HACKED Dreamweaver Developer Toolbox

Report · Jun 09, 2009

I make the back-end of my websites with Dreamweaver Developer Toolbox. Yesterday for the first time one site got HACKED.

All data entry said HACKED and there was a photo of a guy. What can I do to protect my sites? The host says there is a "gap in the script" which made it possible to hack the website and fill the database.

Thanks for helping me out..

Report · Jun 09, 2009

This was your database?

If so then it is possible that your site suffered from an sql injection problem. Was this from a password protected part of your site?

PZ

Report · Jun 09, 2009

Yes, the back-end to update the website was password-protected. How do they do sql-injection?

How can I protect and is this really a gap in the Developer Toolbox scripts?

All the datas contained where overwritten with things like:

HACKED,Trk_Komando | SYSTEM OWNED| StRiCt Dark , HESABINI VERECEKSINIZ TEKER TEKER ... Benım Vatanımda Ezan Susmaz Bayrak Inmez Ya Sev Yada Terk Et! || NE MUTLU TÜRKÜM DIYENE...!!!! | HACKED SavcıHackTeam ~StRiCt Dark ~ SpeArLine ~ RéoxqinG ~ Mr.BLacK ~ karayipliler ~ starwars ~

etc.

I also have found this entry:

http://img199.imageshack.us/img199/6091/desingedburak.jpg

Thankx for answering!

Report · Jun 09, 2009

It's not specific to the ADDT, but something that can happen on most websites at the moment.

The problem is that many people doing web design/development are completely unaware of the various security issues,

For a description of sql injection try: http://en.wikipedia.org/wiki/SQL_injection

It may also be that they have hacked into the password protected part of the site or 'found' your connection script, this is why simply allowing dreamweaver to do everything for you without a knowledge of security issues can be fatal (as your problem proves)

A good book if you wish to learn more is:

Essential PHP Security (Paperback)

by Chris Shiflett

PZ

Report · Jun 09, 2009

So I changed the password, made it more difficult (does this help?). But how could I protect my connection script?

Xxx

Report · Jun 09, 2009

You could restrict access to the folder and only allow your site access.

Any change from providing a normal type of password is better, always use a combination of random letters and numbers. as many hackers have scripts that can run through a combination of names or variables there of.

Also have you set up the log-in page to only allow three log-in attempts then lock-out that page for (say) 30 mins?

PZ