next »

[elser]

     This morning, someone, somehow introduced dozens of banners in the script, also added millions of impressions to it. The weird part is they did not have any username attached, so they were introduced from outside. BTw, the links of the banner were:

http://www.libertyreserve.com/?ref=U9035749  (belongs to Shiful Mamun)
http://www.inovabux.com/register.php/noone.html
http://www.upbux.com/r?r=noone

Sorry for reff links, just want to discover who is this guy ? 


     Can anyone tell me how he did it? Script bug or msql injection ?

[roshan]

noone


masud.che@gmail.com
   
some ip from rec   

207.211.82.34
64.255.180.45    

[administer]

do you have this code in mysql
REAL_ESCAPE_STRING

Code:

//NOTE: you must be connected to the database to use this function!
// connect to MySQL

$name_bad = "' OR 1'";

$name_bad = mysql_real_escape_string($name_bad);

$query_bad = "SELECT * FROM customers WHERE username = '$name_bad'";
echo "Escaped Bad Injection: <br />" . $query_bad . "<br />";


$name_evil = "'; DELETE FROM customers WHERE 1 or username = '";

$name_evil = mysql_real_escape_string($name_evil);

$query_evil = "SELECT * FROM customers WHERE username = '$name_evil'";
echo "Escaped Evil Injection: <br />" . $query_evil;

[tixepower]

Do you have password protected admin folder? ;<

[jjohnson777]

Your site is tacky with those 4-6 banners I would never join due to it.  Unless making alot from them I would see if things improve without all those banners on your site.

And why would you password protect the admin dir?

[elser]

do you have this code in mysql
REAL_ESCAPE_STRING

Code:

//NOTE: you must be connected to the database to use this function!
// connect to MySQL

$name_bad = "' OR 1'";

$name_bad = mysql_real_escape_string($name_bad);

$query_bad = "SELECT * FROM customers WHERE username = '$name_bad'";
echo "Escaped Bad Injection: <br />" . $query_bad . "<br />";


$name_evil = "'; DELETE FROM customers WHERE 1 or username = '";

$name_evil = mysql_real_escape_string($name_evil);

$query_evil = "SELECT * FROM customers WHERE username = '$name_evil'";
echo "Escaped Evil Injection: <br />" . $query_evil;

Where do I look for that ?

[elser]

Your site is tacky with those 4-6 banners I would never join due to it.  Unless making alot from them I would see if things improve without all those banners on your site.

And why would you password protect the admin dir?

   Nobody is forcing you to join. And yeah, have plenty of banners and I'm aware it looks unprofessional; helps me to get some income, since I have very few sales. I'm not rich like you. 

[maderitescripts]

Your site is tacky with those 4-6 banners I would never join due to it.  Unless making alot from them I would see if things improve without all those banners on your site.

And why would you password protect the admin dir?

hmmm i remember when someone else used to pack all them banners on there like that      pot and kettle bro pot and kettle.

not sure what administer meant with that post sort of lost on that myself

[MUSHY]

Other usernames smopel - email smopel@hotmail.com and is from Bangledesh. Do you want address and phone number too? But really no answers to how he did it - mysql perhaps?

[Delusional]

Where do I look for that ?

he don't know what he is takling about.

you need to sanitize all forms

[maderitescripts]

it was just s imple admin hack actually if you leave username admin theyre gonna getin