Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
Author Message
Tommytester
New Member
New Member


Joined: Apr 02, 2006
Posts: 7

PostPosted: Fri Jun 09, 2006 5:49 pm Reply with quote

Today I tried to access the admin area of my website and found I couldn't as it said password incorrect. When I checked the nsnst_admins area of the database the password and username were still as set but still I couldn't login.

I then checked the .staccess file to find "This Site Hacked By Mr & Miss SuZuki A Hacker From Iran"

I am using Sentinel 2.4.2pl4 and php nuke 7.7 patched 3.2 (I think)

Nothing else seems to have changed, but I am limited in knowledge and cannot find anything on the forum similar to give me some idea of the damage they have done, and how to rectify it. Any help would be appreciated.
 
View user's profile Send private message
gregexp
The Mouse Is Extension Of Arm


Joined: Feb 21, 2006
Posts: 1497
Location: In front of a screen....HELP! lol

PostPosted: Fri Jun 09, 2006 5:53 pm Reply with quote

did u leave ur .staccess chmod to 777?

_________________
For those who stand shall NEVER fall and those who fall shall RISE once more!! 
View user's profile Send private message Send e-mail Visit poster's website AIM Address Yahoo Messenger MSN Messenger ICQ Number
Tommytester
PostPosted: Fri Jun 09, 2006 5:55 pm Reply with quote

I honestly cannot remember, but it is set at 666 at the present so I suspect not !
 
gregexp
PostPosted: Fri Jun 09, 2006 5:59 pm Reply with quote

ok ...well all they did was write to it.. did sentinel setup the .htaccess or did u?
 
Tommytester
PostPosted: Fri Jun 09, 2006 6:04 pm Reply with quote

I would have set it up as I used the instructions found at nukescripts.net
 
gregexp
PostPosted: Fri Jun 09, 2006 6:31 pm Reply with quote

pls post the contents of ur .htacess without any personal info...plz fill the personal info in with somethin to let me know its actually there..just not ur info

ex

username:XXXX
 
Dauthus
Worker
Worker


Joined: Oct 07, 2003
Posts: 211

PostPosted: Fri Jun 09, 2006 8:34 pm Reply with quote

He has been busy. Just do a google search for Mr & Miss SuZuki.
Only registered users can see links on this board! Get registered or login!

_________________
Only registered users can see links on this board! Get registered or login!
Vivere disce, cogita mori 
View user's profile Send private message Visit poster's website
Tommytester
PostPosted: Sat Jun 10, 2006 2:50 am Reply with quote

This is the entire contents of it Darklord (appreciate the help - thankyou!)

# -------------------------------------------
# Start of NukeSentinel(tm) admin.php Auth
# -------------------------------------------
<Files .staccess>
deny from all
</Files>

<Files admin.php>
<Limit GET POST PUT>
require valid-user
</Limit>
AuthName "Restricted by NukeSentinel(tm)"
AuthType Basic
AuthUserFile /home/www/*****/*****/.staccess
</Files>
# -------------------------------------------
# End of NukeSentinel(tm) admin.php Auth
# -------------------------------------------deny from 84.66.99.228
 
jaded
Theme Guru


Joined: Nov 01, 2003
Posts: 1006

PostPosted: Sat Jun 10, 2006 3:06 am Reply with quote

the sentinel you were using is out of date. you must upgrade. Also, what damag3 do you see done to your site when viewing the homepage? Now that your staccess and htaccess are restored by you can you access your admin page?

_________________
Themes BB Skins Only registered users can see links on this board! Get registered or login!
Graphic Tees Only registered users can see links on this board! Get registered or login!
Paranormal Tees Only registered users can see links on this board! Get registered or login!
Ghost Stories & More Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
Tommytester
PostPosted: Sat Jun 10, 2006 3:14 am Reply with quote

I didn't realise there was an update - Laxness on my part!!

As far as I can see, no damage has been done, it was just the fact that I couldn't/can't access my admin page. As yet I have not restored any files as I was uncertain of the procedure. - Trying to understand a little of what is going on and how far this jerk got really.

