Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
Author Message
utssace
Worker
Worker


Joined: Feb 18, 2006
Posts: 155
Location: Virginia

PostPosted: Thu Oct 11, 2007 8:13 am Reply with quote

Well it looks like I have some type of javascript exploit on my site. It started
with users having problems with their IE browser on the site. After looking
closer I have found an IFRAME line in all of my index.php files sitewide.
My nuke is running in a subfolder but I even have this corruption in my root
index files.

here is the gist of the line:

IFRAME name...StatPage src...http://www.911traff.com/trf/traf.php123

I put a 123 at the end so the link won't work. I wouldn't visit the link but
I need suggestions on how to proceed. My site has IFRAMEs that we put
in it and it has several javascripts running. Any suggestions.

We are a gaming clan site and have had this site for 2 years. I am running
the latest NukeSentinel and RN 2.10.01.


Last edited by utssace on Fri Oct 12, 2007 8:18 pm; edited 2 times in total 
View user's profile Send private message Visit poster's website
fkelly
Former Moderator in Good Standing


Joined: Aug 30, 2005
Posts: 3312
Location: near Albany NY

PostPosted: Thu Oct 11, 2007 9:11 am Reply with quote

In order to change your PHP files, they must have access to your site. I'd start by changing all my admin passwords and make sure your have the CGI auth running in Nuke Sentinel. Then I'd reload my files from a backup after checking to make sure that the backup hasn't been exploited. Also, if you have any modules other than the standard ones that come with RN then I'd suspect that someone might be exploiting them to upload files. Also look thru the files on your server and make sure they have not added any ... this could be how your site is being exploited.

Look at your authors table too and make sure no new records have been added. And change your passwords in there.
 
View user's profile Send private message Visit poster's website
PHrEEkie
Subject Matter Expert


Joined: Feb 23, 2004
Posts: 358

PostPosted: Thu Oct 11, 2007 9:49 am Reply with quote

You should have a fairly good estimate on when this breach most likely occurred. You need to contact your webhost support and ask them to go through their raw logs and find out which script was initially exploited, and then what they did afterwards (if anything). If your webhost is worth .02's, this will be extremely easy for them to find and provide to you.

PHrEEk

_________________
PHP - Breaking your legacy scripts one build at a time. 
View user's profile Send private message
Gremmie
Former Moderator in Good Standing


Joined: Apr 06, 2006
Posts: 2415
Location: Iowa, USA

PostPosted: Thu Oct 11, 2007 9:51 am Reply with quote

I'd look in your config table with phpMyAdmin. They often slip iframe's into the footer lines in the database.

_________________
Only registered users can see links on this board! Get registered or login! - An Event Calendar for PHP-Nuke
Only registered users can see links on this board! Get registered or login! - A Google Maps Nuke Module 
View user's profile Send private message
utssace
PostPosted: Thu Oct 11, 2007 1:27 pm Reply with quote

Thanks for the tips.

I do have CGI Auth running. One thing I am not sure how to do is changing
the CGI Auth & GOD passwords.
 
utssace
PostPosted: Thu Oct 11, 2007 2:22 pm Reply with quote

This sucks. I did a WinMerge and compared my most recent file backup (fortunately a clean backup)
and I must have about 200 index files...and every one has this IFRAME
line in the file. However, I don't see any evidence of database corruption.
I checke the Auth and Config tables and they look normal.
 
fkelly
PostPosted: Thu Oct 11, 2007 2:29 pm Reply with quote

Just a guess, but I'm betting they have somehow planted an exploit file on your server that is in turn corrupting the rest of the files. You might want to look for any extraneous files ... I know this can be a p.i.t.a.
 
utssace
PostPosted: Thu Oct 11, 2007 2:58 pm Reply with quote

I did a WinMerge on my entire root and found no Unique files that are not
in my backup. I did also find a corrupted index file in my server's
private_html folder. I would have expected to find a rogue file or
something. Could such a file be hidden on my server when I can't
see it? By hidden I mean "not-visible" in my ftp program...like htaccess
files are hidden.

Due to the extensive number of files involved, I will prob have my server
host re-establish the server and reupload everything. The only module
I installed since my backup is Multiheadlines. This infection has happened
more recently.

Can a hacker use a javascript or IFRAME that I already have installed on
the site to do this? If so, I want to find the script with this hole and get rid of it.
 
utssace
PostPosted: Thu Oct 11, 2007 3:27 pm Reply with quote

Another observation....an index.htm file has been created in every folder
where there was no index file already. The only line in these rogue index files in that same
IFRAME line.
 
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 17077

PostPosted: Thu Oct 11, 2007 6:22 pm Reply with quote

Do a Google search for traf.php. You are definitely not alone!
 
View user's profile Send private message
Raven
PostPosted: Thu Oct 11, 2007 6:25 pm Reply with quote

Also, see
Only registered users can see links on this board! Get registered or login! Only registered users can see links on this board! Get registered or login!
 
utssace
PostPosted: Thu Oct 11, 2007 7:04 pm Reply with quote

I read through everything but did not see a remedy to the problem. It sound
like some scary stuff. from what I understand, it uses websites to infect
personal PC's to obtain personal info.

I have asked my server host to reinstall my server and change my server
password. I have also asked our members to do a virus, spyware, and
adware scan. Does this sound like the right things to do?

I don't know what else to do.
 
Raven
PostPosted: Thu Oct 11, 2007 7:29 pm Reply with quote

Through just a random reading it appears it might have been a cPanel exploit. I would advise you to let your host know that the entire server may have been compromised and give them the links to have them check the server.
 
