issue now resolved

Hangin' Around Joined: Mar 07, 2006 Posts: 45 Location: UK

Hi

Ok I have resolved that issue now of not being able to get onto my site.

However, is it possible please when you next upgrade the nuke sentinel to add something in there so that hackers can not link your IP to theirs if you put a ban on their IP? Just a thought.

I resolved the issue by asking my site hosts to help out going into admin but also I was able to delete my IP entry from the mysql table in the main site admin.

many thanks
dragonies

Site Admin Joined: Jun 04, 2004 Posts: 6433

You can exclude IP addresses today. Just add your IP address to the excluded range.

Posted: Sun Apr 02, 2006 7:28 am

Dragonies,

Quote:

However, is it possible please when you next upgrade the nuke sentinel to add something in there so that hackers can not link your IP to theirs if you put a ban on their IP? Just a thought.

My appologies, but I do not understand this statement. I may have missed another thread where you were talking in more detail about your issue. I am just not understanding your statement above. Can you explain it a bit more for me?

Thank you

Posted: Sun Apr 02, 2006 7:32 am

Ah, never mind, just saw it here: [ Only registered users can see links on this board! Get registered or login! ]

You definitely needed to set your login as Protected as Kguske has said.

I think what may have happened is when you went to admin.php, you may have used a link that was "deeper" than just admin.php and you were not already logged in as admin. You cannot go directly to one of the administration modules without being logged in as admin first. Since there is no way NukeSentinel to know who you are, because you were not logged in first as admin, it has no other choice than to think you are doing an "admin exploit".

Posted: Sun Apr 02, 2006 8:45 am

Hi

Ahhh K.

I was already logged in as admin as I would have had to add in the IP in through the admin panel. I am just not sure what type of hack attempt it is.

I cant get in again today as I am asking my host to ban this IP address off my site, but it is blocking me again. Sigh. I got in again yesterday after we cleared it but I still do not understand about htaccess and find it very confusing being new to php and all.

The IP address is a USA one where as mine is a UK IP address but it still changes to mine when I try to block this IP in sentinel. It works ok in the IP ban in the phpnuke itself.

my log in is already protected by sentinel, however since I caught this person I am not sure that it is protected any longer.

many thanks Dragonies

Posted: Sun Apr 02, 2006 9:02 am

Several things could have happened:

The IP address could have been spoofed to be your IP address. But this wouldn't block you if you protected your IP address. It would redirect the attacker to a blocked page and the attack would still be unsuccessful.

A union attack may have been used to insert the block on your address. This is doubtful if you were using NukeSentinel, unless you have an addon module that circumvents Nuke database access (i.e. NukeSentinel can't protect against).

The last possibility is that attacker somehow has legitimate access to your site - i.e. he can load a file somewhere or knows your admin and / or control panel passwords.

Without seeing the logs (which you should definitely check), my guess is that either there is an unsecure module or the attacker has legitimate access. I would check for recent file changes on the server AFTER changing the control panel and Nuke admin passwords.

.htaccess is used in some cases to block access to a site at the server level. If this happens, you get an Apache error message instead of a NukeSentinel message that you are blocked.

It doesn't make sense that NukeSentinel changes a blocked IP address when manually adding. It simply stores it in the database.

It also doesn't make sense that the log is already protected by sentinel. NukeSentinel has no knowledge of or access to the log, unless you're referring to the history of banned IPs inside NukeSentinel.

Posted: Sun Apr 02, 2006 9:44 am

I believe they had registered as a legitamate user because it stated clearly on the site that it was sentinel protected.

This person then asked me to active their account for them when I had deleted their user name from our site. If they had nothing to hide they would have used a normal name like we all do etc. I then told them no I wont activate their account for them they can do it themselves, at which they replied I had just confirmed stuff for them in a reply email to me.

as a note to all other people new to this like me, do not reply to emails like this as it confirms details for that attacker Very Happy

.

However, the good thing was, I was able to get their IP address from the email they sent to me and was trying to add it to sentinel but for some reason they had managed to do the attack so that when I tried to ban their IP it also banned mine.

We have now managed to ban that attacker successfully and I am able to access my site. But am thinking now might be a good idea to change my admin name and password.

To change my admin name and password, do I do this in the normal way or do I have to change in sentinel as well.

sorry to be a pain. Like I said I am completely new to all of this.

many thanks dragonies

Posted: Sun Apr 02, 2006 9:51 am

If you're using admin auth, you should change that password and your nuke admin password.

Posted: Sun Apr 02, 2006 10:09 am

yes I am using admin auth.

Can you point me in the right direction please where to change it in the nuke.

do I do this within the nuke panel itself or in the htaccess file. If its the htaccess file do I download it from the site, change and re upload, or just add something in htaccess from the nuke in my documents, and then re upload it?

many thanks dragonies

Posted: Sun Apr 02, 2006 10:21 am

I have called up the nuke sentinel and protected my Ip as suggested in the Ip protected range.

I have now called up the admin auth in nuke sentinel, do I change it in there?

thanks dragonies