Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™
Author Message
RaDiKaL
New Member
New Member


Joined: Jun 10, 2004
Posts: 23

PostPosted: Mon Sep 06, 2004 7:20 am Reply with quote

Well my time came Sad

I have Sentinel 2.0.1+ latest patches, yet some Albanian dude desided that I am against him(I don't know why...) and hacked my site...

Take a look... Only registered users can see links on this board! Get registered or login!

Sentinel did not caught any attempts and I have every filtre on Sad

Any ideas where the breach may came from?

Thnanks...

[I have backup, so only my pride and hard work is damaged Smile ]
 
View user's profile Send private message
RaDiKaL
PostPosted: Mon Sep 06, 2004 7:41 am Reply with quote

Sorry the bastards are still in so I'm taking it down. Basically they created new admin account(not God) and messed around with the prefferences, changing the language to albanian etc...

I had taken every precaution yet...

Oh well...
Funny thing is that all the hoopla is because they won a soccer game[world cup qualifiers...) and I was about to say that the greek fans over over reacted... I was on their side for crying out loud!

Stupid mofos...

Sorry for the post...
I guess I'll load the backup...
Any tips for extra protection?
 
sixonetonoffun
Spouse Contemplates Divorce


Joined: Jan 02, 2003
Posts: 2496

PostPosted: Mon Sep 06, 2004 7:47 am Reply with quote

Did you use the admin http auth layer Nuke Sentinel provides? (Dual Login)

_________________
[b][size=5]openSUSE 11.4-x86 | Linux 2.6.37.1-1.2desktop i686 | KDE: 4.6.41>=4.7 | XFCE 4.8 | AMD Athlon(tm) XP 3000+ | MSI K7N2 Delta-L | 3GB Black Diamond DDR
| GeForce 6200@433Mhz 512MB | Xorg 1.9.3 | NVIDIA 270.30[/size:2b8 
View user's profile Send private message
RaDiKaL
PostPosted: Mon Sep 06, 2004 7:55 am Reply with quote

sixonetonoffun wrote:
Did you use the admin http auth layer Nuke Sentinel provides? (Dual Login)


My server(host) doesn't support htaccess files, so...

But i noticed that phpmyadmin wrote "Server localhost" that's impossible!

They probably hacked right to the Dbase right?
 
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 17077

PostPosted: Mon Sep 06, 2004 8:49 am Reply with quote

Without the HTTP Auth, your admin is wide open unless you have installed the patches to admin.php, which you say you have. Please post your admin.php because the patches from Chatserv should have stopped any hacking into authors. They may have found another way.
 
View user's profile Send private message
RaDiKaL
PostPosted: Mon Sep 06, 2004 12:50 pm Reply with quote

I'm pretty sure that my host doesn't support HTTP Auth but I'll double check. Here's ths admin.php

Code:
<?php


/************************************************************************/
/* PHP-NUKE: Advanced Content Management System                         */
/* ============================================                         */
/*                                                                      */
/* Copyright (c) 2002 by Francisco Burzi                                */
/* http://phpnuke.org                                                   */
/*                                                                      */
/* This program is free software. You can redistribute it and/or modify */
/* it under the terms of the GNU General Public License as published by */
/* the Free Software Foundation; either version 2 of the License.       */
/*                                                                      */
/************************************************************************/
/* Additional security checking code 2003 by chatserv                   */
/* http://www.nukefixes.com -- http://www.nukeresources.com             */
/************************************************************************/
if(stristr($_SERVER["QUERY_STRING"],'AddAuthor') || stristr($_SERVER["QUERY_STRING"],'UpdateAuthor')) {
die("Illegal Operation");
}
$checkurl = $_SERVER['REQUEST_URI'];

if ((preg_match("/\?admin/", "$checkurl")) || (preg_match("/\&admin/", "$checkurl"))) {
echo "die";
exit;
}
require_once("mainfile.php");


[Admin note: Truncated because the rest of the code was not needed to see what level of protection you were using]
 
Raven
PostPosted: Mon Sep 06, 2004 12:58 pm Reply with quote

HTTP Auth does NOT require .htaccess. It is part of the HTTP protocol. Try to activate it with NukeSentinel™. Unfortunately, that admin.php will not stop the admin hacks if they use some encoding like base64. I am working on enhancements to my stand alone HackAlert script that will basically be a NukeSentinel™ (lite) version.
 
