CI hacked - C99madShell
#11

[eluser]mattpointblank[/eluser]
I think it was the authentication; it seems my methods aren't as secure as possible. I'm still a little stumped though as my upload script only allows image files and the shell was .txt - do you think there's a flaw in the upload library as well?
#12

[eluser]Unknown[/eluser]
Are we sure it wasn't a local (directory traversal) attack? I mean, I've seen it happen. Stolen FTP passwords are a constant danger, too, so local virus protection should be a priority.
#13

[eluser]Boztown[/eluser]
Quote: I set a “logged_in” session userdata cookie and check for that

I would at very least make sure you have database sessions turned on. Otherwise anyone could just edit this value in their local cookie. I think so anyways... (?)

Maybe using one of the authentication libraries out there would give you a little more peace of mind as well. I've been using DX_Auth and it's been working out well.
#14

[eluser]physicsdave[/eluser]
CI includes support for database storage of session data. As it is not particularly difficult to alter the data of an unencrypted cookie, if you're storing "is_logged_in" or something similar in a basic cookie, anyone can easily fake a login to your site. If you switch your storage engine to something that keeps the actual data somewhere besides the user's browser, only the session ID is stored in the cookie, greatly increasing the difficulty of faking an authenticated session.

I really like the idea of hashing some of the user's fields for extra security. I've never done that myself but I'll try it in the future (thanks Mike!).

I think the most important part of this is just to understand why your current scheme may be insecure (if you don't already).
#15

[eluser]atno[/eluser]
[quote author="Michael Wales" date="1265246300"]If all you are doing is checking for the value of logged_in, then yes - that's definitely weak and should be changed.

I like to store the user's unique ID in the session as well as a hash of some key fields within their record - then encrypt the entire session. On every page load, validate the hashed fields against their database record.[/quote]

Hey Michael,

Can you please provide some more info like code about this?

Thanks in advance,
atno
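As an added example (not code from this thread, from Michael Wales, or from CodeIgniter itself) of the scheme quoted above: a small CI-style library that stores the user's ID plus an HMAC of key record fields in the session and re-validates it against the database on every request. It assumes CI 1.7/2.x with database sessions and cookie encryption enabled, a `users` table with `id`, `email` and `password_hash` columns, and a hypothetical `auth_hmac_secret` config item.

```php
<?php
// Added example, not code from this thread or from CodeIgniter. Assumes CI 1.7/2.x
// with database sessions and cookie encryption on, so the cookie only carries an
// encrypted session id and the userdata itself stays server-side:
//   $config['sess_use_database'] = TRUE;  $config['sess_encrypt_cookie'] = TRUE;
// Assumed `users` table (id, email, password_hash) and an assumed config item
// 'auth_hmac_secret' holding a long random server-side secret.
class Auth_session {
    private $CI;
    private $secret;

    public function __construct() {
        $this->CI =& get_instance();
        $this->CI->load->library('session');
        $this->CI->load->database();
        $this->secret = $this->CI->config->item('auth_hmac_secret');
    }
    // HMAC over the fields whose change should invalidate existing sessions.
    private function fingerprint(array $user) {
        $data = $user['id'] . '|' . $user['email'] . '|' . $user['password_hash'];
        return hash_hmac('sha256', $data, $this->secret);
    }
    // Constant-time comparison; hash_equals() only exists from PHP 5.6.
    private function same_hash($a, $b) {
        if (function_exists('hash_equals')) return hash_equals($a, $b);
        if (strlen($a) !== strlen($b)) return FALSE;
        $diff = 0;
        for ($i = 0, $n = strlen($a); $i < $n; $i++) $diff |= ord($a[$i]) ^ ord($b[$i]);
        return $diff === 0;
    }
    // Call once, after the password check has succeeded.
    public function login(array $user) {
        $this->CI->session->set_userdata(array(
            'user_id'   => (int) $user['id'],
            'user_hash' => $this->fingerprint($user),
        ));
    }
    // Every request: returns the user row, or FALSE (destroying the session) on mismatch.
    public function current_user() {
        $id   = $this->CI->session->userdata('user_id');
        $hash = $this->CI->session->userdata('user_hash');
        if (empty($id) || empty($hash)) return FALSE;
        $user = $this->CI->db->get_where('users', array('id' => (int) $id))->row_array();
        if (!$user || !$this->same_hash($this->fingerprint($user), $hash)) {
            $this->CI->session->sess_destroy();
            return FALSE;
        }
        return $user;
    }
}
```

Because the fingerprint covers the email and password hash, changing either one invalidates every other session for that account on its next request.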
#16

[eluser]skunkbad[/eluser]
[quote author="bOkI" date="1265257181"]There is possibility that your computer is infected with some trojan virus or similar.
I suggest that you ALWAYS use master password in FTP client to protect saved FTP passwords, and web passwords as well in your web browser.

I would like to see that hook file so if you have content...[/quote]

This is what I was thinking. Change the FTP and control panel login, and make sure to use an encrypted type FTP connection. Even an infected computer on your network could be sniffing network traffic and stealing your regular FTP connection... It happened to me....
#17

[eluser]Tom Schlick[/eluser]
[quote author="atno" date="1265910488"][quote author="Michael Wales" date="1265246300"]If all you are doing is checking for the value of logged_in, then yes - that's definitely weak and should be changed.

I like to store the user's unique ID in the session as well as a hash of some key fields within their record - then encrypt the entire session. On every page load, validate the hashed fields against their database record.[/quote]

Hey Michael,

Can you please provide some more info like code about this?

Thanks in advance,
atno[/quote]

If you don't know how to implement a secure login system I would highly suggest looking at the 10+ auth systems fellow CI coders have come up with. I know Michael Wales just released one which I can't remember the name of. Also there is Ion Auth, DX Auth, Redux..... etc.
#18

[eluser]Ivan A. Zenteno[/eluser]
What are your server permissions on the hooks? Is your password safe? Are you sure nobody stole the FTP password?

It is a shared server with other people.
Also, analyze the web server logs.

Is there any application that has the same permissions as your DocumentRoot, where you have written your hooks?