Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
Author Message
sensixx_magic
New Member
New Member


Joined: Apr 05, 2006
Posts: 3

PostPosted: Wed Apr 05, 2006 1:46 am Reply with quote

Hello,

Our website has been hacked. looks like they replaced the index.php file.

from what i can see they didn't touched the DB.

how is it possible that someone can replace the index.php ?

im the only one with ftp access (no one knows the codes except me)
nuke sentinal 2.4.1. running.
nuke 7.6 cs patched

looking at the sentinal tracked ip's, i dont see any strange stuff.
log files of the (hosted) server no strange things either.

could someone give me a hint where to look at in the log files / tracked ip's ?

greetings
 
View user's profile Send private message
kguske
Site Admin


Joined: Jun 04, 2004
Posts: 6383

PostPosted: Wed Apr 05, 2006 4:33 am Reply with quote

I would check FTP access. But I would also check for modules or other addons that do not use the standard method for accessing the database OR that allow file uploads (e.g. a gallery). If someone could upload a malicious file, they might be able to replace the index file.

_________________
I google, therefore I exist...
Only registered users can see links on this board! Get registered or login!
 
View user's profile Send private message
technocrat
Life Cycles Becoming CPU Cycles


Joined: Jul 07, 2005
Posts: 511

PostPosted: Wed Apr 05, 2006 7:40 am Reply with quote

If you are using vwar, coppermine, or spchat they have holes that allow hackers to change files. Are you using any of these?

_________________
Only registered users can see links on this board! Get registered or login!
Only registered users can see links on this board! Get registered or login! / Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message
sensixx_magic
PostPosted: Wed Apr 05, 2006 2:17 pm Reply with quote

hi,

yes, using virtual war (v1.5 R9 BlackBox V2) and attachement mod for the forum.

maybe its better to switch to the standalone version of vwar instead...
 
sensixx_magic
PostPosted: Wed Apr 05, 2006 3:11 pm Reply with quote

looks like someone from brazil Smile and they used Vwar for it

here is the ip they used
200.163.63.39 - - [03/Apr/2006:23:03:02 +0200]

...i deleted a part of the url they used...

=http://savsak1.sitemynet.com/rst.txt?"
 
hitwalker
Sells PC To Pay For Divorce


Joined:
Posts: 5661

PostPosted: Thu Apr 06, 2006 6:15 am Reply with quote

well turkey is very fast this time..
ive send out a mail to 3 addresses belonging to the host and provider of that domain..
lol...its gone ....
 
View user's profile Send private message
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©