Page 1 of 2 12 LastLast
Results 1 to 25 of 27
  1. #1
    Join Date
    Mar 2003
    Posts
    70

    PHP-Nuke... I am sick of dis hacking now

    It started in the past week. Someone gets into my phpnuke database somehow and they remove all the administrators, put some image or some message on the index file and then leave.

    Since I am not a professional or a web geek for that matter, I don't know what else to do than just go to the database and edit it again. But this is really sickening now, I mean, what do they really get by doing this? I have had my website up for the past 8-9 months and this is the first time it has happened.

    My website is not about hacking or anything so I don't know how these attention-seeking nobodies found my website. Possibly all they want to do is just play around and amuse themselves by bonking other peoplez websites.

    Please let me know what I can do to stop this. I already told my friend about it and he wasn't able to help me out mainly due to his studies. So PLEASE PLEASE PLEASE, let me know of some ways to make my website more secure against these so-called hackers!

  2. #2
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,681
    do you run your own dedicated server?
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  3. #3
    Join Date
    Mar 2003
    Posts
    70
    No, I am not. I am on my friend's reseller account at the moment but we're moving to dedicated in a weekz time or so because the site's traffic has increased immensely. So it's obvious that a website with enormous traffic can't manage on a reseller without overload problems. Are you saying that I am facing all this trouble because I am not on a dedicated server?

  4. #4
    First of all, I would suggest that you make sure you have all of the patches installed as well as strong passwords on your admin accounts.

  5. #5
    Join Date
    Mar 2003
    Posts
    70
    I think they didn't get into the admin panel by guessing the password because my password is pretty hard and complicated (my friend's phone number, lol). Secondly, I feel they're coming from some IRC channel because every person that comes leaves some reference to IRC in his message.

    I am sorry, what do you mean by patches? Sorry if I am acting stupid here. It's just that I don't know a lot about security issues, etc. Thanks anyway!

  6. #6
    Hate to break it to you, your password isn't very secure.

    A password based on only numbers is trivial to crack, but a password with numbers and letters as well as odd characters, such as "F*eFSmy#T" is nearly uncrackable.

  7. #7
    I would seriously check to make sure that you have all of the patches that have been released by the PHPNuke group.

  8. #8
    Join Date
    Feb 2004
    Location
    India
    Posts
    48
    Originally posted by gamer1888

    I am sorry, what do you mean by patches? Sorry if I am acting stupid here. It's just that I don't know a lot about security issues, etc. Thanks anyway!
    Hi,

    Oops... You should really get a technical person to look into it. I doubt you can do it all alone.


    -Devil

  9. #9
    Join Date
    Jan 2002
    Location
    Ohio
    Posts
    3,155
    There are many posts over at Nuke Cops regarding these hacks (and variants) as well as various patches. Install "Fortress" & UTC. You can get them from nukecops. Don't forget to patch "admin/modules/authors.php".

    Also... One really important fix that will greatly improve the security of your site. Change the table prefix and user prefix to something other than "nuke" in the config.php file!.

    You can also apply this code to your "mainfile.php" file. Put it just below the comments, which usually end at line 14. It will stop the "union" SQL injections in their tracks.

    PHP Code:
    // Reject the request if any GET parameter contains an HTML tag, a
    // parenthesised expression, any character followed by a slash, the word
    // "union", a reference to the _authors table, or a double quote.
    foreach ($HTTP_GET_VARS as $secvalue) {
        if ((eregi("<[^>]*script*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*object*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*iframe*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*applet*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*meta*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*style*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*form*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*img*\"?[^>]*>", $secvalue)) ||
            (eregi("\([^>]*\"?[^)]*\)", $secvalue)) ||
            (eregi("./", $secvalue)) ||
            (eregi("union", $secvalue)) ||
            (eregi("_authors", $secvalue)) ||
            (eregi("\"", $secvalue))) {
            // die() prints the message and stops the script here.
            die("You cant do that");
        }
    }

    Good luck.

    The creation of "God" admins is due to a hole in "admin/modules/authors.php". A hacker can pass all the data via address bar to that file to create a god admin that has to be deleted via phpmyadmin. The hole is the lack of admin validation before the data is written into the database. They don't need any passwords to break into your site like this.
    Don't like what I say? Ignore me.

  10. #10
    Join Date
    Aug 2001
    Location
    Bay Area - Ca
    Posts
    302
    What version of PHP-Nuke were you running??

    I would suggest you install all patches per MGCJerry's post above
    or install CPG-Nuke a modified version of PHP-Nuke with integrated security modules.

  11. #11
    Join Date
    Jan 2002
    Location
    Ohio
    Posts
    3,155
    All nuke versions are vulnerable.

    Hell, my site is based on the core code of 5.6 and I tested this on my site and most of them worked, especially the admin hole. I checked my admin section and had 2 God admins I didn't create. Luckily, I had a mod where admins can only login if they have a valid passcode which so far is written on paper, and physically handed to the admin.

    Edit:
    Just for some clarification, and more info...

    Here is a fine example of something from 200.147.102.179... Yes, I get an email from all hack attempts.

    modules.php?name=Web_Links&l_op=viewlink&cid=2 UNION select counter, pwd, aid FROM nuke_authors
    This will return a list of all nuke admins, and an attacker could forge a cookie using this info to gain admin privileges. This is the older hack. Changing your prefixes will negate these completely. Notice the "nuke_authors" in the address bar. If you change the prefix, this will not work...

    The sad thing... These 1337 h4x0rs do not do any homework. The above hack is for the standard nuke download module which I'm not using.

    Also, if you're using My_eGallery or coppermine, be sure to patch up as there are serious holes in these for "Cross Site Scripting" (XSS) that allow an attacker to upload scripts to your gallery directory and run them. Patches are on nukecops, and the devs' sites.
    Don't like what I say? Ignore me.
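To make the two points above concrete (the UNION in the address bar pulls rows out of the authors table, and renaming the "nuke" prefix breaks that hard-coded request), here is an added example that is not from the thread or from PHP-Nuke. It reproduces the thread's exact cid value against a constructed in-memory SQLite stand-in (the "links_links" table name is an assumption; only "authors" comes from the thread) and then shows the fix that works regardless of prefix: binding the parameter instead of pasting it into the SQL.

```python
import sqlite3

# Constructed in-memory stand-in for the two tables involved. "links_links"
# is an assumed name for the Web_Links module table; only "authors" is
# named in the thread.
def make_db(prefix="nuke_"):
    db = sqlite3.connect(":memory:")
    db.execute(f"CREATE TABLE {prefix}links_links (lid INTEGER, cid INTEGER, title TEXT)")
    db.execute(f"CREATE TABLE {prefix}authors (aid TEXT, pwd TEXT, counter INTEGER)")
    db.execute(f"INSERT INTO {prefix}links_links VALUES (1, 2, 'Example link')")
    db.execute(f"INSERT INTO {prefix}authors VALUES ('God', 'md5-placeholder', 0)")
    return db

# The cid value exactly as it appeared in the address bar in the thread.
PAYLOAD = "2 UNION select counter, pwd, aid FROM nuke_authors"

def vulnerable_lookup(db, prefix, cid):
    # The bug: the request parameter is pasted into the SQL text, so the
    # attacker's UNION becomes part of the statement the database runs.
    sql = f"SELECT lid, title, cid FROM {prefix}links_links WHERE cid={cid}"
    return db.execute(sql).fetchall()

def safe_lookup(db, prefix, cid):
    # The real fix: bind the value, so it can only ever be compared to cid.
    # (prefix comes from config.php, not from the request, so using it to
    # build the table name is fine.)
    sql = f"SELECT lid, title, cid FROM {prefix}links_links WHERE cid=?"
    return db.execute(sql, (cid,)).fetchall()

def leaks_authors(rows):
    # True if any returned row carries the placeholder password hash.
    return any("md5-placeholder" in row for row in rows)

def try_with_prefix(prefix):
    # Run the vulnerable query against a database using the given prefix.
    # Returns the rows, or the database's error message if the query failed.
    try:
        return vulnerable_lookup(make_db(prefix), prefix, PAYLOAD)
    except sqlite3.OperationalError as err:
        return str(err)

if __name__ == "__main__":
    print("nuke_ prefix: ", try_with_prefix("nuke_"))    # authors row comes back
    print("site7_ prefix:", try_with_prefix("site7_"))   # no such table: nuke_authors
    print("bound param:  ", safe_lookup(make_db(), "nuke_", PAYLOAD))  # []
```

The prefix change only defeats requests that hard-code "nuke_"; the bound parameter defeats the injection itself, which is why it is the fix to aim for once a technical person is looking at the code.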

  12. #12
    Join Date
    Aug 2001
    Location
    Bay Area - Ca
    Posts
    302
    Yes, indeed all versions are vulnerable. My site was hacked through MyGallery just recently and the last time I had been hacked was through Admin.

  13. #13
    Might want to ask the host to install mod_security and put some sql injection attack protection in
    http://www.baddabinghosting.com
    info@baddabinghosting.com
    MSN - Support@baddabinghosting.com
    AIM - Badda Bing 0003

  14. #14
    Join Date
    Mar 2003
    Posts
    70
    I went to my phpnuke and there was another news item posted. I never get what these people get by doing this. Just outta my head to figure this out.

    Thanks a lot for all your help. I'll start with all the work tonight and see if I can get rid of these hackers. Thanks again!

  15. #15
    Join Date
    Mar 2003
    Posts
    70
    Hey, I just want to know this. The link about the nukecops that you provided gives two downloads NukeSQL 6.5 and 7.0... are these the versions? If these are, then my phpnuke is 6.8. Which one do I download out of the two?

  16. #16
    Join Date
    Jan 2002
    Location
    Ohio
    Posts
    3,155
    I don't understand what you're asking.

    Can you provide a link of the item in question?
    Don't like what I say? Ignore me.

  17. #17
    Join Date
    Mar 2003
    Posts
    70
    No. It got sorted out. Thanks anyway.
    I'll just hope they never get in it again.
    Thanks everyone!

  18. #18
    Just make sure that you have applied the latest version to your site and you should be fine.

  19. #19
    I never did like PHPNuke very much, seems like too much of a giant hack to me.

  20. #20
    Join Date
    Jan 2002
    Location
    Ohio
    Posts
    3,155
    Even if you have the latest version, they still have the holes since "FB" is oblivious to all the holes that we keep patching every version. Just make sure you keep an eye on nukecops.

    BTW, any script can be a hacker magnet if it is a popular open-source program, especially if it is as popular as PHP-nuke.

    Glad you got it all up and running again.
    Don't like what I say? Ignore me.

  21. #21
    I have a client who recently got hacked and they removed his admin access and defaced the front middle section of the site, thankfully not the entire thing. My question is, do any of you gurus know how I can go in and restore his admin access via PHPMyAdmin or from shell, as well as removing this hacker's privilege? He posted this message on the forum about what he did:

    I didn`t do it cause i dont like ur page or something like that. Im comming for the first time here. But with this i just want to make u know that this can happen when u use 'universal' portals. They have a lot of bugs, so this can happen...
    Any help appreciated.

  22. #22
    Join Date
    Sep 2003
    Posts
    48
    CreationNation --

    Yah, you just have to remove the accounts in the nuke database; drop them out of there via phpmyadmin or CLI in mysql. MySQL insert your old god account and encrypted password, or make a new password, and you have control again. Check in the earlier post for the code to insert into authors.php; that is where the script kiddies are doing mysql injection. Pretty big hole, but this will block them. Also check the domlogs of your server and compare that to the time the database was changed (i.e. when they added their god account), get their IP and drop them off the face of your server with iptables or ipfw depending on your OS.
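The domlog check described above, and the request format shown earlier in the thread, as an added example that is not from the thread or from any PHP-Nuke package: it parses constructed Apache combined-format lines (the first IP is the one quoted earlier in the thread; the other addresses, times and sizes are made up), flags requests whose decoded query string carries the same two markers the mainfile.php filter keys on (a UNION ... SELECT or a reference to the _authors table), and then lists the IPs that made such a request in the window just before the database was changed.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Constructed Apache combined-format lines (see the lead-in).
SAMPLE_LOG = """\
200.147.102.179 - - [14/Mar/2004:02:11:07 -0500] "GET /modules.php?name=Web_Links&l_op=viewlink&cid=2%20UNION%20select%20counter,%20pwd,%20aid%20FROM%20nuke_authors HTTP/1.1" 200 5120
10.0.0.5 - - [14/Mar/2004:02:12:30 -0500] "GET /modules.php?name=News&file=article&sid=12 HTTP/1.1" 200 8801
192.0.2.44 - - [14/Mar/2004:05:40:12 -0500] "GET /modules.php?name=Web_Links&l_op=viewlink&cid=2%20UNION%20select%20counter,%20pwd,%20aid%20FROM%20nuke_authors HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"
# The two markers the thread's mainfile.php filter keys on: "union ... select"
# and any reference to the *_authors table. Matched case-insensitively.
SUSPECT = re.compile(r"\bunion\b.*\bselect\b|_authors\b", re.IGNORECASE)

def parse_line(line):
    """Return (ip, timestamp, decoded request path, status) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, stamp, path, status = m.groups()
    # URL-decode so %20-encoded SQL is visible to the pattern.
    return ip, datetime.strptime(stamp, TIME_FMT), unquote_plus(path), int(status)

def suspicious_requests(log_text):
    """All parsed requests whose decoded path matches SUSPECT."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and SUSPECT.search(rec[2]):
            hits.append(rec)
    return hits

def ips_near(hits, db_changed_at, window_minutes=30):
    """IPs with a suspicious request in the window ending at db_changed_at
    (given in the log's own timestamp format, e.g. from phpmyadmin's
    record of when the extra god admin appeared)."""
    end = datetime.strptime(db_changed_at, TIME_FMT)
    start = end - timedelta(minutes=window_minutes)
    return sorted({ip for ip, when, _, _ in hits if start <= when <= end})

if __name__ == "__main__":
    hits = suspicious_requests(SAMPLE_LOG)
    for ip, when, path, status in hits:
        print(when.isoformat(), ip, status, path)
    print("candidates:", ips_near(hits, "14/Mar/2004:02:20:00 -0500"))
```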

  23. #23
    Join Date
    Jan 2002
    Location
    Ohio
    Posts
    3,155
    Empty the "authors" table, and restore it from a backup, or just have him create a new one.

    Also, for the love of Christ, Satan, God, Buddha, Allah, whoever, change the prefix to something other than "nuke"! Or this will likely happen again with possible future exploits.

    After that, patch up... There are a couple packages available for nuke to stop these. "Admin Secure" & "Fortress".

    I can't comment specifically on their features and accuracy as I use a custom mod to stop this even when they do have the prefix wrong in their "attack".
    Don't like what I say? Ignore me.

  24. #24
    I'm curious why no one mentioned PostNuke in this thread? Their whole focus has been on security. They run every variable through a filter and send email to the admin if something doesn't seem right.

    After getting defaced twice, I kicked PHPNuke to the curb. I don't have time to deal with all the holes FB refuses to fix in his code.
    Atomm Nihilo | GamersRadio.com | Joomla Game Templates
    Arcade Games Directory |RTFG.net - Read The Fing Google!

  25. #25
    The cult following around php-nuke has always surprised me having read about the numerous hacks that are still working today to deface the sites of people using it.

    Why then do people keep using it? It's not even that cool...
    "The only difference between a poor person and a rich person is what they do in their spare time."
    "If youth is wasted on the young, then retirement is wasted on the old"

