Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
Author Message
18-delta
Hangin' Around


Joined: Oct 08, 2003
Posts: 36
Location: U.S.

PostPosted: Sun Jan 15, 2006 11:36 pm Reply with quote

Raven, Long time since I have stopped by. Good to see the site thriving.

I have been hacked and would like any help that anyone can afford. I have been out of the Nuke loop for so long my technical know-how leaves something to be desired; so I have to give a layman's discription of what is going on. Hopefully someone will recognize the variant of attack and offer advice.

Descripton: To me it appears to be some type of redirect hack. When you enter my web address my site will start to load. You can even see the site loading briefly before the browser screen turns into a page that simply says "Hacked?" in large letters in the middle of the screen. If you type in my web address but use moduels.php, admin.php, or any other besides index.php, the result is the same. I am able to hit the browser's stop button before the malicious page pops up. When doing so, it will stop the loading of the page and I can see my site. It appears that nothing in the site has been altered i.e. deleted, added, etc. However, I cannot log in as an admin . Not because the name or password has been changed, but because I am unable to stop the page at precisely the right time so i can see the security numbers so that I can enter them. (The redirect happens too fast)

I logged in to my adminstration Deck so I could take a peek behind the scenes. Again, I can see nothing SIMPLE that has been altered, such as a new user. I did take a peek at the logs but I don't know what I'm looking for. The good thing is that my logs for each day are very small because my site gets very little traffic.

My best uneducated guess is that they did some type of SQL injection. I don't think they hacked my password and altered things that way.

I am also running a sub-domain which has not been affected and to the best of my knowledge is unaltered. My goal here is to simply restore mormalcy to my main domain site. Once I have got that I will probably take it down and rebuild it with something besides Nuke. Not because I don't like Nuke but simply because my hosting service does not provide me the ability to update it (I tried in the past but was unsuccessful). The version I am running on my main domain is older and therefore I am sure has tons of vulnerabilities. My sub domain I have kept up on updates.

The website link is below. Hopefully my description, and a look for yourself, will be enough for someone to point me in the right direction so I can clean it up and move on. Sorry for not being able to provide more technical desciptors. Like I said, I have been out of the loop for a while and have probably forgotten 70% of what I used to know.

Thanks,
18-delta
Only registered users can see links on this board! Get registered or login!
 
View user's profile Send private message Visit poster's website
evaders99
Former Moderator in Good Standing


Joined: Apr 30, 2004
Posts: 3221

PostPosted: Mon Jan 16, 2006 1:10 am Reply with quote

Hmm sorry, I don't see anyting in that link. Only the webpage index

_________________
- Only registered users can see links on this board! Get registered or login! -

Need help? Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
18-delta
PostPosted: Mon Jan 16, 2006 1:24 am Reply with quote

I am messing with it now. Yeah I'm lost...... Please disregard until I can give you guys something more specific.

At this point all I can say is that the Index.php in my default directory which points to the installed Nuke has been removed by me. Therefore one can not see the problem I described above at this time. If you wish to take a look here is the link:
Only registered users can see links on this board! Get registered or login!

I am trying to track it all down.

thanks for taking a look evaders99.
 
VinDSL
Life Cycles Becoming CPU Cycles


Joined: Jul 11, 2004
Posts: 614
Location: Arizona (USA) Admin: NukeCops.com Admin: Disipal Designs Admin: Lenon.com

PostPosted: Mon Jan 16, 2006 1:32 am Reply with quote

Try: Only registered users can see links on this board! Get registered or login! Wink

_________________
.:: "The further in you go, the bigger it gets!" ::.
.:: Only registered users can see links on this board! Get registered or login! | Only registered users can see links on this board! Get registered or login! ::. 
View user's profile Send private message Visit poster's website ICQ Number
VinDSL
PostPosted: Mon Jan 16, 2006 1:37 am Reply with quote

Hrm... Interesting...

Looks like there's redirect in your CSS file to Only registered users can see links on this board! Get registered or login!
 
VinDSL
PostPosted: Mon Jan 16, 2006 1:47 am Reply with quote

More clues...

Disabling Javascript brings up your site just fine!
 
18-delta
PostPosted: Mon Jan 16, 2006 1:52 am Reply with quote

OK....???... somebody hacked the css file for the default theme i have for the site?

If so, is this a theme vulnarability or am I looking at a whole nother monster?
 
VinDSL
PostPosted: Mon Jan 16, 2006 1:57 am Reply with quote

Aha! Bogies at the bottom of your index file...

