cornishpixie
Regular
Joined: Dec 15, 2008
Posts: 79

Posted: Wed Feb 18, 2009 9:12 am

Thanks!

Gremmie
Former Moderator in Good Standing
Joined: Apr 06, 2006
Posts: 2415
Location: Iowa, USA

Posted: Wed Feb 18, 2009 10:11 am

What version of RN is vulnerable to this captcha problem? Thanks.

Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 16976
Location: Kansas

Posted: Wed Feb 18, 2009 10:45 am

To our knowledge, any version that uses it. Btw, Greetings! You couldn't have come at a worse time!

cornishpixie
Regular
Joined: Dec 15, 2008
Posts: 79

Posted: Wed Feb 18, 2009 11:37 am

LOL

Gremmie
Former Moderator in Good Standing
Joined: Apr 06, 2006
Posts: 2415
Location: Iowa, USA

Posted: Wed Feb 18, 2009 1:08 pm

Raven wrote:
To our knowledge, any version that uses it.


Okay, I'll do some diffs and see if the new version will drop easily into my site.

Raven wrote:
Btw, Greetings! You couldn't have come at a worse time!


LOL, sorry to hear that my friend.

dad7732
RavenNuke(tm) Development Team
Joined: Mar 18, 2007
Posts: 1174

Posted: Wed Feb 18, 2009 1:22 pm

The fix works on 2.3 and 2.20.10 here ...

Cheers

Donovan
Client
Joined: Oct 07, 2003
Posts: 735
Location: Ohio

Posted: Wed Feb 18, 2009 4:44 pm

So I used to run a site that still has rn76v2.02

Would they be vulnerable?

kguske
Site Admin
Joined: Jun 04, 2004
Posts: 5997

Posted: Wed Feb 18, 2009 5:00 pm

No.

cornishpixie
Regular
Joined: Dec 15, 2008
Posts: 79

Posted: Wed Feb 18, 2009 5:03 pm

Everything's working fine on the site now apart from 2 users' accounts.

One is an existing mod, and is in the mod group, but I can't give moderating rights in ACP, and the other is a member who I need to make a mod who is in the mod group but can't give moderating rights in ACP.

I get this error message when I try to upgrade both those accounts to mods.

Quote:
Could not obtain moderator status

DEBUG MODE

SQL Error : 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ') AND aa.group_id = ug.group_id AND aa.auth_mod = 1 GROUP BY ug.us' at line 3

SELECT ug.user_id, COUNT(auth_mod) AS is_auth_mod FROM nuke_bbauth_access aa, nuke_bbuser_group ug WHERE ug.user_id IN () AND aa.group_id = ug.group_id AND aa.auth_mod = 1 GROUP BY ug.user_id

Line : 561
File : admin_ug_auth.php


Could someone tell me what I need to do please? Thank you.

Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 16976
Location: Kansas

Posted: Wed Feb 18, 2009 5:09 pm

I think if you will search for the phrase admin_ug_auth (Search all terms) you will find your answer ;)

cornishpixie
Regular
Joined: Dec 15, 2008
Posts: 79

Posted: Wed Feb 18, 2009 5:13 pm

Is that in phpmyadmin in the database Raven?

Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 16976
Location: Kansas

Posted: Wed Feb 18, 2009 5:17 pm

Search in these forums :)

kguske
Site Admin
Joined: Jun 04, 2004
Posts: 5997

Posted: Wed Feb 18, 2009 5:22 pm

And look at this:
[link hidden by the forum for unregistered users]

cornishpixie
Regular
Joined: Dec 15, 2008
Posts: 79

Posted: Wed Feb 18, 2009 5:22 pm

Found it Raven, thank you

Groupfix.php

Just uploading it now

Gremmie
Former Moderator in Good Standing
Joined: Apr 06, 2006
Posts: 2415
Location: Iowa, USA

Posted: Wed Feb 18, 2009 5:31 pm

Thanks for the fix. I looked it over, and it was indeed compatible with my site's version. It seemed that a person would only be vulnerable if they were running with register globals on. Is this correct? Is there any more background or detail on the problem?

kguske
Site Admin
Joined: Jun 04, 2004
Posts: 5997

Posted: Wed Feb 18, 2009 6:27 pm

Don't think register globals mattered. I'll send you a pm with attack details.

dad7732
RavenNuke(tm) Development Team
Joined: Mar 18, 2007
Posts: 1174

Posted: Wed Feb 18, 2009 6:30 pm

Upgraded three production domains without a hitch, all ok, etc.

Cheers

cornishpixie
Regular
Joined: Dec 15, 2008
Posts: 79

Posted: Wed Feb 18, 2009 6:52 pm

Uploaded recommended files in security announcement and no problems at all since.

Will upgrade fully to v2.3.01 tomorrow

Thank you so much team and Raven.

cornishpixie
Regular
Joined: Dec 15, 2008
Posts: 79

Posted: Wed Feb 18, 2009 7:49 pm

I have a problem.

As per previous post above, I uploaded recommended files in security announcement.

Everything seemed ok until I left the site and came back again.

Now I'm getting this problem:

from Home (index.php) can access ACP and all working in there and can access all admin areas with no problems.

from Home (index.php) I cannot access Downloads, Your Account, Forums from the top menu on theme.

I'm getting this error

Quote:
Not Found

The requested URL /main/forums.html was not found on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
Apache/2.2.6 (Unix) mod_ssl/2.2.6 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_jk/1.2.25 PHP/5.2.5 mod_perl/2.0.3 Perl/v5.8.8 Server at [link hidden by the forum for unregistered users] Port 80


That's when I click on Forum, obviously if I clicked on Your Account or Downloads it would say /main/forums/downloads.html

It's probably something I've maybe done uploading the files???

Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 16976
Location: Kansas

Posted: Wed Feb 18, 2009 8:11 pm

It sounds like you have activated ShortLinks in rnconfig.php ($tnsl_bUseShortLinks = true;) but you haven't added the ShortLinks.htaccess contents to your regular .htaccess file. That or your host doesn't allow the Apache RewriteEngine on directive in .htaccess.

See the HowToInstall section for AddOns -> TegoNuke(tm) ShortLinks (Version 1.2.1)

cornishpixie
Regular
Joined: Dec 15, 2008
Posts: 79

Posted: Wed Feb 18, 2009 8:22 pm

That's really weird because all I have done, and I swear I've not touched anything else, too tired I just want to go to bed now after 24hrs with 3hrs sleep lol.

But all I did was upload these files as recommended:

** If you are upgrading from ANY version of RavenNuke(tm) that uses the CAPTCHA System: **
images/captcha.php
**

** If you are upgrading from ANY version of RavenNuke(tm) that uses the Resend Email Module: **
modules/Resend_Email/xx.xx - the entire Resend_Email folder/directory
**

** If you are upgrading from RavenNuke(tm) v2.30.00: **
admin.php
modules/Your_Account/xx.xx - the entire Your_Account folder/directory

I went off my site for a second to check email and came back, clicked on Admin everything fine, went to home, home is fine, clicked on forum and wham, 404 error.

Can I just go into rnconfig.php and put false after $tnsl_bUseShortLinks ???

I don't particularly want short links, I've not activated it.

Would there have been anything in those files I uploaded that would have activated short links?

cornishpixie
Regular
Joined: Dec 15, 2008
Posts: 79

Posted: Wed Feb 18, 2009 8:33 pm

Have changed $tnsl_bUseShortLinks=true to =false and it all works ok now. Wonder what would have changed that setting, as that file's not been touched since the site was installed last year.

Would the groupfix thing have done anything? Very odd.

Am off to me bed now before I collapse.

Gremmie
Former Moderator in Good Standing
Joined: Apr 06, 2006
Posts: 2415
Location: Iowa, USA

Posted: Wed Feb 18, 2009 8:50 pm

kguske wrote:
Don't think register globals mattered. I'll send you a pm with attack details.


Ok, I'd like to hear about it, thanks.

It looked to me like the fix was just to make sure some variables were defined before first use. That's something you always should do, but especially if register globals is on, otherwise a bad guy could provide his own values for those variables.

Register globals "on" is a really, really bad idea.

montego
Former Admin in Good Standing
Joined: Aug 29, 2004
Posts: 9071
Location: Arizona

Posted: Wed Feb 18, 2009 9:27 pm

Don't forget that for many reasons, we import the request variables within mainfile.php. Too many add-on modules/blocks/etc. would break otherwise.

I am thinking that captcha came into RN at 2.10.00, so that would be the start of this particular one captcha script issue, but there are more files to upload/fix. Only if you are on RN 2.3.0 do you need the modules/Your_Account/* files. Previous versions, I believe, were not at risk... but, don't quote me on that.
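
Added example (not part of the thread and not RavenNuke code): a PHP illustration of the point Gremmie and montego raise above, that a variable assigned on only one path can be set by the client once request fields are imported into scope. The function names, the code and verified fields and the sample values are constructed, and extract() with EXTR_SKIP is an assumption standing in for register globals or a request-variable import.

```php
<?php
// Added example: function names, field names and values are constructed.

// Vulnerable: request fields are imported into scope and $verified is
// assigned only on the success path. EXTR_SKIP models register globals:
// values the script itself has set win, undefined names are filled in.
function check_vulnerable(array $request, string $expected): bool
{
    extract($request, EXTR_SKIP);      // request keys become variables
    if (isset($code) && $code === $expected) {
        $verified = true;
    }
    return !empty($verified);          // undefined unless the request set it
}

// Variable defined before first use, the practice Gremmie describes:
// a request-supplied "verified" is overwritten.
function check_initialised(array $request, string $expected): bool
{
    extract($request, EXTR_SKIP);
    $verified = false;
    if (isset($code) && $code === $expected) {
        $verified = true;
    }
    return $verified;
}

// Stricter: no import at all; read the one expected field explicitly.
function check_explicit(array $request, string $expected): bool
{
    $code = $request['code'] ?? '';
    return is_string($code) && hash_equals($expected, $code);
}

$expected = 'K7P2';                                   // constructed
$cases = [
    'honest'   => ['code' => 'K7P2'],
    'wrong'    => ['code' => 'nope'],
    'injected' => ['code' => 'nope', 'verified' => '1'],  // extra client field
];
foreach (['check_vulnerable', 'check_initialised', 'check_explicit'] as $fn) {
    foreach ($cases as $name => $request) {
        printf("%-18s %-9s %s\n", $fn, $name, var_export($fn($request, $expected), true));
    }
}
```

Only check_vulnerable accepts the injected case; the other two reject it because the flag's value never depends on a name the client can supply.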

Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 16976
Location: Kansas

Posted: Thu Feb 19, 2009 3:07 am

cornishpixie wrote:
Have changed $tnsl_bUseShortLinks=true to =false and it all works ok now. Wonder what would have changed that setting, as that file's not been touched since the site was installed last year.

Would the groupfix thing have done anything? Very odd.

Am off to me bed now before I collapse.


I verified it's what I had thought. If you add the contents of ShortLinks.htaccess to your .htaccess and then set the 2 settings in rnconfig.php back to true, all should work just fine. If I remember right you had restored your .htaccess file when you were having those cgiauth issues.