Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
Author Message
djmaze
Subject Matter Expert


Joined: May 15, 2004
Posts: 719
Location: http://tinyurl.com/5z8dmv

PostPosted: Tue Feb 08, 2005 11:04 am Reply with quote

Ok everyone hates those scriptkiddies that hack your site.
You try to prevent your site from hacks by blocking IP's and think that's safe.

Did you know that real hackers (approx. 1000 on the whole world) know how to use "IP spoofing" and they can actualy use my or your IP ?
So if sentinel blocks his IP and he gets annoyed of your website he can try any IP of the world and actualy completely shutdown your website.

This again is a short explanation that blocking IP's automaticly is a useless and never ending story to protect your site from hacking.
It's better to fix your website then to ban everyone.

I hope everyone again learns to update their backend with the latest security patches and fixes and do come on this website atleast once a day to keep your php-nuke or any raven related system online.

Oh and don't forget to donate, it's pretty expensive to run a non-supported website.
 
View user's profile Send private message Visit poster's website
PHrEEkie
Subject Matter Expert


Joined: Feb 23, 2004
Posts: 358

PostPosted: Tue Feb 08, 2005 12:17 pm Reply with quote

yah, but DJ, let's face the facts, REAL hackers don't have the time to bother with Nuke sites. There's nothing to gain. Real hackers want to get paid, so they go after sites that have sensitive information they can use or sell for profit. That leaves 99.9% of attacks against 'community' based websites by script kiddies, and banning their IP's -does- work enough times to warrant it.

Then we have the case of a worm release, and again, as futile is it seems to keep banning IP's, it's the only way to stop infected machines from hammering your server, even after you've patched your software.

So I agree with you... there is no 100% protection from a talented hacker who is bent on breaking into your site. If you have no credit card, financial or personal information to be gained from such a break-in, then the only other reason this person would want in is because you pissed them off somehow...

Where I will respectfully disagree is that script kiddies are either talented or persistant enough to use proxies and spoofs to continue attacks even after security measures kick in. It is well documented that ALL hackers, whether pro or amatuer, won't usually spend more than a few attempts 'sniffing' around your site for obvious and easy entry points. This means that if at a minimum you make it clear that they will be awhile trying to get into your site, a huge majority of them will move on to an easier site. Making a site 100% hack-proof? Probably impossible... making your site at least challenging enough to discourage 99% of would-be foos? Entirely possible, and actually quite easy.

PHrEEk

_________________
PHP - Breaking your legacy scripts one build at a time. 
View user's profile Send private message
djmaze
PostPosted: Tue Feb 08, 2005 4:33 pm Reply with quote

Agreed phreek.

But how much PHP-Nuke users run OSCommerce, PayPal and similar ?
 
sixonetonoffun
Spouse Contemplates Divorce


Joined: Jan 02, 2003
Posts: 2496

PostPosted: Tue Feb 08, 2005 5:10 pm Reply with quote

I think thats a real good point even the most basic paypal addon stores your paypal login info to manage transactions. Even if your not storing CC #'s at your site. I don't need much imagination to see how that could end up. Not to mention its common practice to run on a shared server where the access isn't always limited to your own webspace. Bring in the new generation of worms Eeek! Where's my teddy bear and blanky?

_________________
[b][size=5]openSUSE 11.4-x86 | Linux 2.6.37.1-1.2desktop i686 | KDE: 4.6.41>=4.7 | XFCE 4.8 | AMD Athlon(tm) XP 3000+ | MSI K7N2 Delta-L | 3GB Black Diamond DDR
| GeForce 6200@433Mhz 512MB | Xorg 1.9.3 | NVIDIA 270.30[/size:2b8 
View user's profile Send private message
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 17086

PostPosted: Tue Feb 08, 2005 5:38 pm Reply with quote

Blocking the IP was never meant to be an all-in-all. You don't even have to spoof. Most are dynamic anyway so you hit and miss by deciding whether to ban 'x' number of octets. They are but one, albeit a weak one, tool in your arsenal. I can assure you of this - if/when they are using their PC and not a batch program and you have PC Killer installed, it will make them think twice about trying it again. IMO nuke sites are no more than practice/play grounds for the kids. A cheap thrill - a peep show. Some use it to find real exploits for both good and bad. Just as a skilled craftsman will have several screwdrivers in his toolchest for different situations, to remain as safe as you can you should use whatever counter measures you have at your disposal. But the basic one that everyone should use is the patching of the bad code as soon as a remedy is revealed. Although, that seems to be a never ending job!


Last edited by Raven on Wed Feb 09, 2005 8:55 am; edited 1 time in total 
View user's profile Send private message
Mesum
Useless


Joined: Aug 23, 2002
Posts: 213
Location: Chicago

PostPosted: Tue Feb 08, 2005 11:50 pm Reply with quote

Ok so what SHOULD a PHP-Nuke owner do to protect their site 100%? Smack You think switching to CPGnuke is a good idea if someone wants to run a commercial website (eg: store or subscription)?
Wait, I don't think CPGnuke has any eCommerce add-on yet... DAMMIT!!!! Now I'll have to stick with the buggy, insecure and what not PHP-Nuke AKA "PUKE" according to CPGnuke admins. HitsFan

_________________
Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
sixonetonoffun
PostPosted: Wed Feb 09, 2005 7:50 am Reply with quote

I've all but givin up on some of the options out there.
osc2nuke is nice but they don't focus on one stable build long enough to do much good. Following the same path as XTC with an unstable public offering and a paid support version that isn't stable either.
nukecommerce is in a bit of a rut too I think.

