Ravens PHP Scripts: Forums
Forum: Security - PHP Nuke
2McAbre (New Member; Joined: Feb 16, 2005; Posts: 20)
Posted: Tue Mar 15, 2005 10:32 am

Just thought to drop a note to let everyone know that someone tried to add themselves as a "God" admin at my little old site!

Thanks to Nuke Sentinel they did not get in.

Wanted to pass on the info for those that may wish to take advanced cautionary action. Just in case.

Attempted author string (broken so it won't scroll)
User Agent: Mozilla 4.0 (Linux)

Code:
2mcabre.com/admin.php?

op=AddAuthor&add_aid=kiegera&
add_name=Goda&add_pwd=playboya&
add_email=r00t_System@hush.com&
add_radminsuper=1&admin=eCcgVU5JT04gU0VMRUNUIDEvKjox


He's not even shy as to what his goal was :) Look at the email address.

Location: TURKEY (high) [City: Istanbul, Istanbul]
IP 81.213.198.55

Or for the more hardcore blockers the CIDR is…

81.213.128.0/17

And yes, I know I could rename my admin.php file, but seriously? Other than as my own added security feature, that is almost admitting to "them" that they win.
 
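One way a site owner can spot this kind of attempt after the fact, as an added example that is not from the original post: scan the web server access log for requests to admin.php that carry op=AddAuthor together with add_radminsuper=1, the combination shown in the query string above. The log lines below are constructed; a real log would show the real source address and whatever status the server actually returned.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample in Apache combined log format (not taken from the original post):
# one AddAuthor super-admin attempt, one ordinary page view, one POST to admin.php.
SAMPLE_LOG = """\
81.213.198.55 - - [15/Mar/2005:10:31:02 -0600] "GET /admin.php?op=AddAuthor&add_aid=kiegera&add_name=Goda&add_radminsuper=1 HTTP/1.0" 200 512 "-" "Mozilla 4.0 (Linux)"
10.0.0.7 - - [15/Mar/2005:10:32:40 -0600] "GET /modules.php?name=News HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
10.0.0.9 - - [15/Mar/2005:10:33:01 -0600] "POST /admin.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Names of the admin script; add the new name here if admin.php has been renamed.
ADMIN_FILES = {"admin.php"}


def is_addauthor_attempt(target: str) -> bool:
    """True when the request asks the admin script to create an author with super-admin rights."""
    parts = urlsplit(target)
    if parts.path.rsplit("/", 1)[-1] not in ADMIN_FILES:
        return False
    query = parse_qs(parts.query)
    return (query.get("op", [""])[0] == "AddAuthor"
            and query.get("add_radminsuper", [""])[0] == "1")


def scan_log(text: str) -> list:
    """Return one record per matching request, with source IP, timestamp and response status."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_addauthor_attempt(m["target"]):
            hits.append({"ip": m["ip"], "ts": m["ts"],
                         "status": int(m["status"]), "target": m["target"]})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        # A 200 only means the script ran; whether a row was written needs a check of the authors table.
        print(f"{hit['ts']} {hit['ip']} AddAuthor super-admin attempt, HTTP {hit['status']}")
```

Any hit from an address that is not your own should be followed by a look at the nuke_authors table for accounts you did not create.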
Trubador (Regular; Joined: Dec 28, 2004; Posts: 94)
Posted: Tue Mar 15, 2005 3:07 pm

Just noticed your post m8.... had the same hack attempt by the same IP. Just made another post.

http://www.ravenphpscripts.com/postt4986.html

Looks like someone's been busy.

Trub
 
Digital-Overload (Hangin' Around; Joined: May 13, 2005; Posts: 26)
Posted: Fri May 13, 2005 12:06 pm

He's hit my site TWICE.. in the last 2 days.

lmao first time he said update my script..

second time he said install Sentinel or he'll take over the site!..

wtf.. why is the douche helping me???
 
hitwalker (Sells PC To Pay For Divorce; Posts: 5661)
Posted: Fri May 13, 2005 12:18 pm

well this is just one of the many remote attempts we see all the time so posting this is very useless.
unfortunately they are just strings picked up by dozens of idiots on the web, from Turkey to Brazil...
all they do is try it out and the luck they have is getting less by the day.
until they find an idiot that runs phpnuke 5.0.
 
Raven (Site Admin/Owner; Joined: Aug 27, 2002; Posts: 17088)
Posted: Fri May 13, 2005 12:38 pm

The following 4 CIDRs are all Turkey and have tried multiple types of attacks. In case you don't understand CIDR coding, the /16 means all IP ranges with the last 2 octets covered inclusively (81.212.0.0 - 81.212.255.255). It could also be written to include all with one CIDR, but I need to be able to make exceptions.

81.212.0.0/16
81.213.0.0/16
81.214.0.0/16
81.215.0.0/16

I have all of them banned through iptables. That way the Linux kernel actually rejects their packets from any protocol on my servers. I do have one exception coded, which I will not detail, as there is a legitimate user. You do need root access to your server to use iptables, or ask your support to add them.
 
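The CIDR arithmetic in the post above, as an added example that is not Raven's code: what a /16 (and the /17 from the first post) covers, the single /14 that would cover all four blocks, and first-match evaluation of an ordered rule list so that one allow exception can precede the deny blocks, which is how both iptables and Apache access control behave. The exception address is a constructed placeholder, not the real user.

```python
def ip_to_int(ip: str) -> int:
    """Pack a dotted-quad IPv4 address into a 32-bit integer."""
    octets = [int(x) for x in ip.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def cidr_bounds(cidr: str) -> tuple:
    """Return (first, last) addresses covered by a block such as 81.212.0.0/16."""
    # A /16 fixes the first 16 bits, so the last two octets run 0.0 - 255.255 inclusive.
    net, _, bits = cidr.partition("/")
    prefix = int(bits) if bits else 32
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length: {cidr}")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    first = ip_to_int(net) & mask                 # network address
    return first, first | (~mask & 0xFFFFFFFF)    # ... and broadcast address

def in_cidr(ip: str, cidr: str) -> bool:
    first, last = cidr_bounds(cidr)
    return first <= ip_to_int(ip) <= last

# Ordered rules, first match wins, as iptables and Apache evaluate them: the allow
# exception must come before the blocks it is carved out of.
RULES = [
    ("allow", "81.213.1.1/32"),   # constructed placeholder for the one legitimate user
    ("deny", "81.212.0.0/16"),
    ("deny", "81.213.0.0/16"),
    ("deny", "81.214.0.0/16"),
    ("deny", "81.215.0.0/16"),
]

def decide(ip: str, rules=RULES, default: str = "allow") -> str:
    for action, cidr in rules:
        if in_cidr(ip, cidr):
            return action
    return default

if __name__ == "__main__":
    # The four /16s are contiguous and aligned on a /14 boundary, so one /14 covers them all.
    for cidr in ("81.212.0.0/16", "81.213.128.0/17", "81.212.0.0/14"):
        lo, hi = cidr_bounds(cidr)
        print(f"{cidr:16} = {int_to_ip(lo)} - {int_to_ip(hi)}")
    for ip in ("81.213.198.55", "81.213.1.1", "81.211.255.255"):
        print(f"{ip:16} -> {decide(ip)}")
```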
Digital-Overload
Posted: Fri May 13, 2005 12:56 pm

So installing the Patch 3.0 for Nuke 7.6 and installing Sentinel should stop him from hacking and modding my site messages?
 
Raven
Posted: Fri May 13, 2005 5:11 pm

Yep. The difference is that with iptables he never makes it past the OS kernel. With NukeSentinel (or any web server level protection) it actually makes it to the site and then gets trapped.
 
Digital-Overload
Posted: Fri May 13, 2005 7:58 pm

ok,

I tried to install Sentinel... and it totally botched the forums and stuff..

I'll re-upload Nuke 7.6...

Will the Nuke Patch 3.0 stop him from injecting SQL entries using that admin.php?add b.s.?
 
Raven
Posted: Fri May 13, 2005 8:52 pm

You don't need to reupload anything. You need Nuke patch level 2.9 or higher to use the latest version of NukeSentinel or you need to make some coding changes as described in the README and in the forums. Just comment out the mainfile code and NukeSentinel won't affect anything until you get it fixed.
 
Digital-Overload
Posted: Sat May 14, 2005 11:19 am

If I comment out the Sentinel program will I be vulnerable?

This guy seems to have my page bookmarked...
 
Raven
Posted: Sat May 14, 2005 12:46 pm

Assuming it's the IPs mentioned above, add these lines to your .htaccess file:

Deny from 81.212.0.0/16
Deny from 81.213.0.0/16
Deny from 81.214.0.0/16
Deny from 81.215.0.0/16
 
Digital-Overload
Posted: Sat May 14, 2005 4:31 pm

I'm not that good with the .htaccess file..

I have the "sample.htaccess" on the server...

How would I set up a normal .htaccess file?
 
Raven
Posted: Sat May 14, 2005 4:39 pm

Leave sample.htaccess alone. Create a text file on your local PC and call it htaccess.txt. Windows will not allow a file to be named .htaccess - just another stupid Windows thing. You will rename it later, once you FTP it. Add those 4 lines to your htaccess.txt file. Save it and FTP it to your root nuke folder. Then using your FTP client, rename it to .htaccess.
 
Digital-Overload
Posted: Sat May 14, 2005 7:08 pm

So.. I should

1. Make a blank htaccess.txt
2. Add the 4 Deny IP lines,
3. Upload to server
4. Rename to .htaccess

I know my server is a WINDOWS server...
I'm also gonna have my provider ban those 4 IPs from the site as well..
well they are looking into the attacks..

but if the guy is using an admin.php?add SQL insertion... then I'd have to just block that..
 
Raven
Posted: Sat May 14, 2005 10:40 pm

Are you sure it's a windows web server (IIS) or is it a windows server (as opposed to *nix) but using Apache? If you are on Apache then you can still use .htaccess as described above.
 
Digital-Overload
Posted: Sun May 15, 2005 1:11 pm

It's a Windows Server 2003,

(www.webhost4life.com)

I've asked tech support to ban the 4 IP ranges on the ticket I have open about the hacking.. they said they'd forward it to management for evaluation,

I've completely lost PHP Nuke as of right now, I have a fresh core uploaded but I'm not going to configure it until I'm sure the bozo can't come back..

After he hacked me the first time on Wednesday morning, I took the site offline for a day to clean up the code and put it on 2 AM Friday morning and by 10 AM Friday he had already hacked it again changing messages.. and he told me to update the script (I was running Nuke 6.5 at the time), I don't know how he got in the 2nd time, there were no added admins in the admin list.. unless he deleted himself. But both times all he has done is edit a message, add a message and then edit a news article, it's possible he acquired another admin's password, which is why I really don't care about wiping the members list and starting over..

I have the 7.6 core uploaded now, I'm not sure if it's the "Nuke Patch 3.0" or the Sentinel program that's killing the forums, but I couldn't access the main forums, the admin panel, or even register a new user..

So if there's a way to stop him without using Sentinel then great.. I don't have the time to sit and play with the code after every debug for the next 2 months...

I just don't wanna spend the time importing all the blocks/modules back and have the dude come back and hack the site again...
 
Raven
Posted: Sun May 15, 2005 2:00 pm

Since you don't run Apache, you can't use .htaccess (I went to their site and they run IIS6.x - good luck my friend). I would recommend that you upgrade to nuke v7.7pl3.0 and install NukeSentinel(TM). Really, there should be no issues. Rename admin.php to something else and modify config.php $admin_file to reflect the new name. That should give you adequate time to get NS working. Frankly, I would change hosts to an Apache based web server. That way you help control your own destiny.
 
Digital-Overload
Posted: Sun May 15, 2005 9:32 pm

Ok,
Thanks for the help, I'll prolly just do an old fashioned HTML index with inline frames for a bit, and work on the Nuke install in a sub dir..

I'll prolly be back soon, cause I know .. I'm gonna have issues.. .

Question..

For Sentinel.. What's the best method for PHP-Nuke 7.6?
Is this the best method..

1. Upload PHP-Nuke core, set the admin and stuff.
2. Upload/overwrite patch files (ASCII for .PHP right? )
3. Load the PHPUpgrade.php file to install the Patch 3.0 SQL entries
4. Upload the Sentinel ../ override files....
5. Go to the admin.php login.. Launch the Sentinel install .php

That's what I did last time... And the forums wouldn't function even after editing the files in the readmes..

Like I said though.. I think something might have uploaded wrong or the SQL table was not right... I'll try again but I'll prolly be asking for help with messages from the debug..
 
Digital-Overload
Posted: Mon May 16, 2005 2:12 pm

Raven.. You're a big help!!..

So far I've been working on my 7.6 in a subdir..

Got it installed and patched.. No Sentinel yet

But I still can't access the forums..

I get this:
phpBB : Critical Error

Error creating new session

DEBUG MODE

SQL Error : 1054 Unknown column 'session_admin' in 'field list'

INSERT INTO nuke_bbsessions (session_id, session_user_id, session_start, session_time, session_ip, session_page, session_logged_in, session_admin) VALUES ('e033c4306322b617bfe43ca0e827a4c3', '1', '1116274409', '1116274409', '4463a5b0', '0', '0', '0')

Line : 203
File : sessions.php
 
Raven
Posted: Mon May 16, 2005 2:22 pm

[ link visible only to registered users ]
 
Digital-Overload
Posted: Mon May 16, 2005 2:33 pm

Thanks..

I did run the Upgradedb.php..

Running the SQL query fixed it..

now to install Sentinel!!


Raven.. You're the bomb dude!

Nuke 7.6 is tons better than 6.5 so far..

Only had to do a few changes ... none of the endless .php editing because I run it on a Windows server...

Is there a way I can add previous known IPs of the "kiegera" dweeb as soon as I get Sentinel installed??..

And what's the best recommended settings to prevent the admin abuse and stuff

And are the "HEADER.PHP file edits" required?, for some reason when I add the data that it tells me to my site either goes blank.. or it gets all weird looking...
 
Digital-Overload
Posted: Thu May 26, 2005 3:46 pm

Well... I was about to post ...

Seems I was locked out of my own site.. :) didn't know caps lock was on.. so had to reset password thru Nuke Sentinel.. 15 minutes of hassle... but at least I know it's working!

Thanks a million Raven!
 