Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
Author Message
netgoodies
Regular
Regular



Joined: Sep 26, 2005
Posts: 63
Location: Oxfordshire. United Kingdom.

PostPosted: Mon Dec 18, 2006 8:27 am Reply with quote

Hi

I have been visited by a numbnut who has managed to deface a file but I have not got a clue how he did it and also cant find his IP.

File effected: /signature.php

I have Nuke version 7.6 pl31, NukeSentinel v2.5.03

Can anyone help me find out how it was done and his identity?

Regards

Martyn
 
View user's profile Send private message Visit poster's website
hitwalker
Sells PC To Pay For Divorce



Joined:
Posts: 5661

PostPosted: Mon Dec 18, 2006 9:25 am Reply with quote

signature of what ?
 
View user's profile Send private message
netgoodies







PostPosted: Mon Dec 18, 2006 9:28 am Reply with quote

Hi Hitwalker

signature.php is used for my dynamic forum signature.

Regards

Martyn
 
hitwalker







PostPosted: Mon Dec 18, 2006 9:30 am Reply with quote

did you changed the permissions (chmod) on that file ?
 
netgoodies







PostPosted: Mon Dec 18, 2006 9:33 am Reply with quote

Was at 644
 
hitwalker







PostPosted: Mon Dec 18, 2006 9:41 am Reply with quote

so file was empty?
 
hitwalker







PostPosted: Mon Dec 18, 2006 9:48 am Reply with quote

bit weird to deface it with no rights...
just upload one ,and latest version....
btw i found a lot of defaced phpbb faq pages as well...
 
netgoodies







PostPosted: Mon Dec 18, 2006 9:48 am Reply with quote

Contents replaced with

Code:
hacked [ Only registered users can see links on this board! Get registered or login! ] ulusaldarbe.com
 
netgoodies







PostPosted: Mon Dec 18, 2006 9:50 am Reply with quote

hitwalker wrote:

btw i found a lot of defaced phpbb faq pages as well...


where?
 
evaders99
Former Moderator in Good Standing



Joined: Apr 30, 2004
Posts: 3221

PostPosted: Mon Dec 18, 2006 10:09 am Reply with quote

Probably need access logs to see how he got in

I've not found any security reports about the dynamic signatures themselves
I'm not sure if there's a hole in Sentinel. But there are some fixes to Patched in 3.3.

_________________
- Star Wars Rebellion Network -

Need help? Nuke Patched Core, Coding Services, Webmaster Services 
View user's profile Send private message Visit poster's website
netgoodies







PostPosted: Mon Dec 18, 2006 11:24 am Reply with quote

Hi evaders

Yes as I suspect there would be some fixes in 3.3. I have already started working on the upgrade.

Regards

Martyn
 
netgoodies







PostPosted: Mon Dec 18, 2006 12:03 pm Reply with quote

Hi

My host has responded, when asked if he could tell what had happened, with:

Quote:
From what I can tell they got in because Register Globals is enabled on the server..

This is a glaring security hole..

Make sure that you have this line in your .htaccess file i your root "public_html" folder

php_value register_globals 0


Forgive my ignorance but does it matter if Register Globals is on at the server rather than if it was off and I switched it on in my .htaccess. As I know that HTTPAuth requires Register Globals on.

Regards

Martyn
 
evaders99







PostPosted: Mon Dec 18, 2006 12:24 pm Reply with quote

While register_globals is a security issue, it is not a hole in itself. It allows people to write sloppy code... but simple measures can be taken so that hackers cannot get in.
Your host really needs to go through the access logs to see how they got in.

Note that phpNuke itself does not require register_globals to be on, as it will turn on a workaround called import_request_variables
 
montego
Site Admin



Joined: Aug 29, 2004
Posts: 9457
Location: Arizona

PostPosted: Tue Dec 19, 2006 6:35 am Reply with quote

All the same questions: do you have any of the following added to your nuke site: chat, vwar, some type of gallery or any other add-on with file upload capability?

If they mucked with your FAQs, is it the forum FAQs or the nuke module called FAQ? I.e., did they get into your database or just the forum FAQ files?

_________________
Where Do YOU Stand?
HTML Newsletter::ShortLinks::Mailer::Downloads and more... 
View user's profile Send private message Visit poster's website
netgoodies







PostPosted: Tue Dec 19, 2006 6:44 am Reply with quote

evaders99 wrote:
Note that phpNuke itself does not require register_globals to be on, as it will turn on a workaround called import_request_variables


Yes I know but NukeSentinel does if Admin HTTPAuth is to be used. So is it best to have register_globals off and use CGIAUth instead?

I have since found out that another site on the server was hacked by the same guy before he got to me. Register_globals was turned on at server level so 1 site could test out a piece of software and was forgotten to be switched back off again.

Just seems so pathetic to just tag a site thats he has been there, as no other damage caused......but I am grateful thats all that was done.

Regards

Martyn
 
netgoodies







PostPosted: Tue Dec 19, 2006 7:05 am Reply with quote

Hi Montego


Thats why I asked Hitwalker
netgoodies wrote:
hitwalker wrote:

btw i found a lot of defaced phpbb faq pages as well...


where?


Because I cannot find anything defaced in the FAQ module or the forum faq's.

The site has X7 chat but no vwar or gallery. The forums have attachment mod installed but thats about it. No other way of uploading files.

No access was gained into the db.

The only change I can find was the defaced signature.php file.

Regards

Martyn
 
montego







PostPosted: Wed Dec 20, 2006 7:45 am Reply with quote

Ok, good thing on the db. That means, though, that they have found a hole through either the forums attachment mod and/or chat. These are common security holes and definitely NOT recommended.

You may want to check through all your directories on your server and make sure they haven't deposited something else there. Looks for files that you do not recognize.
 
netgoodies







PostPosted: Wed Dec 20, 2006 12:36 pm Reply with quote

Hi

Well thats the crazy thing, all I can find is the signature.php defaced. I have checked through all my files for anything strange and I have even opened all files edited that day to see if there was anything in them but there was'nt.

Re-forums attachment there is no access to it unless you are a member and the chat, all be it a different one, was what was hacked on the other site on the same server. So maybe your right that the chat was his way in.

Regards

Martyn

PS Still waiting for a reply from Hitwalker. Bit worried about what you said about the FAQ's .... Maybe I am misunderstanding you.
 
hitwalker







PostPosted: Wed Dec 20, 2006 2:31 pm Reply with quote

well i couldnt find any hard evidence of existing hacks towards the signature but i did found a lot of defaced faq pages of phpbb,but most of it effected the whole forum as well.
 
netgoodies







PostPosted: Wed Dec 20, 2006 2:35 pm Reply with quote

Oh I thought you was talking about my site... Phew. lol
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©