2McAbre
New Member
Joined: Feb 16, 2005
Posts: 20
Posted: Tue Mar 15, 2005 10:32 am

Just thought to drop a note to let everyone know that someone tried to add themselves as a "God" admin at my little old site!

Thanks to Nuke Sentinel they did not get in.

Wanted to pass on the info for those that may wish to take advanced cautionary action. Just in case.

Attempted Author String (broken so it won't scroll)
User Agent: Mozilla 4.0 (Linux)

Code:
2mcabre.com/admin.php?
op=AddAuthor&add_aid=kiegera&
add_name=Goda&add_pwd=playboya&
add_email=r00t_System@hush.com&
add_radminsuper=1&admin=eCcgVU5JT04gU0VMRUNUIDEvKjox


He's not even shy as to what his goal was :) Look at the email address.

Location: TURKEY (high) [City: Istanbul, Istanbul]
IP 81.213.198.55

Or for the more hard core blockers the CIDR is…

81.213.128.0/17

And yes, I know I could rename my admin.php file, but seriously? Other than as my own added security feature, that is almost admitting to "them" that they win.
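The request quoted in the post above can be screened for in web server logs. The following is an added example, not part of the original post and not NukeSentinel code: it parses an admin.php request, flags the AddAuthor and add_radminsuper combination, and base64-decodes the admin parameter to look for SQL syntax. The function names and the token list are assumptions; the first sample is the string from the post, the second is constructed.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Assumed token list for this example; tune it for your own logs.
SQL_TOKENS = re.compile(r"union\s+select|/\*|--|'", re.IGNORECASE)

def decode_admin(value):
    """Base64-decode the admin parameter; None if it is not valid base64."""
    value = value.replace(" ", "+")  # parse_qs turns '+' into a space
    try:
        padded = value + "=" * (-len(value) % 4)
        return base64.b64decode(padded, validate=True).decode("latin-1")
    except (binascii.Error, ValueError):
        return None

def inspect_request(url):
    """Return the reasons a request looks hostile (empty list = nothing found)."""
    parts = urlsplit(url if "//" in url else "//" + url)
    if not parts.path.lower().endswith("admin.php"):
        return []
    query = parse_qs(parts.query, keep_blank_values=True)
    reasons = []
    if query.get("op") == ["AddAuthor"]:
        reasons.append("AddAuthor requested through the query string")
        if query.get("add_radminsuper") == ["1"]:
            reasons.append("new account asks for superuser rights")
    for raw in query.get("admin", []):
        decoded = decode_admin(raw)
        if decoded and SQL_TOKENS.search(decoded):
            reasons.append("admin value decodes to SQL syntax: %r" % decoded)
    return reasons

# First entry: the request from the post. Second: constructed benign request.
SAMPLES = [
    "2mcabre.com/admin.php?op=AddAuthor&add_aid=kiegera&add_name=Goda"
    "&add_pwd=playboya&add_email=r00t_System@hush.com"
    "&add_radminsuper=1&admin=eCcgVU5JT04gU0VMRUNUIDEvKjox",
    "example.org/admin.php?op=mod_authors",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url.split("?")[0], inspect_request(url) or "clean")
```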

Trubador
Regular
Joined: Dec 28, 2004
Posts: 94
Posted: Tue Mar 15, 2005 3:07 pm

Just noticed your post m8.... had the same hack attempt by the same IP. Just made another post.


Looks like someone's been busy.

Trub

Digital-Overload
Hangin' Around
Joined: May 13, 2005
Posts: 26
Posted: Fri May 13, 2005 12:06 pm

He's Hit My Site TWICE.. In the Last 2 Days.

lmao first time he said update my script..

second time he said install sentinel or he'll take over the site!..

wtf.. why is the douche helping me for???

hitwalker
Sells PC To Pay For Divorce
Joined:
Posts: 5661
Posted: Fri May 13, 2005 12:18 pm

well this is just one of the many remote attempts we see all the time so posting this is very useless.
unfortunately they are just strings picked up by dozens of idiots on the web, from Turkey to Brazil...
all they do is try it out and the luck they have is getting less by the day.
until they find an idiot that runs phpnuke 5.0.

Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 16986
Location: Kansas
Posted: Fri May 13, 2005 12:38 pm

The following 4 CIDRs are all Turkey and have tried multiple types of attacks. In case you don't understand CIDR coding, the /16 means all IP ranges with the last 2 octets covered inclusively (81.212.0.0 - 81.212.255.255). It could also be written to include all with one CIDR, but I need to be able to make exceptions.

81.212.0.0/16
81.213.0.0/16
81.214.0.0/16
81.215.0.0/16

I have all of them banned through IPTABLES. That way the Linux Kernel actually rejects their packets from any protocol on my servers. I do have one exception coded, which I will not detail, as there is a legitimate user. You do need Root access to your server to use iptables or ask your support to add them.
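The CIDR arithmetic and the rule ordering described in the post above, as an added example that is not part of the original post: it expands a /16, collapses the four ranges into the single covering CIDR, and models first-match evaluation so an exception placed ahead of the blocks still gets through. The exception address 81.212.10.20, the DROP target and the INPUT chain are assumptions for illustration; the post does not give its actual exception or rules.

```python
import ipaddress

# The four ranges listed in the post.
BLOCKED = ["81.212.0.0/16", "81.213.0.0/16", "81.214.0.0/16", "81.215.0.0/16"]

def span(cidr):
    """First address, last address and size of a CIDR block."""
    net = ipaddress.ip_network(cidr)
    return str(net[0]), str(net[-1]), net.num_addresses

def collapse(cidrs):
    """Smallest list of CIDRs covering exactly the same addresses."""
    nets = (ipaddress.ip_network(c) for c in cidrs)
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

def build_rules(blocked, exceptions=()):
    """Exceptions go first: iptables acts on the first rule that matches."""
    rules = [(ipaddress.ip_network(e), "ACCEPT") for e in exceptions]
    rules += [(ipaddress.ip_network(b), "DROP") for b in blocked]
    return rules

def verdict(rules, source_ip, default="ACCEPT"):
    """Model first-match evaluation for one source address."""
    addr = ipaddress.ip_address(source_ip)
    for net, target in rules:
        if addr in net:
            return target
    return default

def render(rules):
    """Rule list as iptables commands (INPUT chain is an assumption)."""
    return ["iptables -A INPUT -s %s -j %s" % (net, target) for net, target in rules]

if __name__ == "__main__":
    print(span(BLOCKED[0]))
    print(collapse(BLOCKED))
    rules = build_rules(BLOCKED, exceptions=["81.212.10.20"])  # constructed
    print("\n".join(render(rules)))
    print(verdict(rules, "81.213.198.55"), verdict(rules, "81.212.10.20"))
```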

Digital-Overload
Hangin' Around
Joined: May 13, 2005
Posts: 26
Posted: Fri May 13, 2005 12:56 pm

so installing the Patch 3.0 for Nuke 7.6 and Installing Sentinel Should Stop him from Hacking and modding my site messages?

Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 16986
Location: Kansas
Posted: Fri May 13, 2005 5:11 pm

Yep. The difference is that with iptables he never makes it past the OS kernel. With NukeSentinel (or any web server level protection) it actually makes it to the site and then gets trapped.

Digital-Overload
Hangin' Around
Joined: May 13, 2005
Posts: 26
Posted: Fri May 13, 2005 7:58 pm

ok,

i tried to install sentinel... and it totally botched the forums and stuff..

I'll re-upload Nuke 7.6...

will the Nuke Patch 3.0 stop him from injecting SQL entries using that admin.php?add b.s.?

Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 16986
Location: Kansas
Posted: Fri May 13, 2005 8:52 pm

You don't need to reupload anything. You need Nuke patch level 2.9 or higher to use the latest version of NukeSentinel or you need to make some coding changes as described in the README and in the forums. Just comment out the mainfile code and NukeSentinel won't affect anything until you get it fixed.

Digital-Overload
Hangin' Around
Joined: May 13, 2005
Posts: 26
Posted: Sat May 14, 2005 11:19 am

if i comment out the Sentinel Program Will I Be vulnerable?

this guy seems to have my page bookmarked...

Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 16986
Location: Kansas
Posted: Sat May 14, 2005 12:46 pm

Assuming it's the IPs mentioned above, add these lines to your .htaccess file:

Deny from 81.212.0.0/16
Deny from 81.213.0.0/16
Deny from 81.214.0.0/16
Deny from 81.215.0.0/16

Digital-Overload
Hangin' Around
Joined: May 13, 2005
Posts: 26
Posted: Sat May 14, 2005 4:31 pm

I'm not that good with the .htaccess file..

i have the "sample.htaccess" on the server...

how would i setup a normal .htaccess file?

Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 16986
Location: Kansas
Posted: Sat May 14, 2005 4:39 pm

Leave sample.htaccess alone. Create a text file on your local pc and call it htaccess.txt. Windows will not allow a file to be named .htaccess - just another stupid windows thing. You will rename it later, once you ftp it. Add those 4 lines to your htaccess.txt file. Save it and ftp it to your root nuke folder. Then using your ftp client, rename it to .htaccess.

Digital-Overload
Hangin' Around
Joined: May 13, 2005
Posts: 26
Posted: Sat May 14, 2005 7:08 pm

so.. I Should

1. Make a blank htaccess.txt
2. Add the 4 Deny IP Lines,
3. Upload to Server
4. Rename To .htaccess

I Know my server is a WINDOWS server...
I'm also gonna have my Provider ban those 4 ips from the site as well..
well they are looking into the attacks..

but if the guy is using a admin.php?add SQL insertion... then I'd Have to just block that..

Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 16986
Location: Kansas
Posted: Sat May 14, 2005 10:40 pm

Are you sure it's a windows web server (IIS) or is it a windows server (as opposed to *nix) but using Apache? If you are on Apache then you can still use .htaccess as described above.

Digital-Overload
Hangin' Around
Joined: May 13, 2005
Posts: 26
Posted: Sun May 15, 2005 1:11 pm

It's a Windows Server 2003,

(www.webhost4life.com)

I've asked Tech Support to Ban the 4 IP Ranges On the Ticket I Have Open About the Hacking.. they said they'd Forward it to Management For Evaluation,

I've Completely Lost PHP Nuke as Of Right now, I Have a Fresh Core Uploaded But I'm Not Going to Configure It Until I'm Sure the Bozo Can't Come Back..

After he hacked me the First time on Wednesday Morning, I Took the Site Offline for a day to Clean up the Code and Put it on 2 Am Friday Morning and by 10 AM Friday He had already hacked it again changing messages.. and he told me to update the script (I was Running Nuke 6.5 at the time), I Don't know how he got in the 2nd time, there were no added Admins in the Admin list.. unless he deleted himself. But Both times All he has Done is Edit a Message, Add a Message and then Edit a News Article, It's Possible he acquired another Admin's password, which is why i Really don't care about wiping the members list and starting over..

I Have the 7.6 Core uploaded Now, I'm not sure if it's the "Nuke Patch 3.0" or the Sentinel Program that's Killing the Forums, But I Couldn't Access the Main Forums, the Admin Panel, Or even Register A New User..

So If there's a Way to Stop him without Using Sentinel Then Great.. I Don't have the Time to Sit and Play with the Code after every debug for the next 2 months...

I just don't wanna spend the time importing all the blocks/modules back and have the dude come back and hack the site again...

Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 16986
Location: Kansas
Posted: Sun May 15, 2005 2:00 pm

Since you don't run Apache, you can't use .htaccess (I went to their site and they run IIS6.x - good luck my friend). I would recommend that you upgrade to nuke v7.7pl3.0 and install NukeSentinel(TM). Really, there should be no issues. Rename admin.php to something else and modify config.php $admin_file to reflect the new name. That should give you adequate time to get NS working. Frankly, I would change hosts to an Apache based web server. That way you help control your own destiny.

Digital-Overload
Hangin' Around
Joined: May 13, 2005
Posts: 26
Posted: Sun May 15, 2005 9:32 pm

Ok,
Thanks For the Help, I'll Prolly just do Old Fashioned HTML Index with Inline Frames for a bit, and work on the Nuke Install In a Sub Dir..

I'll Prolly be back soon, cause i know .. I'm Gonna Have issues.. .

Question..

For Sentinel.. What's the Best method for PHP-Nuke 7.6?
Is this the best method..

1. Upload PHP-Nuke Core, Set The Admin and Stuff.
2. Upload/Overwrite Patch Files (ASCII For .PHP Right? )
3. Load the PHPUpgrade.php File to Install the Patch 3.0 SQL Entries
4. Upload the Sentinel ../ Override Files....
5. Goto the Admin.php Login.. Launch the Sentinel Install .php

That's what I Did Last Time... And the Forums wouldn't function even after editing the files in the readme's..

Like I Said though.. I think something might have uploaded wrong or the SQL Table was not right... I'll try again but i'll prolly be asking for help with messages from the debug..

Digital-Overload
Hangin' Around
Joined: May 13, 2005
Posts: 26
Posted: Mon May 16, 2005 2:12 pm

Raven.. You're a Big Help!!..

So Far I've been working on my 7.6 In a Subdir..

Got it installed and patched.. No Sentinel Yet

But I Still Can't Access the forums..

I Get This:
phpBB : Critical Error

Error creating new session

DEBUG MODE

SQL Error : 1054 Unknown column 'session_admin' in 'field list'

INSERT INTO nuke_bbsessions (session_id, session_user_id, session_start, session_time, session_ip, session_page, session_logged_in, session_admin) VALUES ('e033c4306322b617bfe43ca0e827a4c3', '1', '1116274409', '1116274409', '4463a5b0', '0', '0', '0')

Line : 203
File : sessions.php

Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 16986
Location: Kansas
Posted: Mon May 16, 2005 2:22 pm

Only registered users can see links on this board!
Get registered or login to the forums!

Digital-Overload
Hangin' Around
Joined: May 13, 2005
Posts: 26
Posted: Mon May 16, 2005 2:33 pm

Thanks..

I Did Run the Upgradedb.php..

Running the SQL QUery Fixed it..

now to install sentinel!!


Raven.. You're the Bomb Dude!

Nuke 7.6 is Tons Better than 6.5 So Far..

Only had to do a few changes ... none of the endless .php editing because i run it on a Windows Server...

Is there a way i can add previous known IPs of the "kiegera" dweeb as soon as i get sentinel installed??..

And What's the Best Recommended Settings to prevent the admin abuse and stuff

And Are the "HEADER.PHP File Edits" Required?, For some reason when i add the data that it tells me to my site either goes blank.. or it gets all weird looking...

Digital-Overload
Hangin' Around
Joined: May 13, 2005
Posts: 26
Posted: Thu May 26, 2005 3:46 pm

Well... I was about to post ...

Seems i was locked out of my own site.. :), didn't know caps lock was on.. so had to reset password thru Nuke Sentinel.. 15 minutes of hassle... but at least i know it's working!

Thanks a Million Raven!

All logos and trademarks in this site are property of their respective owner.
The comments are property of their posters, all the rest © 2002-2011 by Raven
