Ravens PHP Scripts: Forums
 

 

zaki
New Member
Joined: Oct 12, 2004
Posts: 9

Posted: Tue Oct 12, 2004 7:28 am

hello all,

my site (php-nuke 7.4) was hacked today. since I installed Sentinel it blocked 98 attempts, but the 99th was successful.

the hackers added a god author to the authors DB

with that they managed to change the index.htm file that redirects to the folder where phpnuke is, and they managed to change the index.php file, here it is

index.php

Code:
<html><head><title>Owned</title>

</head><body><span style="font-family: Trebuchet MS, Verdana, Arial, Helvetica, sans-serif; font-size: 22pt; color: #333333">Kernel_Attack OwnZ Here ! ! !</span><br>
<br><span style="font-family: Trebuchet MS, Verdana, Arial, Helvetica, sans-serif; font-size: 14pt; color: #333333">by MaMa</span> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;<img src="http://www.hispanic.com/ka.jpg" align="absmiddle"> <br>
<br><span style="font-family: Trebuchet MS, Verdana, Arial, Helvetica, sans-serif;   font-size: 10pt; color: #333333">
Dead_c0de - DeRf- - ZerO4 - MaMa - MaTrIzz - LEONE_PARK - Nickvicq<br>
Help Admin? Connect on <font color="#000000"><strong>irc.gigachat.net</strong></font><br>
Join <font color="#000000"><strong>#Kernel_Attack </strong></font></span></body></html></html>


and the hacked index.html seems much like the above,

Code:
<body><span style="font-family: Trebuchet MS, Verdana, Arial, Helvetica, sans-serif; font-size: 22pt; color: #333333">Kernel_Attack OwnZ Here ! ! !</span><br>

<br><span style="font-family: Trebuchet MS, Verdana, Arial, Helvetica, sans-serif; font-size: 14pt; color: #333333">by MaMa</span> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;<img src="http://www.hispanic.com/ka.jpg" align="absmiddle"> <br>
<br><span style="font-family: Trebuchet MS, Verdana, Arial, Helvetica, sans-serif;   font-size: 10pt; color: #333333">
Dead_c0de - DeRf- - ZerO4 - MaMa - MaTrIzz - LEONE_PARK - Nickvicq<br>
Help Admin? Connect on <font color="#000000"><strong>irc.gigachat.net</strong></font><br>
Join <font color="#000000"><strong>#Kernel_Attack </strong></font></span></body>


my database / author, had this line beside my first line

Code:
`nuke_authors` VALUES ('Kernel_Attack', 'God', '', '', 'e8d95a51f3af4a3b134bf6bb680a213a', 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, '');


and of course, the main message in my site was edited, with their own message.

my Sentinel is version 2.0.2 (latest as I think), only today I found a new 2.0.2 in your site, but I couldn't open the compressed file, apparently it got some patches or better files.

btw, I got Admin HTTPAuth List disabled in Sentinel configuration, I believe that was since the installation, I don't know why !!

can any of you please give me the newer 2.0.2 so I update my Sentinel ?


and, will the site be more protected with this new version ? will hackers manage to add another author (god) again ?


suggestion: why not make a newsletter or alert system for Sentinel users, so they know about new updates ? it seems that hackers come and search for security holes in this site (and other sites), and when they see you posting a new security hole, they attack sites hoping they didn't patch yet.

and, I want to report these hackers to their local authority, any ideas where is the best place to start with ?

thanks,
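
An added example, not part of the original post or of NukeSentinel: a small Python audit of a database dump for unexpected `nuke_authors` rows such as the one quoted above. It assumes one INSERT per row, that the first two values are the admin id and the name ('God' marking the super admin), and a hypothetical allowlist `known_admins`; the sample dump is constructed, with password hashes replaced by placeholders.

```python
import csv
import re

# One INSERT per row, in the shape quoted in the post above.
ROW = re.compile(r"`?nuke_authors`?\s+VALUES\s*\((.*)\);", re.IGNORECASE)

def parse_author_row(line):
    """Return the list of column values from one nuke_authors INSERT, or None."""
    m = ROW.search(line)
    if not m:
        return None
    reader = csv.reader([m.group(1)], quotechar="'", escapechar="\\",
                        skipinitialspace=True)
    return next(reader)

def audit_authors(dump_lines, known_admins):
    """Flag admin rows that are not on the allowlist, and surplus 'God' rows.

    Assumption: value 1 is the admin id (aid) and value 2 the name, where
    'God' marks the super admin, as in the row shown in the post.
    """
    findings, gods = [], []
    for line in dump_lines:
        row = parse_author_row(line)
        if row is None or len(row) < 2:
            continue  # not a nuke_authors row
        aid, name = row[0], row[1]
        if name.lower() == "god":
            gods.append(aid)
        if aid not in known_admins:
            findings.append((aid, "admin account not on allowlist"))
    if len(gods) > 1:
        findings.append((", ".join(gods), "more than one 'God' row"))
    return findings

# Constructed sample dump; password hashes replaced by placeholders.
SAMPLE_DUMP = [
    "INSERT INTO `nuke_authors` VALUES ('siteadmin', 'God', '', 'admin@example.org', 'HASH_PLACEHOLDER', 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, '');",
    "INSERT INTO `nuke_authors` VALUES ('Kernel_Attack', 'God', '', '', 'HASH_PLACEHOLDER', 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, '');",
    "INSERT INTO `nuke_config` VALUES ('My Site');",
]

if __name__ == "__main__":
    for who, why in audit_authors(SAMPLE_DUMP, known_admins={"siteadmin"}):
        print(f"[!] {who}: {why}")
```

Run against a fresh dump after any incident or upgrade; the allowlist is the only site-specific input.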
 
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 17088

Posted: Tue Oct 12, 2004 8:35 am

You got hacked because you didn't have http auth set to on. That's how admin.php gets protected. The download is a zip file and works w/o any problem. But, the problem is in your setup. You need to have HTTP Auth on.
 
zaki

Posted: Tue Oct 12, 2004 9:10 am

thanks Raven,

How do I turn it on please ?

I also have coppermine, shall I uninstall it ?

I downloaded the zip file several times but when I try to open it, I get a strange error (error while processing 0 entries) from WinZip !!
 
Raven

Posted: Tue Oct 12, 2004 9:20 am

From here? I just d/l it and opened it w/o any problem.

I would dump Coppermine and go with Gallery or Menalto. Turn the HTTP Auth on in your NukeSentinel Administration panel.
 
zaki

Posted: Tue Oct 12, 2004 12:48 pm

I can assure you I am getting the error "error reading heading after processing 0 entries" when I try to open the file with WinZip, with WinRAR it expands into one file only.

and the HTTP Auth is just disabled, I cannot enable it!! I sent an email to my hosting service asking them about the PHP, will tell you their answer.
 
Raven

Posted: Tue Oct 12, 2004 12:59 pm

If it is disabled then your host has PHP compiled as a CGI module and I address how to protect yourself in this article [link]. As to your unzipping issue, I just this moment [again] d/l it and it unzipped perfectly [link]
 
zaki

Posted: Tue Oct 12, 2004 1:19 pm

Raven, I also have secure admin, the parameter $nsnsecureadminacces = true, yet when I go into the administration of secure admin it tells me it is not protected, any ideas ? I have version 1.3 installed

and something else very strange, when I go into the administration of secure admin, the whole block of administration as we normally see it in admin.php is shown twice!! why is that ?

as for the zip file, I was trying to download it from a totally different URL!! this one
[link]

now it is ok, I will upgrade my 2.0.2 into this new 2.0.2, thanks
 
Raven

Posted: Tue Oct 12, 2004 1:29 pm

Yes, Bob packages his stuff [usually] as a tar.gz file and winblows XP SP2 breaks it. As to admin secure (which apparently it wasn't) I have no idea.
 
cprompt
Regular
Joined: Jun 08, 2004
Posts: 64

Posted: Sun Oct 17, 2004 2:46 pm

I've attempted to apply this method Raven, and I just don't get it I guess. [link]
I have no idea how to generate a crypt pass or where in the script to put the username and password.

I was also hacked by the same exact hacker as the poster of this topic.
 
zaki

Posted: Sun Oct 17, 2004 3:34 pm

it worked fine with me

thanks Raven
 
cprompt

Posted: Sun Oct 17, 2004 3:46 pm

zaki, how did you get rid of the crap the hacker left? I replaced my index.php file and all affected files, I thought, but I still get this on the main page: [link]
 
cprompt

Posted: Sun Oct 17, 2004 3:59 pm

Ok I figured it out. I forgot about the Main message on the main page. They edited it as well as defacing my index file.

As for the HTTP AUTH, Raven, I figured it out.
I ended up having to use a .htpasswd file instead in my subdomain, but your other method worked for my main site.
 
Raven

Posted: Sun Oct 17, 2004 4:09 pm

RavensScripts
 
zaki

Posted: Sun Oct 17, 2004 7:33 pm

what can we do to these hackers ?

any suggestions ? I really want to punish them
 
Raven

Posted: Sun Oct 17, 2004 7:50 pm

Add the pckiller templates to your NukeSentinel redirect page.
 
cprompt

Posted: Mon Oct 18, 2004 3:01 pm

hmm..where can we get PC killer?
 
zaki

Posted: Mon Oct 18, 2004 3:51 pm

i was going to ask the same question Smile
 
Raven

Posted: Mon Oct 18, 2004 4:38 pm

[link]

Always search the forums before asking Wink
 
All times are GMT - 6 Hours
 