Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
This forum is locked: you cannot post, reply to, or edit topics.   This topic is locked: you cannot edit posts or make replies.    Ravens PHP Scripts And Web Hosting Forum Index -> Raven's RavenNuke(tm) v2.02.02 Distro
Author Message
posword
Hangin' Around


Joined: May 21, 2006
Posts: 38
Location: Adelaide, Australia

PostPosted: Sun Jul 02, 2006 7:17 pm Reply with quote

Raven, or anyone,

Can I get a quote on getting this fixed on my production server (in its own directory for safety until the admin and security side is fixed)? Post 9878 tells the whole story.

I've been hacked again, and using the same URL as the hackers at least Raven 7.6 full did not let me in. However I want it working properly.

Thanks,
Peter Wade

_________________
C'mon Aussie, c'mon, c'mon! 
View user's profile Send private message
hitwalker
Sells PC To Pay For Divorce


Joined:
Posts: 5661

PostPosted: Sun Jul 02, 2006 7:30 pm Reply with quote

Quote?

Ask Darklord....
im sure he will help,probably for free cause he is still learning and enjoys what he does...
 
View user's profile Send private message
gregexp
The Mouse Is Extension Of Arm


Joined: Feb 21, 2006
Posts: 1497
Location: In front of a screen....HELP! lol

PostPosted: Sun Jul 02, 2006 9:07 pm Reply with quote

ohh boy, I have an agent Laughing j/k

actually I didnt respond as I've been really trying to develope something and have my head buried into it, but if I am finished before anyone else offers, then I'd be happy to help.

Hitwalker, like everyone, I'll never stop learning. Laughing

_________________
For those who stand shall NEVER fall and those who fall shall RISE once more!! 
View user's profile Send private message Send e-mail Visit poster's website AIM Address Yahoo Messenger MSN Messenger ICQ Number
hitwalker
PostPosted: Mon Jul 03, 2006 5:51 am Reply with quote

well im not gonna help on this... Sad
as i read posword other topic about this problem and clear that its caused by the configuration of his host and whats installed/or not..

so without spending to much time on this i suggest like others already did to move to another host...
im sure posword can afford a few bucks a month for hosting at ravens....
 
jaded
Theme Guru


Joined: Nov 01, 2003
Posts: 1006

PostPosted: Mon Jul 03, 2006 8:33 am Reply with quote

posword,

It is quite simple after reading over your other posts. You asked for help and advice. You were given it. Get a new host. Raven will host you. I would host you. I am sure many others would host you. If you host cannot configure a server so that its clients are able to secure their websites why would you stay there? No one is gong to spend a huge amount of time trying to help something that cannot be helped. I hope that you will take the advice given to you. You already know that this is an issue with your host as the info that they gave you said as much. I wish you the best of luck.

_________________
Themes BB Skins Only registered users can see links on this board! Get registered or login!
Graphic Tees Only registered users can see links on this board! Get registered or login!
Paranormal Tees Only registered users can see links on this board! Get registered or login!
Ghost Stories & More Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
gregexp
PostPosted: Mon Jul 03, 2006 4:04 pm Reply with quote

ohh boy,

The storm hitwalker was about to get me in killing me

I've also read the latest post to you posword and simply put, Get a new host because the errors you are recieving are nothing and I do mean nothing compared to what your site will look like WHEN(not if) it gets hacked.
 
posword
PostPosted: Mon Jul 03, 2006 6:10 pm Reply with quote

Did nobody read my post of June 12?

~~~~~~~~~~~~~~~~
My host is running phpSUEXEC. "You can't run HTTPAuth on our servers. Because it won't let you write any data into .htaccess file."

This is an explanation of phpSUEXEC from a Google search...

"On most Apache servers, PHP runs as an Apache Module. As such, it runs directly in the user Nobody, but doesn’t require the execute flag. This means that in order to execute a PHP file, it simply needs to be world readable. The problem is that this allows every other users on the server to read your PHP files!

Allowing other users to read your HTML files is not a problem, since they can be displayed in Internet Explorer. However, PHP files are not readable, they are parsed. Many scripts use a PHP file to store a database username and password. This means that on another server every client could read your PHP files, retrieve your password and access your databases.

ISPs close this hole by installing an Apache module called PHPsuexec, which executes PHP scripts under your username. Instead of using everyone’s permissions it uses the owner’s permissions. Thus you can change the permissions of your PHP scripts to 0700 or 0400 and still read and execute them. However, these scripts will no longer be accessible to any other users—PHPsuexec will refuse to execute a script if it is world-writable to protect you from someone abusing one of your scripts. All servers will be running phpsuexec within the near future."

Another site says, "All php values should be commented out or removed from your .htaccess files and placed in a php.ini file. This can be achieved by creating a text file and naming it php.ini and copying all of your php_value_entries in it and then uploading the php.ini to avoid this issue. Placing a php.ini file in its place should solve this issue."

If this is the trend, then how can NukeSentinel get around it. I don't see any php_value_entries in NS .htaccess but it does need to write to it. I could write to it manually but they may be a pain.
~~~~~~~~~~~~~~~~~~
 
gregexp
PostPosted: Mon Jul 03, 2006 7:25 pm Reply with quote

Remember this, ALL statements made about functionality are opinions but statements made about things like php files being readable by anyone, uhh let me tell you this, Sentinel is made to block certain things within the nuke site and therefore better protection then your giving it credit for. I am not a server owner so therefore cannot speak as to PHPsuexec as I have not read up on it, although I can say this, ANYTHING that takes away from being able to write to the .htacess seems LESS secure in my OPINION as .htacess is the BEST(opinion) way to stop and block ips from accessing a site. So take this how you'd like, but I will restate this, a new host is exactly what you need!
 
posword
PostPosted: Mon Jul 03, 2006 8:02 pm Reply with quote

OK, darklord, I understand what you are saying. I'm not being critical about Sentinel... I'm sure it does all it says it will, particularly if you have a dedicated server.

