealing: see the main forum boards as an example, e.g. vBulletin. When a user has cookie support, it does not show the session in the URL; when cookies are not supported, the session is carried in the URL.
            And that's why there are many, many ways people can play with your site.
            Just session hacking is getting popular.
            Last edited by ranzit2; 27.12.09, 13:53.
            She is more beautiful than PHP, and I love her more than PHP.
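The cookie-only behaviour described above (vBulletin keeps the session id out of the URL when the browser accepts cookies) is something PHP can enforce outright. The following is an added example, not code from this thread: it switches off the URL fallback, makes the cookie unreadable to script, and audits the running configuration. It assumes PHP 7.3 or later for the array form of session_set_cookie_params().

```php
<?php
// Added example (not from the thread): make PHP sessions cookie-only so the
// session id never travels in the URL, and report settings that would still
// allow it. Assumes PHP >= 7.3.

declare(strict_types=1);

/**
 * Apply cookie-only session settings. Must run before session_start().
 */
function configure_cookie_only_sessions(bool $httpsOnly = true): void
{
    // Never accept a session id from the query string or POST body.
    ini_set('session.use_only_cookies', '1');
    // Never rewrite links and forms to append ?PHPSESSID=... when the cookie is missing.
    ini_set('session.use_trans_sid', '0');
    // Reject ids the server did not generate itself (session fixation).
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,          // session cookie: gone when the browser closes
        'path'     => '/',
        'domain'   => '',         // current host only
        'secure'   => $httpsOnly, // only sent over HTTPS
        'httponly' => true,       // document.cookie cannot read it, so XSS cannot simply copy it
        'samesite' => 'Lax',
    ]);
}

/**
 * Report settings that would still let the id leak into the URL or be read
 * by script. Returns an empty array when the configuration is safe.
 */
function audit_session_ini(): array
{
    $problems = [];
    if (ini_get('session.use_only_cookies') !== '1') {
        $problems[] = 'session.use_only_cookies is off: ?PHPSESSID=... in the URL is accepted';
    }
    if (ini_get('session.use_trans_sid') === '1') {
        $problems[] = 'session.use_trans_sid is on: links are rewritten to carry the session id';
    }
    if (ini_get('session.use_strict_mode') !== '1') {
        $problems[] = 'session.use_strict_mode is off: attacker-chosen ids are accepted (fixation)';
    }
    if (!filter_var(ini_get('session.cookie_httponly'), FILTER_VALIDATE_BOOLEAN)) {
        $problems[] = 'session.cookie_httponly is off: document.cookie can read the id';
    }
    return $problems;
}

/**
 * Call right after a successful password check: a fresh id for the
 * authenticated session, so an id known before login is worthless afterwards.
 */
function start_authenticated_session(string $username): void
{
    session_regenerate_id(true);
    $_SESSION['username']   = $username;
    $_SESSION['login_time'] = time();
}

if (PHP_SAPI === 'cli') {
    configure_cookie_only_sessions();
    $problems = audit_session_ini();
    echo $problems ? implode(PHP_EOL, $problems) : 'session configuration OK', PHP_EOL;
}
```

Run it once from the command line on the host to see which of the four settings the server's php.ini still has wrong; in the web application call configure_cookie_only_sessions() before session_start() and start_authenticated_session() after the password check. The cost is the one the post mentions: visitors whose client refuses cookies cannot log in at all, instead of silently falling back to a session id in the URL.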



              #21
              Originally posted by kei_ki7:
              What is this for? Is it new in mod_rewrite?
              It's also a security measure.

              And if you have your own server, or can ask the server admin, install and configure mod_security.
              Last edited by GiLL; 28.12.09, 01:30.
              left wap stuff



                #22
                I'm not an expert on mod_security, but I have mod_security2 on localhost and session stealing is not fixed by this at all.



                  #23
                  Nice share



                    #24
                    Originally posted by subzero:
                    The best way to stop being hacked is!!!!!

                    Buy a freelancer!!!!

                    Ask him to code you a site that no one else has; it has to be an unknown script written from scratch in Notepad.

                    Never hire one here, as they only edit a Lavalair script!
                    pffff only the noobs
                    Creator of
                    Epix.Mobi

                    Keep an Eye on us Big things coming soon!!!!
                    Need something for your site hit me up here

                    http://coding-talk.com/forum/main-fo...r-your-wapsite



                      #25
                      There are many ways to secure a site, and I've listed a lot on various threads; if people can't secure their sites now.... they never will. Just to recap a few points:

                      1. htmlspecialchars() user-supplied data
                      2. SQL-escape text supplied by the user before insertion
                      3. typecast ints and bools for insertion
                      4. never echo back user input unless it's necessary (i.e. you don't need to tell them user "djlee" doesn't exist; they know what they typed in, "user not found" is more than enough and safer)
                      5. use static or near-to-static headers for authentication
                      6. use a private per-user salt rather than a global salt for passwords
                      7. authenticate cookies via subdomain to stop XSS cookie-stealing attacks
                      8. employ whitelisting where applicable, never blacklisting
                      9. global fixes never work and never will; never rely on them
                      10. turn off magic quotes and do it properly
                      11. turn off the request header, or at least never use it
                      12. turn register_globals OFF
                      That's all I can recall off the top of my head, but there's plenty more.
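Points 1, 2, 3, 4, 6 and 8 of that list fit together in one small login flow. The code below is an added example, not djlee's or this forum's code: it uses PDO with an in-memory SQLite database so it runs stand-alone, and the table, the sample user "djlee" and the sample password are constructed for the demonstration. It assumes PHP 8 (for the mixed type) with the pdo_sqlite extension. Where the post says "SQL escape", the example uses a bound parameter, which is the modern form of the same point; where it says "private user salt", password_hash() generates and stores a random per-user salt on its own.

```php
<?php
// Added example (not from the thread): djlee's points 1, 2, 3, 4, 6 and 8 in
// one login/lookup flow. Assumes PHP 8 with pdo_sqlite; all data is constructed.

declare(strict_types=1);

// Point 8: whitelist the exact shape you accept instead of stripping "bad" characters.
function validate_username(string $raw): ?string
{
    return preg_match('/^[a-z0-9_]{3,20}$/', $raw) === 1 ? $raw : null;
}

// Point 3: cast numbers before they go anywhere near SQL; anything odd becomes a safe default.
function validate_page(mixed $raw): int
{
    $page = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1, 'max_range' => 10000]]);
    return $page === false ? 1 : $page;
}

// Point 1: encode on output, with ENT_QUOTES so the value is safe inside attributes too.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pwhash TEXT)');
    // Point 6: password_hash() embeds a random per-user salt in the hash,
    // so no two users share a salt and no global salt exists to leak.
    $ins = $db->prepare('INSERT INTO users (username, pwhash) VALUES (:u, :p)');
    $ins->execute([':u' => 'djlee', ':p' => password_hash('correct horse battery', PASSWORD_DEFAULT)]);
    return $db;
}

/**
 * Point 2 with a bound parameter rather than manual escaping, and point 4:
 * the caller only ever learns "ok" or "login failed", never whether the
 * username exists.
 */
function login(PDO $db, string $rawUser, string $password): string
{
    static $dummyHash = null;
    $dummyHash ??= password_hash('dummy-for-constant-time', PASSWORD_DEFAULT);

    $user = validate_username($rawUser);
    if ($user === null) {
        return 'login failed';      // same message as a wrong password
    }
    $q = $db->prepare('SELECT pwhash FROM users WHERE username = :u');
    $q->execute([':u' => $user]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    // Verify against a dummy hash when the user is missing, so response time
    // does not reveal whether the account exists.
    $ok = password_verify($password, $row['pwhash'] ?? $dummyHash);
    return ($row !== false && $ok) ? 'ok' : 'login failed';
}

if (PHP_SAPI === 'cli') {
    $db = open_db();
    echo login($db, 'djlee', 'correct horse battery'), PHP_EOL;   // ok
    echo login($db, 'dj lee; --', 'x'), PHP_EOL;                  // login failed (rejected by the whitelist)
    echo login($db, 'nobody', 'x'), PHP_EOL;                      // login failed (same message)
    echo 'page=', validate_page('3 OR 1'), PHP_EOL;               // page=1
    echo h('<b onclick="x">hi</b>'), PHP_EOL;                     // &lt;b onclick=&quot;x&quot;&gt;hi&lt;/b&gt;
}
```

The whitelist in validate_username() is the point-8 idea in its purest form: the function does not know what an attack looks like, it only knows what a username looks like, so nothing unexpected reaches the query at all.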



                        #26
                        Originally posted by subzero:
                        That is true LMAO

                        People can't secure a site
                        My site is secured!



                          #27
                          Lol. Cookies are safer than sessions? That's the funniest thing I ever heard.
                          Ok, so this is the thing: when cookies are stolen, they can be easily figured out, especially when the hacker has harvested loads of them. The trend is visible. Believe me, I've tried. Even finding a unique way of using a person's UA, like I have: difficult to figure out, but still possible.

                          Now come sessions. With sessions, save some sort of UA string, say a substr() salted and hashed, then check against it on each page load. Not just
                          PHP Code:
                           if (isset($_SESSION['username'])) { ... }
                          Take the UA of the user, get your substr and hash it with your salt, then compare to the session-saved UA.

                          If the hacker is unable to get the UA, or does not know it, he gets logged out immediately.

                          But still, not proof. Just an extra measure. And as you know, every extra measure counts.
                          Perfection comes at a cost



                          I accept liberty!



                            #28
                            Was just thinking and realized a way to make this better.
                            Well, since the session only lasts for as long as a session, you could take the IP as well, but leave out the last 3 numbers as they are likely to change depending on the ISP.
                            Add it to the UA and hash it.
                            Unless you share the same ISP or IP range, or the hacker manages to successfully spoof his IP to match the hacked user's IP, this would be great.
                            But as it was said, if you want to be 100 percent safe, take your server offline. Lmfao.
                            Perfection comes at a cost



                            I accept liberty!
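The check sketched in #27 and #28, with the two refinements a defender would want: an HMAC with a server-side key instead of a plain salted hash, and the IP reduced to its network prefix (the last octet dropped, as #28 suggests; the first four groups kept for IPv6) so a mobile user whose address moves inside the carrier's pool is not logged out on every page. This is an added example and not code from either post; it takes the request data as an array argument instead of reading $_SERVER directly so that it can be exercised from the command line, and FINGERPRINT_KEY is a placeholder.

```php
<?php
// Added example (not from the thread): bind a session to a keyed hash of the
// User-Agent and the client IP prefix, as described in #27 and #28.
// FINGERPRINT_KEY is a placeholder; keep the real value outside the web root.

declare(strict_types=1);

const FINGERPRINT_KEY = 'replace-with-a-long-random-secret';

/** IPv4: first three octets (/24). IPv6: first four groups (/64). Unknown: empty. */
function ip_prefix(string $ip): string
{
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
        return implode('.', array_slice(explode('.', $ip), 0, 3));
    }
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
        return substr(bin2hex(inet_pton($ip)), 0, 16);
    }
    return '';
}

/** Keyed hash of UA + IP prefix. An HMAC means a copied session store does not reveal the inputs. */
function session_fingerprint(array $server): string
{
    $ua = substr($server['HTTP_USER_AGENT'] ?? '', 0, 200);
    $ip = ip_prefix($server['REMOTE_ADDR'] ?? '');
    return hash_hmac('sha256', $ua . '|' . $ip, FINGERPRINT_KEY);
}

/** Call once after a successful login; pass $_SESSION and $_SERVER in real code. */
function bind_session(array &$session, array $server): void
{
    $session['fp'] = session_fingerprint($server);
}

/** True when the request matches the stored fingerprint; false means "log out and ask to log in again". */
function session_is_bound(array $session, array $server): bool
{
    if (!isset($session['fp'])) {
        return false;
    }
    return hash_equals($session['fp'], session_fingerprint($server));
}

if (PHP_SAPI === 'cli') {
    // Constructed sample requests.
    $session = [];
    $ua      = 'Mozilla/5.0 (Linux; U; Android 2.1) Opera Mini/5.0';
    bind_session($session, ['HTTP_USER_AGENT' => $ua, 'REMOTE_ADDR' => '203.0.113.45']);

    // Same browser, new address inside the same /24: still the owner.
    var_dump(session_is_bound($session, ['HTTP_USER_AGENT' => $ua, 'REMOTE_ADDR' => '203.0.113.200'])); // bool(true)
    // Same id presented from another network with another client: rejected.
    var_dump(session_is_bound($session, ['HTTP_USER_AGENT' => 'curl/7.19', 'REMOTE_ADDR' => '198.51.100.7'])); // bool(false)
}
```

Treat a mismatch exactly as #27 says, as a forced logout and nothing more: browser updates change the UA string and some carriers proxy users through several prefixes, so a mismatch is not proof of an attack, only a reason to ask for the password again. It also remains the extra measure both posts call it; it does not replace keeping the id out of the URL or regenerating it at login.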

