Psycho
Worker
Joined: May 27, 2006
Posts: 157
Posted: Tue Aug 22, 2006 12:32 pm

About 2 days ago I had a hack attempt on my site which Sentinel picked up on and all seemed OK. Then today I went on to the forum admin. The preview forum link comes up with page cannot be displayed. Then when I try to go to forum management or permissions it comes up with "Hacking attempt!". Why is it doing that?


Last edited by Psycho on Wed Aug 23, 2006 10:45 am; edited 2 times in total

hitwalker
Sells PC To Pay For Divorce
Joined:
Posts: 5661
Posted: Tue Aug 22, 2006 1:37 pm

Is ?? a description?

And see if this helps..

Psycho
Posted: Tue Aug 22, 2006 5:30 pm

That is about removing a title bar; I have a problem with the admin for the forum.

montego
Site Admin
Joined: Aug 29, 2004
Posts: 9133
Location: Arizona
Posted: Wed Aug 23, 2006 9:24 pm

Nice description... Thx.

Now, please log out of admin and normal user (if logged in), delete cookies and cache, close the browser and come back in to admin.php. First, before doing anything, make sure you can still get to Forums admin.... one step at a time.

Please post what the ban from Sentinel was (remove anything that could be specific to your paths, etc., if there in the text).

Also, check your web server logs from the time NS tripped the ban and see if anything looks suspicious. And, you may want to check your files to make sure nothing has been overwritten / deleted.

This may all be for nothing, but this is "Triage", just to make sure there isn't really a hack that occurred. If you find nothing, then we can work more methodically on trying to figure out what is wrong.

Psycho
Posted: Wed Aug 23, 2006 9:46 pm

OK, well, I removed cookies and cache and restarted the web browser and no change. The ban from Sentinel was someone else and I don't think it was connected, although here's what the report said:

Code:
Date & Time: 2006-08-21 21:57:28 BST GMT +0100
Blocked IP: 71.201.247.*
User ID: Guest (1)
Reason: Abuse-Union
--------------------
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Query String:
Get String:
Post String:
Forwarded For: none
Client IP: none
Remote Address: 71.201.247.1
Remote Port: 2354
Request Method: GET
--------------------
Who-Is for IP
OrgName:    Comcast Cable Communications, Inc.
OrgID:      CMCS
Address:    1800 Bishops Gate Blvd
City:       Mt Laurel
StateProv:  NJ
PostalCode: 08054
Country:    US

NetRange:   71.192.0.0 - 71.207.255.255
CIDR:       71.192.0.0/12
NetName:    ATT-COMCAST
NetHandle:  NET-71-192-0-0-1
Parent:     NET-71-0-0-0-0
NetType:    Direct Allocation
NameServer: DNS.INFLOW.PA.BO.COMCAST.NET
NameServer: DNS.CMC.CO.DENVER.COMCAST.NET
Comment:   
RegDate:    2005-07-27
Updated:    2006-07-11

OrgAbuseHandle: NAPO-ARIN
OrgAbuseName:   Network Abuse and Policy Observance
OrgAbusePhone:  +1-856-317-7272
OrgAbuseEmail: 

OrgTechHandle: IC161-ARIN
OrgTechName:   Comcast Cable Communications Inc
OrgTechPhone:  +1-856-317-7200
OrgTechEmail: 

Which I believe is an attack to get to the admin section?

Anyway, I can see anything overwritten in my files and I don't know how to check my web server logs.

I'm pretty sure that was a hack attempt, as the Sentinel block says "We have caught 1 shameful hacker(s)"

Thanks montego.
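
The log check montego suggests, as an added example that is not part of the original thread: it narrows an Apache access log to the minutes around the Sentinel block and flags requests that came from the blocked address or carry a UNION SELECT. The log lines, request paths, combined log format and 30-minute window are constructed assumptions; only the block time and address come from the report above.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Constructed Apache "combined" log lines, not taken from the thread; only the
# blocked address and block time below come from the Sentinel report.
SAMPLE_LOG = """\
203.0.113.9 - - [21/Aug/2006:21:40:02 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
71.201.247.1 - - [21/Aug/2006:21:57:27 +0100] "GET /modules.php?name=Example&id=1%20UNION%20SELECT%201,2 HTTP/1.1" 200 312 "-" "Mozilla/4.0"
198.51.100.4 - - [21/Aug/2006:21:58:40 +0100] "GET /modules.php?name=Example&id=1/**/UnIoN/**/SeLeCt/**/1 HTTP/1.1" 200 298 "-" "Mozilla/5.0"
71.201.247.1 - - [22/Aug/2006:09:15:00 +0100] "GET /index.php HTTP/1.1" 403 210 "-" "Mozilla/4.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3}) ')
UNION_RE = re.compile(r"\bunion\b.*?\bselect\b", re.I | re.S)
BAN_TIME = datetime.strptime("2006-08-21 21:57:28 +0100", "%Y-%m-%d %H:%M:%S %z")

def normalise(url):
    """Undo up to two layers of URL encoding and strip SQL comment padding."""
    url = unquote_plus(unquote_plus(url))
    return re.sub(r"/\*.*?\*/", " ", url, flags=re.S)

def triage(log_text, ban_time, ban_ip, window_minutes=30):
    """Return requests near the ban that are from ban_ip or carry UNION SELECT."""
    window = timedelta(minutes=window_minutes)  # assumed window, adjust as needed
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, stamp, url, status = m.groups()
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        if abs(when - ban_time) > window:
            continue
        reasons = []
        if ip == ban_ip:
            reasons.append("blocked-ip")
        if UNION_RE.search(normalise(url)):
            reasons.append("union-select")
        if reasons:
            # The status shows whether the server answered (2xx) or refused (403).
            hits.append((when.isoformat(), ip, int(status), reasons))
    return hits

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG, BAN_TIME, "71.201.247.1"):
        print(hit)
```

A 200 on a flagged line means the request was served rather than refused, so that URL and its handler are the first things to review; a flagged line from a second address shows the same probe arriving from somewhere that was never blocked.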

Psycho
Posted: Wed Aug 23, 2006 9:54 pm

Rofl, I clicked that link in the email and it said that I've been blocked and now I can't see my site! Bit lost how to recover it :D

montego
Posted: Wed Aug 23, 2006 11:25 pm

You have to edit your .htaccess file to remove your IP address and use phpMyAdmin to remove your IP from the blockedips table.

Psycho
Posted: Thu Aug 24, 2006 1:33 am

Right, I logged in as one of my other admins on a different computer and sorted it out ;) Anyway, still got the problem!

montego
Posted: Fri Aug 25, 2006 5:59 am

Psycho, yes, the original NS block was a hack attempt, there was never a question about that in my mind as it was a clear UNION attempt.

If you want me to look at it closer, PM me an admin login and if you can, even an FTP login. Also let me know what version of nuke you are running.

BTW, I am extremely busy at work right now so if you need this looked at quickly, I will not be your man. But, I will help you sort it out if you want me to (at least I will try).

Psycho
Posted: Sat Aug 26, 2006 12:54 pm

Thanks Montego!

montego
Posted: Sun Aug 27, 2006 8:45 am

I have looked at it briefly. I changed the forum style back to Subsilver and at least the Forum Preview is working again. Must be a problem with the AcidTechGreen style that you had previously.

However, I am a bit "stumped" by the "Hacking Attempt!" issue. I can find no references to this literal anywhere within the RavenNuke 2.02.02 distribution.

What version of nuke and patchset is this? If you feel more comfortable PM'ing me the info, that is fine.

Psycho
Posted: Sun Aug 27, 2006 10:52 am

Patchset? Not sure; version is the RavenNuke package from this site.

montego
Posted: Sun Aug 27, 2006 10:52 pm

Ah, I think I found it now, but not in 2.02.02 (that you are using). Had you tried to upgrade to the 2.0.21 BBtoNuke patchset? I see now that that literal was just added to includes/functions.php. Odd thing is, though, we have integrated 2.0.21(+) into 2.10.00 (due out soon), and I am not seeing this issue. However, your site is a bit different in that you are somehow redirecting folks from one URL to another... I wonder if that has anything to do with it.

Did you, by chance, miss the upgrade db patch for that upgrade?

Psycho
Posted: Mon Aug 28, 2006 7:20 am

Lol, barely understood what I was reading there! I think I may have missed a db patch for an upgrade? But I don't remember trying to upgrade to the 2.0.21 BBtoNuke patchset.

Psycho
Posted: Mon Aug 28, 2006 8:25 am

Just on another note, I do have a redirect on my site because the URL was one for my hosting company and I wanted a .co.uk address.

Psycho
Posted: Mon Sep 25, 2006 1:35 pm

Any more ideas about this?

montego
Posted: Tue Sep 26, 2006 5:38 am

Unfortunately not. Have not had time to go back in and look either. Sorry.

What I would suggest is upgrading to 2.10.00 release once it comes out. I just won't have time to debug this on your site. You may want to try the "For Hire" forum and get someone to help you.

Psycho
Posted: Tue Nov 14, 2006 11:35 am

Lol, I got the new version, installed it, and now my forum admin section and actual forum are blank?

montego
Posted: Wed Nov 15, 2006 10:51 am

Psycho, not sure what "new version" you are talking about. My last post was talking about the RavenNuke release 2.10.00 which is still not out. So, not sure what you installed...

Psycho
Posted: Wed Nov 15, 2006 2:08 pm

Lol, the new forum bbphp thing that the admin panel suggested..

evaders99
Former Moderator in Good Standing
Joined: Apr 30, 2004
Posts: 3221
Posted: Wed Nov 15, 2006 11:39 pm

You cannot install the original phpBB files on your phpNuke. You must use the BBToNuke files.

Given that this is for RavenNuke, wait until 2.0.10 is out and it will come with the latest phpBB.

Psycho
Posted: Thu Nov 16, 2006 5:01 am

I got those files you're on about and did an upgrade apparently and it wiped the forums lol

Psycho
Posted: Thu Nov 16, 2006 1:34 pm

How do I get them back?

jakec
Site Admin
Joined: Feb 06, 2006
Posts: 3038
Location: United Kingdom
Posted: Thu Nov 16, 2006 1:51 pm

Did you run a backup before upgrading?

evaders99
Posted: Thu Nov 16, 2006 7:06 pm

Restore the files from your RavenNuke package