Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
Author Message
onnig
Hangin' Around


Joined: Jun 15, 2006
Posts: 36

PostPosted: Fri Apr 04, 2008 3:02 pm Reply with quote

I use RN 2.10.01, My site was hacked with an SQL injection that overwrote some title page news messages. Looks like they, turkish hackers, were not able to post with HTML, thankfully, but used a long ASCII stretch of profanities, etc which posted on my main page since the news article were there. Is there a patch that I need to apply?

On a good note, this is the longest time we have gone on without a successful hack, after installing RN.
Smile

I removed the hacked posts and blocked all of Turkey. Also, what should I chmod my htaccess file to be able to autopost blocked ip's to it but without having outsiders edit it? We've had our .htaccess file also hacked once by the same people.
Only registered users can see links on this board! Get registered or login!
 
View user's profile Send private message
Guardian2003
Site Admin


Joined: Aug 28, 2003
Posts: 6792
Location: Ha Noi, Viet Nam

PostPosted: Fri Apr 04, 2008 3:23 pm Reply with quote

First of all, I would like to know which blockers you had active in Nuke Sentinel and what other none RavenNuke modules you have installed as this will help determine how they got in.
 
View user's profile Send private message Send e-mail
Guardian2003
PostPosted: Fri Apr 04, 2008 3:27 pm Reply with quote

Do you also have any copies of your server log files from when the incident occured?

You should start your htaccess at 644 and work your way up until Sentinel can write to it as sometimes it can vary due to server configuration.
 
onnig
PostPosted: Fri Apr 04, 2008 3:37 pm Reply with quote

Guardian2003 wrote:
Do you also have any copies of your server log files from when the incident occured?

You should start your htaccess at 644 and work your way up until Sentinel can write to it as sometimes it can vary due to server configuration.


non RN modules, Podcast and Kalendar, thanks for the htaccess tip.

Kalendar mod:
Only registered users can see links on this board! Get registered or login!

Its in German but the install will have the English option.

Podcast mod:
Only registered users can see links on this board! Get registered or login!

I turned on all blockers, they're all active. The log files are huge, what should I be looking for?
 
Guardian2003
PostPosted: Fri Apr 04, 2008 3:52 pm Reply with quote

If you can zip your log file and send them to
webmaster
ATcode-authorsDOTcom

I'll take a look at them - might be useful to have a date if you know what day it happened Smile
Interesting the you have Kalendar installed - I'm not aware of any problems with it but it does allow you to post events into the news module if I remember correctly and you say it was the news that got hit?

Was your RN install to upgrade an existing site?

Sorry for the questions, I'm just trying to help Smile
 
Susann
Moderator


Joined: Dec 19, 2004
Posts: 3191
Location: Germany:Moderator German NukeSentinel Support

PostPosted: Fri Apr 04, 2008 4:07 pm Reply with quote

onnig did you checked in NukeSentinel the tracked IPs also ?
Is http Auth activated ?
I´m quite sure when you are up-to-date with your calendar version there shouldn´t be a problem with.
 
View user's profile Send private message
onnig
PostPosted: Fri Apr 04, 2008 4:09 pm Reply with quote

Guardian2003 wrote:
If you can zip your log file and send them to
webmaster
ATcode-authorsDOTcom

I'll take a look at them - might be useful to have a date if you know what day it happened Smile
Interesting the you have Kalendar installed - I'm not aware of any problems with it but it does allow you to post events into the news module if I remember correctly and you say it was the news that got hit?

Was your RN install to upgrade an existing site?

Sorry for the questions, I'm just trying to help Smile


I really appreciate your help!! The attack was today, I monitor daily, and so I'll send the zipped log for today, not too big, about 200k. Yes the News was hit. The RN install was a new install.
 
onnig
PostPosted: Fri Apr 04, 2008 4:16 pm Reply with quote

Susann wrote:
onnig did you checked in NukeSentinel the tracked IPs also ?
Is http Auth activated ?
I´m quite sure when you are up-to-date with your calendar version there shouldn´t be a problem with.


Yes httpAuth is activated but one problem, no tracked IPs they were working but I haven't looked for a while. Also other issues with Sentinel, like cannot add IP ranges but can add IP addresses to block. Weird
 
Susann
PostPosted: Fri Apr 04, 2008 4:24 pm Reply with quote

Make sure you are up-to-date with the NukeSentinel version (+ IP2Country) which is 2.5.17 and post your issues with NS in the correct forums.
So going through the log files should be the better way.
 
onnig
PostPosted: Fri Apr 04, 2008 4:25 pm Reply with quote

looks like chmod 666 did the trick, but doesn't that allow "others" to write?
 
Susann
PostPosted: Fri Apr 04, 2008 4:37 pm Reply with quote

Files with a dot before are special protected. I never had issues with that and don´t worry about this.
Quote:
We've had our .htaccess file also hacked once by the same people.
How did they do this ? Better don´t answer my question !
Its seldom.
 
onnig
PostPosted: Fri Apr 04, 2008 4:42 pm Reply with quote

Susann wrote:
Files with a dot before are special protected. I never had issues with that and don´t worry about this.
Quote:
We've had our .htaccess file also hacked once by the same people.
How did they do this ? Better don´t answer my question !
Its seldom.


See you PM for my answer
 
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 17077

PostPosted: Fri Apr 04, 2008 9:06 pm Reply with quote

Do you allow anonymous to post? What 3rd party addons are you using? Do you have admin auth turned on?


