There's 0 ways to protect your site from hackers

Posted: Tue Feb 08, 2005 11:04 am

Ok everyone hates those scriptkiddies that hack your site.
You try to prevent your site from hacks by blocking IP's and think that's safe.

Did you know that real hackers (approx. 1000 on the whole world) know how to use "IP spoofing" and they can actualy use my or your IP ?
So if sentinel blocks his IP and he gets annoyed of your website he can try any IP of the world and actualy completely shutdown your website.

This again is a short explanation that blocking IP's automaticly is a useless and never ending story to protect your site from hacking.
It's better to fix your website then to ban everyone.

I hope everyone again learns to update their backend with the latest security patches and fixes and do come on this website atleast once a day to keep your php-nuke or any raven related system online.

Oh and don't forget to donate, it's pretty expensive to run a non-supported website.

Subject Matter Expert Joined: Feb 23, 2004 Posts: 358

yah, but DJ, let's face the facts, REAL hackers don't have the time to bother with Nuke sites. There's nothing to gain. Real hackers want to get paid, so they go after sites that have sensitive information they can use or sell for profit. That leaves 99.9% of attacks against 'community' based websites by script kiddies, and banning their IP's -does- work enough times to warrant it.

Then we have the case of a worm release, and again, as futile is it seems to keep banning IP's, it's the only way to stop infected machines from hammering your server, even after you've patched your software.

So I agree with you... there is no 100% protection from a talented hacker who is bent on breaking into your site. If you have no credit card, financial or personal information to be gained from such a break-in, then the only other reason this person would want in is because you pissed them off somehow...

Where I will respectfully disagree is that script kiddies are either talented or persistant enough to use proxies and spoofs to continue attacks even after security measures kick in. It is well documented that ALL hackers, whether pro or amatuer, won't usually spend more than a few attempts 'sniffing' around your site for obvious and easy entry points. This means that if at a minimum you make it clear that they will be awhile trying to get into your site, a huge majority of them will move on to an easier site. Making a site 100% hack-proof? Probably impossible... making your site at least challenging enough to discourage 99% of would-be foos? Entirely possible, and actually quite easy.

PHrEEk

Posted: Tue Feb 08, 2005 4:33 pm

Agreed phreek.

But how much PHP-Nuke users run OSCommerce, PayPal and similar ?

Posted: Tue Feb 08, 2005 5:10 pm

I think thats a real good point even the most basic paypal addon stores your paypal login info to manage transactions. Even if your not storing CC #'s at your site. I don't need much imagination to see how that could end up. Not to mention its common practice to run on a shared server where the access isn't always limited to your own webspace. Bring in the new generation of worms Eeek! Where's my teddy bear and blanky?

Site Admin/Owner Joined: Aug 27, 2002 Posts: 17088

Blocking the IP was never meant to be an all-in-all. You don't even have to spoof. Most are dynamic anyway so you hit and miss by deciding whether to ban 'x' number of octets. They are but one, albeit a weak one, tool in your arsenal. I can assure you of this - if/when they are using their PC and not a batch program and you have PC Killer installed, it will make them think twice about trying it again. IMO nuke sites are no more than practice/play grounds for the kids. A cheap thrill - a peep show. Some use it to find real exploits for both good and bad. Just as a skilled craftsman will have several screwdrivers in his toolchest for different situations, to remain as safe as you can you should use whatever counter measures you have at your disposal. But the basic one that everyone should use is the patching of the bad code as soon as a remedy is revealed. Although, that seems to be a never ending job!

Useless Joined: Aug 23, 2002 Posts: 213 Location: Chicago

Ok so what SHOULD a PHP-Nuke owner do to protect their site 100%? Smack

You think switching to CPGnuke is a good idea if someone wants to run a commercial website (eg: store or subscription)?
Wait, I don't think CPGnuke has any eCommerce add-on yet... DAMMIT!!!! Now I'll have to stick with the buggy, insecure and what not PHP-Nuke AKA "PUKE" according to CPGnuke admins. HitsFan

Posted: Wed Feb 09, 2005 7:50 am

I've all but givin up on some of the options out there.
osc2nuke is nice but they don't focus on one stable build long enough to do much good. Following the same path as XTC with an unstable public offering and a paid support version that isn't stable either.
nukecommerce is in a bit of a rut too I think.

