Ravens PHP Scripts: Forums
 

 

thebaddestass
Hangin' Around


Joined: Dec 21, 2006
Posts: 25

Posted: Sat Jun 06, 2009 2:51 pm

Hey all. Back a few years ago, I was running a PHP nuke site. It was php nuke 7.6.0.3.1, which is patched to 3.1 of course as you can see from the version #.

Now I was also running NukeSentinel 2.5.01.

The site went down around August 06. The server host lost all data and he said none was recoverable. Luckily I performed random full site backups, database and all.

Right after that I got a new job, had moved, had a ton of things going on. Point is, I owned the domain but didn't have space for nearly 3 years due to not having time to work on anything.

Well now it is back up, restored DB, and all. Site displays perfectly and all data just as it was the day I backed it up. However none of the admin logins work.

When I go mydomain.com/admin.php it won't authenticate.

I have changed the passwords in the DB. It just isn't authenticating.

I haven't done anything for updating as I just got it back online last night and I am sure being so old it has major holes. Anywho first things first is logging into the admin panel, which I can't.

Any help would be mucho appreciated.


EDIT::: I meant to add that I can login with my regular user account and verified that another user could as well. Just can't login via admin panel.
 
ToolBox
Regular


Joined: Mar 16, 2005
Posts: 74

Posted: Sat Jun 06, 2009 3:36 pm

Empty your nuke_author table in your SQL db.
Then go to admin.php, which will ask you for a new root name and password.
Create a new admin root ID and PASSWD (if you want, type in the same ID and password as before).
Good Luck.
 
thebaddestass
Posted: Sat Jun 06, 2009 4:09 pm

Hey toolbox, right before you posted this my host fixed it and said this:

I removed the use of .staccess authentication.

That was causing the problem. But I specifically remember that my old host put that in purposely. So I would have a pop-up box to authenticate, then the phpnuke login again after the pop-up box.

Doesn't removing the use of .staccess make it less secure?
 
ToolBox
Posted: Sat Jun 06, 2009 5:12 pm

You don't remove .staccess.
When shtml and normal html may not be found in the target directory that your site users access, your hosting company will show their own screen as the default path to guide. That's not a good way.

Absolutely, directory access permission might prevent your login as an admin. However, if it was true and they fixed it, then that's fine.

As far as you are concerned about security issues, the best way is to protect your web-hosting directory in Apache (like .htaccess with IP prevention specification). Next is your sub-directory access permission. Then, your phpnuke security.

.staccess, .htaccess (shtml and html) files should be in there if you want.
 
thebaddestass
Posted: Sat Jun 06, 2009 5:15 pm

Ya I have been out of hosting for 3 years now, so I am rusty and a n00b.

Not sure, but with it enabled I can't login. So you say I should put the website back like it was using st and ht access and then delete all accounts and do what you said?

Will that fix the problem if staccess was what was causing the original login issue?
 
ToolBox
Posted: Sat Jun 06, 2009 5:29 pm

Try to change .staccess to .htaccess.

Some .staccess configuration is not simple for normal hosting users.
But .htaccess is recommended.

Once again, the .staccess file might be the cause that you could not log in.
Deleting .staccess is ok, as long as your hosting is not secure html.
However, I would like you to keep the .htaccess file to control some directories that you want to give access permission selectively.
 
thebaddestass
Posted: Sat Jun 06, 2009 5:46 pm

My website is just a gaming site for clan. Nothing secure or anything. But I do have a paypal donations module, called Treasury module.

Well according to my host the staccess was the cause of me not being able to login.
 
ToolBox
Posted: Sat Jun 06, 2009 6:03 pm

thebaddestass wrote:
My website is just a gaming site for clan. Nothing secure or anything. But I do have a paypal donations module, called Treasury module.
Treasury module does not matter. Don't worry about this module.
thebaddestass wrote:
Well according to my host the staccess was the cause of me not being able to login.
If they are sure, then you may delete .staccess and create .htaccess.
 
thebaddestass
Posted: Sat Jun 06, 2009 6:10 pm

Well, now I already had a .htaccess file, so I still need to re-create one?
 
ToolBox
Posted: Sat Jun 06, 2009 7:50 pm

You don't have to.
.htaccess is enough.
Don't forget to double-check what your .htaccess defines.
 
thebaddestass
Posted: Sat Jun 06, 2009 8:38 pm

honestly, I don't know what I am looking for.
 
thebaddestass
Posted: Sun Jun 07, 2009 11:24 am

Also, I don't think sentinel is working correctly after the move. I tried editing admins without being GOD admin and I got the normal blocked page for an authors table attack. But I entered the site without removing IP from ban list, so this would tell me it isn't banning correctly right??

Also, when going into the admin of nukesentinel, it says that my files aren't chmod correctly for .htaccess, .staccess, etc. the error is: File does not exist or is not correctly CHMODed.

But they are, here are the chmod for them both:

rw- r-- r--
rw- r-- r--

Which I believe is correct. Also, I am using Admin CGIAuth.
 
montego
Site Admin


Joined: Aug 29, 2004
Posts: 9453
Location: Arizona

Posted: Mon Jun 08, 2009 6:23 am

thebaddestass, regarding this last post, two things:

1. Check your NukeSentinel(tm) blockers to make sure they are set to actually "block", and

2. No, those are not the right permissions. .htaccess should be rw-rw-rw- (666) in order for NS to write the ban IP to it. .staccess would need to be 666 to begin with until you have saved the hashed passwords for your admins into it and then it can go back to 644.

thebaddestass
Posted: Mon Jun 08, 2009 4:15 pm

Hey Montego,

Thanks for the reply,

I have gone through all blocker settings and all are set to email, block, & default page. Except for Flood blocker, it says it can't be due to .ftaccess not existing. But it does exist, however I can't open it, gives an error something about binary data. Should I leave it as is or should I just put a blank one out there? Also, what are the file permissions for .ftaccess?

Also, my host has disabled the use of .staccess because I couldn't login to admin of the site until they disabled .staccess. The reason I couldn't login to admin is because I had wrong permissions on .htaccess and .staccess?

Also, the entry below is from .htaccess, is this where it calls .staccess?

#<Files admin.php>
#<Limit GET POST PUT>
#require valid-user
#</Limit>
#AuthName "Restricted"
#AuthType Basic
#AuthUserFile /var/www/vhosts/mydomain.org/httpdocs/.staccess
#</Files>


So should I re-enable .staccess and set correct file permissions and try it? Should I clear .staccess before re-logging in since it has all the old admin usernames and hashes in it?

Thanks
 
thebaddestass
Posted: Tue Jun 09, 2009 11:25 pm

Can anyone help me get my .staccess back working??

When I take out the # and use .staccess it blocks me. I can delete my login and encrypted password from the .staccess and it still won't let me login. How do I get that back working? Any help would be greatly appreciated.

EDIT:: I wanted to add that that file is chmod to 666.
 
montego
Posted: Wed Jun 10, 2009 7:04 pm

thebaddestass, you should probably start over with a new blank .staccess. You really should get up on the latest NukeSentinel(tm) and follow the instructions to re-create .htaccess and .staccess.

Although you are not running RavenNuke(tm), the page on NukeSentinel(tm) setup might be of some use to you. You can find it here:
Only registered users can see links on this board! Get registered or login!
 
thebaddestass
Posted: Thu Jun 11, 2009 4:28 pm

Hey Montego,

Thanks for the reply. I plan on upgrading to the latest nuke sentinel but first off I wanted to get the .staccess working before upgrade so as not to change too many things at once until I get the site back as it was, then I was going to upgrade nukesentinel. I will try the blank .staccess and see what happens. But I do have some questions, the only install for NS that I can find is to upgrade from 2.6 to 2.6.01, but I don't have 2.6 yet, so how do I upgrade without having 2.5 to 2.6 upgrade file, and without removing and re-installing full package or is this possible?

Also, last week I ran into this link:
Only registered users can see links on this board! Get registered or login!

and when I got down toward .staccess problems I was like, AWESOME this is gonna be my fix, and the page says this:

Quote:

If you find yourself locked out of your ACP after these steps you can temporarily comment out the lines that you have just added to .htaccess. Just put a # character in front of all the lines you added. This will give you access again while you resolve the problem.


Which was my exact problem after restoring website, but I couldn't resolve my problem and there was no further information on the page to help solve the issue, so I was at a loss.

Also, what is the best way to delete old admins that no longer exist, one of which was an original god admin, but my account is also a god admin by editing via mysql, will there be an issue if I delete the original GOD account even though mine is now God account as well?
 
montego
Posted: Sat Jun 13, 2009 8:51 am

Wow, lots of questions embedded in one post. My apologies up front if I miss one...

thebaddestass wrote:
the only install for NS that I can find is to upgrade from 2.6 to 2.6.01, but I don't have 2.6 yet, so how do I upgrade without having 2.5 to 2.6 upgrade file, and without removing and re-installing full package or is this possible?


You are right. Not possible. (Well, anything is possible with time and the right skills.) But, it would ensure you are working with the latest, most secure and most bug free release and starting from scratch will ensure you are not carrying over any past issues.

Quote:
Also, what is the best way to delete old admins that no longer exist, one of which was an original god admin, but my account is also a god admin by editing via mysql, will there be an issue if I delete the original GOD account even though mine is now God account as well?


Toolbox had the right suggestion further up by deleting all your nuke_authors records, and I would add removing the lines from .staccess, and then start from scratch with setting up your admin account.

Regarding getting admin auth protection working, it is also absolutely critical that the "AuthUserFile" directive in .htaccess is the correct full (absolute) path to your .staccess, otherwise, game over before you even begin. (BTW, whatever you do, do NOT post this path here in the forums, just make sure it is correct to YOUR user account.)

Not sure what else we can do except log in and try and help set you up. But, unfortunately, my time is too limited to do that at the moment. Sorry.
 
evaders99
Former Moderator in Good Standing


Joined: Apr 30, 2004
Posts: 3221

Posted: Sat Jun 13, 2009 11:09 pm

Pretty sure you'll need the full version of 2.6 to get the upgrade script

thebaddestass
Posted: Sun Jun 14, 2009 10:22 pm

Thanks for the replies guys. The path to .staccess is correct in the .htaccess file.

First things first, should I fix the admins and .staccess before messing with NS? Also since I can't upgrade NS, then that means uninstall and do full install, right?

Now do I leave my tables in DB as is or delete them? Delete all files and modules associated with NS or do I delete nothing and I just overwrite everything with the full 2.6.01 and follow normal install procedures?
 
montego
Posted: Mon Jun 15, 2009 6:24 am

The full install kit has an option to Remove NS tables. Do this first. Then install the fresh 2.6.1 tables. The key here, though, is you are also needing to go through the core file edits and just make sure that something doesn't have to be "tweaked". I know there was a slight change, but if memory serves me, it wasn't a big one between 2.5 and 2.6. But, would be good to sync up anyways.
 
thebaddestass
Posted: Mon Jun 15, 2009 11:51 am

Great, thanks for the info, I will give it a try tonight and let you know how it all works.

Going to make backups of my NS tables though just to make sure.
 
thebaddestass
Posted: Mon Jun 15, 2009 3:46 pm

Ok, so first things first, I started with blank .staccess, chmod to 666 and then deleted everything in nuke authors table. Checked path in .htaccess and path was correct for .staccess.

I left .staccess disabled to create the admin account, so I created a new admin account and logged in as admin, works wonderfully. Then I re-enabled .staccess.

Now I still can't get past the .staccess login box, fails after all 3 tries.

.staccess is empty and chmod to 666, but still just keeps popping up the login box for 3 times, then unauthorized.

Also, in my NS menu, it says .ftaccess isn't chmod correctly or doesn't exist, but it does and path is correct, what are the file permissions for .ftaccess, could this be causing the problem with .staccess?

Just want to get that .staccess working before updating NS.
 
montego
Posted: Tue Jun 16, 2009 6:13 am

thebaddestass, your .staccess file cannot be empty. That could very well be the problem. You need to go to "HTTPAuth Menu" link and then "Admin Auth List". Look at the table of admins and right above it should be a link to Build CGIAuth File. You missed that step I think.

BTW, that was in the HowToInstall manual page in the steps.
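
A check for the failure modes this thread ran into (auth block commented out, AuthUserFile path not absolute or wrong, empty .staccess, permissions left at 666), as an added example that is not part of any post and not NukeSentinel code. The names `check_admin_auth` and `make_sample` and the placeholder hash are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not NukeSentinel code): sanity-check the Basic-auth block
# that protects admin.php. Prints findings; returns 0 only if it is usable.
check_admin_auth() {
    htaccess=$1
    [ -r "$htaccess" ] || { echo "FAIL: cannot read $htaccess"; return 1; }
    # First active (not '#'-commented) AuthUserFile directive, quotes/CR stripped.
    authfile=$(grep -i '^[[:space:]]*AuthUserFile[[:space:]]' "$htaccess" |
        head -n 1 | awk '{print $2}' | tr -d '"\r')
    if [ -z "$authfile" ]; then
        echo "FAIL: no active AuthUserFile directive (block commented out?)"
        return 1
    fi
    case $authfile in
        /*) ;;
        *) echo "FAIL: AuthUserFile is not an absolute path: $authfile"; return 1 ;;
    esac
    [ -f "$authfile" ] || { echo "FAIL: password file missing: $authfile"; return 1; }
    [ -s "$authfile" ] || { echo "FAIL: password file is empty, no login can succeed"; return 1; }
    # Every non-blank line must look like user:hash.
    bad=$(awk -F: 'NF && ($1 == "" || $2 == "") { n++ } END { print n + 0 }' "$authfile")
    [ "$bad" -eq 0 ] || { echo "FAIL: $bad malformed line(s) in $authfile"; return 1; }
    # Character 9 of the ls mode string is the world-write bit.
    case $(ls -ld "$authfile" | cut -c1-10) in
        ????????w?) echo "WARN: $authfile is world-writable; set it back to 644" ;;
    esac
    echo "OK: $authfile has $(grep -c ':' "$authfile") user entry(ies)"
    return 0
}

# Constructed sample: a scratch directory with an enabled auth block and one
# placeholder entry (the hash is not a real credential).
make_sample() {
    dir=$1
    printf 'admin:CONSTRUCTED-PLACEHOLDER-HASH\n' > "$dir/.staccess"
    chmod 644 "$dir/.staccess"
    cat > "$dir/.htaccess" <<EOF
<Files admin.php>
AuthName "Restricted"
AuthType Basic
AuthUserFile $dir/.staccess
Require valid-user
</Files>
EOF
}

# Usage: sh check_admin_auth.sh /path/to/.htaccess
if [ "${1:-}" ]; then check_admin_auth "$1" || true; fi
```

Run it on the server against the real .htaccess; it only reads the files and never prints the hashes.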
 
thebaddestass
Posted: Tue Jun 16, 2009 10:53 pm

Great, thanks I got my .staccess back working and am going to update to the newest sentinel, but a couple of questions.

Even though IP tracking is setup, there are no ip's in the database, set for 7 days as well, but no ip's, but don't know why, maybe it will work after I upgrade?

Also, in the NS setup page, it says this:

Change your permissions on both .htaccess and .staccess back to 666.

But you said .staccess should be 644, right?

One more thing, how do you make an .ftaccess page, that isn't really covered in the setup and what should the file permissions be?
 