RaDiKaL
PostPosted: Mon Sep 06, 2004 1:42 pm Reply with quote

Thanks Raven. No site is 100% secure, even when running the mighty Sentinel Wink

I'll activate HTTP Auth for sure next time. I think I tried it offline and I got banned Confused

Keep up the good work!

Hey is there any way to track the little $%^%$^ down? What traces he might have left?
 
sixonetonoffun
PostPosted: Mon Sep 06, 2004 2:35 pm Reply with quote

I'd search the logs for any access like this on the date of the attack using your own path of course:
"POST /pnuke74/admin.php HTTP/1.1"
"GET /pnuke74/admin.php?op=mod_authors HTTP/1.1"
 
RaDiKaL
PostPosted: Tue Sep 07, 2004 1:40 am Reply with quote

Hmm in which logs? SQL?
Because I'm in shared hosting, not in a seperate server...

thanks
 
Raven
PostPosted: Tue Sep 07, 2004 4:21 am Reply with quote

RaDiKaL wrote:
Thanks Raven. No site is 100% secure, even when running the mighty Sentinel Wink
Mighty? Hmmmm. Agreed that no site is 100% secure, but had you been using all the protection that NukeSentinel™ and the Patches from Chat, you wouldn't have gotten hacked, either. I don't mean that as a smartaleck remark. I just want those that read this to understand that NukeSentinel™ may not be perfect, but I've yet to see a site that has been hacked who has it installed and is using HTTP Auth for the admin panel. New exploits are always just around the corner though Wink
 
RaDiKaL
PostPosted: Tue Sep 07, 2004 4:54 am Reply with quote

I meant that as a good remark Raven Embarassed Sorry If you took it as something else Embarassed

Thanks for all your work amd support! And I really mean it Smile Embarassed
 
Raven
PostPosted: Tue Sep 07, 2004 5:22 am Reply with quote

I hesitated before I wrote that because I did not want to come across like that. I know you did not mean anything by it and no apology was necessary! As I said, it was for the benefit of those that don't yet know the product Wink
 
RaDiKaL
PostPosted: Tue Sep 07, 2004 10:55 pm Reply with quote

Ok Smile

Then to those that do no have the product yet, let me say that it has caugh noumerous attempts before and I know now that I left a security hole by mistake...

It's by far the best and easiest to setup security you can add to your Nuke site. And it has amazing support to boot Smile

So I tried activating HTTP Auth locally and even though I set a password it doesn't accept it. What am I doing wrong here?
[Apache and MySQL running on WinXP]

Thanks again!
 
Raven
PostPosted: Tue Sep 07, 2004 11:02 pm Reply with quote

The default id/pass is your admin id/pass. You have to log in with that and then you can change it, or should be able to.
 
RaDiKaL
PostPosted: Tue Sep 07, 2004 11:40 pm Reply with quote

Well now I see why I haven't set it up before Sad

It reads Admin HTTP Auth: Not Available

What do I do now? Embarassed
 
Raven
PostPosted: Tue Sep 07, 2004 11:47 pm Reply with quote

Your PHP is probably compiled as a stand-alone CGI instead of an Apache module. Ask your host if they will recompile PHP as an Apache module so you can use HTTP Authentication. I am almost complete with the rewrite of my Hack Alert script also.
 
RaDiKaL
PostPosted: Wed Sep 08, 2004 12:02 am Reply with quote

I'll give it a go but I don't think they 'll even bother...
They didn't even install the GR local Twisted Evil

So I'm holding my breath and await for Hack Alert Smile

Thanks Raven
 
chatserv
Member Emeritus


Joined: May 02, 2003
Posts: 1389
Location: Puerto Rico

PostPosted: Wed Sep 08, 2004 12:19 am Reply with quote

I'm more interested in finding out how they got in, contact your webhost and ask them for a copy of your site's access.log, once you have it check it for odd entries as suggested by sixonetonoffun and post any findings.
 
View user's profile Send private message Visit poster's website
RaDiKaL
PostPosted: Wed Sep 08, 2004 2:05 am Reply with quote

Ok I'll do that.

In the mean time since I don't have HTTP Auth capabilities I took a dramatic measure Laughing I took admin.php off the web. If he got to me once, he can do it again.

