-
05-19-2004, 09:39 AM #1 | Junior Guru Wannabe | joined Mar 2003 | 70 posts
PHP-Nuke... I am sick of dis hacking now
It has started from the past week. Someone gets into my phpnuke database somehow, removes all the administrators, puts some image or some message on the index file and then leaves.
Since I am not a professional or a web geek for that matter, I don't know what else to do other than go to the database and edit it again. But this is really sickening now, I mean, what do they really get by doing this? I have had my website up for the past 8-9 months and this is the first time it has happened.
My website is not about hacking or anything, so I don't know how these attention-seeking nobodies found my website. Possibly all they want to do is just play around and amuse themselves by bonking other people's websites.
Please let me know what I can do to stop this. I already told my friend about it and he wasn't able to help me out, mainly due to his studies. So PLEASE PLEASE PLEASE, let me know of some ways to make my website more secure against these so-called hackers!
-
05-19-2004, 10:05 AM #2 | Problem Solver | joined Mar 2003 | California USA | 13,681 posts
do you run your own dedicated server?
-
05-19-2004, 10:32 AM #3 | Junior Guru Wannabe | joined Mar 2003 | 70 posts
No, I am not. I am on my friend's reseller account at the moment but we're moving to dedicated in a week's time or so because the site's traffic has increased immensely. So it's obvious that a website with enormous traffic can't manage on a reseller without overload problems. Are you saying that I am facing all this trouble because I am not on a dedicated server?
-
05-19-2004, 10:48 AM #4 | Newbie | joined Oct 2002 | 19 posts
First of all, I would suggest that you make sure you have all of the patches installed as well as strong passwords on your admin accounts.
-
05-19-2004, 10:54 AM #5 | Junior Guru Wannabe | joined Mar 2003 | 70 posts
I think they didn't get into the admin panel by guessing the password because my password is pretty hard and complicated (my friend's phone number, lol). Secondly, I feel they're coming from some IRC channel because every person that comes leaves some reference to IRC in his message.
I am sorry, what do you mean by patches? Sorry if I am acting stupid here. It's just that I don't know a lot about security issues, etc. Thanks anyway!
-
05-19-2004, 10:57 AM #6 | Newbie | joined Oct 2002 | 19 posts
Hate to break it to you, your password isn't very secure.
A password based on only numbers is trivial to crack, but a password with numbers and letters as well as odd characters, such as "F*eFSmy#T" is nearly uncrackable.
-
05-19-2004, 11:01 AM #7 | Newbie | joined Oct 2002 | 19 posts
I would seriously check to make sure that you have all of the patches that have been released by the PHPNuke group.
-
05-19-2004, 12:06 PM #8 | Junior Guru Wannabe | joined Feb 2004 | India | 48 posts
Originally posted by gamer1888
I am sorry, what do you mean by patches? Sorry if I am acting stupid here. It's just that I don't know a lot about security issues, etc. Thanks anyway!
Oops... You should really get a technical person to look into it. I doubt you can do it all alone.
-Devil
-
05-19-2004, 12:50 PM #9 | is a threadkiller | joined Jan 2002 | Ohio | 3,155 posts
There are many posts over at Nuke Cops regarding these hacks (and variants) as well as various patches. Install "Fortress" & UTC. You can get them from nukecops. Don't forget to patch "admin/modules/authors.php".
Also... one really important fix that will greatly improve the security of your site: change the table prefix and user prefix to something other than "nuke" in the config.php file!
You can also apply this code to your "mainfile.php" file. Put it just below the comments, which usually end at line 14. It will stop the "union" SQL injections in their tracks.
```php
// Inspects query-string parameters only ($HTTP_GET_VARS); POST and cookie
// values are not touched by this loop.
foreach ($HTTP_GET_VARS as $secvalue) {
    // eregi(): case-insensitive POSIX regex match
    if ((eregi("<[^>]*script*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*object*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*iframe*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*applet*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*meta*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*style*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*form*\"?[^>]*>", $secvalue)) ||
        (eregi("<[^>]*img*\"?[^>]*>", $secvalue)) ||
        (eregi("\([^>]*\"?[^)]*\)", $secvalue)) ||   // any parenthesised text
        (eregi("./", $secvalue)) ||                   // unescaped dot: any character followed by "/"
        (eregi("union", $secvalue)) ||
        (eregi("_authors", $secvalue)) ||
        (eregi("\"", $secvalue))) {
        die("You cant do that");
        exit; // never reached: die() has already terminated the script
    }
}
```
The creation of "God" admins is due to a hole in "admin/modules/authors.php". A hacker can pass all the data via the address bar to that file to create a God admin that then has to be deleted via phpMyAdmin. The hole is the lack of admin validation before the data is written into the database. They don't need any passwords to break into your site like this.
Don't like what I say? Ignore me.
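An added example, not the poster's code and not part of PHP-Nuke: the GET-value blacklist from the post above, translated from PHP's `eregi()` patterns into Python so its hits and misses can be checked against sample values. The sample inputs are constructed; the only thing taken from the thread is the pattern list and the fact that the loop reads `$HTTP_GET_VARS` alone.

```python
"""Re-implementation of the mainfile.php GET filter posted above (added
example; the patterns are the poster's, translated to Python regex syntax)."""
import re

# PHP's eregi() is a case-insensitive POSIX ERE match; re.IGNORECASE is the
# closest equivalent. "\"" in a PHP double-quoted string is just a quote.
_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r'<[^>]*script*"?[^>]*>',
    r'<[^>]*object*"?[^>]*>',
    r'<[^>]*iframe*"?[^>]*>',
    r'<[^>]*applet*"?[^>]*>',
    r'<[^>]*meta*"?[^>]*>',
    r'<[^>]*style*"?[^>]*>',
    r'<[^>]*form*"?[^>]*>',
    r'<[^>]*img*"?[^>]*>',
    r'\([^>]*"?[^)]*\)',   # any parenthesised text
    r'./',                 # unescaped dot: any character followed by "/"
    r'union',
    r'_authors',
    r'"',
)]

# Query-string value quoted verbatim in the thread.
PAYLOAD = "2 UNION select counter, pwd, aid FROM nuke_authors"


def blocked(value: str) -> bool:
    """True if the posted filter would die() on this single GET value."""
    return any(p.search(value) for p in _PATTERNS)


def survives(get: dict, post: dict) -> dict:
    """What reaches the application after the filter.  Every GET value is
    tested, but the loop never looks at $HTTP_POST_VARS, so identical data
    sent in a POST body passes untouched.  Returns {} when the filter dies."""
    if any(blocked(v) for v in get.values()):
        return {}
    return {**get, **post}


def false_positives(values) -> list:
    """Benign values the filter rejects (constructed inputs)."""
    return [v for v in values if blocked(v)]


if __name__ == "__main__":
    print("payload in GET  ->", survives({"cid": PAYLOAD}, {}))
    print("payload in POST ->", survives({"name": "Web_Links"}, {"cid": PAYLOAD}))
    print("benign but blocked:", false_positives(["reunion", "a/b", "hi (there)", "2"]))
```

Run as written, the canned UNION payload is stopped when it arrives in the query string and passes when the same value is posted; at the same time ordinary values such as "reunion", anything containing "/", or any parenthesised text are rejected. That is the usual shape of a blacklist bolted on in front of string-built SQL: it buys time against the copy-and-paste attacks seen in the thread, but the query itself still needs fixing.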
-
05-19-2004, 12:55 PM #10 | Bula! | joined Aug 2001 | Bay Area - Ca | 302 posts
What version of PHP-Nuke were you running?
I would suggest you install all patches per MGCJerry's post above
or install CPG-Nuke a modified version of PHP-Nuke with integrated security modules.
-
05-19-2004, 01:00 PM #11 | is a threadkiller | joined Jan 2002 | Ohio | 3,155 posts
All nuke versions are vulnerable.
Hell, my site is based on the core code of 5.6 and I tested this on my site and most of them worked, especially the admin hole. I checked my admin section and had 2 God admins I didn't create. Luckily, I had a mod where admins can only log in if they have a valid passcode, which so far is written on paper and physically handed to the admin.
Edit:
Just for some clarification, and more info...
Here is a fine example of something from 200.147.102.179... Yes, I get an email from all hack attempts.
modules.php?name=Web_Links&l_op=viewlink&cid=2 UNION select counter, pwd, aid FROM nuke_authors
The sad thing... These 1337 h4x0rs do not do any homework. The above hack is for the standard nuke download module which I'm not using.
Also, if you're using My_eGallery or coppermine, be sure to patch up as there are serious holes in these for "Cross Site Scripting" (XSS) that allows an attacker to upload scripts to your gallery directory and run them. PAtches are on nukecops, and the devs sites.Don't like what I say? Ignore me.
-
05-19-2004, 01:12 PM #12 | Bula! | joined Aug 2001 | Bay Area - Ca | 302 posts
Yes, indeed all versions are vulnerable. My site was hacked through MyGallery just recently, and the last time I had been hacked was through Admin.
-
05-19-2004, 02:16 PM #13 | WHT Addict | joined Sep 2003 | 134 posts
Might want to ask the host to install mod_security and put some sql injection attack protection in
-
05-19-2004, 02:22 PM #14 | Junior Guru Wannabe | joined Mar 2003 | 70 posts
I went to my phpnuke and there was another news item posted. I never get what these people get by doing this. Just outta my head to figure this out.
Thanks a lot for all your help. I'll start with all the work tonight and see if I can get rid of these hackers. Thanks again!
-
05-19-2004, 02:27 PM #15 | Junior Guru Wannabe | joined Mar 2003 | 70 posts
Hey, I just want to know this. The link about the nukecops that you provided gives two downloads NukeSQL 6.5 and 7.0... are these the versions? If these are, then my phpnuke is 6.8. Which one do I download out of the two?
-
05-19-2004, 03:20 PM #16 | is a threadkiller | joined Jan 2002 | Ohio | 3,155 posts
I dont understand what you're asking.
Can you provide a link to the item in question?
-
05-19-2004, 04:49 PM #17 | Junior Guru Wannabe | joined Mar 2003 | 70 posts
No. It got sorted out. Thanks anyway.
I'll just hope they never get in it again.
Thanks everyone!
-
05-19-2004, 05:17 PM #18 | Newbie | joined Oct 2002 | 19 posts
Just make sure that you have applied the latest version to your site and you should be fine.
-
05-19-2004, 05:42 PM #19 | Newbie | joined Oct 2002 | 19 posts
I never did like PHPNuke very much, seems like too much of a giant hack to me.
-
05-19-2004, 08:37 PM #20 | is a threadkiller | joined Jan 2002 | Ohio | 3,155 posts
Even if you have the latest version, they still have the holes since "FB" is oblivious to all the holes that we keep patching every version. Just make sure you keep an eye on nukecops.
BTW, any script can be a hacker magnet if it is a popular open-source program, especially if it is as popular as PHP-nuke.
Glad you got it all up and running again.
-
05-29-2004, 06:44 PM #21 | Newbie | joined May 2004 | 8 posts
I have a client who recently got hacked: they removed his admin access and defaced the front middle section of the site, thankfully not the entire thing. My question is, do any of you gurus know how I can go in and restore his admin access via phpMyAdmin or from a shell, as well as removing this hacker's privilege? He posted this message on the forum about what he did:
I didn`t do it cause i dont like ur page or something like that. Im comming for the first time here. But with this i just want to make u know that this can happen when u use 'universal' portals. They have a lot of bugs, so this can happen...
-
05-29-2004, 08:05 PM #22 | Junior Guru Wannabe | joined Sep 2003 | 48 posts
CreationNation --
Yah, you just have to remove the accounts in the nuke database; drop them out of there via phpMyAdmin or the MySQL CLI. MySQL-insert your old God account with the encrypted password, or make a new password, and you have control again. Check the earlier post for the code to insert into authors.php; that is where the script kiddies are doing MySQL injection. Pretty big hole, but this will block them. Also check the domlogs of your server, compare that to the time the database was changed (i.e. when they added their God account), get their IP and drop them off the face of your server with iptables or ipfw depending on your OS.
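The clean-up this post describes, as an added example that is not from the thread: list the admin accounts you did not create, then search the web server's access log for who sent an injection string or touched admin.php around the time the authors table changed, and turn the result into the iptables rules the post mentions. The log lines, timestamps, account names and the admin's own IP below are constructed for the example (only 200.147.102.179 and the UNION query string are taken from post #11); the admin.php hits carry no query string because the thread does not show the actual request made against authors.php.

```python
"""Rogue-admin clean-up and access-log correlation (added example)."""
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [19/May/2004:12:30:01 -0400] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
200.147.102.179 - - [19/May/2004:12:40:17 -0400] "GET /modules.php?name=Web_Links&l_op=viewlink&cid=2%20UNION%20select%20counter,%20pwd,%20aid%20FROM%20nuke_authors HTTP/1.1" 200 2210 "-" "Mozilla/4.0"
200.147.102.179 - - [19/May/2004:12:42:55 -0400] "POST /admin.php HTTP/1.1" 200 1834 "-" "Mozilla/4.0"
203.0.113.7 - - [19/May/2004:12:44:10 -0400] "GET /admin.php HTTP/1.1" 200 1834 "-" "Mozilla/4.0"
198.51.100.9 - - [19/May/2004:18:02:33 -0400] "GET /admin.php HTTP/1.1" 200 1834 "-" "Mozilla/4.0"
"""

# Constructed: when the rogue row appeared in nuke_authors (from a backup
# diff, a dump timestamp, or the row itself), the real admin's usual IP,
# and the admin accounts that are supposed to exist.
DB_CHANGED_AT = datetime(2004, 5, 19, 12, 43, 0, tzinfo=timezone(timedelta(hours=-4)))
ADMIN_IPS = frozenset({"203.0.113.7"})
KNOWN_ADMINS = frozenset({"siteowner"})

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+)'
)


def rogue_admins(current_aids, known_aids=KNOWN_ADMINS) -> set:
    """Step 1: every aid in the authors table that you did not create."""
    return set(current_aids) - set(known_aids)


def parse_log(text: str) -> list:
    """Parse combined-format lines into dicts; lines that don't match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["path"] = unquote(e["path"])   # decode %20 etc. before inspecting
        entries.append(e)
    return entries


def suspects(entries, changed_at=DB_CHANGED_AT, window=timedelta(minutes=10),
             admin_ips=ADMIN_IPS) -> dict:
    """Step 2: IPs that sent an injection string, or that hit admin.php
    within `window` of the table change and are not the real admin."""
    found = {}
    for e in entries:
        reasons = []
        q = e["path"].lower()
        if "union" in q or "_authors" in q:
            reasons.append(f"SQL injection in query string at {e['ts']:%H:%M:%S}")
        near_change = abs(e["ts"] - changed_at) <= window
        if e["path"].startswith("/admin.php") and near_change and e["ip"] not in admin_ips:
            reasons.append(f"{e['method']} /admin.php at {e['ts']:%H:%M:%S}, "
                           f"within {window} of the authors table change")
        if reasons:
            found.setdefault(e["ip"], []).extend(reasons)
    return found


def block_rules(ips) -> list:
    """Step 3: one iptables DROP rule per suspect IP, as the post suggests."""
    return [f"iptables -A INPUT -s {ip} -j DROP" for ip in sorted(ips)]


if __name__ == "__main__":
    print("rogue admins:", rogue_admins({"siteowner", "h4x0r"}))
    hits = suspects(parse_log(SAMPLE_LOG))
    for ip, why in hits.items():
        print(ip, "->", "; ".join(why))
    print("\n".join(block_rules(hits)))
```

On the sample log only 200.147.102.179 is flagged, once for the UNION string and once for the admin.php POST two minutes before the table changed; the admin's own admin.php visit is excused by the allowlist and the evening hit falls outside the window. Blocking the IP is the post's advice and is fine as a stop-gap, but the rogue account and the hole it came through still have to be dealt with, since the next visitor will simply come from another address.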
-
05-29-2004, 08:35 PM #23 | is a threadkiller | joined Jan 2002 | Ohio | 3,155 posts
Empty the "authors" table, and restore it from a backup, or just have him create a new one.
Also, for the love of Christ, Satan, God, Buddha, Allah, whoever, change the prefix to something other than "nuke"! Or this will likely happen again with possible future exploits.
After that, patch up... There are a couple packages available for nuke to stop these. "Admin Secure" & "Fortress".
I can't comment specifically on their features and accuracy as I use a custom mod to stop this even when they do have the prefix wrong in their "attack".
-
05-29-2004, 09:24 PM #24 | Junior Guru Wannabe | joined Mar 2002 | 80 posts
I'm curious why no one mentioned PostNuke in this thread? Their whole focus has been on security. They run every variable through a filter and send email to the admin if something doesn't seem right.
After getting defaced twice, I kicked PHPNuke to the curb. I don't have time to deal with all the holes FB refuses to fix in his code.
-
05-29-2004, 11:31 PM #25 | Web Hosting Master | joined Dec 2002 | 1,304 posts
The cult following around php-nuke has always surprised me, having read about the numerous hacks that are still working today to deface the sites of people using it.
Why then do people keep using it? It's not even that cool...