Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
Author Message
ardmhacha
Hangin' Around


Joined: Jan 26, 2004
Posts: 30
Location: Ireland

PostPosted: Sat Feb 04, 2006 4:25 am Reply with quote

My website has been hacked this morning. The homepage being defaced by Biyo-Security-Team. The url is Only registered users can see links on this board! Get registered or login! I have phpnuke 7.6 patched with 3.1 - I had a quick search on Google but there is not a lot of reference to this. I have replaced the index.php file which has resolved the issue on a temp bases although a few things are missing.
 
View user's profile Send private message
Guardian2003
Site Admin


Joined: Aug 28, 2003
Posts: 6792
Location: Ha Noi, Viet Nam

PostPosted: Sat Feb 04, 2006 4:48 am Reply with quote

Whilst the 'patched' series goes a long way toward securing the code there are some vulnerabilities that may still be exploited.
I take it from this attack that you did not have Nuke Sentinel installed?
 
View user's profile Send private message Send e-mail
sting
Involved
Involved


Joined: Sep 23, 2003
Posts: 456
Location: Somewhere out there...

PostPosted: Sat Feb 04, 2006 7:29 am Reply with quote

First thing I would tell anyone is to take advantage of renaming your admin.php file. I have a suspicion that goes a long way towards preventing a number of these hacks, especially generic script kiddie ones.

-sting
 
View user's profile Send private message Visit poster's website AIM Address Yahoo Messenger MSN Messenger ICQ Number
ardmhacha
PostPosted: Sat Feb 04, 2006 7:34 am Reply with quote

I'm running NukeSentinel 2.4.2 but they still got in. i haven't time to look further into it at the moment.
 
hitwalker
Sells PC To Pay For Divorce


Joined:
Posts: 5661

PostPosted: Sat Feb 04, 2006 7:53 am Reply with quote

well im having a hard time believing this...
it should mean that they bypassed sentinel for the first time..and directly towards the admin?
 
View user's profile Send private message
sting
PostPosted: Sat Feb 04, 2006 7:59 am Reply with quote

Have any log file entries of the hack? What happened - how did they hack your site (what was changed, etc?)

-sting
 
sting
PostPosted: Sat Feb 04, 2006 8:00 am Reply with quote

What version of the phpBB forum are you using?

I noticed the tagline
phpBB port v2.1 based on Tom Nitzschner's phpbb2.0.6 upgraded to phpBB 2.0.4 standalone was developed and tested by:

which seems like it was an older version. . .

-sting
 
Guardian2003
PostPosted: Sat Feb 04, 2006 8:32 am Reply with quote

Also, although you are using Sentinel, you might want to check all your 'blocker' settings.
 
ardmhacha
PostPosted: Sat Feb 04, 2006 9:00 am Reply with quote

index.php was replaced defacing the homepage by pointing it to Only registered users can see links on this board! Get registered or login!

I had Sentinel set to email, block and forward in all areas except scripting blocker settings and flood blocker settings which were set to email admin. I only changed the scripting one to this the other day having read something on it, saying this was sufficient. I overwrite Sentinel files recently as i was having problems with AOL users being blocked but i doubt this was the cause. i will look into the forum version.
 
hitwalker
PostPosted: Sat Feb 04, 2006 9:34 am Reply with quote

well i have my doubts ardmhacha .
the only qualified person who can say anything about this or what happend is raven and bob(but he's not arount at this moment).
still i dont believe this cause it would mean that they beat sentinel,and thats never happend before...and never will...
but from what your saying is that your index.php is edited,and that can only happen if it was writable..
 
Guardian2003
PostPosted: Sat Feb 04, 2006 1:16 pm Reply with quote

There have been similar cases in the past where the index.php file has been amended / over written but of all the cases I have seen, none of them were using Sentinel.
 
ardmhacha
PostPosted: Sat Feb 04, 2006 1:18 pm Reply with quote

I checked the CHMOD on index.php and it's 644. With regards to phpbb I was running 2.0.18 but I have since upgraded to 2.0.19 (is there a way of changing the tagline?) I looked at the logfiles and to be honest I can see anything obvious although I'm not sure exactly sure what I'm looking for. I have also applied the latest sentinel patch so now running NukeSentinel_v2.4.2pl3

Just one other thing, am I right in saying that it is OK to remove the nsnst_installer directory after Sentinel has been installed/upgraded?

I appreciate all your help and advice on this.
 
Guardian2003
PostPosted: Sat Feb 04, 2006 2:23 pm Reply with quote

Yes you can remove that directory.
Would you be willing to give me admin access to your site/cpanel?
Please PM me.
 
montego
Site Admin


Joined: Aug 29, 2004
Posts: 9449
Location: Arizona

PostPosted: Sat Feb 04, 2006 2:26 pm Reply with quote

ardmhacha, yes, yes, yes... remove the installer AND directory immediately upon successful install!

I, too, have a difficult time thinking they got passed Sentinel. It is usually some form of chat tool or a tool / mod which allows uploading files to your site.

HOWEVER, if you find more specific information regarding this hack (such as the exact URL they used to initiate the original break-in), please PM the information instead of posting it out in the open here. Any one of the moderators and/or admins here will pass the info along to those who are very experienced at analyzing these and plugging the holes.

Thanks!

