Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
Author Message
ring_c
Involved
Involved


Joined: Dec 28, 2003
Posts: 276
Location: Israel

PostPosted: Tue Jun 01, 2004 7:27 pm Reply with quote

For the last 24 hours, my site was hacked twice with the same method. Somehow, someone manage to alter/replace my index.php.

Today they left an index.php with these: "Rebellious Fingers - Only registered users can see links on this board! Get registered or login!"

I'm using phpnuke v6.7.
Is this a known issue?
Is there a solution?

I also have Fortress running, and it didn't seem to bother them, nor did I get an email from it.

Any help will do. please!
 
View user's profile Send private message Visit poster's website
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 17077

PostPosted: Tue Jun 01, 2004 7:45 pm Reply with quote

When you say they left your index.php changed, do you mean the actual index.php file on your ftp site? Or do you mean your main News page? I'm not insulting your intelligence Smile - some people refer to those two as the same thing.

Make sure that you have my http auth protection in place and all of Chat's fixpacks applied. If your index.php was truly hacked then none of the protection applications (Sentinel(tm), Fortress(tm), etc.) will protect against that.

If you are still at a loss, post back.
 
View user's profile Send private message
ring_c
PostPosted: Tue Jun 01, 2004 8:01 pm Reply with quote

Raven wrote:
When you say they left your index.php changed, do you mean the actual index.php file on your ftp site? Or do you mean your main News page?

Sorry for being slow, it's 4:50am here... Shocked
Anyway, I refer to the index.php which site on phpnuke's root dir, aside to mainfile.php, header.php and footer.php.

No relation to the News modul what so ever...

Could you please lead me to your http auth protection and Chat's fixpacks? will these help me?
 
Raven
PostPosted: Tue Jun 01, 2004 8:05 pm Reply with quote

Chat's fix pack on my front page at the top Smile
Only registered users can see links on this board! Get registered or login!

My Admin security Only registered users can see links on this board! Get registered or login!

And then of course Wink Sentinel(tm) Only registered users can see links on this board! Get registered or login!
 
ring_c
PostPosted: Tue Jun 01, 2004 8:12 pm Reply with quote

Raven wrote:
Chat's fix pack on my front page at the top Smile
Only registered users can see links on this board! Get registered or login!

My Admin security Only registered users can see links on this board! Get registered or login!

And then of course Wink Sentinel(tm) Only registered users can see links on this board! Get registered or login!


Thanks. asking again - will these help me with the current hack method?
 
Raven
PostPosted: Tue Jun 01, 2004 9:38 pm Reply with quote

Yes, they should. Chances are they used a known exploit in one or more of the modules that allow uploads, possibly a gallery or an upload module.
 
stephen2417
Worker
Worker


Joined: Jan 18, 2004
Posts: 244
Location: Bristolville, OH

PostPosted: Tue Jun 01, 2004 10:46 pm Reply with quote

Ah Ha. I had that problem, same guy too..

Coppermine ring a bell?

Get the latest version and your set.. DJ pointed this out some time ago.
 
View user's profile Send private message Visit poster's website
ring_c
PostPosted: Wed Jun 02, 2004 2:51 am Reply with quote

stephen2417 wrote:
Coppermine ring a bell?

d***! and I didn't even use it. I just put it on the site, and realy didn't have the time to work it out.

Oh well, here's another use for that little <delete> button! Very Happy

I guess this is related to the security vulnerability, as stated here: Only registered users can see links on this board! Get registered or login!

Thanks, stephen2417. I've removed coppermine. hopefully this solves it.
 
ring_c
PostPosted: Wed Jun 02, 2004 3:16 am Reply with quote

Raven wrote:
Chat's fix pack on my front page at the top Smile
Only registered users can see links on this board! Get registered or login!

Is there any detailed code changes to be made by hand, as my site is fully modded (uses Hebrew, a RTL language) and I can't allow myself to simply over write the current files?

Just as an example, I've installed attach_mod to my PhpBB, which is a file attach mod. this mod touches lots of phpbb related files, hence am certain that applying Chat's pack, will cause it to stop working (for the least).

As said before, I'd prefer a manualy code changes file for self implementation.
 
chatserv
Member Emeritus


Joined: May 02, 2003
Posts: 1389
Location: Puerto Rico

PostPosted: Wed Jun 02, 2004 8:53 am Reply with quote

I have attempted before to write a diff pack for the patch but it involves many changes and because of user modifications it would be next to impossible to make it match every user's files, what i can offer to you is that you only replace the files you know are not modified by you them make a list of the ones you did not replace and pm me afterwards, i will patch them for you.
 
View user's profile Send private message Visit poster's website
ring_c
PostPosted: Wed Jun 02, 2004 9:17 am Reply with quote

Gee, you're realy generous!
I'll try to do that, though I'm not realy sure I could tell which files were changed or not. Maybe I'll use the date stamp to make the decision...

