Ravens PHP Scripts: Forums
Bluezzz
Involved
Joined: Feb 08, 2005
Posts: 290
Location: USA

Posted: Fri Sep 19, 2008 4:19 am

Well I have been dreading upgrading and now I'm hacked LOL.

Seems they got into the /includes folder to do their dirty work; I see at least three files and the .htaccess there are changed. I managed to get the main page back by overwriting that .htaccess file with what I had, but I can't seem to find my includes folder to overwrite the others. Aside from that I'm not sure what else has been hacked. Can anyone tell me step by step how to ...

1) Lock this person out of my site/FTP to keep them from doing any further damage?

2) How to either delete all PHP/CMS related pages/databases/etc or update them to something more secure?

Links to *still hacked* pages are:
/includes/
configs.php, index.php, includes.php and the main .htaccess as well as the includes folder .htaccess files. There may be more but I'm not sure. I can give you my site URL if you want to see the hacked pages, which I've not yet removed because I don't really know how 0.o

I have not done a database restore. I just overwrote the one .htaccess page in the main nuke folder and that seems to have restored everything, but those other files are still in the includes folder as I said (and I'm not sure what, if any, others might be in there as well). Interestingly, the changed PHP pages are dated 01/22/07 but the changed .htaccess pages are dated 09/13/08, which is when I think the actual hack occurred. I'm just noticing it now; I haven't looked at the site in a while.

Thanks!

_________________
Bluezzz
~ Stop & smell the roses, while you can! ~ 
kguske
Site Admin


Joined: Jun 04, 2004
Posts: 6383

Posted: Fri Sep 19, 2008 4:35 am

This sounds like an inside job... Have you checked access logs to see what happened?

Do you allow uploads (e.g. images) on the site? If so, you might check that to make sure there aren't problems after you recover.

I would use a comparison tool like winmerge (free) or Beyond Compare (better) to compare the download to the current site to see what's different (and to restore affected files).

I'm not aware of any tool to easily restore affected content (pages, database). Check a database backup for that.

_________________
I google, therefore I exist...
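The comparison kguske describes (a downloaded copy of the live site against the known-good distribution download or an older clean backup), as an added example that is not part of the original thread and not RavenNuke code. It hashes every file under both trees, dotfiles such as .htaccess included, and reports what was planted, deleted or altered. Hashes rather than modification times are used on purpose: an intruder can set a file's mtime to anything, which is consistent with the altered PHP files dated 2007 sitting next to .htaccess files dated 2008 in the first post. The two sample trees, their contents and paths are constructed for the demo.

```python
"""Hash-based comparison of a downloaded copy of a site against a known-good
copy (the RavenNuke distribution download or an older clean backup).

Added example; not code from RavenNuke or from this thread. Paths and the
sample files are constructed for the demo. Files are matched by SHA-256,
not by modification time, because an mtime can be set to anything."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large uploads do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_hashes(root: Path) -> dict:
    """Map POSIX-style relative path -> sha256 for every regular file under
    root. Dotfiles such as .htaccess are deliberately included."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_file():
                hashes[p.relative_to(root).as_posix()] = sha256_of(p)
    return hashes


def compare_trees(good: Path, live: Path) -> dict:
    """Return sorted lists of files that exist only on the live site (planted),
    only in the good copy (deleted), or exist in both with different content."""
    g, l = tree_hashes(good), tree_hashes(live)
    return {
        "added": sorted(set(l) - set(g)),
        "removed": sorted(set(g) - set(l)),
        "modified": sorted(p for p in set(g) & set(l) if g[p] != l[p]),
    }


def build_demo() -> dict:
    """Construct two small trees in a temp dir (sample data made up for this
    example) and compare them: one PHP file and one .htaccess altered, one
    file planted, with the planted file's mtime backdated to show that the
    comparison does not depend on timestamps."""
    base = Path(tempfile.mkdtemp(prefix="sitecmp_"))
    good, live = base / "good", base / "live"
    files_good = {
        "index.php": "<?php echo 'home'; ?>\n",
        "includes/config.php": "<?php $dbhost = 'localhost'; ?>\n",
        ".htaccess": "Options -Indexes\n",
        "includes/.htaccess": "Deny from all\n",
    }
    files_live = dict(files_good)
    files_live["includes/config.php"] = "<?php $dbhost = 'localhost'; include 'x.php'; ?>\n"
    files_live["includes/.htaccess"] = "Allow from all\n"
    files_live["includes/x.php"] = "<?php /* planted file */ ?>\n"
    for root, files in ((good, files_good), (live, files_live)):
        for rel, text in files.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(text)
    os.utime(live / "includes/x.php", (0, 0))  # backdated; the hash still catches it
    return compare_trees(good, live)


if __name__ == "__main__":
    for kind, paths in build_demo().items():
        for p in paths:
            print(f"{kind:9s} {p}")
```

Read the "modified" list rather than overwriting it blindly: files that legitimately differ from the distribution download, such as the configuration file that holds the database settings, will show up there too and need their content inspected, while anything in "added" that you did not put there yourself is the first thing to remove.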
Bluezzz
Posted: Fri Sep 19, 2008 4:40 am

I'm the only one that accesses this site to my knowledge. I really don't know how to check logs. I've checked the site tracker but I don't see anything that I can pinpoint as unusual. What do you mean an inside job?
 
kguske
Posted: Fri Sep 19, 2008 5:00 am

Inside job means that possibly a program on your server (maybe even from another account) caused it. But an uploaded file could do the same thing.
 
Bluezzz
Posted: Fri Sep 19, 2008 5:04 am

Well, I knew what you meant by the term but not who you may have meant. I do have admins but they never log in or admin. I'm the only one that's been doing that. I still need to know how to get rid of the hacked files in the includes folder and how to lock this person out. Thanks for your replies though.
 
montego
Site Admin


Joined: Aug 29, 2004
Posts: 9453
Location: Arizona

Posted: Fri Sep 19, 2008 5:47 am

Bluezzz, kguske already suggested how to determine which files were hacked. You need to take a backup of your site files, bring them down to your PC, and compare them against your local copy of "good" site files. If you do not have such a thing... shame on you. ;) Do you have previous good backups that maybe you can compare against?

How to lock this person out? You need to find out how they got in. This is why kguske is suggesting looking at the access logs. If you don't know how to do this, you may need your host's help.

_________________
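Both kguske and montego point at the access logs as the way to find out how the files got there. The following is an added example, not code from the thread or from RavenNuke, of the sifting a practitioner does with such a log: take the list of changed and planted files from the file comparison, keep every request that touched one of them plus every request that was not a plain GET/HEAD (form posts and uploads are how new files normally arrive), and summarise the survivors per client address with first and last timestamps. The log lines are constructed in Apache combined format with documentation-range addresses; /upload.php and /includes/x.php are hypothetical paths, not known RavenNuke files.

```python
"""Sift a web-server access log for the requests that touched files the file
comparison flagged, plus every non-GET request, and summarise them per client.

Added example; not code from RavenNuke or from this thread. The log below is
constructed in Apache combined format with documentation-range addresses;
/upload.php and /includes/x.php are hypothetical paths."""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample, not a real log.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Sep/2008:02:14:31 -0600] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Sep/2008:02:14:40 -0600] "GET /modules.php?name=Forums HTTP/1.1" 200 15422 "-" "Mozilla/5.0"
198.51.100.23 - - [13/Sep/2008:03:02:11 -0600] "POST /upload.php HTTP/1.1" 200 412 "-" "libwww-perl/5.805"
198.51.100.23 - - [13/Sep/2008:03:02:19 -0600] "GET /includes/x.php HTTP/1.1" 200 96 "-" "libwww-perl/5.805"
198.51.100.23 - - [13/Sep/2008:03:03:05 -0600] "GET /includes/.htaccess HTTP/1.1" 403 220 "-" "libwww-perl/5.805"
192.0.2.55 - - [13/Sep/2008:09:45:00 -0600] "GET /images/wallpaper1.jpg HTTP/1.1" 200 183220 "http://example.test/" "Mozilla/4.0"
"""

# What the file comparison reported, as site-relative paths (constructed).
CHANGED_FILES = ["includes/config.php", "includes/.htaccess", "includes/x.php"]


def parse_log(text: str) -> list:
    """Parse combined-format lines; the query string is dropped so that a
    request for /includes/x.php?anything still matches the file path."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["path"] = e["path"].split("?", 1)[0]
            entries.append(e)
    return entries


def flag_requests(entries: list, changed_files: list) -> list:
    """Keep requests that hit a changed or planted file, or that used a method
    other than GET/HEAD."""
    targets = {"/" + p for p in changed_files}
    return [e for e in entries
            if e["path"] in targets or e["method"] not in ("GET", "HEAD")]


def summarise_by_ip(hits: list) -> dict:
    """Per client address: hit count, first and last timestamp, paths touched."""
    by_ip = defaultdict(lambda: {"count": 0, "first": None, "last": None, "paths": set()})
    for e in hits:
        s = by_ip[e["ip"]]
        s["count"] += 1
        s["first"] = s["first"] or e["ts"]
        s["last"] = e["ts"]
        s["paths"].add(e["path"])
    return dict(by_ip)


def run_demo() -> dict:
    """Run the whole pipeline over the constructed sample."""
    return summarise_by_ip(flag_requests(parse_log(SAMPLE_LOG), CHANGED_FILES))


if __name__ == "__main__":
    for ip, s in run_demo().items():
        print(f"{ip}: {s['count']} hits, {s['first']} .. {s['last']}")
        for p in sorted(s["paths"]):
            print("   ", p)
```

Once one address and time window stand out, go back to the unfiltered log and read every request from that address in order: the request just before the first write is usually the one that shows which page or module was abused, which is the information needed to close the hole rather than just to clean up after it. Hosts that do not expose raw logs in the control panel can usually provide them on request for a given date range.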
Guardian2003
Site Admin


Joined: Aug 28, 2003
Posts: 6793
Location: Ha Noi, Viet Nam

Posted: Fri Sep 19, 2008 10:20 am

You might also want to list any third-party modules etc. you have installed, in case we can identify one with known issues. This won't help you restore the site, but it might help prevent a repeat if it was indeed conducted through a third-party module and not some other site on the same server.
 
Bluezzz
Posted: Fri Sep 19, 2008 12:53 pm

I don't know what you mean by third party module.
 
Gremmie
Former Moderator in Good Standing


Joined: Apr 06, 2006
Posts: 2415
Location: Iowa, USA

Posted: Fri Sep 19, 2008 1:07 pm

Bluezzz wrote:
I don't know what you mean by third party module.


Third party modules are modules, blocks, etc that did not come with the original RavenNuke distribution that you may have installed.

_________________
Bluezzz
Posted: Fri Sep 19, 2008 1:20 pm

Some clarifications ...

Yes, I have site backups, but I was having trouble lately getting them to d/l, so the ones I do have are older rather than newer ... still, I haven't done anything with the site except u/l and post some desktop wallpaper I've done.

No, I so don't know how to compare those to the current changes.

Yes, I'm in touch with my host company to see if they can track down how this person got in.

I have no idea now which third party modules & blocks I added. I have the Sommaire Site Menu block but I don't remember what others I've added, the site has been secure with Raven's NukeSentinel 2.4.2pl5 up until now.

If I were to upload/install the newest RavenNuke (or whatever it may be called now), can I install that so as not to lose everything I have done, or is my current version too old to be updated without hair pulling? I would think it's not worth the trouble until I find out how he got in and plug that first, right?

And yes, I have an entire site copy as well as backup folders on my old computer, which would be a royal PITA for me to hook up (I'd have to unplug everything on this one and plug that one in, as I don't have extra cables, etc.). I'm on a new computer so my files are not on this one. I may have them on CDs and will look for that soon. But again, priority I'd think would be to lock him out before I proceed with site restoration?

As I said, I left his altered pages in the includes folder as I don't know what he changed or if those pages (listed above) are needed, new (from him) or what. I'm waiting to hear from my host now and will go from there. I can PM you the URLs to those and my main site if you want to see; perhaps you'd recognize his work ... says he's an *Arabian* 0.o

Thanks ...
 
Bluezzz
Posted: Sat Sep 20, 2008 3:52 am

Well my host wasn't any help, as I feared 0.o
 
Guardian2003
Posted: Sat Sep 20, 2008 4:15 am

Please PM me a valid FTP login for the site and the URL; I can at least take a look to see what you have installed.
 
slick_303
Hangin' Around


Joined: Feb 28, 2007
Posts: 34

Posted: Sat Sep 20, 2008 8:57 am

Bluezzz wrote:
I have no idea now which third party modules & blocks I added. I have the Sommaire Site Menu block but I don't remember what others I've added, the site has been secure with Raven's NukeSentinel 2.4.2pl5 up until now.


I think we found the problem! There are known issues with 2.4.x, and there have been 20+ versions since then. You need to keep up-to-date with NukeSentinel!
 
Bluezzz
Posted: Sat Sep 20, 2008 2:37 pm

I had issues with NS for the version I have, which I posted here way back when, but never did get around to figuring out how to *fix it*. Nonetheless it's kept me secure until now.

The headaches involved with keeping a PHP site *secure* have indeed been a deterrent to my upgrading 0.o My bad! I love the look of PHP sites, but keeping them constantly updated and secure is a major headache that I avoid until I have to do it (such as now LOL).

I know, you pros would just say "don't bother using PHP then". Have patience ... not everyone using PHP is a pro, nor will most of us ever be!
 
jakec
Site Admin


Joined: Feb 06, 2006
Posts: 3048
Location: United Kingdom

Posted: Sun Sep 21, 2008 6:37 am

Upgrading NS isn't really that difficult, though. I don't consider myself a pro and I am not a coder, but I always keep everything up to date. The time spent trying to fix the site after a hack is considerably more than just keeping the site up to date.

Anyway, hopefully we can get you back up and running; that is the most important thing now.
 