I got hacked. Yup, just recently a player of ours found a SQL injection point in one of our games. Yes, I know I preach a lot about security, the hows and the whys, but hey, I'm human. Sometimes I just code stuff without thinking and I put up bad code just because it works. This article, though, isn't about preaching writing good secure code and scrubbing your data etc. We have enough of those articles on the web. What I want to talk about is what you can do to find out how you were hacked, something not covered or discussed a lot.
I've been hacked so many times I can't even count them anymore, so over time I've learned how to find out how the hack took place and fix it. When you're looking at your game there are just so many lines of code and SQL statements that it's way too daunting to look through every line of code in the game. You need to take action and you need to take it now.
First thing to know is a little .htaccess. Why? You need to shut your site down temporarily. You don't know how far the information has traveled; it all depends on when it happened vs. when you were told or discovered it. We are going under the assumption now that you need to get the site down so you can investigate. To do this, edit or add the following lines to your .htaccess file in the first public directory of your web site.
AuthName "restricted stuff"
AuthType Basic
AuthUserFile "htpasswd.acl"
require valid-user
Normally what this does is make the Apache web server prompt you for a user name and password. Once entered, it looks at a file called htpasswd.acl on your server. This file holds user names and encrypted passwords, but we don't want or even need the file. Because the file doesn't exist, no one has access to the game via the web, including you. You don't need access right now; what you need is time to look at your log files! Ok, so now your site is closed.
Next is to find your Apache log files. There are so many variations between server installations that I can't even begin to tell you where they might be located. If you don't know where they are now, find them and commit them to memory, a sticky note or anything, just know where they are. On our recent hack we found out that we only had a day's worth of web logs, not good. We have since changed that to store 3 days' worth of logs; you should find out and do the same. If you only have one game running I would recommend storing at least 5 days of logs. Just because someone breaches your server on day one doesn't mean they'll exploit it then; most know that server logs, because of their size, rotate out of existence. Luckily our latest hacker couldn't resist exploiting what he had found, which was to our benefit.
At this point it comes down to knowing what to look for. Either download the Apache log files or just ssh into the server; either way, pull up the logs in your favorite text editor. Now we need to find a query string that is way out of the norm for the game in question. There are many ways to do this, but someone trying to exploit your game via SQL injection is going to try some standard attacks. Search the Apache log file for SELECT, UNION or 1=1. These are the most common ways to probe the database; some more elegant hacks use other methods, and if that happens then you are going to have to go line by line to find where it happened. Hopefully, though, you'll hit upon one of the three things I mentioned, and now you'll have the page and query parameter they are exploiting. Fix it, delete the .htaccess file, and your game is up and running (minus any fixing you might have to do to player accounts).
Most players who have found SQL injection holes on my sites actually tell me they found the hole and never exploit it for personal gain. Unfortunately, though, you can't always rely on this, so knowing the above will hopefully aid you in finding and fixing the exploit.
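As an added example (not part of the original post), here is a small Python script that does the search described above over Apache log lines. It goes one step past a plain text search: it URL-decodes every query parameter before looking for SELECT, UNION or 1=1, so encoded attempts (%27, %3D, + for spaces) are not missed, and it reports which page and which parameter was probed. The log lines, IP addresses and paths in it are constructed samples, not data from any real server.

```python
import re
import sys
from urllib.parse import urlsplit, parse_qsl

# Matches the start of an Apache common/combined log line: client IP, timestamp,
# and the request line. Only the request target is needed for this triage.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)

# The three markers the article suggests searching for. They are compared against
# the URL-decoded parameter value, so %20 / + / %3D encodings cannot hide them.
MARKERS = ("SELECT", "UNION", "1=1")

def find_injection_attempts(lines):
    """Return (ip, timestamp, path, parameter, decoded_value) for every query
    parameter whose decoded value contains one of MARKERS. Treat hits as leads
    to review by hand: a legitimate value like 'selection' will also match."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the scan
        url = urlsplit(m.group("target"))
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if any(marker in value.upper() for marker in MARKERS):
                hits.append((m.group("ip"), m.group("ts"), url.path, name, value))
    return hits

def suspect_parameters(hits):
    """Collapse hits to the distinct (page, parameter) pairs that were probed."""
    return sorted({(path, name) for _, _, path, name, _ in hits})

# Constructed sample lines (not from any real server) in Apache combined format.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /game/profile.php?id=42 HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /game/profile.php?id=42%27+OR+1%3D1-- HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:56:02 +0000] "GET /game/profile.php?id=42+UNION+SELECT+1,2,3-- HTTP/1.1" 500 310 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:57:10 +0000] "GET /game/shop.php?item=sword&sort=price HTTP/1.1" 200 1800 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    # Pass a log path to scan a real file; with no argument the constructed sample is used.
    lines = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG
    found = find_injection_attempts(lines)
    for ip, ts, path, name, value in found:
        print(f"{ts} {ip} {path} param={name!r} value={value!r}")
    print("suspect page/parameter pairs:", suspect_parameters(found))
```

Run it against your own access log with the file path as the first argument; the summary at the end is the list of page and parameter pairs worth auditing first.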