_________________
Only registered users can see links on this board! Get registered or login!
Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
hitwalker
PostPosted: Sat Feb 04, 2006 2:36 pm Reply with quote

lol...montego,they use or did used a chat...
btw..remember spchat?
Look here:http://www.spchat.org/modules.php?name=Content&pa=showpage&pid=1
 
ardmhacha
PostPosted: Sat Feb 04, 2006 3:03 pm Reply with quote

Guardian,

I have pm'd you.

Hitwalker/Montego,

You may not be too far off the mark. i have spchat installed but I never use it, although there was no reference to it in todays logs. i will remove it but only after Guardian has had a look.

Thanks for everything.

Barry
 
montego
PostPosted: Sat Feb 04, 2006 3:05 pm Reply with quote

ardmhacha, you're in good hands...
 
hitwalker
PostPosted: Sat Feb 04, 2006 3:06 pm Reply with quote

yeah i figured that...i looked and searched in your forum is chat was mentioned and it was.
you should realy delete it,that doesnt have to be verified by anyone....
 
sting
PostPosted: Sat Feb 04, 2006 3:29 pm Reply with quote

Quote:
I, too, have a difficult time thinking they got passed Sentinel. It is usually some form of chat tool or a tool / mod which allows uploading files to your site.


To paraphrase...

"Don't be so proud of this technological terror you've constructed... the ability to protect a website is insignificant next to the power of bored script kiddies."

Sentinel is the best package I have seen to date at blocking out the wannabes, but there are some things even Sentinel won't protect against. To say a site will never be hacked with Sentinel is certainly wrong - especially if they go behind the scenes at the *nix level.

Don't get me wrong. I LOVE Sentinel. You MUST have Sentinel if you have Nuke.

I would be very interested in seeing the log files from the box itself...

-sting
 
montego
PostPosted: Sat Feb 04, 2006 6:06 pm Reply with quote

sting, I was just "playing the odds" here in that we usually find some other module, like spchat, coppermine, etc. that is "vulnerable" and "active"... as you can see, we were, most likely, dead on.

However, as sting says, there is nothing better than slinging through your raw logs and finding out exactly how they got in!
 
kguske
Site Admin


Joined: Jun 04, 2004
Posts: 6383

PostPosted: Sun Feb 05, 2006 9:37 am Reply with quote

ardmhacha wrote:
index.php was replaced


Can you explain how this was done? Was the index.php file itself altered? Was some data (e.g. a footer message) changed?

Also, I noticed you are using admin authentication, which has proven to be very effective against attacks on admin.php. Was this on prior to the attack?

_________________
I google, therefore I exist...
Only registered users can see links on this board! Get registered or login!
 
View user's profile Send private message
ardmhacha
PostPosted: Sun Feb 05, 2006 12:14 pm Reply with quote

kguske,

Sorry I don't know how it was done. I had the admin authentication in place before this happened.

The content of the index.php file following the hack was as follows:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<!-- saved from url=(0056)http://www.zone-h.org/defaced/2005/01/02/www.nap.org.pk/ -->
<HTML><HEAD><TITLE>[Biyo-Security] Group</TITLE><!--asd -->
<META http-equiv=Page-Enter content=RevealTrans(Duration=5,Transition=12)>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2900.2722" name=GENERATOR></HEAD>
<BODY text=#777777 bgProperties=fixed bgColor=#000000 topMargin=0 rightMargin=0>
<CENTER><BR>
<P></P><BR>
<P></P><BR>
<P></P><BR>
<P></P><BR>
<P></P><BR>
<P></P><BR>
<P></P><BR></CENTER>
<P>
<CENTER><FONT face=verdana color=#555555 size=5>[Biyo-Security-Team]</FONT></CENTER>
<P>
<CENTER><FONT face=verdana color=#555555
size=2>bst@bsdmail.com</FONT></CENTER>
<CENTER><FONT face=verdana color=#00ff00 size=2>CodeXpLoder'tq<BR></FONT></CENTER></BODY></HTML>
<CENTER>www.biyosecurity.be<BR>
<P></P><BR>
<P></P><BR>
<P></P><BR>
<P></P><BR>
<P></P><BR>
<P></P><BR>
<P></P><BR></CENTER>
<P>

I just replaced this with the index.php file from chatserv's 7.6, 3.1 patched and everything was back to normal.

Guardian,

I emailed the zipped log files to you but they bounced back.
 
kguske
PostPosted: Sun Feb 05, 2006 1:23 pm Reply with quote

Without seeing the logs, it looks like FTP / cPanel access. I'd suggest changing your cPanel, database passwords and make sure you have an additional database user and pw for Nuke - don't use the account user and pw.

It doesn't appear to be database access, which is what NukeSentinel protects (unless, as others have pointed out, there are modules / functions that do not use standard PHP-Nuke database access.
 
kguske
PostPosted: Sun Feb 05, 2006 1:27 pm Reply with quote

Also, check to see if other files were changed (look at file dates).

Did you contact the "team" to see if they would tell you how they did it? It looks fairly benign (i.e. not the typical immature script kiddie), except possibly to drum up some security business. Depending on the response, you can deteremine whether or not to contact the appropriate authorities with the information you have from your logs and the file itself.
 
kguske
PostPosted: Sun Feb 05, 2006 1:29 pm Reply with quote

Sorry for the multiple replies, but I was rereading the earlier discussion and noticed SPCHAT... It's quite possible that they could have accessed it that way. Check your referers to see if anyone found your site by searching on that...
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©