Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
Author Message
drenalin
New Member
New Member


Joined: Mar 07, 2008
Posts: 10

PostPosted: Thu Mar 13, 2008 5:19 pm Reply with quote

My own stupidity for not learning and just going at it.
but - now for the question and (this is the part where your participation comes in) your answers
Ok - so I was dumb and did something wrong.
I don't know what - but something.
I had just uploaded the Sentinal last night and started getting that in line to put into opperational status but - I got tired.
Is there any way to salvage what I have right now?
How should I move forward from this moment?
What should my next move be?
Give a Noob a hand - or a smack in the mouth and an I told you so!
one way or the other - lend a hand here please.

I know - read.
but read what?
I have yet to find something that has a title of -

"So you have been hacked and you use PHP"

Chapter 1 - Dumb ass you should have read this before.

Check the site out - you'll get a kick out of it

Only registered users can see links on this board! Get registered or login!
 
View user's profile Send private message Visit poster's website
fkelly
Former Moderator in Good Standing


Joined: Aug 30, 2005
Posts: 3312
Location: near Albany NY

PostPosted: Thu Mar 13, 2008 5:55 pm Reply with quote

I'm not quite sure what your question is. If you uploaded the NukeSentinel files last night you should be able to resume the installation following the instructions in the readme files. I looked quickly at your site and don't see any evidence that you were hacked.

Nobody here is interested in smacking a noob. But you need to state your problem more clearly and give more specifics on what exactly you did to get to the point of thinking you had a problem. What version of Sentinel did you upload for instance? Did you have Sentinel before? Things like that. And what version of Nuke are you running? Do you have custom modules?
 
View user's profile Send private message Visit poster's website
drenalin
PostPosted: Thu Mar 13, 2008 6:06 pm Reply with quote

Sorry - I feel like a dumb-arse
I finally got the site more or less the way I wanted it and now this -
OK when I logged on today after work - there was a large banner posted as a news article on the front page which showed a picture and the following text
"Welcome to h4x0r3d By XTech Inc - Pablin77 Was Here - IvisSs Te QuieroOo!"

Then I noticed the top tab on the browser was reading as the following:
"Welcome to h4x0r3d By XTech Inc - Pablin77 Was Here - IvisSs Te QuieroOo!"

Then I went to log in as admin and go to delete the news article and I noticed the same text on the log in page.

I thought oh crap. So I went back to the front page and noticed the Forum Scroll at the end it reads the same text as above.

So now I am thinking - uhoh

then I look down to see who is in my team speak and I see accross the top of the TeamSpeak block the same text.

thats a member only item - then it dawns on me - so is the forum scroll - now I am really thinking uhoh.

So I log into my main box - and I can't find a thing changed in any file or in any block?

what has happened?
I don't understand - I think that is the main point here - I don't understand what to do to fix a problem that I can't see what has been changed.

I'm sorry - I just should have known this was going to happen.
 
drenalin
PostPosted: Thu Mar 13, 2008 6:17 pm Reply with quote

sorry - so I go to the front page and do a "View Source"

and I see this:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>h4x0r3d By XTech Inc - Pablin77 Was Here - IvisSs Te QuieroOo </title>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
<META HTTP-EQUIV="EXPIRES" CONTENT="0">
<META NAME="RESOURCE-TYPE" CONTENT="DOCUMENT">
<META NAME="DISTRIBUTION" CONTENT="GLOBAL">
<META NAME="AUTHOR" CONTENT="h4x0r3d By XTech Inc - Pablin77 Was Here - IvisSs Te QuieroOo">
<META NAME="COPYRIGHT" CONTENT="Copyright (c) by h4x0r3d By XTech Inc - Pablin77 Was Here - IvisSs Te QuieroOo">

I'm starting to think I'm a ding bat but -

You asked if I had custom modules - I have one custom module and several blocks - some from here and some I built from other PHP blocks I found. I am sure I messed something up in one of them and left an open door or window somehow.

You asked what version of nuke I am running:
ready for another ding bat question?
How do I find out? I know I found a post in the forums on how - but I can't remember where right now.

