Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> WYSIWYG - Raven's RavenNuke(tm) v2.x Distro
Author Message
gbhughs
Regular
Regular


Joined: Sep 11, 2004
Posts: 84

PostPosted: Mon May 01, 2006 10:55 am Reply with quote

Somebody hacked my site today and somehow changed the title of every side block and news block. It has also changed the articles and stories heading too.

Only registered users can see links on this board! Get registered or login! to see what has happened.

Where would this be called up from?

Thanks in advance
 
View user's profile Send private message
gbhughs
PostPosted: Mon May 01, 2006 11:05 am Reply with quote

I think but I am not sure, but nuke sentinel has been screwed with......

In my php admin the table nuke_nsnst_tracked_ips has an error.

Quote:
Error

SQL query: Edit

SHOW INDEX FROM `nuke_nsnst_tracked_ips` ;

MySQL said: Documentation
#1016 - Can't open file: 'nuke_nsnst_tracked_ips.MYI' (errno: 145)


It looks like my problem is here........
 
gbhughs
PostPosted: Mon May 01, 2006 11:30 am Reply with quote

In my php admin the table nuke_nsnst_tracked_ips

Does not exist and it sez that the table has crashed.

Any suggestions??
 
fkelly
Former Moderator in Good Standing


Joined: Aug 30, 2005
Posts: 3312
Location: near Albany NY

PostPosted: Mon May 01, 2006 12:00 pm Reply with quote

Check server logs to see if you can determine what happened and what IP it came from. If you can and you can isolate it to an IP then ban that one in .htaccess immediately.

Restore the tables from the recent backup that you have. Probably should dump the current tables out to a sql file that you can look at later.

It would be helpful if you'd post Nuke Version, patch level and Sentinel level.
 
View user's profile Send private message Visit poster's website
gbhughs
PostPosted: Mon May 01, 2006 12:16 pm Reply with quote

I am using 76v2.02.....

As for the patch level (havent installed one) and nuke sentinel (came with the pkg)

I fixed the table for Sentinel.

So you think I should restore my tables with my most recent backup?
 
gbhughs
PostPosted: Mon May 01, 2006 2:19 pm Reply with quote

My admin block and waiting content block are uneffected by the hack if that helps.......
 
fkelly
PostPosted: Mon May 01, 2006 3:10 pm Reply with quote

Sorry, been out but was thinking. To help out with some questions that others may have maybe you could post a description of what you did to load RN 2.02. I ask because it's obvious that you have somehow incorporated content from your old web page and I think folks would be interested in how you accomplished that and whether any of the tables from the Ravennuke install have been "compromised". For instance, did you run the installSQL.php program and go thru all the steps in it? Then do the setup.php step and customize Sentinel. And after that did you restore any/all of your old tables on top?

Also, assuming your host supports it, you might want to download recent log files onto your home pc so you have them available for "forensics" whenever you have time to go into it. Sometimes log files disappear from a host after a while and you might need to look at these over time. I know one thing I've done after I find a suspicious IP address is to use the find command in Firefox to step thru the logs (or in an editor if I've downloaded them) and sort of trace what that IP address was doing on the system. Sometimes you can reconstruct what they did.

You might also want to just check your authors table to make sure that didn't get compromised.
 
gbhughs
PostPosted: Mon May 01, 2006 3:26 pm Reply with quote

fkelly wrote:
Sorry, been out but was thinking. To help out with some questions that others may have maybe you could post a description of what you did to load RN 2.02. I ask because it's obvious that you have somehow incorporated content from your old web page and I think folks would be interested in how you accomplished that and whether any of the tables from the Ravennuke install have been "compromised".


Not sure what you meant here: I did transfer over my members from a pn nuke site, if that is what you mean?

fkelly wrote:
For instance, did you run the installSQL.php program and go thru all the steps in it? Then do the setup.php step and customize Sentinel. And after that did you restore any/all of your old tables on top?


I followed all the instructions in the doc files when I installed this.

fkelly wrote:
You might also want to just check your authors table to make sure that didn't get compromised.


What would I be checking for, gotta tell ya I'm kinda green with phpnuke so bear with me..........
 
Stang5_0
Hangin' Around


Joined: Oct 17, 2002
Posts: 49
Location: Phoenix, AZ

PostPosted: Mon May 01, 2006 4:25 pm Reply with quote

FYI

I am now having the same issue when lookin with myphpadmin, and I have made no changes recently. Can you please PM me the IP if you have one or post it here so we can compare notes?

Thanks,
Stang
 
View user's profile Send private message Visit poster's website AIM Address Yahoo Messenger ICQ Number
gbhughs
PostPosted: Mon May 01, 2006 4:30 pm Reply with quote

I just noticed that I posted this in the wrong place........

I posted another one here: Only registered users can see links on this board! Get registered or login!

We should probably delete this one (Raven?) and compare notes on that thread Stang5_0?

What is the url of your site?
 
Stang5_0
PostPosted: Mon May 01, 2006 4:43 pm Reply with quote

Um....
Isn't that the url of this thread?
 
gbhughs
PostPosted: Mon May 01, 2006 4:46 pm Reply with quote

Your right, sorry.....

As you can see it has been a very long and trying day.

Here is the right one Only registered users can see links on this board! Get registered or login!
 
evaders99
Former Moderator in Good Standing


Joined: Apr 30, 2004
Posts: 3221

PostPosted: Mon May 01, 2006 5:46 pm Reply with quote

You could try to repair the table
Code:


REPAIR TABLE `nuke_nsnst_tracked_ips` ;


They probably did this to remove the traces of the attack. In which case, you will need to go to your server access logs

_________________
- Only registered users can see links on this board! Get registered or login! -

Need help? Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
gbhughs
PostPosted: Mon May 01, 2006 6:07 pm Reply with quote

I did repair the table and it is still there......
 
kguske
Site Admin


Joined: Jun 04, 2004
Posts: 6383

PostPosted: Mon May 01, 2006 8:38 pm Reply with quote

Sorry to jump in - since this thread is in the WYSIWYG forum - was that intentional?

Ooops - I saw the post in the other thread. Should we close this one?

_________________
I google, therefore I exist...
Only registered users can see links on this board! Get registered or login!
 
View user's profile Send private message
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> WYSIWYG - Raven's RavenNuke(tm) v2.x Distro

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©