Ravens PHP Scripts: Forums
Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
mrix
Client


Joined: Dec 04, 2004
Posts: 757

PostPosted: Sat Feb 05, 2005 5:11 am

Hello all, I am very disappointed today to find my phpnuke 7.6 site has been hacked. I have the latest Sentinel and I have even renamed the admin.php and have the latest phpBB forums????? Anyway, I find that somebody has changed all my modules to display their images etc. and also changed the front page. This has all been done through FTP access???
How could this have been possible???? I am totally lost?? No admin was changed; it seems to be all FTP access. There is no way they got hold of my user ID and pass. How could it have been possible to hack my host????
Thanks for any help
mrix
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 17086

PostPosted: Sat Feb 05, 2005 8:26 am

Do you have Coppermine or My_eGallery? Or some other software that allows uploading of files?
sixonetonoffun
Spouse Contemplates Divorce


Joined: Jan 02, 2003
Posts: 2496

PostPosted: Sat Feb 05, 2005 8:54 am

Yes, I just saw another warning about Coppermine CMS, but there was no specific exploit attached, just a warning.
mrix
PostPosted: Sat Feb 05, 2005 11:44 am

Yes, I do run Coppermine. Do you think this is the problem? If so, how much info have they got of mine? Do they know my server ID / passwords etc., as they have access to my files?
Thanks for your help
mrix
Raven
PostPosted: Sat Feb 05, 2005 11:56 am

Several of my clients were exposing my servers because of Coppermine. It has been a long-time problem and I always recommend Menalto now.
sixonetonoffun
PostPosted: Sat Feb 05, 2005 12:01 pm

For sure, any info stored on the website could be accessed. Your website info (username and password) may or may not have been. It is less likely, especially if it is unique from your MySQL info and admin info, but not impossible. But for sure I'd clean out the database of any new author entries and change the MySQL username and password.

But the issue could very well be with Coppermine, and it would be wisest to back up the module and delete all the files. You can leave the photos; if you've linked them throughout your site it would be pretty messy to delete those.
mrix
PostPosted: Sat Feb 05, 2005 12:24 pm

Thing is, I didn't have any authors added to my actual phpnuke site; most if not everything was intact on the site. I just can't understand how this guy managed to gain access to my hosted files and change the module info and index.php details to place his hack images throughout all my modules. It must have taken him some time to do it also. Fortunately I have made up-to-date backups of everything. I have also deactivated Coppermine and will give Menalto a try as Raven explained.
Thanks again
mrix
sixonetonoffun
PostPosted: Sat Feb 05, 2005 1:01 pm

Yeah, then it's likely the Coppermine module. But deactivating it is not enough protection; at the very least rename the directory until you have time to remove the files.
mrix
PostPosted: Sat Feb 05, 2005 1:41 pm

OK, will do, thanks
mrix
PHrEEkie
Subject Matter Expert


Joined: Feb 23, 2004
Posts: 358

PostPosted: Sat Feb 05, 2005 2:12 pm

mrix wrote:
    Thing is, I didn't have any authors added to my actual phpnuke site; most if not everything was intact on the site.

Most likely your server files were not accessed (based on your description). You were probably just hacked with an 'SQL injection', which alters entries in the database that holds content for news articles and blocks, as well as footer messages.

If the attack on your site had gained them either an entry in the author's table or your actual server access user/pass, you'd know it... the damage you'd be describing would be tenfold.

Please remember that having the latest Chatserv patches and Sentinel will NOT protect you from other 3rd-party software you've installed that has security flaws in it, especially injection vulns (which are by far the most common).

Please contact your hosting support team and have them scan your webspace for any IRC bots or any other nasty things they might have left behind if they did in fact get server or FTP access. Other than that, change your FTP password through cPanel or your hosting support. Change your MySQL password, and your Nuke admin password.

Oh, and ditch Coppermine. This software is -ridiculously- past the point where their dev team should have it patched against such simple injection hacks. There's no excuse for this in Feb of 2005. Sorry for your troubles, but trust me here, you got off cheap and it will be fairly easy to restore order. Learn from this, or be destined to re-live it. ;)

PHrEEk
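As an added illustration of the injection point PHrEEkie describes (this is not code from Coppermine, PHP-Nuke, or anyone in this thread), the snippet below shows a gallery-style lookup and a content update written the injectable way beside hardened versions that validate the input type and use mysqli prepared statements. The table, column and function names (`cpg_pictures`, `nuke_stories`, `fetch_picture_*`, `update_story_*`) are assumed for the example.

```php
<?php
// Added example: the same two queries written the injectable way and the
// hardened way. Table/column names are assumed, not taken from any real module.

// --- Vulnerable read: request input is pasted straight into SQL. ---
// Whatever arrives in the parameter becomes part of the query text, so the
// database executes the attacker's SQL with the web application's privileges.
// This is how article, block and footer rows get rewritten with no FTP access.
function fetch_picture_vulnerable(mysqli $db, string $pid): ?array
{
    $sql = "SELECT pid, title, filename FROM cpg_pictures WHERE pid = " . $pid;
    $res = $db->query($sql);
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// --- Hardened read: check the type first, then bind the value. ---
function fetch_picture_safe(mysqli $db, string $pid): ?array
{
    // A picture id is a plain positive integer; reject anything else before SQL.
    if (!preg_match('/^[1-9][0-9]{0,9}$/', $pid)) {
        return null;
    }
    $id = (int) $pid;
    $stmt = $db->prepare("SELECT pid, title, filename FROM cpg_pictures WHERE pid = ?");
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param('i', $id);      // value is sent separately from the SQL text
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // get_result() needs mysqlnd
    $stmt->close();
    return $row ?: null;
}

// --- Vulnerable write: free text concatenated into an UPDATE. ---
// Quotes in $body terminate the string literal and let the rest of the input
// change which rows are affected and what they are set to.
function update_story_vulnerable(mysqli $db, string $sid, string $body): bool
{
    $sql = "UPDATE nuke_stories SET hometext = '" . $body . "' WHERE sid = " . $sid;
    return (bool) $db->query($sql);
}

// --- Hardened write: bound parameters, and the caller must already be
// authorised (the prepared statement fixes injection, not missing auth checks). ---
function update_story_safe(mysqli $db, string $sid, string $body): bool
{
    if (!preg_match('/^[1-9][0-9]{0,9}$/', $sid)) {
        return false;
    }
    $id = (int) $sid;
    $stmt = $db->prepare("UPDATE nuke_stories SET hometext = ? WHERE sid = ?");
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('si', $body, $id);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Assumed usage (connection details are placeholders):
//   $db = new mysqli('localhost', 'nuke_user', 'CHANGE_ME', 'nuke_db');
//   $row = fetch_picture_safe($db, $_GET['pid'] ?? '');
```

The defender's takeaway matches the post above: the hardened functions protect only the queries they contain. A third-party module that still builds SQL by concatenation stays exploitable regardless of how current the core patches are, which is why the advice in this thread is to remove the module rather than rely on Sentinel alone.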
mrix
PostPosted: Sat Feb 05, 2005 5:11 pm

Hi, to restore my site I only had to re-upload my website files; the database was OK.
Cheers
mrix
mrix
PostPosted: Mon Feb 07, 2005 7:23 am

Hello all, finally managed to contact my host to find out their whole host server had been hacked, "ouch". Anyway, I have had enough of this and all the other problems I have had, i.e. lots of downtime, and have moved host to Raven Web Hosting. At least you guys know what you're talking about, lol
Thanks
mrix
sixonetonoffun
PostPosted: Mon Feb 07, 2005 8:04 am

Welcome aboard, so to speak! I don't think you'll find any regrets over the choice to relocate. Raven goes to a lot of trouble to inform people of known risks and will go so far as to ban a script so as not to compromise others sharing the environment. When there is a simple solution to a problem, he's usually one of the first to verify, if not create, the fix for it.

In the case of Coppermine in particular, it is just too large an application for any one of us to take on the task of making it safe. Though it is a nice-looking gallery, it was based on a simple application, and with each added feature on top of the original weak code it's grown harder and harder to secure the thing. Then throw in PHP, ImageMagick and NetPBM changes and issues and it gets even harder to address.

I know there is an effort to find someone qualified to take on the Coppermine port, but to date no one has come forward. I have looked at it and compared it to the current stand-alone version, and frankly I was surprised to find that while active the CPG Nuke team had made more progress with improving the application than the Coppermine core team had. That's not a slam, but it is a fact, and it points out what a large undertaking a fresh port would be to create from the current stand-alone Coppermine version. IMO it would be as great a task, if not greater, than the phpBB port or osCommerce. So there is the challenge for a new team to take on responsibility for.