I'd really like to use a osc cart in a nuke portal on a new site but it is almost more work then its worth. I've been testing and hacking away for a couple months off and on with osc2nuke74x but its still not running at a level I am comfortable with using for a live site.

GT slows it down considerably when there is live traffic. I'm going to shut off GT and caching and see if it will speed up any and work on caching some of the sql's maybe there is a sweet spot to be found. But even then I have to fix the switching of SSL so that it works as its sposed to. Hack in the contributions I need blah blah blah...

So today I'm going to give ZenCart another look and maybe just forget the nuke idea completely. Because this shouldn't be taking this much time just to decide if something is stable enough to use on a live site.
 
Raven
PostPosted: Wed Feb 09, 2005 8:06 am Reply with quote

Have you looked at WhoisCart?
 
djmaze
PostPosted: Wed Feb 09, 2005 8:38 am Reply with quote

@Mesum: i don't know what you have against CPG-Nuke, and this topic wasn't about it at all.
Did you see me or someone else posting about it ?
If you don't have something usefull to say, then don't.

@Raven: I don't think only kiddies run and abuse php-nuke. I've seen pro websites from big companies running on modified versions of php-nuke and postnuke.
Never seen WhoisCart but it seems promising.

@six: ZenCart is making a turn in the core which makes it harder to integrate in PHP-Nuke.
I did keep a close eye on a team from several CMS's to built overall useable Zen classes, but it has died silently.
 
Raven
PostPosted: Wed Feb 09, 2005 8:54 am Reply with quote

DJ,

You misunderstood my comment. When i said that kids use it as a playground, I meant they use the product as a test/play bed. I wasn't implying that the product is only used by kids.
 
sixonetonoffun
PostPosted: Wed Feb 09, 2005 10:43 am Reply with quote

Whoiscart has some really advanced features at an extrordinary price (wipe chin of drewl here) but it looks like its is geared towards selling hosting packages and electronic goods?

I'm not looking at putting out electronic goods for the site but actual widgets and whatgnots. Which why an osc base seemed the place to go for integrated shipping calculations ect... via USPS and UPS. Along with quickbooks exports for managment and so on.

Reason for considering a portal based site was the future expansion as a subscription site offering discounts and freebies to subscribed members, active authors and so on.

I'll probably wind up using osc2nuke7.4 but its going to be a lot of work but better then begining from scratch maybe. As long as we keep chatserv creating patches it will probably work out ok in the end.
 
Mesum
PostPosted: Wed Feb 09, 2005 11:58 am Reply with quote

Dj, let me assure you that I have nothing against CPGnuke and I do recommend it to others whenever there is the right time, I don't know where you getting the vibe that I am against CPGnuke. On the other hand, I can prove that CPGNuke's admins have been putting down PHP-Nuke whenever they can and this is what I didn't understand that you made a post to PHP-Nuke users saying there are 0 ways to make their websites secure.

Anyways, I don't wanna trash this thread.
sixonetonoffun, I think the problem is that OSC not working well with PHP-Nuke is that it's a huge script as well and whenever a newer version comes out, *OSC-to-Nuke teams have to start from point A again. I could be wrong, just a thought on it.
The idea still stands in the middle of nowhere that should one implant eCommerce with ANY *Nuke or other open source project at all? There are 3 shopping carts that looked very promising but have either died out or got put on hold by the authors.
1: Burnwave's Emporium (Now back to NSN Cart)
2: CCPro by GuitarFiles.
3: AserShop by X-Prices but does not support online payment gateways.

As for subscription systems, there are 2 popular systems out already and one by Telli is in progress but none of them are free or open source. I ended up with one add-on that works with PHP-Nuke's default "subscription system" but not sure if it's worth anything as of right now maybe once we are done with the final version of YA, we can start working on it together and release it as GPL.
 
Mesum
PostPosted: Wed Feb 09, 2005 12:00 pm Reply with quote

I just noticed my status "worker" this is funny, a jobless worker ROTFL
 
sixonetonoffun
PostPosted: Wed Feb 09, 2005 1:13 pm Reply with quote

:::Grumbles something like an apology for hijacking the topic::: Thinking some opinions will be best kept to myself...
 
sixonetonoffun
PostPosted: Wed Feb 09, 2005 3:42 pm Reply with quote

Maybe I spoke to soon about nukecommerce being in a rut Only registered users can see links on this board! Get registered or login!
will have to give that another look when its available.
 
djmaze
PostPosted: Wed Feb 09, 2005 4:11 pm Reply with quote

Sorry mesum i probably misunderstood you.
d*** sometimes different languages does give issues, now if the whole world spoke dutch i could atleast understand it all Laughing

Ah niceone about nukecommerce, i'm looking forward to your answer on it six...
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©