Ravens PHP Scripts: Forums
Forum: Security - PHP Nuke

salongaopm
Hangin' Around
Joined: Apr 30, 2007
Posts: 41
Posted: Sun Sep 23, 2007 4:40 pm

My website was hacked. The main page displays the following:

Hacked by GHoST61
Spyhackerz.com // For Türkiye !!!

Also, whenever you go to any extension that is not available on my site, it displays a 404 error (not found) message. Below the message is a website with Google AdSense ads. When links/contents are clicked, you are directed to the address below:
[link]

Any help in restoring my site will be greatly appreciated.

Thanks!
 
Dawg
RavenNuke(tm) Development Team
Joined: Nov 07, 2003
Posts: 910
Posted: Sun Sep 23, 2007 5:58 pm

Do you have any backups?

Do you have access to the site via FTP?

Do you have access via SSH?

I would go and change every password on the site/server.

I would take the site offline via Sentinel or by putting up some other page to stop all access.

I would start with looking at the "Last Modified" date in the [link]. That should give you some clue about what got worked over.

Once access to the site/server has been stopped, it is time to try and figure out who/why.

Dawg
 
slackervaara
Worker
Joined: Aug 26, 2007
Posts: 236
Posted: Sun Sep 23, 2007 7:30 pm

To me it sounds as if your index.php or config.php has been changed by the hacker. They can sometimes succeed in uploading a new index.php or config.php to the site. This has happened many times to me, and especially with Turkish hackers.

My suggestion is that you log in by FTP and look at the file dates to see if index.php or config.php has been changed quite recently. If it has been changed, upload the original one from your backup and your site should be fixed.
 
montego
Site Admin
Joined: Aug 29, 2004
Posts: 9456
Location: Arizona
Posted: Mon Sep 24, 2007 6:01 am

salongaopm, get the site off-line first and foremost and change your passwords (on everything - don't forget the database). Unfortunately, then you are going to have to figure out how they got in. Likely culprits (not in any particular order):

1. PHP-Nuke 7.7 or greater, especially if it is unpatched (see [link] for the patches)

2. Not using [link] (latest always).

3. Using ANY add-on or hack which allows for file uploading. The usual suspects: Coppermine (or other photo sharing type add-ons), chat, phpBB upload hacks.

You should also review your site for files that should not be there. These could be their "kits" that they uploaded which can allow them to do just about anything your host account will allow...

Good luck. This is NOT an easy task. There are other threads here which discuss hack recovery, but YOU really have to be a "sleuth" and might need your host's help as well depending.

salongaopm
Posted: Mon Sep 24, 2007 9:11 am

Thank you guys for all the response.

I am using RavenNuke 2.10 with phpBB activated and Gallery2 integrated. I also added CNBYA 4.2. I am using the NukeSentinel that is included with RavenNuke.

I still have access to the site, via FTP or via the admin page.

"Do you have access via SSH?"

I am not sure... what is SSH?

In my initial search of the site, it seems that the only new file that I can see is the index.html. It was modified 9/18/07. Where else could they have added or modified a file?

How do I get my site offline? If I get my site offline, will I lose my files? My site is still new, but I can't remember where, or in what files, I can change the passwords. Any help will be greatly appreciated.

Thanks!
 
salongaopm
Posted: Mon Sep 24, 2007 9:25 am

I do not have a backup of my index.html or my files... how do I restore it?
 
kguske
Site Admin
Joined: Jun 04, 2004
Posts: 6383
Posted: Mon Sep 24, 2007 9:30 am

It's likely that index.html is the culprit. Rename that file, and check your site logs to see how it was uploaded. As montego said, first change all passwords: control panel, database user, Nuke admin, admin authentication. It may have been uploaded through gallery - check the directories that contain photos to see if there are any new ones.

You might also be able to change the order in which your webserver reads index pages. For example, if you tell it to read index.php before index.html, it's likely that this wouldn't have hurt anything. I don't remember how to do that, but it's probably through an htaccess directive.

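Checking the site logs as kguske suggests, as an added example (this is not code from the thread, from RavenNuke or from Gallery2): the script below parses Apache combined-format access log lines, finds the first request for the defacement page (an upper bound on when it was uploaded; the file's modification time from the FTP listing gives the other bound), replays what that client did beforehand, and flags the requests worth reading closely. The log lines, client IPs, paths and the list of upload directories are all constructed for this example; a real Gallery2 or PHP-Nuke log will use different paths.

```python
import re
from datetime import datetime

# Constructed sample lines in Apache "combined" log format. The client IPs,
# paths and timestamps are invented for this example, not taken from the thread.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Sep/2007:02:11:04 -0600] "GET /modules.php?name=Gallery2 HTTP/1.1" 200 5123 "-" "Mozilla/4.0"
203.0.113.7 - - [18/Sep/2007:02:11:19 -0600] "POST /modules/gallery2/main.php?g2_view=core.ItemAdmin HTTP/1.1" 200 812 "-" "Mozilla/4.0"
203.0.113.7 - - [18/Sep/2007:02:11:31 -0600] "GET /modules/gallery2/g2data/albums/x/sh.php?cmd=id HTTP/1.1" 200 97 "-" "Mozilla/4.0"
198.51.100.23 - - [18/Sep/2007:02:12:05 -0600] "GET /index.php HTTP/1.1" 200 24310 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Sep/2007:02:13:02 -0600] "GET /index.html HTTP/1.1" 200 311 "-" "Mozilla/4.0"
"""

# One combined-format line: client, identd, user, [time], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Directories that a photo gallery or upload add-on writes into. A script being
# requested from one of these is the classic sign of a dropped web shell.
# These names are an assumption for the example, not Gallery2 or Nuke constants.
UPLOAD_DIRS = ("/albums/", "/g2data/", "/uploads/", "/images/")
SCRIPT_EXT = (".php", ".phtml", ".pl", ".cgi")


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
        entries.append(e)
    return entries


def first_request(entries, path):
    """Earliest request whose path (query string ignored) equals `path`, or None."""
    hits = [e for e in entries if e["path"].split("?", 1)[0] == path]
    return min(hits, key=lambda e: e["ts"]) if hits else None


def suspicious_requests(entries):
    """Requests worth reading: scripts served from upload directories, POSTs
    (file uploads travel as POSTs) and shell-style query strings."""
    out = []
    for e in entries:
        path, _, query = e["path"].partition("?")
        in_upload_dir = any(d in path for d in UPLOAD_DIRS)
        is_script = path.lower().endswith(SCRIPT_EXT)
        if (in_upload_dir and is_script) or e["method"] == "POST" or "cmd=" in query:
            out.append(e)
    return out


def timeline_for(entries, ip, until):
    """Everything `ip` requested up to and including time `until`, oldest first."""
    return sorted((e for e in entries if e["ip"] == ip and e["ts"] <= until),
                  key=lambda e: e["ts"])


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    deface = first_request(entries, "/index.html")
    print("index.html first requested", deface["ts"], "by", deface["ip"])
    for e in timeline_for(entries, deface["ip"], deface["ts"]):
        print(" ", e["ts"].time(), e["method"], e["path"], e["status"])
    print("suspicious requests:", len(suspicious_requests(entries)))
```

The first GET of index.html only proves the page existed by then; pair it with the file's modification time. A 200 on a .php request under an album directory means the server executed it, which is exactly the risk of a world-writable upload directory. A file placed by FTP, as slackervaara describes, never appears in the web log at all; for that, ask the host for the FTP server log.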

montego
Posted: Tue Sep 25, 2007 6:14 am

Crap! I wonder if G2 has a hole in it... And you are certain that you have no other add-ons to RN than what you have mentioned?

Is G2 integrated into your forums or do you mean as a module within RN?
 
TAd
Worker
Joined: Oct 11, 2004
Posts: 123
Location: Oregon, USA
Posted: Tue Sep 25, 2007 7:29 am

Montego,

G2 possibly has a hole in it. I am fairly certain that I had the "albums directory" set to 755; that is where they dropped off a few tars. I recently got hit; my G2 I have never placed inside of Nuke. I am not suggesting that is what happened to the OP's site. However, as I go through my backups (the compromised ones) I am learning more and more. I have located a Linux rootkit that connects to an IRC server, as well as several other scripts to perform DDoS attacks, FTP, file serving etc. Somehow they uploaded this data into several of my album folders and then executed from there.

Also Plesk 8.x has a hole in it as well; 1&1 just sent out a root server advisory about it.

The Gallery was a Linux/Exploit SmallF Trojan
Plesk was a Perl/Shellbot.B

This happened roughly the same time I was monitoring logs (login attempts, the dictionary brute-force type) and decided to update security. I updated some firewall rules, created some new ones, and also installed DenyHosts. Then boom, they set off a DDoS attack and within 5 minutes the server was shut down due to 1&1 security measures.

It is not fun, and what is actually ironic is that the same people who hacked in, and in text messages were laughing about it like they actually have skills, did NOT even write any of the scripts they uploaded.
 
salongaopm
Posted: Tue Sep 25, 2007 9:20 am

Hi!

I was told by my host that they can restore my website back. Somehow they have a backup. I hope it is true.

I changed the password on the control panel. I tried to change my password on the admin... but I somehow got banned instead. Now, every time I try to access my site it asks for my username and password. I enter them, but it just gives me a 404 error with the same AdSense page.

I only have G2, CNBYA 4.2 & phpBB. The G2 was integrated into RN as a module using the instructions from the link below:
[link]

I also modified the CNBYA 4.2 using the instructions in post number 21 in the link below:
[link]
 
montego
Posted: Wed Sep 26, 2007 5:49 am

salongaopm, restoring your site is one thing, but getting rid of everything they added is another one, plus the most important thing of all is finding out how they got in and patching that up.

I am discouraged by TAd's post. I guess the only thing I can offer up is to always keep pace with all software updates on G2 and phpBB and keep your own good backups as well.

Good luck to you.
 
salongaopm
Posted: Wed Sep 26, 2007 8:59 pm

Thanks for the reply. I keep looking for any files that were just recently added or that coincide with the date my index.html was changed... but no luck. How can I spot the files that they've added?
 
montego
Posted: Thu Sep 27, 2007 6:09 am

Unfortunately, if you do not have SSH access, you may have to find a tool/script which can do this, OR use your control panel to back up all your files for your account, then bring that down to your PC, uncompress it, and use a comparison utility such as WinMerge or Beyond Compare 2 to try and spot modified or new files. Of course, this implies that you have a clean copy of your production site files on your local PC (if you don't, you should consider getting XAMPP installed on your PC so that you can test site changes before you upload them).
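The comparison montego describes, and the "Last Modified" check Dawg suggested at the top of the thread, done as a script rather than by eye in WinMerge. This is an added example, not code from the thread or from RavenNuke; it assumes you have a known-clean copy of the site and the downloaded live files both unpacked on your PC, and the file extensions and directory names it treats as executable and as upload directories are assumptions. The two small trees it builds are constructed for the example so that it runs stand-alone.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Extensions the web server would execute, and directory names that a gallery
# or upload add-on writes into. Both lists are assumptions for this example.
SCRIPT_EXT = (".php", ".phtml", ".pl", ".cgi", ".sh")
UPLOAD_DIRS = ("albums", "g2data", "uploads", "images")


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map relative path -> (sha256, mtime) for every regular file under root."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            out[rel] = (sha256_of(full), os.path.getmtime(full))
    return out


def compare(clean, live):
    """Files present only on the live site, changed since the clean copy, or gone."""
    return {
        "added": sorted(p for p in live if p not in clean),
        "modified": sorted(p for p in live if p in clean and live[p][0] != clean[p][0]),
        "missing": sorted(p for p in clean if p not in live),
    }


def modified_since(snap, since_ts):
    """Files whose mtime is at or after since_ts (the date the defacement appeared).
    Caveat: an attacker with shell access can reset mtimes, so the hash comparison
    above is the stronger check; this one needs no clean copy, though."""
    return sorted(p for p, (_, mtime) in snap.items() if mtime >= since_ts)


def scripts_in_upload_dirs(snap):
    """Executable files sitting under a directory that should only hold images."""
    hits = []
    for p in snap:
        parts = p.lower().split("/")
        if any(d in parts[:-1] for d in UPLOAD_DIRS) and parts[-1].endswith(SCRIPT_EXT):
            hits.append(p)
    return sorted(hits)


def _write(root, rel, body, mtime):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(body)
    os.utime(full, (mtime, mtime))


def build_demo():
    """Constructed fixture: a tiny clean tree, and a live tree with a defacement
    page added, config.php altered and a script dropped into an album directory."""
    clean, live = tempfile.mkdtemp(prefix="clean_"), tempfile.mkdtemp(prefix="live_")
    old = datetime(2007, 8, 1, tzinfo=timezone.utc).timestamp()
    hacked = datetime(2007, 9, 18, tzinfo=timezone.utc).timestamp()
    site = {
        "index.php": "<?php require_once 'mainfile.php'; ?>",
        "config.php": "<?php $dbpass = 'example'; ?>",
        "modules/gallery2/g2data/albums/trip/photo.jpg": "jpeg bytes",
    }
    for root in (clean, live):
        for rel, body in site.items():
            _write(root, rel, body, old)
    _write(live, "index.html", "Hacked by ...", hacked)
    _write(live, "config.php", "<?php $dbpass = 'example'; /* appended by attacker */ ?>", hacked)
    _write(live, "modules/gallery2/g2data/albums/trip/sh.php", "<?php /* dropped script */ ?>", hacked)
    return clean, live, hacked


if __name__ == "__main__":
    clean_root, live_root, since = build_demo()
    live = snapshot(live_root)
    for kind, paths in compare(snapshot(clean_root), live).items():
        print(kind, paths)
    print("modified since defacement:", modified_since(live, since))
    print("scripts in upload dirs:", scripts_in_upload_dirs(live))
```

Hashes catch a file that was altered and had its timestamp put back; the mtime scan catches new files when there is nothing clean to compare against. Neither catches a script hidden inside an image that is never executed, which is why the upload-directory check goes by extension and location rather than content. Run it on the downloaded copy, not on the live server.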
 