Ravens PHP Scripts: Forums
Forum: Security - PHP Nuke
Unit1
Worker


Joined: Oct 26, 2004
Posts: 134
Location: Boston

Posted: Mon Nov 28, 2005 7:08 pm

Raven, I need your help in trying to understand how someone could put a bot on my site. I just got home, and for the past year I have tried to keep the site locked down, but when I went to the site tonight the hosting company had deleted the whole site on me with no email beforehand. Just gone, never to be seen again $#@$. The results of their scan are below.

My site was up to date and patched: 7.8, including the latest upgrades to v3.1x and phpBB 2.0.17 from chatserv. The only thing I did not have was Sentinel, and I am kicking myself for not having it. Anyway, the hosting company's scan results are below. Can you help me understand what could have happened and how to stop this from ever going on again? I am just soooo peed off right now; one year of hard work on the site is now gone. What can I do so that I never have to go through this again? Please, any help on this.

----------
SERVER LOG
----------
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sh 15297 cwd DIR 3,8 4096 13518449 /home/public_html/vwar/includes/language/bot
/home/public_html/vwar/includes/language/bot/LinkEvents
sh 15297 *** 1u IPv4 293748709 TCP :****->London2.UK.EU.undernet.org:ircd

-----------------------------------------------------------


Last edited by Unit1 on Mon Nov 28, 2005 9:19 pm; edited 3 times in total 
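The host's log above is lsof output: one line gives the shell's working directory (a "bot" folder under the vWar language directory), the next shows the same PID holding a TCP connection to an Undernet IRC server. As an added example that is not part of the original thread, the script below parses lsof-style output and flags any process whose working directory sits under a web document root while it also has an outbound connection to an IRC port or IRC-looking host. The sample log is constructed to resemble the posted one; the PIDs, user names, device and node numbers are made up, and the web-root prefixes in WEB_ROOTS are an assumption about where a host keeps document roots.

```python
"""Flag processes whose lsof record looks like an IRC bot dropped under a web root.

Added example, not from the forum thread. Real output is produced with
`lsof -n` (or `lsof -n -P`, which prints numeric ports such as 6667 instead
of the service name "ircd"); both spellings are covered below.
"""
from collections import defaultdict

# Service names / numeric ports commonly used for IRC (assumption: adjust per host).
IRC_PORTS = {"ircd", "6665", "6666", "6667", "6668", "6669", "7000"}
# Prefixes under which this host keeps customer document roots (assumption).
WEB_ROOTS = ("/home/", "/var/www/")

# Constructed sample modelled on the thread's log; every number and name is made up.
SAMPLE_LSOF = """\
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sh 15297 web1 cwd DIR 3,8 4096 13518449 /home/web1/public_html/vwar/includes/language/bot
sh 15297 web1 1u IPv4 293748709 TCP 10.0.0.5:51234->irc.example.net:ircd
httpd 2201 apache cwd DIR 3,8 4096 2 /
httpd 2201 apache 4u IPv4 100 TCP *:http (LISTEN)
perl 15310 web1 cwd DIR 3,8 4096 13518449 /home/web1/public_html/vwar/includes/language/bot
perl 15310 web1 3u IPv4 293748800 TCP 10.0.0.5:51240->203.0.113.9:6667
"""


def parse_lsof(text):
    """Group lsof lines by PID, collecting the cwd and every remote TCP endpoint."""
    procs = defaultdict(lambda: {"command": "", "user": "", "cwd": "", "remotes": []})
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] == "COMMAND":   # skip blanks and the header
            continue
        command, pid, user, fd = fields[:4]
        rec = procs[pid]
        rec["command"], rec["user"] = command, user
        if fd == "cwd":
            rec["cwd"] = fields[-1]                      # NAME is the last column
        elif "TCP" in fields:
            conn = fields[fields.index("TCP") + 1]       # e.g. 10.0.0.5:51234->host:port
            if "->" in conn:                             # established, not LISTEN
                rec["remotes"].append(conn.split("->", 1)[1])
    return dict(procs)


def looks_like_irc(remote):
    """True if host:port points at an IRC port or a host whose name mentions irc."""
    host, _, port = remote.rpartition(":")
    return port in IRC_PORTS or "irc" in host.lower()


def find_irc_bots(text, web_roots=WEB_ROOTS):
    """Return processes rooted under a web directory that talk to IRC, sorted by PID."""
    findings = []
    for pid, rec in parse_lsof(text).items():
        under_web = rec["cwd"].startswith(web_roots)
        irc = [r for r in rec["remotes"] if looks_like_irc(r)]
        if under_web and irc:
            findings.append({"pid": int(pid), "command": rec["command"],
                             "user": rec["user"], "cwd": rec["cwd"], "remote": irc[0]})
    return sorted(findings, key=lambda f: f["pid"])


if __name__ == "__main__":
    for f in find_irc_bots(SAMPLE_LSOF):
        print(f"PID {f['pid']} ({f['command']}, user {f['user']}) cwd={f['cwd']} -> {f['remote']}")
```

On a real host you would feed it the saved output of `lsof -n` rather than the sample; the point of combining the two signals is that a web-root working directory on its own is normal for CGI, and an IRC connection on its own is normal for a customer's legitimate client, but a process that has both is worth suspending and investigating before anything is deleted.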
kguske
Site Admin


Joined: Jun 04, 2004
Posts: 6383

Posted: Mon Nov 28, 2005 7:19 pm

I guess it doesn't matter now, but I'd recommend editing out your root path from future postings.

That said, 7.8, even patched, has security flaws even NukeSentinel can't protect / prevent / block. This has been widely discussed here.

I'd suggest using a patched 7.6 distribution - like the one Raven posted here - with NukeSentinel.

Be careful with upload or photo gallery scripts that allow uploading as these can also cause problems.

_________________
I google, therefore I exist...
evaders99
Former Moderator in Good Standing


Joined: Apr 30, 2004
Posts: 3221

Posted: Mon Nov 28, 2005 8:05 pm

Seems to be a vulnerability with vWar, not phpNuke itself. You'd need access logs to determine how they did it.

Unit1
Posted: Mon Nov 28, 2005 8:53 pm

I was going to get the logs, but they did not email me that they were going to delete the site, so I could not.

I am just so pi$$ed off right now at the hosting company for not at least trying to email me before they did this. So I guess no Coppermine and no vWar, plus getting Raven's patched version, should stop this.

And I am sorry for not doing a search; I'm just too angry right now to read. I would like to talk to the hosting people in person. That might help also. Wink
 
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 17086

Posted: Mon Nov 28, 2005 8:58 pm

Third party scripts that allow upload of any kind are always dangerous. Unfortunately, you had to learn the hard way. You might consider Raven Web Hosting. I would have at least warned you Smile
 
Unit1
Posted: Mon Nov 28, 2005 9:02 pm

Now you tell me, gezzzzzz. Thanks Raven, and I will do that soon.


Last edited by Unit1 on Tue Nov 29, 2005 9:00 am; edited 1 time in total 
Guardian2003
Site Admin


Joined: Aug 28, 2003
Posts: 6793
Location: Ha Noi, Viet Nam

Posted: Mon Nov 28, 2005 9:59 pm

Wow, I am astounded that your host deleted your account.
Most decent hosts would have simply suspended it so the problem could be verified, discussed and a possible solution drawn up.
Then, if needed, it could have been activated again temporarily so you could at least have retrieved your files and DB.
 
technocrat
Life Cycles Becoming CPU Cycles


Joined: Jul 07, 2005
Posts: 511

Posted: Tue Nov 29, 2005 10:34 am

I agree with Guardian, that seems a bit harsh on the host's part.

money
New Member


Joined: Aug 24, 2003
Posts: 11

Posted: Wed Nov 30, 2005 9:32 am

Undernet is an IRC network. Maybe these guys uploaded eggdrop and were operating bots on your server. A couple months ago, outsiders uploaded eggdrop through a security hole in PostNuke on a few accounts at my host. They didn't go very far because our servers are scanned every few seconds, and oddball processes are immediately killed.

Although deleting an account is devastating to a customer, perhaps the host didn't catch them early enough and had no choice here. Their responsibility is to protect the server for all occupants. They should have at least notified you immediately afterwards.
 
Raven
Posted: Wed Nov 30, 2005 9:40 am

I do the same with my servers. Eggdrop is such a common one. They could have (should have imo) suspended the account and done what they needed to. That's the whole point, imo. Knee jerk reactions are silly.
 
Unit1
Posted: Wed Nov 30, 2005 11:55 am

I do understand that they have to protect the hosting system, but could this bot do anything to the MySQL data? I am still at a loss as to what could have been saved. The way I look at it, what if I was someone like Amazon or something like that? Do you then just go ahead and delete their whole site so that they lose everything? We all put a lot of time and effort into the site, and with all the members and posts now gone, I kind of want to think that the tables could have been saved.

Also, can anyone let me know of some type of program that I can use to do my own scans on the site? I do scan anything that I upload to it here on my system beforehand. I would like to try to stop this from ever getting to the point that they do a scan on their end and whoshhhhh, GONE again.
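Scanning uploads on your own PC does not catch files an attacker writes to the server through a hole in a third-party script, which is how the "bot" directory under vwar/includes/language appeared in the first place. The usual answer is a file-integrity baseline: record a hash of every file after a clean deploy, keep that baseline off the server, and diff it regularly so new, changed or missing files stand out. The script below is an added example (not from the thread or from any of the products mentioned); it builds the baseline with SHA-256, and demo() constructs a throwaway site tree, simulates a dropped bot directory and a modified index page, and returns the diff. The file names in demo() are made up.

```python
"""Baseline-and-diff file integrity check for a web root.

Added example, not from the forum thread. snapshot() hashes every file under
a directory; diff_snapshots() compares two snapshots; demo() shows the flow on
a constructed temporary tree.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each file's path (relative to root) to its SHA-256 hex digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_snapshots(baseline, current):
    """Report files that appeared, disappeared, or changed since the baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def save_baseline(snap, path):
    """Write the baseline as JSON; keep this copy off the web server (assumption:
    an attacker who can write to the site could otherwise rewrite it too)."""
    Path(path).write_text(json.dumps(snap, indent=1, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def demo():
    """Constructed scenario: clean deploy, then a bot dropped into a language dir."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "public_html"
        (root / "includes" / "language").mkdir(parents=True)
        (root / "index.php").write_text("<?php echo 'home'; ?>\n")
        (root / "includes" / "language" / "lang-english.php").write_text("<?php // strings ?>\n")

        baseline_file = Path(tmp) / "baseline.json"   # in practice: stored off-server
        save_baseline(snapshot(root), baseline_file)

        # Simulate the compromise described in the thread: a new "bot" directory
        # under the language folder, plus a tampered front page (constructed content).
        (root / "includes" / "language" / "bot").mkdir()
        (root / "includes" / "language" / "bot" / "eggdrop.conf").write_text("set nick constructed\n")
        (root / "index.php").write_text("<?php echo 'defaced'; ?>\n")

        return diff_snapshots(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run snapshot() against the document root right after each clean install or upgrade and store the JSON somewhere the web server cannot write; a scheduled diff that reports any non-empty "added" or "modified" list gives you the warning this host never sent.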
 
Raven
Posted: Wed Nov 30, 2005 12:37 pm

They should still have a backup of all your stuff. I would try to get it.
 
Unit1
Posted: Wed Nov 30, 2005 1:17 pm

It would not help me, Raven. This is what I got back from them, so I could not use the backup of my Nuke database.

Unfortunately it appears your account may have been compromised. We found several hacking-related scripts under the ownership of your user account. These scripts when we locate them are usually found in the /tmp directory of the main server, but sometimes are located within the user account itself.

Please keep in mind that we do not explicitly go looking for these scripts, we merely suspend when we come across them and or we find them through investigation of high-resource usage stemming from your account (usually caused by those scripts themselves).

While we terminate any exploits found in /tmp upon discovery, this leads to an exploit or other abuse-related issue contained within your user account.

As a result of this, we will need to terminate the account and reinstate it as a fresh, brand new account to rid your account of the trailing abusive scripts that were installed to your site as a result of the exploit/hacking/abuse.

Please confirm this action by posting the last four digits of the Credit Card on file with the account and we will go ahead and regenerate this account for you.

Please note you will not be permitted to reload any backups dated from this suspension date or later to the server, for risk of setting your account back up for exploitation again. Sad

Unfortunately security down to this account-level cannot be controlled by us, it is left up to you, the client, to maintain that level of security. We will continue to do our part with overall server security.

Upon reinstatement of your account it would be wise to change all account passwords as well as ensure you only install the latest and greatest versions of the scripts you employ.

Let us know if we can do anything further to assist.
 
Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours