Ravens PHP Scripts: Forums
 

 

Raven
Site Admin/Owner



Joined: Aug 27, 2002
Posts: 17088

Posted: Wed Sep 08, 2004 10:13 am

Thanks for letting me know. We will work this into NukeSentinel™ now that I know it works. Now we'll wait for 64bitguy to try it. BTW, you can add more names, one on each line. You can also assign names to groups. There's much that you can do with it. I just wanted to hammer out the bare necessities. I will post this as a sticky once I get 64bitguy's feedback.
 
kguske
Site Admin



Joined: Jun 04, 2004
Posts: 6433

Posted: Wed Sep 08, 2004 10:25 am

Since I knew the name of the secret file, I entered it in the browser and was able to view it. So, I moved it to a non-viewable directory and changed the .htaccess file accordingly.
 
Raven







Posted: Wed Sep 08, 2004 10:46 am

Absolutely! That's why you use the REALPATH. You can place it outside of the root web folder. You can also chmod the permissions to only allow execute privileges.
 
Raven







Posted: Wed Sep 08, 2004 10:55 am

An even easier way to protect your secret file is to just add another directive to .htaccess:

<Files .secretfile>
deny from all
</Files>
 
64bitguy
The Mouse Is Extension Of Arm



Joined: Mar 06, 2004
Posts: 1164

Posted: Wed Sep 08, 2004 2:46 pm

Now THIS is a set of instructions if I ever saw them!

Who's the man? Raven's the man! Worked like a charm!

EXCELLENT SMITHERS... EXCELLENT!

Thanks bigtime!

_________________
Steph Benoit
100% Section 508 and W3C HTML5 and CSS Compliant (Truly) Code, because I love compliance. 
GeekyGuy
Client



Joined: Jun 03, 2004
Posts: 302
Location: Huber Heights Ohio

Posted: Wed Sep 08, 2004 6:35 pm

Sounds like a new section for the User Guide is in the near future. kguske, 64bitguy, since you both have experience at implementing this, would you mind sharing with me the steps you took?

_________________
"The Daytona 500 is ours! We won it, we won it, we won it!", Dale Earnhardt, February 15th, 1998, Daytona 500 
kguske







Posted: Wed Sep 08, 2004 9:26 pm

I'd be glad to send a write up, but if Raven & Co. include it in the next version of NukeSentinel, the write up would be very different. Raven's instructions were pretty straightforward and easy to follow, and his sample and utility code performed flawlessly. It would be pretty easy to build on that and make it more user friendly, but I think that's what Raven has in mind for the next release (I would gladly test / document / do whatever to assist).

Again - I MUST share my sincere appreciation and gratitude to Raven for proving his logo: quality with simplicity. It may not be rocket science, but the level of detail (now captured in a sticky) shows how carefully he thought this through. THANKS AGAIN!
 
GeekyGuy







Posted: Wed Sep 08, 2004 9:39 pm

Thanks, I'd appreciate your help, I'll re-read the sticky tomorrow and get started writing it up. Anything you can provide will help.

And I agree 100%, these guys are GOOD!

 
RaDiKaL
New Member



Joined: Jun 10, 2004
Posts: 23

Posted: Thu Sep 09, 2004 2:43 am

Hey guys, I just wanted to note that I'm waiting for the access logs. As soon as I have them I'll post any findings.
 
oprime2001
Worker



Joined: Jun 04, 2004
Posts: 119
Location: Chicago IL USA

Posted: Thu Sep 09, 2004 1:51 pm

Raven wrote:

So, let's assume that your secret file is named 64bitsecret. I would make it hidden by naming it .64bitsecret. Now, the contents will be a username:password, like 64bitguy:secretpass, except secretpass needs to be encrypted with the crypt() function. I will not attempt an explanation of the function, but I will provide a short script I wrote to help you. The salt value can be whatever you like.
Code:
<form method='post'>

Enter password to be encrypted using crypt(): <input name='pw'><br /><br />
Enter the 'salt' value for the encryption (2 long): <input name='salt' maxlength='2'><br /><br />
<input type='submit' name='submit' value='Encrypt'><br /><br />
<?
if (isset($_POST['submit'])&&isset($_POST['pw'])&&!empty($_POST['pw'])) {
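   // Escape the submitted values before echoing them back into the page
   echo "Password <b>".htmlspecialchars($_POST['pw'])."</b> translated is <b>".htmlspecialchars(crypt($_POST['pw'],$_POST['salt']))."</b>";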
}
?>


I dropped that code snippet into an html file, and uploaded it to my phpnuke directory. When I click on the Encrypt button, I get
Quote:
The requested method POST is not allowed for the URL /encrypt.htm.
Am I missing something?

Also, is there an ETA as to when the next version of NukeSentinel will have this type of HTTP Authentication Using PHP CGI and Apache? I'd rather wait on an "official" NukeSentinel upgrade than place this hack temporarily, then later upgrade anyways. Thanks.
 
Raven







Posted: Thu Sep 09, 2004 2:01 pm

This 'hack' will be the 'official'.

Are you somehow blocking POST in .htaccess as a security measure?
 
kguske







Posted: Thu Sep 09, 2004 2:04 pm

It should be a .php file. e.g. encrypt.php not encrypt.html
 
oprime2001







Posted: Thu Sep 09, 2004 3:39 pm

I couldn't get Raven's encrypt sample to work so a quick search on google, and I found the following alternative:
Code:
<?php


// Get string to encrypt
$string = 'mypassword';   // password to encrypt

// Hash string
$hash = 'XX';   // two character salt

// Encrypt string
$output = crypt($string, $hash);

// Send to browser
print('Input: ' . $string . "\n");
print('Output: ' . $output);

?>

Nice! Now to get HTTP Authentication implemented on the rest of websites that I maintain! Thanks again, Raven!
 
64bitguy







Posted: Thu Sep 09, 2004 4:01 pm

GeekyGuy wrote:
Sounds like a new section for the User Guide is in the near future. kguske, 64bitguy, since you both have experience at implementing this, would you mind sharing with me the steps you took?


Are you talking about Raven's Enhanced Admin.php Protection? I'm calling it REAP for short!

I simply followed his instructions:
1) Use encrypt.php to create new encrypted password:
Code:
<form method='post'>

Enter password to be encrypted using crypt(): <input name='pw'><br /><br />
Enter the 'salt' value for the encryption (2 long): <input name='salt' maxlength='2'><br /><br />
<input type='submit' name='submit' value='Encrypt'><br /><br />
<?
if (isset($_POST['submit'])&&isset($_POST['pw'])&&!empty($_POST['pw'])) {
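   // Escape the submitted values before echoing them back into the page
   echo "Password <b>".htmlspecialchars($_POST['pw'])."</b> translated is <b>".htmlspecialchars(crypt($_POST['pw'],$_POST['salt']))."</b>";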
}
?>


2) I then created the hidden file (in this case, a level that is not under the path of the /public_html/ folder, so nobody can get to it) containing the username that I wanted to use, followed by a colon : and then the output results of encrypt.php.

I then placed my .secretfile in the hidden folder I called /home/USERNAME/.htpasswords/. Again, in this case, it is located outside of my user accessible path of /home/USERNAME/public_html so nobody can get to it.

This also eliminates the need for Raven's new part of the script that must protect the password file itself.

Anyway, my /home/USERNAME/.htpasswords/.secretfile looked just like Raven said it should:
Code:
username:encrypted_password


To get it there, I uploaded the file saved simply as "secretfile" (without the period) to my /home/USERNAME/ directory using my FTP software. I then moved it (using my host-provided Cpanel function, "File Manager") to my hidden .htpasswords folder (at /home/USERNAME/.htpasswords/).

Finally, I then used Cpanel's "File Manager" once more to rename the file from secretfile to .secretfile

3) Next, (again using Raven's instructions) I modified my .htaccess file (located at /home/USERNAME/public_html/) to reflect the new information:
Code:
<Files admin.php>

   <Limit GET POST PUT>
      require valid-user
   </Limit>
   AuthName "Restricted"
   AuthType Basic
   AuthUserFile /home/USERNAME/.htpasswords/.secretfile
</Files>


Again, you would simply modify the /USERNAME/ section to accurately reflect the username assigned to you by your host.

TADA!

That's it! Works like a charm!


Last edited by 64bitguy on Thu Sep 09, 2004 6:37 pm; edited 5 times in total 
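
The three steps above as one command-line helper, added here as an example and not Raven's or NukeSentinel's code. It hashes with bcrypt through password_hash() rather than a two-character-salt crypt(), refuses to write the password file under the web root, and prints an .htaccess block without the <Limit> wrapper; the script name make_auth.php and the function names are made up for the example, and it assumes Apache 2.4 or later, which accepts bcrypt entries in an AuthUserFile.

```php
<?php
// Added example, not code from this thread. Run from a shell:
//   php make_auth.php USER /home/USERNAME/public_html /home/USERNAME/.htpasswords/.secretfile
// Assumes Apache 2.4+ (accepts bcrypt "$2y$" entries) and PHP 5.5+ (password_hash).

function is_inside($path, $dir)
{
    $dir = rtrim($dir, '/') . '/';
    return strncmp($path . '/', $dir, strlen($dir)) === 0;
}

function htpasswd_line($user, $password)
{
    if ($user === '' || strpbrk($user, ":\r\n") !== false) {
        throw new InvalidArgumentException('user name is empty or contains ":" or a newline');
    }
    // Random salt on every call; there is no 2-character salt to pick.
    return $user . ':' . password_hash($password, PASSWORD_BCRYPT) . "\n";
}

function htaccess_block($passwordFile)
{
    // No <Limit> wrapper: the requirement then covers every request method.
    return "<Files admin.php>\n"
        . "   AuthType Basic\n"
        . "   AuthName \"Restricted\"\n"
        . "   AuthUserFile $passwordFile\n"
        . "   Require valid-user\n"
        . "</Files>\n";
}

if (PHP_SAPI === 'cli' && $argc === 4) {
    $docroot = realpath($argv[2]);
    $dir     = realpath(dirname($argv[3]));   // the directory must already exist
    if ($docroot === false || $dir === false) {
        fwrite(STDERR, "web root or password directory not found\n");
        exit(1);
    }
    $target = $dir . '/' . basename($argv[3]);
    if (is_inside($target, $docroot)) {
        fwrite(STDERR, "refusing: $target could be fetched with a browser\n");
        exit(1);
    }
    fwrite(STDERR, 'Password: ');
    $password = rtrim((string) fgets(STDIN), "\r\n");
    if ($password === '') { fwrite(STDERR, "empty password\n"); exit(1); }
    file_put_contents($target, htpasswd_line($argv[1], $password), LOCK_EX);
    echo htaccess_block($target);   // paste this into public_html/.htaccess
}
```

Because the password is read from standard input on the server, it is never submitted through a web form or echoed into a page.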
GeekyGuy







Posted: Thu Sep 09, 2004 4:27 pm

Thanks for all the info guys. In the next couple of days, I'll get this written up and send it to you to proof read, then it will go in the Official NukeSentinel REAP User Guide.
 
Raven







Posted: Thu Sep 09, 2004 5:43 pm

oprime2001 wrote:
I couldn't get Raven's encrypt sample to work so a quick search on google, and I found the following alternative:
Code:
<?php


// Get string to encrypt
$string = 'mypassword';   // password to encrypt

// Hash string
$hash = 'XX';   // two character salt

// Encrypt string
$output = crypt($string, $hash);

// Send to browser
print('Input: ' . $string . "\n");
print('Output: ' . $output);

?>

Nice! Now to get HTTP Authentication implemented on the rest of websites that I maintain! Thanks again, Raven!
Since you got the password encrypted it's moot, but that script works. Rename it as kguske said (a .php file) and report back please.
 
oprime2001







Posted: Thu Sep 09, 2004 6:20 pm

I renamed Raven's sample code below to encrypt.php (instead of encrypt.html), and the script works!
Code:
<form method='post'>

Enter password to be encrypted using crypt(): <input name='pw'><br /><br />
Enter the 'salt' value for the encryption (2 long): <input name='salt' maxlength='2'><br /><br />
<input type='submit' name='submit' value='Encrypt'><br /><br />
<?
if (isset($_POST['submit'])&&isset($_POST['pw'])&&!empty($_POST['pw'])) {
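   // Escape the submitted values before echoing them back into the page
   echo "Password <b>".htmlspecialchars($_POST['pw'])."</b> translated is <b>".htmlspecialchars(crypt($_POST['pw'],$_POST['salt']))."</b>";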
}
?>
 
Raven







Posted: Thu Sep 09, 2004 6:57 pm

Sorry, I thought it was understood that all scripts with php code should be named *.php. I'll be more explicit from now on.
 
oprime2001







Posted: Fri Sep 10, 2004 8:53 am

What confused me was this part
Code:
<?

if (isset($_POST['submit'])&&isset($_POST['pw'])&&!empty($_POST['pw'])) {
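   // Escape the submitted values before echoing them back into the page
   echo "Password <b>".htmlspecialchars($_POST['pw'])."</b> translated is <b>".htmlspecialchars(crypt($_POST['pw'],$_POST['salt']))."</b>";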
}
?>
I am used to seeing this
Code:
<? 


?>
in embedded php in HTML
 
Raven







Posted: Fri Sep 10, 2004 9:20 am

Now you're confusing me. That code starts with <? and ends with ?>. What makes it different from your code that you are used to seeing?
 
oprime2001







Posted: Fri Sep 10, 2004 11:05 am

Let me clarify myself. Your code as originally posted was
Code:
<form method='post'>

Enter password to be encrypted using crypt(): <input name='pw'><br /><br />
Enter the 'salt' value for the encryption (2 long): <input name='salt' maxlength='2'><br /><br />
<input type='submit' name='submit' value='Encrypt'><br /><br />
<?
if (isset($_POST['submit'])&&isset($_POST['pw'])&&!empty($_POST['pw'])) {
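   // Escape the submitted values before echoing them back into the page
   echo "Password <b>".htmlspecialchars($_POST['pw'])."</b> translated is <b>".htmlspecialchars(crypt($_POST['pw'],$_POST['salt']))."</b>";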
}
?>

This did not start with <?php as most php files that I've seen. Instead, we don't see the <? until line 5. Is the <? on line 5 even necessary if the entire file is a php file?
 
kguske







Posted: Fri Sep 10, 2004 12:28 pm

Yes. PHP can handle embedded HTML - if the file has a .php extension (or a mod rewrite causes the server to treat other extensions like .shtml or even .html as PHP). The <? tells PHP where the PHP code starts. But, as far as I know, HTML servers can't handle embedded PHP.
 
Raven







Posted: Fri Sep 10, 2004 1:14 pm

Actually they can. You can tell Apache to treat all .htm* as .php and so it will parse the .htm* files looking for php code:
Code:
AddType application/x-httpd-php .phtml .php .php3 .htm .html
That is overhead, as all files must pass through the php parser, but it is a popular method. That aside, the fact that code snippets have <? and ?> in them alerts you to the fact that it must be a .php file type. As I said, I made a bad assumption on that and I am wiser for it.
 
Deseroka
Client



Joined: Apr 15, 2003
Posts: 466
Location: FL

Posted: Sat Sep 11, 2004 8:44 pm

Believe me--you need the http authentication. I made the same mistake and left a hole open--and they got me. Thanks to Raven I am back up and running again. (I got some serious ring kissing to do here--I am running over to make a donation to this site for the help I received, anyone wanna come along???)
 
GeekyGuy







Posted: Sat Sep 11, 2004 8:55 pm

I'll be tossing a few nickels Raven's way here in a bit myself. I came in here to get the latest tidbits of info from this thread to add to the completely reworked and reformatted NukeSentinel™ User Guide FAQ. Raven tossed out a few tidbits of code, and I think it was in this thread. Gonna look great, and help out a lot of people when I finish the rewrite. And I have to admit, I've really enjoyed all this coding
 
All times are GMT - 6 Hours
 