PHrEEkie
PostPosted: Thu Oct 11, 2007 8:16 pm Reply with quote

Yep, that information is best in the hands of your webhost's security and support center. Hopefully they have qualified people to get to the bottom of it. That's why I suggested you tell them what time frame you suspect the problem started, and they can begin by looking at the logs and go from there. You shouldn't go this alone, and you should not have to 'guess' about what precautions to take. You pay for a service, and that should include security issues and resolution. If you don't get that, you need to change hosts. Good luck and good hunting!

PHrEEk
 
Captain_Computer
Hangin' Around


Joined: May 30, 2004
Posts: 46

PostPosted: Thu Oct 11, 2007 9:04 pm Reply with quote

I had the same problem happen to me about a month ago where index files with the iframe where in every directory. Search google I found an exploit the the cpanel has where your password can be found.

Check in you cpanel -> FTP Accounts for any unauthorized accounts. Also check cpanel -> Weblizer FTP for any unauthorized ip and/or user accessing Only registered users can see links on this board! Get registered or login!

Change ALL your passwords.

_________________
Captain Computer Said It !!!! 
View user's profile Send private message Visit poster's website
utssace
PostPosted: Fri Oct 12, 2007 1:14 pm Reply with quote

Only my site was affected on the server. Host pinpointed the date of the
breach. My PC system is clean of any viruses/trojans etc. My host does
not use cpanel. It must have been a password breach. I had the user
and pass for 2 years and never changed it and it was not a strong password.
They are reinstalling my site and I am about to restore from a backup.

1 Question.....Is there a way that I can change the password for my GOD
account and a subadmin account directly in the database before installing?



I tried experimenting how to change the password on the infected site using
the admin backend...but I got the black screen of death. I guess the infection
prevented me from changing it then.
 
Raven
PostPosted: Fri Oct 12, 2007 1:51 pm Reply with quote

Only registered users can see links on this board! Get registered or login!
 
utssace
PostPosted: Fri Oct 12, 2007 3:28 pm Reply with quote

Embarassed

Thank you Raven...and everyone here for your help. I am working on
restoring the site now. Things should be back to normal soon.
 
Gremmie
PostPosted: Fri Oct 12, 2007 4:19 pm Reply with quote

Raven wrote:
http://www.ravenphpscripts.com/faq-2-.html#9


Off-topic...

Wow...that works? Nuke doesn't use a salt? What the heck is that site key string in config.php for anyway?
 
fkelly
PostPosted: Fri Oct 12, 2007 5:35 pm Reply with quote

I have found that you can just put the text of what password you want into PHPmyadmin and then apply the md5 function to it (that's in the next column over to the left from the value column and it's called function and there's a dropdown and md5 is one of the choices). You will then wind up with a md5'd password which is what Nuke uses.
 
Gremmie
PostPosted: Fri Oct 12, 2007 6:50 pm Reply with quote

Wow, yeah, I just looked at Your_Account and Nuke doesn't use a salt. Not cool. And now back to the topic at hand.... Wink
 
Raven
PostPosted: Fri Oct 12, 2007 7:55 pm Reply with quote

Gremmie wrote:
Raven wrote:
http://www.ravenphpscripts.com/faq-2-.html#9


Off-topic...

Wow...that works? Nuke doesn't use a salt? What the heck is that site key string in config.php for anyway?


The sitekey was never used to build the password. It was used as part of the code creation for the original numeric "captcha'.
 
PHrEEkie
PostPosted: Fri Oct 12, 2007 8:09 pm Reply with quote

If you read up on some topics over at Waraxe, you'll see that all Nuke passwords are straight md5 hashes, and that they (the hacking community) have a few different software solutions for cracking md5 hashes. Using injection to add an entry to the authors tables is just one way to gain access. The other is to hijack an admin cookie (which contains the information about the hashed password), then use their brute force software to crack the hash. Then they simply login with your username and pass.

If you educate yourself on the available server-side security options, you can create additional layers that a hacker would need to get through, even if he had a nuke admin login/pass. There is no such thing as 100% authorization until we can do a fingerprint or retina scan over the internet Wink Therefore, all you can do is make it an extreme hassle and waste of time for a hacker to get in.

Understand this... a VAST majority of all Nuke sites just contain content. Most hackers only want to tag your site with their banner or whatever. The TRUE motivated hacker seeks personal information like credit card numbers or what have you... these hackers will spend the time to try and breach additional layers, because there is a real potential monetary goal involved. Hackers who just want to hang graffiti on your site will NOT spend the days or weeks getting through extra layers, and will move on to an easier site. So, the moral to the story is, the use of an extra layer or two tends to discourage about 99% of any attacks, and that's a good number to have in your corner.

PHrEEk
 
Gremmie
PostPosted: Fri Oct 12, 2007 9:03 pm Reply with quote

Agree, just can't believe Nuke isn't using a salt. That would make these dictionary attacks on the passwords a little harder. Harder enough to discourage the kiddies, but not the determined ones as you mention.
 
evaders99
Former Moderator in Good Standing


Joined: Apr 30, 2004
Posts: 3221

PostPosted: Fri Oct 12, 2007 11:51 pm Reply with quote

I have all the changes to "salt" the cookie password so that it doesn't contain the original MD5 hash stored in the database. While I would like to "salt" the database passwords, it would require all users to re-input their passwords. The conversation is not an easy step for any existing site right now.

Once I finish testing these changes, I will release them as a part of the security patches

_________________
- Only registered users can see links on this board! Get registered or login! -

Need help? Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©