THANKS ALOT!

PS: As stephen2417 suggested, I've removed copermine. Do you think this could have caused it?
 
stephen2417
PostPosted: Wed Jun 02, 2004 9:55 am Reply with quote

I still use coppermine actually, its all patched up in the new version.. I suggest if your going to use it just install it again. Wink

Wanna say thanks to oprime2001(NC) for orignaly pointing this out to me.
 
stephen2417
PostPosted: Wed Jun 02, 2004 9:56 am Reply with quote

ring_c wrote:
Do you think this could have caused it?


Yes it was coppermine, look at the logs if you dare.. Search for coppremine in them. Rolling Eyes
 
chatserv
PostPosted: Wed Jun 02, 2004 9:58 am Reply with quote

I know you won't like this suggestion but trust me it'll be worth the extra work:

Do not upload the Forums module or the includes folder.
Make a full backup of all your current files.
Now upload one file at a time from Nuke Patched, test the site and any section related to the files you just uploaded, if all seems ok, upload another and so on. If at any time a file breaks the site or area to which it is related replace it with the original file from the backup you made and add said file to the list of files i will patch for you.
 
ring_c
PostPosted: Thu Jun 03, 2004 11:26 pm Reply with quote

stephen2417 wrote:
Yes it was coppermine, look at the logs if you dare.. Search for coppremine in them. Rolling Eyes


I guess it wasn't coppermine after all. they've just done it again:
Code:
Rebellious Fingers Defacements Crew! - Only registered users can see links on this board! Get registered or login!
Crying or Very sad

And coppermine is out of my site since you told me to remove it...
d*** them. how do they do that???
 
Raven
PostPosted: Thu Jun 03, 2004 11:40 pm Reply with quote

Had you cleared up your admin table ==> nuke_authors of any admin accounts that weren't legitimate and then changed the passwords on the others? Is it possible they have gotten hold of your account password to your server account?
 
ring_c
PostPosted: Thu Jun 03, 2004 11:57 pm Reply with quote

Raven wrote:
Had you cleared up your admin table ==> nuke_authors of any admin accounts that weren't legitimate and then changed the passwords on the others? Is it possible they have gotten hold of your account password to your server account?


My nuke_authors is clean (only contain those who got authorisation from me).

I don't beleive they have my pwds. and even if they do - why don't they mess with the rest of it? why only change my index.php? Why not crapping it all up?

Oh, and I've tried mailing this guy. guess what:
Code:
User mailbox exceeds allowed size: Only registered users can see links on this board! Get registered or login!
 
Raven
PostPosted: Fri Jun 04, 2004 12:54 am Reply with quote

Have you applied all of Chat's fixes? If they have not added an admin account then they are using an old exploit that his fix pack fixes.
 
ring_c
PostPosted: Fri Jun 04, 2004 1:49 am Reply with quote

Raven wrote:
Have you applied all of Chat's fixes? If they have not added an admin account then they are using an old exploit that his fix pack fixes.

Actually no. I trusted stephen2417's assurance of it being coppermine's fault.
I guess I'll try your advice as of not updating the forums and includes patch, but using the others, one by one.
 
ring_c
PostPosted: Fri Jun 04, 2004 2:16 am Reply with quote

Raven, I had a problem with the FIRST file I've uploaded. Sad
I've started with the root's admin.php file. after replacing (don't worry I have a backup) the file, i got this error:

Fatal error: Call to undefined function: stripos_clone() in /home/hagigim/public_html/admin.php on line 19

Now I'm realy afraid to continue...
 
stephen2417
PostPosted: Fri Jun 04, 2004 4:19 am Reply with quote

I’m sorry to mislead you ring_c Sad

Do you happen to use any other photo gallery becides that or like anything that allows you to upload a file..
Just for me being an idiot ill look at your server logs for you if you can pick out an arround about time and date.
 
ring_c
PostPosted: Fri Jun 04, 2004 4:26 am Reply with quote

stephen2417 wrote:
I’m sorry to mislead you ring_c Sad

Do you happen to use any other photo gallery becides that or like anything that allows you to upload a file..
Just for me being an idiot ill look at your server logs for you if you can pick out an arround about time and date.

it's fine. don't worry.
i'm using 4nalbum. is this one a problem too?
 
ring_c
PostPosted: Fri Jun 04, 2004 4:27 am Reply with quote

never mind, removing 4nalbum right now. the hell with it...
 
stephen2417
PostPosted: Fri Jun 04, 2004 4:29 am Reply with quote

Well what a motto.. If you do get hacked again then its not an image gallery.. we have rulled that out then. Shocked
 
Raven
PostPosted: Fri Jun 04, 2004 4:34 am Reply with quote

All have had issues at one time or another. Any application that has upload capability is suspect at this point,
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©