Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
Author Message
izone
Involved
Involved


Joined: Sep 07, 2004
Posts: 354
Location: Sweden

PostPosted: Fri Jul 07, 2006 8:06 am Reply with quote

Hello.

My friend's site got hacked today by a (for me) unknown group.

They have left an script on the server and have changed permissons for many catalog and files on the server.

I have this script now and I just wanted some help to know if they came in by hacking Nuke or Server.

Of security reason I will just send this file to Raven or some of Admins here. It is a .php file on the server and I copy and paste it to a new doc. in DreamWeaver, but when I save this file on my computer, the AntiVirus remove it and show me info about this file is a trojan by name phpbackdoor!

I can send you a text ver. of it by email if you give me you email please.

Best Regards
 
View user's profile Send private message
Susann
Moderator


Joined: Dec 19, 2004
Posts: 3191
Location: Germany:Moderator German NukeSentinel Support

PostPosted: Fri Jul 07, 2006 8:43 am Reply with quote

Only registered users can see links on this board! Get registered or login!

Many hacker groups work this way I believe it isn´t new. Did you already changed the owner rights and deleted all files ?

See this also:
Only registered users can see links on this board! Get registered or login!
 
View user's profile Send private message
izone
PostPosted: Fri Jul 07, 2006 9:08 am Reply with quote

Susann wrote:
http://www.ravenphpscripts.com/postx10264-0-0.html

Many hacker groups work this way I believe it isn´t new. Did you already deleted all files ?
Susann, thank you. No there is no way to delete it.

They have deleted the .trash dir. and some how the account is over quota so I have no chance to make another one.

Disk usage 214.17 Megabytes
SQL Disk usage 13.70 Megabytes
Disk space available -14.17 Megabytes
Bandwidth usage (current month) 85.05 Megabytes

When I look under Disk usage in Cpanel there is no large file or directory and everything seems to be right. the biggest directory he have is about 16.40 mb and the total is about 100 mb. so I cann't delete or made another file or dir.
 
Susann
PostPosted: Fri Jul 07, 2006 9:32 am Reply with quote

Wait what Raven or his moderators suggest.
 
izone
PostPosted: Fri Jul 07, 2006 10:55 am Reply with quote

I wait for them to send the script to one of them.

I solved the problem by changing the name of one catalog to .trash. then I could delete the unwanted files and upload my backups file. Now the site is back. Thank you for you help.
 
izone
PostPosted: Fri Jul 07, 2006 10:56 am Reply with quote

By the way, does the name "RootShell Security Group" known for you or anyone. The script is writed by them.
 
Susann
PostPosted: Fri Jul 07, 2006 11:21 am Reply with quote

I ve never heard about this group.

But there are many entries at secunia.com
From wikipedia:

Quote:

"
Root@Shell~# Security Group ,RS is an acronym for Root@Shell~# Security Group.A Grey Hat Hacking group,popular in discovering exploits in software and websites.Founded by Preddy and SilentNuke.Listed as one of the top 10 Security groups in the world."
 
kguske
Site Admin


Joined: Jun 04, 2004
Posts: 6383

PostPosted: Fri Jul 07, 2006 11:45 am Reply with quote

Funny... Listed by whom as one of the top 10 security groups in the world?

_________________
I google, therefore I exist...
Only registered users can see links on this board! Get registered or login!
 
View user's profile Send private message
Susann
PostPosted: Fri Jul 07, 2006 11:53 am Reply with quote

Kguske there are possible two different groups with a similar name.
 
kguske
PostPosted: Fri Jul 07, 2006 12:20 pm Reply with quote

OK. I was just commenting on the top 10 claim. Who maintains this list? On what criteria is it based? It seems Wikipedia needs to do better with editing...
 
izone
PostPosted: Fri Jul 07, 2006 2:25 pm Reply with quote

kguske, Do want me to send the script to you? if yes please pm me your email. thanks.
 
kguske
PostPosted: Fri Jul 07, 2006 2:29 pm Reply with quote

No need to send the script, thanks.

My guess is that they used a common exploit to load it on the server. Check in the website logs for attempts to access /modules/Forums/admin. Tell your friend to upgrade to the latest version of NukeSentinel and put HTTP admin auth on both admin.php and on the /modules/Forums/admin directory. Also, check for scripts that allow uploads (e.g. a gallery). These can allow bad files to be uploaded.
 
izone
PostPosted: Fri Jul 07, 2006 3:03 pm Reply with quote

kguske, thank you for your advise. But a question here, I know how to put HTTP admin auth on Admin.php but not how to do this in Sentinel for /modules/Forums/admin directory? or you mean doing the second one in the Cpanel?
 
hitwalker
Sells PC To Pay For Divorce


Joined:
Posts: 5661

PostPosted: Fri Jul 07, 2006 3:20 pm Reply with quote

hi,

kguske means :

In your forum/admin / folder put a .htaccess with this in it:

Easy sample......

<Files .staccess>
deny from all
</Files>

<Limit GET POST PUT>
require valid-user
</Limit>
AuthName "Restricted Forum Area"
AuthType Basic
AuthUserFile /your-whatever-site-root/modules/Forums/admin/.staccess

then create a .staccess file and put your name with pass encrypted in it and also put that in the forum admin folder..
 
View user's profile Send private message
kguske
PostPosted: Fri Jul 07, 2006 3:28 pm Reply with quote

Or...see this sticky: Only registered users can see links on this board! Get registered or login!
 
montego
Site Admin


Joined: Aug 29, 2004
Posts: 9449
Location: Arizona

PostPosted: Fri Jul 07, 2006 10:33 pm Reply with quote

This option from hitwalker/Raven is probably best, by I have also seen success with using cpanel's protection of the directory. It might be HTTPAuth. You could try it and see if you can access that directory directly.

_________________
Only registered users can see links on this board! Get registered or login!
Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
izone
PostPosted: Sat Jul 08, 2006 9:17 am Reply with quote

Thank you all.

OffTopic

Hello montego, long time no see! (acctually we haven't seen yet Very Happy )

We are all waiting for your new ver. of HTML Newsletter. Good luck.
 
montego
PostPosted: Sun Jul 09, 2006 7:38 am Reply with quote

Quote:

We are all waiting for your new ver. of HTML Newsletter


Me too! Been a bit busy since the last release. But, been thinking about it a ton... just need to figure out how to set aside the time. Regards!
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©