Tnanks for all the help guys
 
64bitguy
The Mouse Is Extension Of Arm


Joined: Mar 06, 2004
Posts: 1159
Location: Sanbornton, NH USA

PostPosted: Wed Sep 08, 2004 2:47 am Reply with quote

I'm compiled in CGI mode as well so I don't have HTTP Auth capabilities, but I always assumed (I know, bad Idea to assume anything) between Protector and Sentinal I would have pretty good converage of securing my admin.php file.

Are there other methods beyond HTTP Auth of locking down the admin functions beyond the methods employed now by these two security applications, or should I not worry and assume they are doing their things adequately?

Just curious.
Thanks!

_________________
Steph Benoit Only registered users can see links on this board! Get registered or login!
1CMS, 100% Section 508 and W3C XHTML/CSS Compliant (Truly) 
View user's profile Send private message Visit poster's website
Raven
PostPosted: Wed Sep 08, 2004 4:29 am Reply with quote

Yes there are. But as has been noted, we need to determine the method used for the breach to fix this particular case. However, I will post back shortly at least one alternative method as there could be several.
 
Raven
PostPosted: Wed Sep 08, 2004 6:52 am Reply with quote

HTTP Authentication is a process that challenges the user to enter an id and password. So, technically, you could write any number of SSI type scripts to do this. I do not have a CGI installation to test this on, but this does work on my setup. Please test it under a CGI installation and let me know.

This is only valid under Apache. You will need 2 files. One is .htaccess and the other is a file to hold the users and passwords that are allowed access to the file. The .htaccess file will be stored in the folder where admin.php is located, which is your root nuke folder. If you already have a .htaccess just add this code to it. Otherwise you will have to create a .htaccess file. Add this code to .htaccess
Code:
<Files admin.php>

   <Limit GET POST PUT>
      require valid-user
   </Limit>
   AuthName "Restricted"
   AuthType Basic
   AuthUserFile REAL_PATH_TO_ID_PASS_FILE
</Files>

Now the REAL_PATH_TO_ID_PASS_FILE will be site specific, but many *nix sites have a realpath to your public_html/www folder that looks like this
Code:
/home/USERNAME/public_html/

So, let's assume that your secret file is named 64bitsecret. I would make it hidden by naming it .64bitsecret. Now, the contents will be a username:password, like 64bitguy:secretpass, except secretpass needs to be encrypted with the crypt() function. I will not attempt an explanation of the function, but I will provide a short script I wrote to help you Smile. The salt value can be whatever you like.
Code:
<form method='post'>

Enter password to be encrypted using crypt(): <input name='pw'><br /><br />
Enter the 'salt' value for the encryption (2 long): <input name='salt' maxlength='2'><br /><br />
<input type='submit' name='submit' value='Encrypt'><br /><br />
<?
if (isset($_POST['submit'])&&isset($_POST['pw'])&&!empty($_POST['pw'])) {
   echo "Password <b>".$_POST['pw']."</b> translated is <b>".crypt($_POST['pw'],$_POST['salt'])."</b>";
}
?>
So, upon entering your password of 'secretpass' with a salt of '64' (remember it can be anything you want), we get an encrypted value of '64hH0OZjEnJyQ'. So, we now place 64bitguy:64hH0OZjEnJyQ in the .64bitsecret file.

Now we upload .htaccess and .64bitsecret to the nuke root folder and hopefully when you try to access the admin.php file you will be challenged appropriately. Pleas note that you cannot use both http auth in NukeSentinel and .htaccess http auth. It will give the browser a migraine Wink. Please let me know your results.

Also, here is a quick little diddy to find out your REALPATH. Save this to your root nuke folder to discover the path and then delete it!
Code:
<?

echo 'rp = '.realpath('index.php');
?>
 
kguske
Site Admin


Joined: Jun 04, 2004
Posts: 6383

PostPosted: Wed Sep 08, 2004 9:22 am Reply with quote

Raven, you are awesome. RavensScripts I'll test this on a CGI installation tonight and let you know.
 
View user's profile Send private message
kguske
PostPosted: Wed Sep 08, 2004 10:01 am Reply with quote

I was so excited, I couldn't wait. This worked BEAUTIFULLY. Thank you, thank you, thank you...
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©