RaDiKaL (New Member; Joined: Jun 10, 2004; Posts: 23)
Posted: Mon Sep 06, 2004 7:20 am

Well my time came Sad

I have Sentinel 2.0.1 + latest patches, yet some Albanian dude decided that I am against him (I don't know why...) and hacked my site...

Take a look...


Sentinel did not catch any attempts and I have every filter on Sad

Any ideas where the breach may have come from?

Thanks...

[I have a backup, so only my pride and hard work are damaged Smile ]
RaDiKaL (New Member; Joined: Jun 10, 2004; Posts: 23)
Posted: Mon Sep 06, 2004 7:41 am

Sorry, the bastards are still in so I'm taking it down. Basically they created a new admin account (not God) and messed around with the preferences, changing the language to Albanian etc...

I had taken every precaution yet...

Oh well...
Funny thing is that all the hoopla is because they won a soccer game (World Cup qualifiers...) and I was about to say that the Greek fans overreacted... I was on their side for crying out loud!

Stupid mofos...

Sorry for the post...
I guess I'll load the backup...
Any tips for extra protection?
sixonetonoffun (Spouse Contemplates Divorce; Joined: Jan 02, 2003; Posts: 2499)
Posted: Mon Sep 06, 2004 7:47 am

Did you use the admin http auth layer Nuke Sentinel provides? (Dual Login)
RaDiKaL (New Member; Joined: Jun 10, 2004; Posts: 23)
Posted: Mon Sep 06, 2004 7:55 am

sixonetonoffun wrote:
Did you use the admin http auth layer Nuke Sentinel provides? (Dual Login)


My server (host) doesn't support htaccess files, so...

But I noticed that phpMyAdmin wrote "Server localhost"; that's impossible!

They probably hacked right into the database, right?
Raven (Site Admin/Owner; Joined: Aug 27, 2002; Posts: 16987; Location: Kansas)
Posted: Mon Sep 06, 2004 8:49 am

Without the HTTP Auth, your admin is wide open unless you have installed the patches to admin.php, which you say you have. Please post your admin.php because the patches from Chatserv should have stopped any hacking into authors. They may have found another way.
RaDiKaL (New Member; Joined: Jun 10, 2004; Posts: 23)
Posted: Mon Sep 06, 2004 12:50 pm

I'm pretty sure that my host doesn't support HTTP Auth but I'll double check. Here's the admin.php

Code:
<?php

/************************************************************************/
/* PHP-NUKE: Advanced Content Management System                         */
/* ============================================                         */
/*                                                                      */
/* Copyright (c) 2002 by Francisco Burzi                                */
/* http://phpnuke.org                                                   */
/*                                                                      */
/* This program is free software. You can redistribute it and/or modify */
/* it under the terms of the GNU General Public License as published by */
/* the Free Software Foundation; either version 2 of the License.       */
/*                                                                      */
/************************************************************************/
/* Additional security checking code 2003 by chatserv                   */
/* http://www.nukefixes.com -- http://www.nukeresources.com             */
/************************************************************************/
if(stristr($_SERVER["QUERY_STRING"],'AddAuthor') || stristr($_SERVER["QUERY_STRING"],'UpdateAuthor')) {
die("Illegal Operation");
}
$checkurl = $_SERVER['REQUEST_URI'];

if ((preg_match("/\?admin/", "$checkurl")) || (preg_match("/\&admin/", "$checkurl"))) {
echo "die";
exit;
}
require_once("mainfile.php");


[Admin note: Truncated because the rest of the code was not needed to see what level of protection you were using]
Raven (Site Admin/Owner; Joined: Aug 27, 2002; Posts: 16987; Location: Kansas)
Posted: Mon Sep 06, 2004 12:58 pm

HTTP Auth does NOT require .htaccess. It is part of the HTTP protocol. Try to activate it with NukeSentinel(tm). Unfortunately, that admin.php will not stop the admin hacks if they use some encoding like base64. I am working on enhancements to my stand alone HackAlert script that will basically be a NukeSentinel(tm) (lite) version.
RaDiKaL (New Member; Joined: Jun 10, 2004; Posts: 23)
Posted: Mon Sep 06, 2004 1:42 pm

Thanks Raven. No site is 100% secure, even when running the mighty Sentinel Wink

I'll activate HTTP Auth for sure next time. I think I tried it offline and I got banned Confused

Keep up the good work!

Hey is there any way to track the little $%^%$^ down? What traces he might have left?
sixonetonoffun (Spouse Contemplates Divorce; Joined: Jan 02, 2003; Posts: 2499)
Posted: Mon Sep 06, 2004 2:35 pm

I'd search the logs for any access like this on the date of the attack using your own path of course:
"POST /pnuke74/admin.php HTTP/1.1"
"GET /pnuke74/admin.php?op=mod_authors HTTP/1.1"
RaDiKaL (New Member; Joined: Jun 10, 2004; Posts: 23)
Posted: Tue Sep 07, 2004 1:40 am

Hmm, in which logs? SQL?
Because I'm on shared hosting, not on a separate server...

thanks
Raven (Site Admin/Owner; Joined: Aug 27, 2002; Posts: 16987; Location: Kansas)
Posted: Tue Sep 07, 2004 4:21 am

RaDiKaL wrote:
Thanks Raven. No site is 100% secure, even when running the mighty Sentinel Wink

Mighty? Hmmmm. Agreed that no site is 100% secure, but had you been using all the protection that NukeSentinel(tm) and the patches from Chat provide, you wouldn't have gotten hacked either. I don't mean that as a smart-aleck remark. I just want those that read this to understand that NukeSentinel(tm) may not be perfect, but I've yet to see a site that has been hacked that has it installed and is using HTTP Auth for the admin panel. New exploits are always just around the corner though Wink
RaDiKaL (New Member; Joined: Jun 10, 2004; Posts: 23)
Posted: Tue Sep 07, 2004 4:54 am

I meant that as a good remark Raven Embarassed Sorry if you took it as something else Embarassed

Thanks for all your work and support! And I really mean it Smile Embarassed
Raven (Site Admin/Owner; Joined: Aug 27, 2002; Posts: 16987; Location: Kansas)
Posted: Tue Sep 07, 2004 5:22 am

I hesitated before I wrote that because I did not want to come across like that. I know you did not mean anything by it and no apology was necessary! As I said, it was for the benefit of those that don't yet know the product Wink
RaDiKaL (New Member; Joined: Jun 10, 2004; Posts: 23)
Posted: Tue Sep 07, 2004 10:55 pm

Ok Smile

Then, to those that do not have the product yet, let me say that it has caught numerous attempts before, and I know now that I left a security hole by mistake...

It's by far the best and easiest to setup security you can add to your Nuke site. And it has amazing support to boot Smile

So I tried activating HTTP Auth locally and even though I set a password it doesn't accept it. What am I doing wrong here?
[Apache and MySQL running on WinXP]

Thanks again!
Raven (Site Admin/Owner; Joined: Aug 27, 2002; Posts: 16987; Location: Kansas)
Posted: Tue Sep 07, 2004 11:02 pm

The default id/pass is your admin id/pass. You have to log in with that and then you can change it, or should be able to.
RaDiKaL (New Member; Joined: Jun 10, 2004; Posts: 23)
Posted: Tue Sep 07, 2004 11:40 pm

Well now I see why I haven't set it up before Sad

It reads Admin HTTP Auth: Not Available

What do I do now? Embarassed
Raven (Site Admin/Owner; Joined: Aug 27, 2002; Posts: 16987; Location: Kansas)
Posted: Tue Sep 07, 2004 11:47 pm

Your PHP is probably compiled as a stand-alone CGI instead of an Apache module. Ask your host if they will recompile PHP as an Apache module so you can use HTTP Authentication. I am almost complete with the rewrite of my Hack Alert script also.
RaDiKaL (New Member; Joined: Jun 10, 2004; Posts: 23)
Posted: Wed Sep 08, 2004 12:02 am

I'll give it a go but I don't think they'll even bother...
They didn't even install the GR local Twisted Evil

So I'm holding my breath and await for Hack Alert Smile

Thanks Raven
chatserv (The Mouse Is Extension Of Arm; Joined: May 02, 2003; Posts: 1396; Location: Puerto Rico)
Posted: Wed Sep 08, 2004 12:19 am

I'm more interested in finding out how they got in. Contact your webhost and ask them for a copy of your site's access.log; once you have it, check it for odd entries as suggested by sixonetonoffun and post any findings.
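As an added example that is not part of the thread, here is a small Python scanner that applies sixonetonoffun's two log patterns (any POST to admin.php, and GETs touching author management) to an access.log the way chatserv suggests, and also tries URL- and base64-decoding of query values since Raven noted the hack may arrive encoded. The log lines are constructed with documentation IP ranges, and the /pnuke74/ path is the one from sixonetonoffun's post; substitute your own.

```python
import base64
import re
from urllib.parse import parse_qs, unquote, urlparse

# Constructed Apache combined-format lines (documentation IP ranges), not anyone's real log.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Sep/2004:22:14:40 +0300] "GET /pnuke74/admin.php?op=mod_authors HTTP/1.1" 200 4021 "-" "Mozilla/4.0"
203.0.113.5 - - [05/Sep/2004:22:15:02 +0300] "POST /pnuke74/admin.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
198.51.100.9 - - [05/Sep/2004:22:16:11 +0300] "GET /pnuke74/modules.php?name=News&file=article&sid=12 HTTP/1.1" 200 9911 "-" "Mozilla/4.0"
203.0.113.5 - - [05/Sep/2004:22:17:30 +0300] "GET /pnuke74/admin.php?op=QWRkQXV0aG9y HTTP/1.1" 200 3990 "-" "Mozilla/4.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Author-management operations; the patched admin.php only checks the raw query string for these.
SUSPICIOUS = ("addauthor", "updateauthor", "mod_authors")


def _decoded_forms(value):
    """Yield the raw value, its URL-decoded form and, if it looks like base64, the decoded text."""
    yield value
    yield unquote(value)
    if len(value) % 4 == 0 and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value):
        try:
            yield base64.b64decode(value, validate=True).decode("latin-1")
        except ValueError:  # binascii.Error is a ValueError: not valid base64 after all
            pass


def _query_reason(query):
    """Describe the first query value that names an author operation in any decoded form."""
    for key, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            for form in _decoded_forms(value):
                if any(word in form.lower() for word in SUSPICIOUS):
                    return f"{key}={value} matches {form!r}"
    return None


def scan_admin_access(log_text, admin_path="/pnuke74/admin.php"):
    """Return (ip, timestamp, method, target, reason) for each admin.php hit worth a closer look:
    every POST (form submissions that create/edit authors) and every GET naming an author operation."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or urlparse(m["target"]).path != admin_path:
            continue
        reason = "POST to admin.php" if m["method"] == "POST" else _query_reason(urlparse(m["target"]).query)
        if reason:
            hits.append((m["ip"], m["ts"], m["method"], m["target"], reason))
    return hits
```

Run it over the real file with `scan_admin_access(open("access.log").read(), "/your/path/admin.php")`; the source IPs and timestamps of the hits are what to hand to the host.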
RaDiKaL (New Member; Joined: Jun 10, 2004; Posts: 23)
Posted: Wed Sep 08, 2004 2:05 am

Ok I'll do that.

In the meantime, since I don't have HTTP Auth capabilities, I took a dramatic measure Laughing I took admin.php off the web. If he got to me once, he can do it again.

Thanks for all the help guys
64bitguy (The Mouse Is Extension Of Arm; Joined: Mar 06, 2004; Posts: 1156; Location: Sanbornton, NH USA)
Posted: Wed Sep 08, 2004 2:47 am

I'm compiled in CGI mode as well so I don't have HTTP Auth capabilities, but I always assumed (I know, bad idea to assume anything) that between Protector and Sentinel I would have pretty good coverage of securing my admin.php file.

Are there other methods beyond HTTP Auth of locking down the admin functions beyond the methods employed now by these two security applications, or should I not worry and assume they are doing their things adequately?

Just curious.
Thanks!
Raven (Site Admin/Owner; Joined: Aug 27, 2002; Posts: 16987; Location: Kansas)
Posted: Wed Sep 08, 2004 4:29 am

Yes there are. But as has been noted, we need to determine the method used for the breach to fix this particular case. However, I will post back shortly at least one alternative method as there could be several.
Raven (Site Admin/Owner; Joined: Aug 27, 2002; Posts: 16987; Location: Kansas)
Posted: Wed Sep 08, 2004 6:52 am

HTTP Authentication is a process that challenges the user to enter an id and password. So, technically, you could write any number of SSI type scripts to do this. I do not have a CGI installation to test this on, but this does work on my setup. Please test it under a CGI installation and let me know.

This is only valid under Apache. You will need 2 files. One is .htaccess and the other is a file to hold the users and passwords that are allowed access to the file. The .htaccess file will be stored in the folder where admin.php is located, which is your root nuke folder. If you already have a .htaccess just add this code to it. Otherwise you will have to create a .htaccess file. Add this code to .htaccess
Code:
# Applies only to admin.php in this folder; the rest of the site stays public.
<Files admin.php>
   AuthName "Restricted"
   AuthType Basic
   # Absolute filesystem path to the id:password file (see below), never a URL.
   AuthUserFile REAL_PATH_TO_ID_PASS_FILE
   # <Limit> protects only the methods listed; a method left out of the list is not challenged,
   # so keep the list complete, or place 'require valid-user' directly inside <Files> to cover all methods.
   <Limit GET POST PUT>
      require valid-user
   </Limit>
</Files>

Now the REAL_PATH_TO_ID_PASS_FILE will be site specific, but many *nix sites have a realpath to your public_html/www folder that looks like this
Code:
/home/USERNAME/public_html/

So, let's assume that your secret file is named 64bitsecret. I would make it hidden by naming it .64bitsecret. Now, the contents will be a username:password, like 64bitguy:secretpass, except secretpass needs to be encrypted with the crypt() function. I will not attempt an explanation of the function, but I will provide a short script I wrote to help you Smile. The salt value can be whatever you like.
Code:
<form method='post'>
Enter password to be encrypted using crypt(): <input name='pw'><br /><br />
Enter the 'salt' value for the encryption (2 long): <input name='salt' maxlength='2'><br /><br />
<input type='submit' name='submit' value='Encrypt'><br /><br />
</form>
<?php
// Only act once the form has been submitted with a non-empty password.
if (isset($_POST['submit']) && isset($_POST['pw']) && !empty($_POST['pw'])) {
   $pw   = $_POST['pw'];
   $salt = isset($_POST['salt']) ? $_POST['salt'] : '';
   // The crypt() output is what goes after the colon in the id:password file.
   // Escape both values before echoing so the helper page cannot be used to inject HTML.
   echo "Password <b>".htmlspecialchars($pw)."</b> translated is <b>".htmlspecialchars(crypt($pw, $salt))."</b>";
}
?>
So, upon entering your password of 'secretpass' with a salt of '64' (remember it can be anything you want), we get an encrypted value of '64hH0OZjEnJyQ'. So, we now place 64bitguy:64hH0OZjEnJyQ in the .64bitsecret file.

Now we upload .htaccess and .64bitsecret to the nuke root folder and hopefully when you try to access the admin.php file you will be challenged appropriately. Please note that you cannot use both HTTP auth in NukeSentinel and .htaccess HTTP auth. It will give the browser a migraine Wink. Please let me know your results.

Also, here is a quick little ditty to find out your REALPATH. Save this to your root nuke folder to discover the path and then delete it!
Code:
<?php
// Prints the absolute filesystem path of index.php, i.e. of your nuke root folder.
echo 'rp = '.realpath('index.php');
?>
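As an added example (not Raven's code, nor NukeSentinel's), the exchange that the .htaccess above sets up, modelled in Python: the 401 challenge for admin.php, the Authorization header the browser answers with, and the check against an id:password file. It uses Apache's {SHA} entry format (what `htpasswd -s` writes) instead of the crypt() output from the post, because Python's crypt module is deprecated; the user name 64bitguy and password secretpass are the post's own sample values.

```python
import base64
import hashlib
import hmac


def sha_htpasswd_entry(user, password):
    """Build one id:password line in Apache's {SHA} format: base64 of the raw SHA-1 digest."""
    digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return f"{user}:{{SHA}}{digest}"


def load_htpasswd(text):
    """Parse the password file into {user: stored_hash}, skipping blank lines and # comments."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            user, _, stored = line.partition(":")
            users[user] = stored
    return users


def basic_header(user, password):
    """What the browser sends after answering the challenge: base64 of 'user:password'."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def check_basic_auth(header_value, users):
    """Return the user named in an Authorization header value if the credential is valid, else None."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, _, password = base64.b64decode(token, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):  # malformed token: treat as no credential
        return None
    stored = users.get(user, "")
    if not stored.startswith("{SHA}"):
        return None
    supplied = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    # Constant-time compare so a wrong guess costs the same time as a near miss.
    return user if hmac.compare_digest(stored[len("{SHA}"):].encode(), supplied.encode()) else None


def gate_admin(path, headers, users, realm="Restricted"):
    """Apply the <Files admin.php> rule to one request and return (status, response headers, user).
    Every method is challenged, not only a <Limit> list, so nothing slips past on another verb."""
    if path.rsplit("/", 1)[-1] != "admin.php":
        return 200, {}, None
    user = check_basic_auth(headers.get("Authorization", ""), users)
    if user is None:
        return 401, {"WWW-Authenticate": f'Basic realm="{realm}"'}, None
    return 200, {}, user
```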
kguske (Site Admin; Joined: Jun 04, 2004; Posts: 6044)
Posted: Wed Sep 08, 2004 9:22 am

Raven, you are awesome. I'll test this on a CGI installation tonight and let you know.
kguske (Site Admin; Joined: Jun 04, 2004; Posts: 6044)
Posted: Wed Sep 08, 2004 10:01 am

I was so excited, I couldn't wait. This worked BEAUTIFULLY. Thank you, thank you, thank you...