I was hacked previously (before I installed Sentinel) which I am sure is the usual story, but last time they left a banner and changed the admin pw and un - This time they just apppear to have changed the .staccess file like - If I cannot get into it then neither will you attitude!
 
Tommytester
PostPosted: Sat Jun 10, 2006 4:48 pm Reply with quote

Seem to have got it all working again and have updated to the new 2.4.2pl9 version. Wont let that slip again!!

Can I assume the IP address found at the bottom of my .htaccess file above was that of the attacker as I had any attacker to write to .htaccess file in options ?
 
hitwalker
Sells PC To Pay For Divorce


Joined:
Posts: 5661

PostPosted: Sat Jun 10, 2006 5:07 pm Reply with quote

well the newest ip is written at the last line...
 
View user's profile Send private message
gregexp
PostPosted: Sat Jun 10, 2006 5:59 pm Reply with quote

thats true but the newest ip is on a commented out line i believe...so i dont think the server would have actually blocked that ip...the real question here is how did he access the .staccess with .htaccess set to block EVERY1 from directly accessing it...unless he uploaded a script designed to attack the .staccess...ok well this time...id sudjest u chmod to 666..let sentinel write to it...then AFTER sentinel has set ur admin access...chmod .staccess to 444...444 only lets somethin read from it..but not write to it...this is what i think happened and this should stop them from EVER writing to it...without root access of course.

Also delete these lines from .htaccess:

# -------------------------------------------
# Start of NukeSentinel(tm) admin.php Auth
# -------------------------------------------

# -------------------------------------------
# End of NukeSentinel(tm) admin.php Auth
# -------------------------------------------


i think the # symbol may be like a comment out line...so i dont think ur .htaccess is actually blockin that ip...it wont hurt anything to do this...but leave whats inbetween the lines as that will protect anyone from accessing the .staccess file directly

look throughout ur site for anything anyone canupload to ur server with.
And eliminate it..till u can find out EXACTLY what they did or test each one..if some is able to run a script on ur site..u need to find out how they did it...but setting the .staccess to chmod444 will prevent this from happening again

I repeat...let sentinel right all the admin passes to it FIRST
 
Tommytester
PostPosted: Sun Jun 11, 2006 1:43 am Reply with quote

I have made alterations to file as suggested and also chmoded to 444. Everything is working sweet again.

From what I have read I have committed a cardinal sin by installing Coppermine and that may be where the problems lie, but am unsure where or how to test my security.
 
Guardian2003
Site Admin


Joined: Aug 28, 2003
Posts: 6793
Location: Ha Noi, Viet Nam

PostPosted: Sun Jun 11, 2006 3:52 am Reply with quote

Anything that allows remote file upload will be an open invitation to hackers - period!
Whilst it is possible that a fix has been released for the last reported security issue with that module, you can bet right now that someone, somwhere is looking for another way in.
If you do not have to have it - don't use it is my motto.
Some sites rely on modules and other hacks that make use of remote file uploads so the best you can do in those cases is make sure you visit the authors site as often as you can to keep up to date with bugs and fixes AND make frequent back ups of your site and database.
 
View user's profile Send private message Send e-mail
gregexp
PostPosted: Sun Jun 11, 2006 10:38 am Reply with quote

glad my sudjestion helped...but remember if u take on a new admin..sentinel will block them till it writes to the .staccess .....it cannot right to the .staccess right now...u must chmod to 666 so it can write to it everytime u make a new admin. Then once it writes to it..change it back to 444

security can be a pain..but u have to work as hard if not harder then the hackers tryin to access ur site.
 
fkelly
Former Moderator in Good Standing


Joined: Aug 30, 2005
Posts: 3312
Location: near Albany NY

PostPosted: Sun Jun 11, 2006 3:41 pm Reply with quote

Let me just add one thing to the excellent suggestions made by others. Get used to reading your server logs. Such amusement can be found there. If you can figure out what IP that hacker used then you can use the find features in your browser (or download the files and look at them in an editor) and figure out what he/she is doing. You might even be able to see whether he's attacking Coppermine or not or whatever other means he's using. You'll see other interesting things there, like files that might be missing, miscellaneous errors etc. Such fun and it's free.
 
View user's profile Send private message Visit poster's website
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©