I'd really like to use a osc cart in a nuke portal on a new site but it is almost more work then its worth. I've been testing and hacking away for a couple months off and on with osc2nuke74x but its still not running at a level I am comfortable with using for a live site.

GT slows it down considerably when there is live traffic. I'm going to shut off GT and caching and see if it will speed up any and work on caching some of the sql's maybe there is a sweet spot to be found. But even then I have to fix the switching of SSL so that it works as its sposed to. Hack in the contributions I need blah blah blah...

So today I'm going to give ZenCart another look and maybe just forget the nuke idea completely. Because this shouldn't be taking this much time just to decide if something is stable enough to use on a live site.

Posted: Wed Feb 09, 2005 8:06 am

Have you looked at WhoisCart?

Posted: Wed Feb 09, 2005 8:38 am

@Mesum: i don't know what you have against CPG-Nuke, and this topic wasn't about it at all.
Did you see me or someone else posting about it ?
If you don't have something usefull to say, then don't.

@Raven: I don't think only kiddies run and abuse php-nuke. I've seen pro websites from big companies running on modified versions of php-nuke and postnuke.
Never seen WhoisCart but it seems promising.

@six: ZenCart is making a turn in the core which makes it harder to integrate in PHP-Nuke.
I did keep a close eye on a team from several CMS's to built overall useable Zen classes, but it has died silently.

Posted: Wed Feb 09, 2005 8:54 am

DJ,

You misunderstood my comment. When i said that kids use it as a playground, I meant they use the product as a test/play bed. I wasn't implying that the product is only used by kids.

Posted: Wed Feb 09, 2005 10:43 am

Whoiscart has some really advanced features at an extrordinary price (wipe chin of drewl here) but it looks like its is geared towards selling hosting packages and electronic goods?

I'm not looking at putting out electronic goods for the site but actual widgets and whatgnots. Which why an osc base seemed the place to go for integrated shipping calculations ect... via USPS and UPS. Along with quickbooks exports for managment and so on.

Reason for considering a portal based site was the future expansion as a subscription site offering discounts and freebies to subscribed members, active authors and so on.

I'll probably wind up using osc2nuke7.4 but its going to be a lot of work but better then begining from scratch maybe. As long as we keep chatserv creating patches it will probably work out ok in the end.

Posted: Wed Feb 09, 2005 11:58 am

Dj, let me assure you that I have nothing against CPGnuke and I do recommend it to others whenever there is the right time, I don't know where you getting the vibe that I am against CPGnuke. On the other hand, I can prove that CPGNuke's admins have been putting down PHP-Nuke whenever they can and this is what I didn't understand that you made a post to PHP-Nuke users saying there are 0 ways to make their websites secure.

Anyways, I don't wanna trash this thread.
sixonetonoffun, I think the problem is that OSC not working well with PHP-Nuke is that it's a huge script as well and whenever a newer version comes out, *OSC-to-Nuke teams have to start from point A again. I could be wrong, just a thought on it.
The idea still stands in the middle of nowhere that should one implant eCommerce with ANY *Nuke or other open source project at all? There are 3 shopping carts that looked very promising but have either died out or got put on hold by the authors.
1: Burnwave's Emporium (Now back to NSN Cart)
2: CCPro by GuitarFiles.
3: AserShop by X-Prices but does not support online payment gateways.

As for subscription systems, there are 2 popular systems out already and one by Telli is in progress but none of them are free or open source. I ended up with one add-on that works with PHP-Nuke's default "subscription system" but not sure if it's worth anything as of right now maybe once we are done with the final version of YA, we can start working on it together and release it as GPL.

Posted: Wed Feb 09, 2005 12:00 pm

I just noticed my status "worker" this is funny, a jobless worker ROTFL

Posted: Wed Feb 09, 2005 1:13 pm

:::Grumbles something like an apology for hijacking the topic::: Thinking some opinions will be best kept to myself...

Posted: Wed Feb 09, 2005 3:42 pm

Maybe I spoke to soon about nukecommerce being in a rut [ Only registered users can see links on this board! Get registered or login! ]
will have to give that another look when its available.

Posted: Wed Feb 09, 2005 4:11 pm

Sorry mesum i probably misunderstood you.
d*** sometimes different languages does give issues, now if the whole world spoke dutch i could atleast understand it all Laughing

Ah niceone about nukecommerce, i'm looking forward to your answer on it six...