Author |
Message |
springmill
New Member
Joined: Dec 07, 2004
Posts: 7
|
Posted:
Sat Dec 03, 2005 11:32 am |
|
Hi All,
There must be a new exploit out. My site and all of my member sites keep getting owned by [ Only registered users can see links on this board! Get registered or login! ]
I have to keep SSH and FTP off so I am guessing that there is an exploit for the password somehow.
We have the latest and greatest. Any help will be greatly appreciated.
I found this lying around and wonder if that is what they are using.
Code:
/modules.php?name=Downloads&d_op=viewsdownload&sid=-1/**/UNION/**/SELECT/**/0,0,aid,pwd,0,0,0,0,0,0,0,0/**/FROM/**/nuke_authors/**/WHERE/**/radminsuper=1/**/LIMIT/**/1/*
|
I found it here.
[ Only registered users can see links on this board! Get registered or login! ]
Thanks,
Springmill |
|
|
|
|
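One way to check whether the request quoted in the post above is actually being sent to a site, added here as an example that is not part of the original thread: scan the web server access log for parameters that decode to a UNION SELECT once the `/**/` comment padding is stripped. The log lines are constructed, and the Apache combined log format and all function names are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines in Apache combined format (not from a real server).
SAMPLE_LOG = """\
192.0.2.10 - - [03/Dec/2005:11:02:14 -0500] "GET /modules.php?name=Downloads&d_op=viewsdownload&sid=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.77 - - [03/Dec/2005:11:05:40 -0500] "GET /modules.php?name=Downloads&d_op=viewsdownload&sid=-1/**/UNION/**/SELECT/**/0,0,aid,pwd,0,0,0,0,0,0,0,0/**/FROM/**/nuke_authors/**/WHERE/**/radminsuper=1/**/LIMIT/**/1/* HTTP/1.1" 200 4871 "-" "-"
192.0.2.78 - - [03/Dec/2005:11:06:02 -0500] "GET /modules.php?name=Downloads&d_op=viewsdownload&sid=-1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2Faid%2Cpwd%2F%2A%2A%2Ffrom%2F%2A%2A%2Fnuke_authors HTTP/1.1" 200 4871 "-" "-"
192.0.2.11 - - [03/Dec/2005:11:09:30 -0500] "GET /modules.php?name=News&file=article&sid=42 HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')
COMMENT = re.compile(r"/\*.*?\*/")  # inline SQL comments standing in for spaces
CHECKS = [
    ("union-select", re.compile(r"\bunion\s+(?:all\s+)?select\b")),
    ("admin-table", re.compile(r"\bfrom\s+\w*_authors\b")),
]


def normalise(value):
    """Undo URL encoding and comment padding so the SQL keywords line up."""
    for _ in range(2):  # second pass catches double-encoded values
        value = unquote_plus(value)
    value = COMMENT.sub(" ", value)
    value = value.replace("/*", " ")  # unterminated trailing comment
    return re.sub(r"\s+", " ", value).lower()


def suspicious_requests(log_text):
    """Return (client_ip, parameter, status, reasons) for each flagged request."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        ip, target, status = m.groups()
        for pair in target.partition("?")[2].split("&"):
            key, _, raw = pair.partition("=")
            value = normalise(raw)
            reasons = [name for name, rx in CHECKS if rx.search(value)]
            if "union-select" in reasons:
                hits.append((ip, key, int(status), reasons))
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

A hit only shows the request was attempted; whether it returned data depends on the patch level and on filters such as NukeSentinel in front of the module.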
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 17088
|
Posted:
Sat Dec 03, 2005 12:12 pm |
|
NukeSentinel(tm) always has stopped that so that is not the issue. I would look for an uploads module exploit. The patches and NukeSentinel(tm) don't control those. |
|
|
|
|
evaders99
Former Moderator in Good Standing
Joined: Apr 30, 2004
Posts: 3221
|
Posted:
Sat Dec 03, 2005 5:24 pm |
|
|
|
|
djmaze
Subject Matter Expert
Joined: May 15, 2004
Posts: 727
Location: http://tinyurl.com/5z8dmv
|
Posted:
Sat Dec 03, 2005 7:06 pm |
|
springmill wrote: | Hi All,
There must be a new exploit out. My site and all of my member sites keep getting owned |
Server is hacked on the root level.
Check AWStats, Apache and PHP versions.
Check /tmp for malicious files
Change root password |
|
|
|
|
springmill
|
Posted:
Mon Dec 05, 2005 5:22 pm |
|
Hi All,
I would like to clarify my issue. After getting an email from the "CRACKERS" demanding protection Money from Hacking I have a little more insight. They say my server is not secure on its own and the hacks have nothing to do with PHPNUKE.
I have implemented the hosts.deny file with some luck. But I fear I have not totally fixed all of the issues. FTP and SSH both allowed root login and I fixed that. I changed my root password, all web site owners' passwords but the sites have still been owned.
I am a noob so if I am missing something please let me know. I have no upload programs in use.
Fedora Core 4, Webmin, Usermin, and Virtualmin
are the software packages in use.
To answer the following questions:
Server is hacked on the root level.
Check AWStats, Apache and PHP versions.
Check /tmp for malicious files
Change root password
Not sure what AWSTATS is: Apache and PHP are standard Fedora Core releases. I believe php is 5.x something.
root password is easy to change again.
In my /tmp folder I have
.ICE-unix
.font-unix
.webmin
backup-config-manifests
Any help would be greatly appreciated. |
|
|
|
|
Raven
|
Posted:
Mon Dec 05, 2005 5:26 pm |
|
You should have stayed with RWH - Sorry, couldn't resist it, especially after ..... |
|
|
|
|
evaders99
|
Posted:
Mon Dec 05, 2005 5:54 pm |
|
AWStats is a common website stat package. Usually it is preinstalled if you're using some package. There was a major vulnerability with the scripts. If you've set up your server yourself, then you'd know if it was installed. |
|
|
|
|
springmill
|
Posted:
Mon Dec 05, 2005 6:53 pm |
|
Gaylen,
I appreciate your grace and timing on the issue. As well as your usual sensitivity.
However, you should know that smarty remarks like that are exactly why I created
freephpnukehosting.com
Greg McAbee
Does anyone have any other insight other than nanner nanner boo boo? |
|
|
|
|
Raven
|
Posted:
Mon Dec 05, 2005 8:23 pm |
|
Now Greg, that's not the whole story and you know it. If you want a public brouhaha we could do that. It's your call. |
|
|
|
|
springmill
|
Posted:
Tue Dec 06, 2005 1:07 pm |
|
|
|
|
|