Code:
<body topmargin=0 leftmargin=0 onload="document.body.innerHTML='<iframe width=100% height=100% src=http://redirect1.sitemynet.com/></iframe>';">

<body topmargin=0 leftmargin=0 onload="document.body.innerHTML='<iframe width=100% height=100% src=http://redirect1.sitemynet.com/></iframe>';">
<body topmargin=0 leftmargin=0 onload="document.body.innerHTML='<iframe width=100% height=100% src=http://redirect1.sitemynet.com/></iframe>';">
 
VinDSL
PostPosted: Mon Jan 16, 2006 2:00 am Reply with quote

18-delta wrote:
OK....???... somebody hacked the css file for the default theme i have for the site?

If so, is this a theme vulnarability or am I looking at a whole nother monster?

Hard to say, but I think the first place I would look is inside my footer code... Wink
 
18-delta
PostPosted: Mon Jan 16, 2006 2:05 am Reply with quote

ok, thanks VIN. Not to sure what I'm looking for but i will keep searching through the files.

One mess at a time LOL.
 
VinDSL
PostPosted: Mon Jan 16, 2006 2:08 am Reply with quote

Heh! Happy hunting!
 
18-delta
PostPosted: Mon Jan 16, 2006 2:12 am Reply with quote

Vin. Where did you pull that code from? I threw my index file into an editor and don't see it anywhere?
 
VinDSL
PostPosted: Mon Jan 16, 2006 2:13 am Reply with quote

Here's another clue for you... check out the footer on this site:
Only registered users can see links on this board! Get registered or login!

Looks like a failed attempt... ROTFL
 
VinDSL
PostPosted: Mon Jan 16, 2006 2:15 am Reply with quote

18-delta wrote:
Vin. Where did you pull that code from? I threw my index file into an editor and don't see it anywhere?

How does your (root) 'footer.php' file look? I think I'd check that first...
 
djmaze
Subject Matter Expert


Joined: May 15, 2004
Posts: 719
Location: http://tinyurl.com/5z8dmv

PostPosted: Mon Jan 16, 2006 2:23 am Reply with quote

Pff what a waste of time.

1. Download and install FireFox
2. Install Only registered users can see links on this board! Get registered or login!
3. Disable JavaScript thru webdeveloper
4. Admin -> Settings

Or just run the following query
Code:
UPDATE nuke_config SET footer1='';
 
View user's profile Send private message Visit poster's website
VinDSL
PostPosted: Mon Jan 16, 2006 2:25 am Reply with quote

djmaze wrote:
Pff what a waste of time...


Come on, Cowboy, this is fun! Smile

Quote:
“Give a man a fish; you have fed him for today. Teach a man to fish; and you have fed him for a lifetime.”
 
18-delta
PostPosted: Mon Jan 16, 2006 2:31 am Reply with quote

My root footer looks fine.

already use firefox, and disabled javascript.
 
VinDSL
PostPosted: Mon Jan 16, 2006 2:37 am Reply with quote

Probably a SQL injection then...

I think I'd check my `nuke_config` table next. See how your foot fields look, e.g. 'foot1', 'foot2', 'foot3', et cetera...
 
VinDSL
PostPosted: Mon Jan 16, 2006 3:03 am Reply with quote

Oh, BTW... Only registered users can see links on this board! Get registered or login!
 
18-delta
PostPosted: Mon Jan 16, 2006 3:04 am Reply with quote

found it in foot1.

man.....

So do i just dump the data out of foot1?

I dont know what the original had in it.

More importantly, how can I avoid an injection like this inthe future?

Thanks in advance Vin.


I am heading off to bed and will check back in the morning.
 
VinDSL
PostPosted: Mon Jan 16, 2006 3:18 am Reply with quote

18-delta wrote:
found it in foot1. man... So do i just dump the data out of foot1?

Cool! Cheers

Well, all that is, as the name implies, is the first line in your footer message. Mine is, like, 'Copyright 1996-2005 Lenon.com All rights reserved', or whatever...

As far as protecting yourself in the future -- I don't know how this Turkish hacker injected the code. What I would so is go through my logs, line-by-line and see how he did it -- then, close the loophole.

Anyway, glad to see you found the problem!

Latez!
 
18-delta
PostPosted: Mon Jan 16, 2006 3:22 am Reply with quote

Cool. thanks man!!

I will scour the logs and post anything I find.

Sincerely, thanks for your time.
 
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 17086

PostPosted: Mon Jan 16, 2006 9:51 am Reply with quote

This hack is usually accomplished by them adding an admin to your authors table and possibly a user record too. Be sure to check that out. If you find that is the case, NukeSentinel(tm) easily stops that. Are you using NS?
 
View user's profile Send private message
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©