Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
Author Message
giantmidget
Regular
Regular


Joined: Nov 27, 2005
Posts: 53

PostPosted: Mon Jan 02, 2006 8:55 pm Reply with quote

Currently, it's suspended until I can coordinate with my webhost to be available to disable the site through Sentinel and find the problem.

This is a fully patched 7.6 version of nuke, with Raven Sentinel installed, and Forums are current up through .18

My webhost just emailed me to let me know that it had to be suspended because a script had been used to make phpnuke send out over 25,000 emails in the last 24 hours.

Do you know what could cause this ? What should I look for when my site is activated again ?

I would ask how to prevent this in the future, but not knowing exactly what was done, I guess I will have to wait.



-----

On a side not, maybe related, maybe not. My gt-nextgen suddenly stopped working about 2 weeks ago with no site changes. Also, I have a story database that allows users to upload text stories (Fictioneer module) which has not been acting properly either. Uses can submit the first chapter, but not subsequent chapters. As an admin, I can add any.

Also, there was a folder in the stories folder, which contains usernames folders with the chapters they uploaded, that I could not delete. The user folders were something like 1234567890 and ___________________

I don't know if thats even related to the latest issues, but thats all the info I have at this time.
******
EDIT: I just found out my site was upgraded from PHP 4.3.11 to 4.4.1, so that may possibly be the cause of the latter. If so, I am clueless whats changed and how to rework.
 
View user's profile Send private message
VinDSL
Life Cycles Becoming CPU Cycles


Joined: Jul 11, 2004
Posts: 614
Location: Arizona (USA) Admin: NukeCops.com Admin: Disipal Designs Admin: Lenon.com

PostPosted: Tue Jan 03, 2006 12:29 am Reply with quote

giantmidget wrote:
Currently, it's suspended until I can coordinate with my webhost to be available to disable the site through Sentinel and find the problem.

This is a fully patched 7.6 version of nuke, with Raven Sentinel installed, and Forums are current up through .18

My webhost just emailed me to let me know that it had to be suspended because a script had been used to make phpnuke send out over 25,000 emails in the last 24 hours.

Do you know what could cause this ? What should I look for when my site is activated again ?

I would ask how to prevent this in the future, but not knowing exactly what was done, I guess I will have to wait.


You might want to investigate this thread... Wink
Only registered users can see links on this board! Get registered or login!

_________________
.:: "The further in you go, the bigger it gets!" ::.
.:: Only registered users can see links on this board! Get registered or login! | Only registered users can see links on this board! Get registered or login! ::. 
View user's profile Send private message Visit poster's website ICQ Number
giantmidget
PostPosted: Tue Jan 03, 2006 2:07 pm Reply with quote

Do you have a working update ? I currently use Ravens php 7.6 package.

How would I find out whether the exploit was indeed done through the feedback, recommend us module ?


--------------

I just accessed my site and found one blocked IP for script abuse. They uploaded something supposedly as a story, but it had script. It had a lot of red and green commands. This site would not let me repost it or PM it.

Would anyone care to have at look at the abuse email I got ? Also, is it possible the script hack happened, blocked the IP, but the damage was done and allowed emails to go out ?
 
giantmidget
PostPosted: Tue Jan 03, 2006 3:24 pm Reply with quote

In my modules folder, I found the following and deleted them:

dark.php

drk.php

inc.php

mmm-dont.php (script title: Spammer r3l04d3d by cyb3rc0d3r )

All seemd to be bad files.

I run SPChat on the site, and also, the primary thing on my site is a fanfiction database which allows users to upload stories as text files with minimal html like <center>

Any ideas on what to do ? or how this happened ?

Also, I have a folder in my stories folder named: 12345678910111213

I cannot delete this folder for some reason. This stories folder contains site users folders who upload stories, and their text for each chapter.

Also, are any passwords compromised, and if so, what do I need to do to secure ?
 
technocrat
Life Cycles Becoming CPU Cycles


Joined: Jul 07, 2005
Posts: 511

PostPosted: Tue Jan 03, 2006 6:15 pm Reply with quote

SPChat has a hole in that allows remote files to be uploaded. Thats where you got attacked. I would suggest turning it off and change all your admin passwords, and your db password.

_________________
Only registered users can see links on this board! Get registered or login!
Only registered users can see links on this board! Get registered or login! / Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message
giantmidget
PostPosted: Wed Jan 04, 2006 2:38 pm Reply with quote

What about Fictioneer ? Is that a possible hole ?

What it does is take general info like title, username, summary, and also saves a .txt file in that users folder. Could this be a possible way for this to happen ?

If so, my popular site is in major trouble, as the fanfiction database is the only reason anyone goes to it.


Referring to my database password, do you mean the one listed in my config.php ?
 
jaded
Theme Guru


Joined: Nov 01, 2003
Posts: 1006

PostPosted: Wed Jan 04, 2006 2:42 pm Reply with quote

giantmidget wrote:



Referring to my database password, do you mean the one listed in my config.php ?


Yes, that is what he meant. Please change that in your cpanel and then in your config file and anywhere else that you might have put it.

_________________
Themes BB Skins Only registered users can see links on this board! Get registered or login!
Graphic Tees Only registered users can see links on this board! Get registered or login!
Paranormal Tees Only registered users can see links on this board! Get registered or login!
Ghost Stories & More Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
Guardian2003
Site Admin


Joined: Aug 28, 2003
Posts: 6792
Location: Ha Noi, Viet Nam

PostPosted: Wed Jan 04, 2006 3:30 pm Reply with quote

giantmidget wrote:
What about Fictioneer ? Is that a possible hole ?

What it does is take general info like title, username, summary, and also saves a .txt file in that users folder. Could this be a possible way for this to happen ?
If so, my popular site is in major trouble, as the fanfiction database is the only reason anyone goes to it.

It is certainly possible as a quick check of the files reveals there is no real checking of what is submitted but I'm only aware there was a problem with V1.0 - I cannot remember what the exact issue was with it.
 
View user's profile Send private message Send e-mail
giantmidget
PostPosted: Wed Jan 04, 2006 4:32 pm Reply with quote

I recieved one abuse report, but I am not sure it was a script hack, but possibly someone trying to put up a flashy story title.


The script was:
Script created by Lefteris Haritou
(lef@the.forthnet.gr)
Permission granted to Dynamicdrive.com to feature the script
For more DHTML scripts, visit Dynamicdrive.com

and the messages put in the script were title, summary, etc.



ow, with the spchat exploit, would that get by Sentinel ?
 
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 17077

PostPosted: Thu Jan 05, 2006 1:34 am Reply with quote

As stated many times, NukeSentinel(tm) cannot and does not police third party scripts.
 
View user's profile Send private message
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©