Ravens PHP Scripts: Forums
ring_c
Involved
Joined: Dec 28, 2003
Posts: 276
Location: Israel

Posted: Tue Jun 01, 2004 7:27 pm

For the last 24 hours, my site was hacked twice with the same method. Somehow, someone managed to alter/replace my index.php.

Today they left an index.php with these: "Rebellious Fingers - [ Only registered users can see links on this board! Get registered or login! ]"

I'm using phpnuke v6.7.
Is this a known issue?
Is there a solution?

I also have Fortress running, and it didn't seem to bother them, nor did I get an email from it.

Any help will do, please!
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 17088

Posted: Tue Jun 01, 2004 7:45 pm

When you say they left your index.php changed, do you mean the actual index.php file on your ftp site? Or do you mean your main News page? I'm not insulting your intelligence :) - some people refer to those two as the same thing.

Make sure that you have my http auth protection in place and all of Chat's fixpacks applied. If your index.php was truly hacked then none of the protection applications (Sentinel(tm), Fortress(tm), etc.) will protect against that.

If you are still at a loss, post back.
ring_c

Posted: Tue Jun 01, 2004 8:01 pm

Raven wrote:
When you say they left your index.php changed, do you mean the actual index.php file on your ftp site? Or do you mean your main News page?

Sorry for being slow, it's 4:50am here... :o
Anyway, I refer to the index.php which sits in phpnuke's root dir, beside mainfile.php, header.php and footer.php.

No relation to the News module whatsoever...

Could you please lead me to your http auth protection and Chat's fixpacks? Will these help me?
Raven

Posted: Tue Jun 01, 2004 8:05 pm

Chat's fix pack on my front page at the top :)
[ Only registered users can see links on this board! Get registered or login! ]

My Admin security [ Only registered users can see links on this board! Get registered or login! ]

And then of course ;) Sentinel(tm) [ Only registered users can see links on this board! Get registered or login! ]
ring_c

Posted: Tue Jun 01, 2004 8:12 pm

Raven wrote:
Chat's fix pack on my front page at the top :)
[ Only registered users can see links on this board! Get registered or login! ]

My Admin security [ Only registered users can see links on this board! Get registered or login! ]

And then of course ;) Sentinel(tm) [ Only registered users can see links on this board! Get registered or login! ]

Thanks. Asking again - will these help me with the current hack method?
Raven

Posted: Tue Jun 01, 2004 9:38 pm

Yes, they should. Chances are they used a known exploit in one or more of the modules that allow uploads, possibly a gallery or an upload module.
stephen2417
Worker
Joined: Jan 18, 2004
Posts: 244
Location: Bristolville, OH

Posted: Tue Jun 01, 2004 10:46 pm

Aha. I had that problem, same guy too..

Coppermine ring a bell?

Get the latest version and you're set.. DJ pointed this out some time ago.
ring_c

Posted: Wed Jun 02, 2004 2:51 am

stephen2417 wrote:
Coppermine ring a bell?

d***! And I didn't even use it. I just put it on the site, and really didn't have the time to work it out.

Oh well, here's another use for that little <delete> button! :D

I guess this is related to the security vulnerability, as stated here: [ Only registered users can see links on this board! Get registered or login! ]

Thanks, stephen2417. I've removed Coppermine. Hopefully this solves it.
ring_c

Posted: Wed Jun 02, 2004 3:16 am

Raven wrote:
Chat's fix pack on my front page at the top :)
[ Only registered users can see links on this board! Get registered or login! ]

Are there any detailed code changes to be made by hand, as my site is fully modded (uses Hebrew, an RTL language) and I can't allow myself to simply overwrite the current files?

Just as an example, I've installed attach_mod to my phpBB, which is a file attach mod. This mod touches lots of phpBB related files, hence I am certain that applying Chat's pack will cause it to stop working (at the least).

As said before, I'd prefer a manual code-changes file for self implementation.
chatserv
Member Emeritus
Joined: May 02, 2003
Posts: 1389
Location: Puerto Rico

Posted: Wed Jun 02, 2004 8:53 am

I have attempted before to write a diff pack for the patch, but it involves many changes and, because of user modifications, it would be next to impossible to make it match every user's files. What I can offer to you is this: replace only the files you know are not modified by you, then make a list of the ones you did not replace and PM me afterwards; I will patch them for you.
ring_c

Posted: Wed Jun 02, 2004 9:17 am

Gee, you're really generous!
I'll try to do that, though I'm not really sure I could tell which files were changed or not. Maybe I'll use the date stamp to make the decision...

THANKS A LOT!

PS: As stephen2417 suggested, I've removed Coppermine. Do you think this could have caused it?
stephen2417

Posted: Wed Jun 02, 2004 9:55 am

I still use Coppermine actually, it's all patched up in the new version.. I suggest if you're going to use it just install it again. ;)

Wanna say thanks to oprime2001(NC) for originally pointing this out to me.
stephen2417

Posted: Wed Jun 02, 2004 9:56 am

ring_c wrote:
Do you think this could have caused it?


Yes, it was Coppermine. Look at the logs if you dare.. Search for coppermine in them. :roll:
chatserv

Posted: Wed Jun 02, 2004 9:58 am

I know you won't like this suggestion, but trust me, it'll be worth the extra work:

Do not upload the Forums module or the includes folder.
Make a full backup of all your current files.
Now upload one file at a time from Nuke Patched, then test the site and any section related to the files you just uploaded. If all seems ok, upload another, and so on. If at any time a file breaks the site or the area to which it is related, replace it with the original file from the backup you made and add said file to the list of files I will patch for you.
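As an added example that is not code from this thread, from Nuke Patched or from PHP-Nuke itself: a POSIX shell script that answers ring_c's question above about telling modified files apart (by content rather than by date stamp) and supports chatserv's one-file-at-a-time approach by listing up front which files are safe to overwrite. It assumes a pristine copy of the same PHP-Nuke release unpacked locally next to a copy of the live tree; the paths in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example, not code from this thread or from Nuke Patched.
# Given a pristine, unpacked copy of the same PHP-Nuke release and the
# live site tree, report which release files were locally modified
# (compared by content, not by timestamp) and which files exist on the
# live site that the release never shipped (worth a look after a defacement).
# Assumes: $1 = pristine release dir, $2 = live site dir, both local.

# List release files that are missing or differ in content on the live site.
changed_files() {
    pristine="$1"
    live="$2"
    ( cd "$pristine" && find . -type f | LC_ALL=C sort ) |
    while IFS= read -r rel; do
        rel="${rel#./}"
        if [ ! -f "$live/$rel" ]; then
            printf 'MISSING  %s\n' "$rel"
        elif ! cmp -s "$pristine/$rel" "$live/$rel"; then
            printf 'MODIFIED %s\n' "$rel"
        fi
    done
}

# List files on the live site that are not part of the release at all.
extra_files() {
    pristine="$1"
    live="$2"
    ( cd "$live" && find . -type f | LC_ALL=C sort ) |
    while IFS= read -r rel; do
        rel="${rel#./}"
        [ -f "$pristine/$rel" ] || printf 'EXTRA    %s\n' "$rel"
    done
}

# Usage (hypothetical paths, run against a local copy of the site):
#   changed_files /tmp/phpnuke-6.7 /tmp/site-copy > modified.txt
#   extra_files   /tmp/phpnuke-6.7 /tmp/site-copy > extra.txt
# MODIFIED files are the ones to keep out of a blind overwrite and hand-patch
# instead; EXTRA files deserve inspection before they are kept.
```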
ring_c

Posted: Thu Jun 03, 2004 11:26 pm

stephen2417 wrote:
Yes, it was Coppermine. Look at the logs if you dare.. Search for coppermine in them. :roll:

I guess it wasn't Coppermine after all. They've just done it again:
Code:
Rebellious Fingers Defacements Crew! - [ Only registered users can see links on this board! Get registered or login! ]
:cry:

And Coppermine has been out of my site since you told me to remove it...
d*** them. How do they do that???
Raven

Posted: Thu Jun 03, 2004 11:40 pm

Had you cleared up your admin table ==> nuke_authors of any admin accounts that weren't legitimate and then changed the passwords on the others? Is it possible they have gotten hold of your account password to your server account?
ring_c

Posted: Thu Jun 03, 2004 11:57 pm

Raven wrote:
Had you cleared up your admin table ==> nuke_authors of any admin accounts that weren't legitimate and then changed the passwords on the others? Is it possible they have gotten hold of your account password to your server account?


My nuke_authors is clean (it only contains those who got authorisation from me).

I don't believe they have my pwds. And even if they do - why don't they mess with the rest of it? Why only change my index.php? Why not crap it all up?

Oh, and I've tried mailing this guy. Guess what:
Code:
User mailbox exceeds allowed size: [ Only registered users can see links on this board! Get registered or login! ]
Raven

Posted: Fri Jun 04, 2004 12:54 am

Have you applied all of Chat's fixes? If they have not added an admin account then they are using an old exploit that his fix pack fixes.
ring_c

Posted: Fri Jun 04, 2004 1:49 am

Raven wrote:
Have you applied all of Chat's fixes? If they have not added an admin account then they are using an old exploit that his fix pack fixes.

Actually no. I trusted stephen2417's assurance of it being Coppermine's fault.
I guess I'll try your advice of not updating the forums and includes patch, but using the others, one by one.
ring_c

Posted: Fri Jun 04, 2004 2:16 am

Raven, I had a problem with the FIRST file I've uploaded. :(
I've started with the root's admin.php file. After replacing the file (don't worry, I have a backup), I got this error:

Fatal error: Call to undefined function: stripos_clone() in /home/hagigim/public_html/admin.php on line 19

Now I'm really afraid to continue...
stephen2417

Posted: Fri Jun 04, 2004 4:19 am

I'm sorry to mislead you ring_c :(

Do you happen to use any other photo gallery besides that, or anything that allows you to upload a file..
Just for me being an idiot, I'll look at your server logs for you if you can pick out an around-about time and date.
ring_c

Posted: Fri Jun 04, 2004 4:26 am

stephen2417 wrote:
I'm sorry to mislead you ring_c :(

Do you happen to use any other photo gallery besides that, or anything that allows you to upload a file..
Just for me being an idiot, I'll look at your server logs for you if you can pick out an around-about time and date.

It's fine. Don't worry.
I'm using 4nalbum. Is this one a problem too?
ring_c

Posted: Fri Jun 04, 2004 4:27 am

Never mind, removing 4nalbum right now. The hell with it...
stephen2417

Posted: Fri Jun 04, 2004 4:29 am

Well, what a motto.. If you do get hacked again then it's not an image gallery.. We have ruled that out then. :o
Raven

Posted: Fri Jun 04, 2004 4:34 am

All have had issues at one time or another. Any application that has upload capability is suspect at this point.