Ravens PHP Scripts: Forums
 

 

Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
krubach
New Member


Joined: Jun 15, 2006
Posts: 19

Posted: Sat Jul 22, 2006 7:26 am

Hi guys,

I have a phpnuke based portal at [link].
About a month ago the site was hacked by some Turkish pricks who were able to deface and cripple my website, plus mess around with phpnuke's tables and delete some of them.

I upgraded to phpNuke 7.8 and added NukeSentinel(tm) 2.4.2pl9 to it.
I thought I was safer, but last night they did it again.

From what I could see they renamed the News module and Forum module to "Hacked by ...", and they were able to mass mail too. All members got 3 or 4 emails saying:
"HACKED By_Komutan

BİZBU VATANI KARŞILIKSIZ SEVDİK I'MSORYY ADMİN FOR TURKEY!"

What can i do? How did they do this?
What measures should i take?

TIA
 
fkelly
Former Moderator in Good Standing


Joined: Aug 30, 2005
Posts: 3312
Location: near Albany NY

Posted: Sat Jul 22, 2006 7:38 am

Good looking site.

You can ban all IP's from Turkey using the IP2Country feature in Sentinel. That might be a start but they can always find a way to fake IP's. I'd do it anyway.

I'd look very carefully at my logs to see how they are getting in. Try to find out what IP they are hacking from and then do searches on the log to try to reconstruct the sequence of their activities. If they are constantly switching IP's then your reconstruction is more difficult but you can probably do it anyway.

I'd also want to make sure that they haven't compromised your web host account and found a way to upload files that way. I'd change my admin password for the web host and any database passwords I had, and I'd check my authors table to make sure that they weren't able to insert any false admin id's. Also look for any "strange" files that may have been inserted onto your host lately. You should have just the real Nuke files, but sometimes the hackers can insert a script that they use to compromise you.

Let us know what you find out.
 
Susann
Moderator


Joined: Dec 19, 2004
Posts: 3191
Location: Germany:Moderator German NukeSentinel Support

Posted: Sat Jul 22, 2006 8:54 am

Maybe the 7.9 version is more secure? Don't know, but I would not use 7.7 or 7.8 because there are many known security issues with these versions. That's also the reason why many people used the downgrade script back to nuke 7.6 from nukescripts.net.
However, upgrade your forums version to the newest, always use the HTTP auth function and the newest nuke sentinel version, and protect your modules/forums/admin files with htaccess:
[link]

Maybe also an interesting article:
[link]
 
Guardian2003
Site Admin


Joined: Aug 28, 2003
Posts: 6792
Location: Ha Noi, Viet Nam

Posted: Sat Jul 22, 2006 12:51 pm

To echo fkelly's points, you MUST check that no files have been uploaded anywhere on your site (I have found them hiding in image folders etc. in the past).
Also check the contents of ALL files in the nuke root, e.g. config.php / htaccess / any other single files that have 'write' access, against a known good backup.

Susann posted some excellent links for further information too.
 
krubach
Posted: Sat Jul 22, 2006 5:37 pm

Files in root are only rw-r--r--, so I guess there's no problem with them.
I checked config.php, .htaccess and other root files and they seemed OK.

Quote:

you MUST check no files have been uploaded anywhere on your site (I have found them hiding in image folders etc in the past).

you mean check all those hundreds of files?!?!? ... :S ...

I added the "deny from [IP]" using the Turkish IP addresses that raven posted once...
No unauthorized "authors" were found in the table.

Quote:

I'd look very carefully at my logs to see how they are getting in.

Where are those logs?
I have a raw access log (in cPanel) but it's huuuuuuuuuuuuuuuuuge (200MB), I can't even open it...
 
Guardian2003
Posted: Sat Jul 22, 2006 6:04 pm

I am working on the assumption that Sentinel is installed and correctly set up; given the ease with which they got in, I think they must have left something on your site to allow them access.

However, it could have been one of the many security problems with 7.7 / 7.8 / 7.9 which let them in via the tiny_mce editor; Sentinel can only offer so much protection against sloppy code.

Do you have any other modules installed like vWar, Gallery, Squery, SPChat that have known security problems?
 
kguske
Site Admin


Joined: Jun 04, 2004
Posts: 6383

Posted: Sat Jul 22, 2006 9:44 pm

AFAIK, there is no way to disguise the change date on the directories, so looking through hundreds of files is really not that difficult - just look at the change date on the directories.

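The two file checks recommended above (fkelly's "look for strange files" and kguske's "look at the change date on the directories") can be scripted on the host with plain find. The following is an added example, not code from the thread or from PHP-Nuke/NukeSentinel; the demo tree, its paths and its timestamps are constructed for the demonstration and the incident date of 21 July 2006 is the one the thread mentions.

```shell
#!/bin/sh
# Added example (not from the thread or from PHP-Nuke/NukeSentinel):
# what changed on a document root after a known-good date, scripts planted
# where only images belong, and world-writable files.
# Assumed layout: a PHP-Nuke docroot with images/ and modules/ subtrees.

# List every file AND directory modified after the given timestamp.
# $1 = timestamp in touch -t form ([CC]YYMMDDhhmm), $2 = document root.
# Directories show up too: dropping a file into images/forum/ updates that
# directory's own mtime, which is the clue kguske describes.
changed_since() {
    ref=$(mktemp)
    touch -t "$1" "$ref"
    find "$2" -newer "$ref"
    rm -f "$ref"
}

# PHP scripts living under any images/ directory. $1 = document root.
scripts_in_image_dirs() {
    find "$1" -path '*/images/*' -type f -name '*.php*'
}

# Files anyone on the host can write to (POSIX -perm -002). $1 = docroot.
world_writable() {
    find "$1" -type f -perm -002
}

# Build a constructed demo tree so the functions run offline.
# Timestamps are invented: legitimate files dated 1 June 2006, one planted
# script dated 21 July 2006 (the incident day mentioned in the thread).
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/images/forum" "$root/modules/Forums"
    printf '<?php // legitimate\n' > "$root/config.php"
    printf '<?php // legitimate\n' > "$root/modules/Forums/index.php"
    printf 'GIF89a' > "$root/images/logo.gif"
    printf '<?php // planted: a script where only images belong\n' > "$root/images/forum/x.php"
    touch -t 200606010000 "$root/config.php" "$root/modules/Forums/index.php" "$root/images/logo.gif"
    touch -t 200607211000 "$root/images/forum/x.php"
    chmod 666 "$root/images/forum/x.php"
    printf '%s\n' "$root"
}

# Stand-alone run: review everything changed since 20 July 2006.
demo_root=$(make_demo_tree)
echo "== changed since 2006-07-20 =="; changed_since 200607200000 "$demo_root"
echo "== scripts inside images/ ==";   scripts_in_image_dirs "$demo_root"
echo "== world-writable files ==";     world_writable "$demo_root"
rm -rf "$demo_root"
```

On a real host, run `changed_since` with the date of the last known-good backup against the actual document root; compare the list, and the contents of anything on it, against that backup rather than trusting timestamps alone.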
 
krubach
Posted: Sun Jul 23, 2006 4:18 am

Guardian2003 wrote:
Do you have any other modules installed like vWar, Gallery, Squery, SPChat that have known security problems?


Nope...
Just a parallel installation of Coppermine PG.

Quote:

so looking through hundreds of file is really not that difficult - just look at the change date on the directories.


Ok.
Thanks for the tip. I'll do that.
 
gregexp
The Mouse Is Extension Of Arm


Joined: Feb 21, 2006
Posts: 1497
Location: In front of a screen....HELP! lol

Posted: Sun Jul 23, 2006 4:38 am

Just an FYI, I believe coppermine is seriously exploitable and is risky at best to use it (IMO).

krubach
Posted: Mon Jul 24, 2006 7:09 am

darklord wrote:
Just an FYI, I believe coppermine is seriously exploitable and is risky at best to use it (IMO).


CPG and phpNuke use different databases in the same MySQL DBMS, so I guess that even using CPG to exploit phpNuke would be doable (please correct me if I'm wrong).

I've been looking in the "raw access log" cPanel provides me. All I can see are lines like:
Code:

85.241.25.183 - - [21/Jul/2006:09:46:52 +0100] "GET /modules.php?name=Forums&file=viewtopic&t=4895&start=60 HTTP/1.1" 200 92098 "http://www.f1portugal.com/modules.php?name=Forums&file=search&search_id=egosearch" "Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.7.12) Gecko/20050919 Firefox/1.0.7"

I searched for "SELECT", "UPDATE","Hacked" and found nothing.
Does that mean that SQL injection is out of the question?

Downgrading to 7.6 will give me a hell of a job, since I performed so many tweaks...
Is it possible to get where the security measures were taken in 7.7 and 7.8 and use them again?

P.S.- I searched for "hacked" since that word was used when modifying the modules' titles.
 
fkelly
Posted: Mon Jul 24, 2006 7:46 am

The line from the log you quoted is typical and it is all you have to go by in looking at the log. I took the IP (85.241.25.183) from it and looked it up and found it was in Portugal for instance. What I've done in the past is find an IP that I'm suspicious of (you have to identify at least one attack to do that) and then use the browser search features to trace the sequence of activities for that IP. Or download the log and use an editor to search for all occurrences of that IP and trace it that way. You probably won't see the individual SQL statements in the log so searching for select, insert, update won't do much for you. Sometimes you will see the hackers trying to execute a script on another server or exploit a vulnerability in something like Coppermine to insert a file onto your server. I wish I could give you a more surefire recipe for examining the logs but I can't.

As to making Nuke 7.7 or 7.8 secure you really can't do it. You could and should apply the 3.1 or even 3.2 level patches by Chatserv but if you've "tweaked" the code even that will have to be done with care. I don't know what your tweaks consist of but you might want to see if you can isolate them and list them and then explore how difficult it would be to "upgrade" to Ravennuke. Once you are on board with it you will have a fully functioning installation that includes Sentinel and you can then look at reapplying your "tweaks" on a selective basis.
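The log work fkelly describes (pick one day out of a huge file, find the address you suspect, then trace every request it made) is a job for grep and awk on the host. The following is an added example, not code from the thread; its sample log is constructed: 85.241.25.183 is the address quoted above, while 203.0.113.7 and 198.51.100.9 are documentation-only addresses that stand in for a suspect and a bystander, and the paths requested are invented.

```shell
#!/bin/sh
# Added example (not from the thread): slicing and tracing an Apache
# combined-format access log with grep and awk. The log is constructed;
# 203.0.113.7 and 198.51.100.9 are documentation-only addresses.

# Write the constructed sample log to a temp file and print its path.
sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
85.241.25.183 - - [21/Jul/2006:09:46:52 +0100] "GET /modules.php?name=Forums&file=viewtopic&t=4895&start=60 HTTP/1.1" 200 92098 "-" "Mozilla/5.0"
85.241.25.183 - - [21/Jul/2006:09:47:10 +0100] "GET /modules.php?name=News HTTP/1.1" 200 31222 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Jul/2006:22:01:03 +0100] "GET /admin.php HTTP/1.1" 200 4120 "-" "Mozilla/4.0"
203.0.113.7 - - [21/Jul/2006:22:01:30 +0100] "POST /admin.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
203.0.113.7 - - [21/Jul/2006:22:03:15 +0100] "GET /images/forum/x.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [21/Jul/2006:22:04:02 +0100] "GET /modules.php?name=Forums HTTP/1.1" 200 50210 "-" "Mozilla/4.0"
198.51.100.9 - - [22/Jul/2006:03:10:00 +0100] "GET /modules.php?name=Forums HTTP/1.1" 200 50210 "-" "Mozilla/5.0"
EOF
    printf '%s\n' "$f"
}

# Pull one day out of a huge log (an 8 MB day slice beats a 200 MB file).
# $1 = log file, $2 = day as DD/Mon/YYYY.
day_slice() {
    grep -F "[$2:" "$1"
}

# Requests per client address, busiest first. $1 = log file.
requests_per_ip() {
    awk '{ print $1 }' "$1" | sort | uniq -c | sort -rn
}

# Every request from one address in log order: the "reconstruct the
# sequence of their activities" step. $1 = log file, $2 = address.
trace_ip() {
    awk -v ip="$2" '$1 == ip' "$1"
}

# Lines worth a closer look: POST requests, anything touching admin.php,
# and PHP executed from under /images/ (where only images belong).
# Combined-format fields: $1 client, $6 "METHOD, $7 path, $8 protocol.
flag_suspicious() {
    awk '$6 == "\"POST" || $7 ~ /admin[.]php/ || $7 ~ "^/images/.*[.]php"' "$1"
}

# Distinct addresses that touched admin.php. $1 = log file.
admin_ips() {
    awk '$7 ~ /admin[.]php/ { print $1 }' "$1" | sort -u
}

# Stand-alone run against the constructed log.
log=$(sample_log)
day_slice "$log" 21/Jul/2006 > "$log.day"
echo "== requests per IP on 21 July ==";   requests_per_ip "$log.day"
echo "== suspicious lines ==";             flag_suspicious "$log"
echo "== trace of the first admin.php visitor =="
trace_ip "$log" "$(admin_ips "$log" | head -n 1)"
rm -f "$log" "$log.day"
```

On the real 200 MB log, run `day_slice` first and work on the 8 MB result; `flag_suspicious` only narrows the list to lines a person should read, it does not prove anything by itself, and the referrer and user-agent fields at the end of each line are often what links one suspect address to another.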
 
krubach
Posted: Mon Jul 24, 2006 7:56 am

fkelly wrote:
list them and then explore how difficult it would be to "upgrade" to Ravennuke. Once you are on board with it you will have a fully functioning installation that includes Sentinel and you can then look at reapplying your "tweaks" on a selective basis.


I'm seriously considering that option.
I'll just have to get some free time to do it.

As for searching the log:
The attack was made somewhere on 21st July, and the log for that day is 8MB long...
It will be tough to search everything...

[EDIT]
Is it easy to migrate from phpNuke 7.8 to RavenNuke keeping all current data?
 
Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 