Ravens PHP Scripts: Forums
Forum: Security - PHP Nuke
francescodelv (New Member; Joined: Jan 06, 2010; Posts: 7)
Posted: Mon Feb 22, 2010 10:08 am

Hi all. Sorry for my bad English. I have a 7.6 patched to 3.1b with Sentinel 2.5.17, Fortress, redirect of config, antispam, etc. It has worked fine with no security problem for 4 years, but this morning I found a direct access in the config folder that changed one parameter of the config. The site went offline with a MySQL error message etc. I've searched in the IP tracking history module, in the Sentinel tracker, in the StoryHost module, but this IP has never been present in any of the tables. The question is: how is it possible that he knew the exact folder where the config is located, with a direct access? A person that doesn't know your configuration file or FTP folder looks around before finding the exact folder/file. Thanks for replying.
 
Raven (Site Admin/Owner; Joined: Aug 27, 2002; Posts: 17086)
Posted: Mon Feb 22, 2010 10:57 am

To be sure I'm understanding correctly, you're saying your nuke config.php file was changed. Is that correct?
 
francescodelv
Posted: Mon Feb 22, 2010 11:33 am

Raven wrote:
To be sure I'm understanding correctly, you're saying your nuke config.php file was changed. Is that correct?


Yes. One parameter was changed (1970 to 1979) in the config. A friendly attack.... See the FTP log file:

Mon Feb 22 02:48:28 2010 0 81.72.118.167 4475 /home/mysite/public_html/folder/config.php
Mon Feb 22 02:48:52 2010 0 81.72.118.167 4379 /home/mysite/public_html/folder/config.php

thanks
 
Raven
Posted: Mon Feb 22, 2010 11:48 am

A friendly attack? Have you also examined your server error log to see how he got in? Or are those the only log entries for that IP?
 
francescodelv
Posted: Mon Feb 22, 2010 11:57 am

Raven wrote:
A friendly attack? Have you also examined your server error log to see how he got in? Or are those the only log entries for that IP?


Hi Raven. Friendly because I think that he could have done a lot of damage if he wanted...... The problem is that the log file has tracked only these two traces:

Mon Feb 22 02:48:28 2010 0 81.72.118.167 4475 /home/mysite/public_html/folder/config.php
Mon Feb 22 02:48:52 2010 0 81.72.118.167 4379 /home/mysite/public_html/folder/config.php


How is it possible to find the exact folder where the config is located without the FTP password??
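The two log lines quoted in this post are the only evidence the thread has, so a practitioner's first move is to triage the whole transfer log rather than the two lines the eye landed on: which client IPs are not the owner's, which transfers touched files that should never change over FTP, and how the size of one file moved between uploads. The script below is an added example by the editor, not code from the thread. It parses lines of the shape shown above (timestamp, transfer time in seconds, remote IP, byte count, path) and ignores any trailing xferlog fields, which the posted lines do not include. SAMPLE_LOG reuses the two posted lines and adds one constructed line from 203.0.113.10 to stand for the site owner; ADMIN_IPS and SENSITIVE_NAMES are assumptions to adjust for the real install.

```python
"""Triage an FTP transfer log for writes to sensitive files and for
client IPs that are not known administrators.

Added example (editor's code, not from the thread). Lines are read as:
timestamp, transfer time (s), remote IP, bytes, path. Anything after the
path is ignored. SAMPLE_LOG and ADMIN_IPS are constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>[A-Za-z]{3} [A-Za-z]{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) "
    r"(?P<secs>\d+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<size>\d+) (?P<path>\S+)"
)

# Files whose upload over FTP should always be reviewed (assumed PHP-Nuke
# layout; extend for the real install).
SENSITIVE_NAMES = {"config.php", "index.php", "mainfile.php", ".htaccess"}

# Constructed sample: the two lines from the post plus one owner transfer.
SAMPLE_LOG = """\
Sun Feb 21 21:10:02 2010 1 203.0.113.10 18221 /home/mysite/public_html/folder/themes/DeepBlue/theme.php
Mon Feb 22 02:48:28 2010 0 81.72.118.167 4475 /home/mysite/public_html/folder/config.php
Mon Feb 22 02:48:52 2010 0 81.72.118.167 4379 /home/mysite/public_html/folder/config.php
this line is not a transfer record
"""
ADMIN_IPS = {"203.0.113.10"}  # assumption: the owner's own address


def parse_line(line):
    """Return a dict for one transfer record, or None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%a %b %d %H:%M:%S %Y")
    rec["secs"] = int(rec["secs"])
    rec["size"] = int(rec["size"])
    return rec


def triage(log_text, admin_ips):
    """Return (sensitive, unknown, history).

    sensitive: records whose file name is in SENSITIVE_NAMES, oldest first
    unknown:   {ip: [paths]} for IPs not in admin_ips
    history:   {path: [(ts, size)]} so size changes of one file are visible
    """
    sensitive, by_ip, history = [], defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        by_ip[rec["ip"]].append(rec["path"])
        history[rec["path"]].append((rec["ts"], rec["size"]))
        if rec["path"].rsplit("/", 1)[-1] in SENSITIVE_NAMES:
            sensitive.append(rec)
    sensitive.sort(key=lambda r: r["ts"])
    unknown = {ip: paths for ip, paths in by_ip.items() if ip not in admin_ips}
    return sensitive, dict(unknown), dict(history)


def size_deltas(history, path):
    """Byte difference between consecutive uploads of one path."""
    sizes = [s for _, s in sorted(history.get(path, []))]
    return [b - a for a, b in zip(sizes, sizes[1:])]


if __name__ == "__main__":
    sens, unk, hist = triage(SAMPLE_LOG, ADMIN_IPS)
    for r in sens:
        print(f"{r['ts']:%Y-%m-%d %H:%M:%S} {r['ip']:>15} {r['size']:>6} {r['path']}")
    for ip, paths in unk.items():
        print(f"unknown IP {ip}: {len(paths)} transfer(s)")
    cfg = "/home/mysite/public_html/folder/config.php"
    print("config.php size changes between uploads:", size_deltas(hist, cfg))
```

On the posted lines the second upload of config.php is 96 bytes smaller than the first, which a one-character edit (1970 to 1979) would not explain on its own; that is the kind of detail to pull before deciding how much the intruder changed. Two caveats: the transfer log only records what went over FTP, so a credential stolen from the owner's workstation or a shell on a neighbouring account of a shared host leaves no trace here, and the log's timestamps are the server's clock, not the forum's GMT-6 display.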
 
Susann (Moderator; Joined: Dec 19, 2004; Posts: 3191; Location: Germany: Moderator German NukeSentinel Support)
Posted: Mon Feb 22, 2010 12:34 pm

Do you have anonymous FTP? If so, check the settings for this; maybe they have changed. I have been hacked through this, and with the uploaded shell script it's possible to read everything.
 
francescodelv
Posted: Mon Feb 22, 2010 4:58 pm

Susann wrote:
Do you have anonymous ftp ? If so check the settings for this maybe they have changed. I have been hacked through this and with the uploaded shell script its possible to read everything.


No Susann. I don't have anonymous FTP. There are 3 users x 3 folders and one for all the space. The access to the config folder came from the user that has access to all the FTP (only I have the username and password for that access). Do you think that one of the 3 users has uploaded some malicious file to the FTP space? Now I have changed the password for all the FTP space and deleted the other 3, and changed the folder name of the config..... How can I see if a shell script is working on my site?? Thanks for replying.
 
Susann
Posted: Mon Feb 22, 2010 6:01 pm

You need to check your folders for new, unknown files, e.g. mshell.php.
However, it's good practice to change all passwords and to have your site under control; I mean check it daily, and also the logs if possible.
I don't know if the problem was caused by one of your users, because I believe there are different ways. My issue was a changed anonymous FTP access.
 
slackervaara (Worker; Joined: Aug 26, 2007; Posts: 236)
Posted: Tue Feb 23, 2010 1:19 am

Earlier, when I used SPChat, hackers used its smileyupload.php to upload a new index.php and config.php to my site, so the front page was changed.
 
francescodelv
Posted: Tue Feb 23, 2010 8:32 am

Thanks for the support. At the moment I am checking the folders for the last modified files. I have changed all passwords after deleting the other FTP accounts.... An update from me in the coming days.... Thanks
 
francescodelv
Posted: Wed Feb 24, 2010 4:53 am

Hi. In the last hours I've monitored the FTP logs and there are no strange accesses. I think that a shell attack from one of the users that had FTP access is the right explanation, but there are no files with strange names in the folders. Is it possible that the code is inside some common PHP-Nuke file? Thanks for replying
 
nuken (RavenNuke(tm) Development Team; Joined: Mar 11, 2007; Posts: 2024; Location: North Carolina)
Posted: Wed Feb 24, 2010 11:01 am

Could it be another site on a shared server being attacked by the shell script causing the problem?

Susann
Posted: Wed Feb 24, 2010 11:03 am

I've found this very helpful: [link visible to registered users only]

However, it's good that you didn't find this file on your server. Check the logs in the coming days too; maybe you will find some other interesting things. And make sure everything is up to date. Also, with a Nuke site you should always be prepared to restore your site.
 
francescodelv
Posted: Fri Feb 26, 2010 3:03 pm

Hi, there's a problem. I've downloaded all the files in the folder of one of the FTP accounts. I've used Depeche View to search the files for some words usually present in a shell attack.... results = 0...... The problem is that the IP that changed my config hasn't made any other action (deleted files etc....).....
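Three posts in this thread describe the same hunt from different angles: Susann's advice to look for new, unknown files such as mshell.php, the poster's check of last-modified files, and his final word search that returned zero hits. A plain word search misses two common cases: shell code appended to a legitimate PHP-Nuke file (so there is no strange file name to spot) and shells written as `eval(base64_decode(...))` or `$_GET['f']($_POST['a'])`, which contain none of the obvious words. The scanner below is an added example by the editor, not code from the thread or from PHP-Nuke. It walks a web root, scans every PHP file regardless of name, reports files that match a small set of regex indicators or that were modified after a cutoff, and builds a constructed sample tree so it runs offline. The indicator list is an assumption (a generic starting point, not a signature for any particular shell), and the sample files are invented.

```python
"""Find PHP files recently modified or containing strings typical of
web shells, under a web root.

Added example (editor's code, not from the thread). The indicator
patterns are a generic starting point, not a signature of any specific
shell. build_sample_tree() creates a constructed web root for the demo.
"""
import os
import re
import tempfile
import time

PHP_EXT = (".php", ".phtml", ".php3", ".php5", ".inc")

# Each indicator: (label, compiled regex over the raw file bytes).
INDICATORS = [
    ("eval of decoded payload",
     re.compile(rb"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(")),
    ("command execution from request data",
     re.compile(rb"\b(?:shell_exec|passthru|system|exec|proc_open|popen)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)")),
    ("file upload handler",
     re.compile(rb"move_uploaded_file\s*\(\s*\$_FILES")),
    ("preg_replace with /e modifier",
     re.compile(rb"preg_replace\s*\(\s*[\"'][^\"']*/e[\"']")),
    ("request-controlled variable function",
     re.compile(rb"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(\s*\$_")),
]


def scan(root, modified_after=None):
    """Return findings, newest first. A file is reported when an indicator
    matches or its mtime is later than `modified_after` (epoch seconds).
    Hidden files and legitimate-looking names are scanned like any other."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_EXT):
                continue
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            with open(path, "rb") as fh:
                data = fh.read()
            matched = [label for label, rx in INDICATORS if rx.search(data)]
            recent = modified_after is not None and st.st_mtime > modified_after
            if matched or recent:
                findings.append({
                    "path": os.path.relpath(path, root).replace(os.sep, "/"),
                    "mtime": st.st_mtime,
                    "indicators": matched,
                    "recent": recent,
                })
    findings.sort(key=lambda f: f["mtime"], reverse=True)
    return findings


def build_sample_tree():
    """Constructed web root: an old clean module, an old file with shell
    code appended, and a freshly dropped shell hidden under images/."""
    root = tempfile.mkdtemp(prefix="nuke_scan_")
    now = time.time()
    old = now - 90 * 86400
    files = {
        "modules/Your_Account/index.php":
            (b"<?php if (!defined('MODULE_FILE')) die(); echo 'ok'; ?>\n", old),
        "includes/counter.php":
            (b"<?php $hits++; ?>\n<?php eval(base64_decode($_POST['c'])); ?>\n", old),
        "images/.cache.php":
            (b"<?php $_GET['f']($_POST['a']); ?>\n", now),
    }
    for rel, (content, mtime) in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
        os.utime(full, (mtime, mtime))  # backdate so mtime logic is exercised
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for f in scan(root, modified_after=time.time() - 7 * 86400):
        flag = "NEW " if f["recent"] else "    "
        print(f"{flag}{time.strftime('%Y-%m-%d', time.localtime(f['mtime']))} "
              f"{f['path']}: {', '.join(f['indicators']) or 'no indicator'}")
```

Run it against a downloaded copy of the site with `scan("/path/to/copy", modified_after=<epoch of the last known-good backup>)`. Two findings come out of the sample: includes/counter.php is old but carries an eval of a base64 payload, which a name-based check never sees, and images/.cache.php is recent and calls a function named by the request. An attacker who obfuscates with chr() concatenation or str_replace evades all five patterns, so mtime is the more dependable signal (and can itself be faked with touch); the check that beats both is comparing file hashes against a clean copy of the same PHP-Nuke/RavenNuke release, which also answers the question raised earlier in the thread of whether the code could be hiding inside a common Nuke file.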
 
Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours