Credit Card Fraud
Thursday 24th May, 2007 16:22
I'm not going to name names, but I was sent the log files from a server that may have been compromised, as a few of the company's customers had information missing from the database and had discovered fraudulent charges on their credit card. It didn't take me long to spot the glaringly obvious activity. It seems one of the pages (although I wouldn't be surprised if other places are potentially affected) allowed SQL injection. This is probably the best example I've seen of why you need to escape and filter user input before performing a query. The attacker(s) had knowledge of the database, probably from previous attacks, and were able to retrieve everything that's required to perform credit card fraud, including the three-digit CVV number. That's the type of card, the number, the name on the credit card, the full address, even the home phone number. The logs revealed IP addresses that were predominantly based in Vietnam, but one was based in Texas and appears to be a web server that displays the Fedora Core default page and has presumably been compromised. One of the IPs appears to be a web admin interface for a DSL router that has probably been compromised using default usernames and passwords. They appear to have covered their tracks quite well. The server logs go back for years, so it should be possible to work out when the activity started, but it's too late for the many people that have already had their details stolen. So make sure you always correctly filter and escape user input. If you're expecting an integer, the first thing you should do is make sure you've been given an integer. Imagine if it were your details that were stolen.
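To make the closing advice concrete, here is an added example (written for this page, not code from the original post or from the affected site) that puts the flawed lookup beside a hardened one. The table layout, the customer rows and the `cards` name are all constructed for the demonstration; `parse_customer_id` and `lookup_hardened` are illustrative names, not anything the post mentions. The vulnerable version pastes the request value straight into the SQL text, so a value that is not an integer changes the query; the hardened version first checks that the value really is an integer and then binds it as a query parameter, so the database driver never treats it as SQL.

```python
import re
import sqlite3

# Constructed sample data standing in for the customer table the post describes.
# (Holding the CVV at all is prohibited by PCI DSS; it appears here only to mirror
# the columns the post says were read out.)
SAMPLE_ROWS = [
    (1, "visa", "4111111111111111", "123", "Alice Example", "1 High St", "555-0100"),
    (2, "mastercard", "5555555555554444", "456", "Bob Example", "2 Low St", "555-0101"),
]

# An id is a short run of digits and nothing else.
ID_PATTERN = re.compile(r"[0-9]{1,9}")


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cards (id INTEGER PRIMARY KEY, card_type TEXT, number TEXT,"
        " cvv TEXT, name TEXT, address TEXT, phone TEXT)"
    )
    conn.executemany("INSERT INTO cards VALUES (?, ?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, raw_id: str) -> list:
    """The anti-pattern the post warns about: request input interpolated into SQL text."""
    sql = f"SELECT name, number, cvv FROM cards WHERE id = {raw_id}"
    return conn.execute(sql).fetchall()


def parse_customer_id(raw_id: str) -> int:
    """Refuse anything that is not a plain integer before it gets anywhere near SQL."""
    if not ID_PATTERN.fullmatch(raw_id.strip()):
        raise ValueError(f"invalid customer id: {raw_id!r}")
    return int(raw_id)


def lookup_hardened(conn: sqlite3.Connection, raw_id: str) -> list:
    """Validate the type first, then bind the value as a parameter instead of interpolating it."""
    customer_id = parse_customer_id(raw_id)
    return conn.execute(
        "SELECT name, number, cvv FROM cards WHERE id = ?", (customer_id,)
    ).fetchall()


def rejects(raw_id: str) -> bool:
    """True if the hardened path refuses the input outright."""
    try:
        parse_customer_id(raw_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    for probe in ("1", "1 OR 1=1"):
        hardened = "rejected" if rejects(probe) else f"{len(lookup_hardened(db, probe))} rows"
        print(f"{probe!r}: vulnerable -> {len(lookup_vulnerable(db, probe))} rows; hardened -> {hardened}")
```

Run it and the vulnerable lookup returns both customers for the second probe because the extra text becomes part of the WHERE clause, while the hardened lookup never executes a query for it. The two defences are deliberately layered: the integer check catches bad input early and gives a clear error, and parameter binding protects the query even if a later code path forgets the check.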
© Robert Nicholls 2002-2024