(Probably under the - faq)

What version of Sentinel did you upload for instance:
Nuke Sentinal 2515 66-81
Does that help? I didn't get it here - but incidentally - it is how I found my way here last week.
 
drenalin
PostPosted: Thu Mar 13, 2008 6:36 pm Reply with quote

Ok - Rebuilt from a back up
so - now - I need to know how to put up sentinal and go forward from here.
I know I know RTFM
 
fkelly
PostPosted: Thu Mar 13, 2008 7:14 pm Reply with quote

If you can look in the nuke_config table using phpmyadmin it will tell you what version of Nuke you are using. There is a field called Version_number (or something similar) to look at.

However, you have to figure that the hackers have access to your id's and passwords and the ability to put files and alter files on your server. So you really need to go back and change every administrative password both in the author's table for nuke but also at your server level and for Only registered users can see links on this board! Get registered or login! They may also have planted a file that gives them the ab ility to write to your server so you need to look thru your files or just delete everything and reload the server from scratch. Because if they have a file like that they can hack you anytime they want.

The latest version of Sentinel is 2.5.16. You can get that at nukescripts.net. However, you might be better off installing Ravennuke 2.20.01 which is available on this site. It comes with the latest Sentinel plus many other security enhancements. I'd suggest you get that running. There are many posts here about upgrading to it.

I'd also suggest that you leave your custom blocks out of the picture until you have the base Ravennuke up and running for a week or so. Then maybe post them here and we can look to see if there are vulnerabilities. But first things first.

Right now you can't trust anything on your site. They may have access to your CPANEL or whatever tool it is you use to manage your server. They may have planted files. You really need to make sure that any of that stuff is wiped clean and that all admin id's and passwords are reset or you may very well wind up in the same situation a week or two from now.
 
Susann
Moderator


Joined: Dec 19, 2004
Posts: 3191
Location: Germany:Moderator German NukeSentinel Support

PostPosted: Thu Mar 13, 2008 7:51 pm Reply with quote

You need also to activate http auth. Check your NukeSentinel administration.
 
View user's profile Send private message
drenalin
PostPosted: Thu Mar 13, 2008 7:58 pm Reply with quote

thank you folks - I have a feeling I am going to become a regular pest around here

Thank you for the quick responses

I can't find a thing showing what version I am running - I only find copyright 2005 on almost everything
 
Susann
PostPosted: Thu Mar 13, 2008 8:04 pm Reply with quote

The Nuke version is usally in db table nuke_config.Maybe you removed it. In older Nuke versions its also in the statistic overview and database table.
E.g. in Nuke 6.5
 
drenalin
PostPosted: Thu Mar 13, 2008 8:21 pm Reply with quote

Not in statistics - already checked that one.
For some reason I think it is 7.6
but - can't find nuke_config
however - have been in ever config file I have seen and again only see copyright 2005
 
Susann
PostPosted: Thu Mar 13, 2008 8:41 pm Reply with quote

Your site is the first site without a config database table I´ve heard about. Smile
Anyway activate all blockers and read about how to do the rest to protect your site with http auth and what to do with .htaccess and stacess .

So long
 
drenalin
PostPosted: Sat Mar 15, 2008 8:26 am Reply with quote

Found it - it took 2 days - but I found it
Not where anyone said it would be
it's version 7.8

I was handed this site by the former admin in the state it is.
I do not know how it was originally setup so finding things is not the easiest to do.
 
Susann
PostPosted: Sat Mar 15, 2008 8:58 am Reply with quote

For safety reasons better switch over to RavenNuke. We do not recommend Nuke Version 7.8, 7.9 etc.
 
Dawg
RavenNuke(tm) Development Team


Joined: Nov 07, 2003
Posts: 910

PostPosted: Sat Mar 15, 2008 9:17 am Reply with quote

There are issues with TeamSpeak as well. As much as I like TS....I would not run it. Susann told you right. RN is the way to go. Nothing above 7.6 is secure.

Dawg
 
View user's profile Send private message
Gremmie
Former Moderator in Good Standing


Joined: Apr 06, 2006
Posts: 2415
Location: Iowa, USA

PostPosted: Sat Mar 15, 2008 10:37 am Reply with quote

The TeamSpeak block or a TeamSpeak server?

_________________
Only registered users can see links on this board! Get registered or login! - An Event Calendar for PHP-Nuke
Only registered users can see links on this board! Get registered or login! - A Google Maps Nuke Module 
View user's profile Send private message
Susann
PostPosted: Sun Mar 16, 2008 11:27 am Reply with quote

You only need to search for Team speak security I believe and you ´ll find a lot of interesting search results.
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©