Last edited by Raven on Sat Apr 05, 2008 7:14 pm; edited 1 time in total 
View user's profile Send private message
montego
Site Admin


Joined: Aug 29, 2004
Posts: 9449
Location: Arizona

PostPosted: Sat Apr 05, 2008 6:01 am Reply with quote

onnig, it might help too if you can give Guardian what the data looked like within the database before you removed it. It might help him while searching through the logs. Just PM it to him if you have it...

_________________
Only registered users can see links on this board! Get registered or login!
Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
Guardian2003
PostPosted: Sun Apr 06, 2008 2:47 am Reply with quote

I checked the logs several times.
There was one failed attempt at the usual phpbb root path exploit (r57 . txt) and the only other thing that is out of place was this line which I cannot make sense of (GET request)
Code:
/w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 414 "-" "-"

That IP for that GET request does not appear any where else.

I have also checked every image path that appears in the logs to ensure they were genuine images so I'm stumped.
 
montego
PostPosted: Sun Apr 06, 2008 7:56 am Reply with quote

onnig, some additional questions:

You have not responded in a while to some questions, what is the state of things now?

You mentioned that your .htaccess file hacked by the "same guys". When was that and was it RavenNuke at that time?

What, exactly, did the data look like prior to you deleting it? Feel free to PM me if you have those details.

Unfortunately, if this is a shared hosted environment, it is possible that you were compromised via another account. But, given that only the news was affected and not a bunch of other stuff, I am guessing that it is not that.

Around the same time (earlier actually), were there any UNION blocks seen by NukeSentinel? (I.e., they might have been probing an exploit, but using proxies or other ways to cover their tracks.)
 
kguske
Site Admin


Joined: Jun 04, 2004
Posts: 6383

PostPosted: Sun Apr 06, 2008 7:02 pm Reply with quote

Sorry to jump in late on this - were any new files added or files changed?

_________________
I google, therefore I exist...
Only registered users can see links on this board! Get registered or login!
 
View user's profile Send private message
onnig
PostPosted: Mon Apr 07, 2008 1:26 pm Reply with quote

montego wrote:
onnig, it might help too if you can give Guardian what the data looked like within the database before you removed it. It might help him while searching through the logs. Just PM it to him if you have it...

Sorry Montego, I deleted the text they posted, I was in panic mode.
 
onnig
PostPosted: Mon Apr 07, 2008 1:35 pm Reply with quote

montego wrote:
onnig, some additional questions:

You have not responded in a while to some questions, what is the state of things now?

You mentioned that your .htaccess file hacked by the "same guys". When was that and was it RavenNuke at that time?

What, exactly, did the data look like prior to you deleting it? Feel free to PM me if you have those details.

Unfortunately, if this is a shared hosted environment, it is possible that you were compromised via another account. But, given that only the news was affected and not a bunch of other stuff, I am guessing that it is not that.

Around the same time (earlier actually), were there any UNION blocks seen by NukeSentinel? (I.e., they might have been probing an exploit, but using proxies or other ways to cover their tracks.)


All I have done so far is block all of Turkey, I hope, maybe some remote village still has access Wink.

Anyway, I will PM you the hacker site it came from. I did a search on the logs myself, I remember, and nothing came up with their name they pasted. I just hope there are no lingering files on the site that they are waiting for an opportune time to use to hit us with.

I've been having problems just recently with NukeSent, even upgraded to latest a couple of days ago and still, not tracking IP's even though it is set to track. I want to upgrade the entire site to latest RN. HTTPAuth is turned on, so everything is good, how do I see if there are any attacks? I get emails about abuse being blocked. They are always "Abuse-Filter". I don't see UNION.

Can I get help with the tracking issue and maybe I haven't setup something right with Nuke Sentinel. I followed the instructions, great instructions, as much as I could.
 
onnig
PostPosted: Mon Apr 07, 2008 1:36 pm Reply with quote

kguske wrote:
Sorry to jump in late on this - were any new files added or files changed?


How can I tell?
 
onnig
PostPosted: Mon Apr 07, 2008 1:37 pm Reply with quote

Raven wrote:
Do you allow anonymous to post? What 3rd party addons are you using? Do you have admin auth turned on?


Kalendar mod:
Only registered users can see links on this board! Get registered or login!

Its in German but the install will have the English option.

Podcast mod:
Only registered users can see links on this board! Get registered or login!
 
onnig
PostPosted: Tue Apr 08, 2008 11:59 am Reply with quote

anyone, anyone?
 
Susann
PostPosted: Tue Apr 08, 2008 5:52 pm Reply with quote

The podcast mod is for Nuke 1.8 quess the meant 8.1 so its not directly for your version. I don´t anything about this module so I can´t comment.
For you as webmaster it should be quite easy to find out weird things because only you know your site and the uploaded files.
As long as there is a security hole its only a matter of time and you ´ll get the same issue again and a banned country means nothing it isn´t a real handicap.

About the scan tool:
Only registered users can see links on this board! Get registered or login!
Do a search and you ´ll find out more about this.

Related to NukeSentinel there isn´t much to set up because its preconfigured.
I would check the settings in the NS administration and also the settings of the NSN blockers. Make sure they are activated. I´ve not seen a site where the tracking function doesn´t work. Don´t know what you did.Excluded ranges will not be tracked. But I quess you know this already.
 
onnig
PostPosted: Tue Apr 08, 2008 11:20 pm Reply with quote

Thank you
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©