What I don't understand is whether the .htaccess file for Sentinel contains "PHP values". Do you know the answer to that? If it is "No" then I logically can't see why it does not work on a hosted platform under Suexec or the like.
 
Tao_Man
Involved
Involved


Joined: Jul 15, 2004
Posts: 252
Location: OKC, OK

PostPosted: Wed Jul 05, 2006 11:07 am Reply with quote

In a standard install there ar no PHP values in .htaccess, so unless you or someone else added them you do not, Nuke does not use php values in .htaccess.

Second I can state for a fact that you can have PHPsuEXEC and suEXEC running on a server and Raven Nuke and Sentinel will work just fine. PHPsuexec can and will let you write to .htaccess. So if they are saying yo can not write to .htaccess then they have done something non standard to suEXEC and or they are not really running the scripts under your ID and or you do not really own .htaccess.

Now your provider is right in on one thing you can not use HTTPAuth with PHPsuEXEC as php needs to run as CGI for it to work, but CGIAuth in Sentinel will work just fine and will wright to .htacess if you have it set up to do so.

So again (not to beat a dead horse) it sound like your provider is doing something funny and unless they will change thier setup I dont know if there is anything anyone can do.

_________________
------------------------------------------
To strive, to seek, to find, but not to yield!
I don't know Kara-te but I do know cra-zy, and I WILL use it! 
View user's profile Send private message Visit poster's website
posword
PostPosted: Wed Jul 05, 2006 6:06 pm Reply with quote

Thanks, Tao_Man,
That's the first response I've had from someone who knows what PHPsuEXEC does.

So I'll beat the dead horse again and see what my provider has to say. I did get conflicting replies from different support people, which is why I kept trying to find the solution.

Thanks again,
posword
 
posword
PostPosted: Thu Jul 06, 2006 7:24 pm Reply with quote

Tao_Man,
I quoted your words exactly to my provider, and the System Administrator responded:

~~~~~~~~~~~~~~~~~~~~~
"All of the above is exactly correct, there is no wrong information in the above quoted text.

> So the question is whether you have a standard PHPsuEXEC setup, are the PHP scripts running under my ID, and do I own .htaccess and .staccess in my root directory.

Yes we have a standard phpsuexec installation, yes the PHP scripts are running as your user ID, and yes you own all of your files within your public_html directory.

There is nothing weird about our configuration that would prevent you from writing to any files you own when using PHP or CGI."
~~~~~~~~~~~~~~

So for the sake of completeness, that puts to rest all the misinformation from my provider and on this forum.

I have added the Nuke Sentinel stuff to my .htaccess including CGIAuth and still have two remaining issues:
It will not accept my admin login at "Enter username and password for "Restricted" on Only registered users can see links on this board! Get registered or login!", and the issues with NukeSentinel: no password asked and no action when clicking on any links in the Sentinel menu (when I got in without the CGiAuth in .htaccess).

Thanks to all who have contributed their ideas. Any further help appreciated.

posword
 
gregexp
PostPosted: Thu Jul 06, 2006 8:03 pm Reply with quote

who wrote the username and password into the .staccess?
 
posword
PostPosted: Thu Jul 06, 2006 8:14 pm Reply with quote

So that's the problem, darklord... the .staccess is empty.

What's the correct syntax for it?

[edited]
Other posts in forums say to let NukeSentinel do it, but since I can't get in to admin I don't know how to let it do it.
 
gregexp
PostPosted: Thu Jul 06, 2006 10:53 pm Reply with quote

Uhhh, Im thinking something is wrong with the edits you made, pleas search these forums for cannot view admin panel in sentinel.
 
posword
PostPosted: Thu Jul 06, 2006 11:26 pm Reply with quote

I've already spent some time doing that search, darklord, but nothing found that seems applicable.

Yesterday I replaced admin.php with the one in the distro. Obviously it didn't change anything.

[Added]

I have manually added my username:password combination to .staccess and now am able to get into Nuke admin. I know this is frowned on but it was the only way in. Still no security code on Nuke admin and some of the links in NukeSentinel don't work, like protected ranges though scan users did work and list admins.
 
hitwalker
PostPosted: Fri Jul 07, 2006 4:42 am Reply with quote

Did you invited raven to work on this yet ?
 
jaded
PostPosted: Fri Jul 07, 2006 11:18 am Reply with quote

I will suggest that you just pay someone like Raven or anyone who is willing to do the work to help you. Rolling Eyes
 
posword
PostPosted: Fri Jul 07, 2006 7:26 pm Reply with quote

It appears to be working, so I'll watch it closely for a while.

Thanks to everyone for their help.

posword
 
hitwalker
PostPosted: Fri Jul 07, 2006 8:36 pm Reply with quote

now it suddenly works?
i think his system got so scared that when the word "pay" was mentioned it spontaneously decided to work...... killing me
 
jaded
PostPosted: Fri Jul 07, 2006 8:38 pm Reply with quote

lmao.. agreed. ROTFL
 
Display posts from previous:       
This forum is locked: you cannot post, reply to, or edit topics.   This topic is locked: you cannot edit posts or make replies.    Ravens PHP Scripts And Web Hosting Forum Index -> Raven's RavenNuke(tm) v2.02.02 Distro

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©