Ravens PHP Scripts: Forums
 

 

Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
superflash
Hangin' Around
Joined: Dec 06, 2004
Posts: 46
Posted: Mon Sep 04, 2006 1:07 pm

I have a Nuke 7.6 installation with Nuke Sentinel 2.4.2pl9 (which might not be installed properly), and someone put some long text in the footer section of my site, just before the "Page generated in 3.92 Seconds" and below the last "center block".

My question is, how did he get in and what should I look for?

Thanks in advance.

Regards.
gregexp
The Mouse Is Extension Of Arm
Joined: Feb 21, 2006
Posts: 1497
Location: In front of a screen....HELP! lol
Posted: Mon Sep 04, 2006 1:20 pm

Hmm, that's actually hard coded. I believe he uploaded a script and was able to manipulate the file contents. Does anyone have FTP accounts other than you? Does your server allow anonymous FTP, and do you have any other form of upload on your account? That means anywhere below the public_html.

_________________
For those who stand shall NEVER fall and those who fall shall RISE once more!!
superflash
Posted: Mon Sep 04, 2006 2:29 pm

Thank you darklord. I suppose that I'm the only one who knows my FTP user/password, unless someone has been able to guess it, but I don't think so. I do have an image upload script that can be viewed if you are an administrator, and I have 4 other administrators, and at least two of them said they use public PCs to access and publish their stuff. Since you said that may be hard coded, I'm guessing that might be where the fault is, although the uploader checks for the image file extension and puts the image in a specific folder, and I couldn't find any extraneous file there. How else could the intruder have got in? Thank you again for your time and help.
superflash
Posted: Mon Sep 04, 2006 2:33 pm

Update:

Ok, I found the intrusion in a database table: nuke_config

The intruder gained access to (at least) this table and changed the fields: foot1, foot2, foot3, and Copyright.

He also put himself in as Administrator God.

How did he do that?

Thanks in advance.

Another Update:

I had a "html.php" file in the root directory to handle some text. I just deleted it; could that have been the fault?
fkelly
Former Moderator in Good Standing
Joined: Aug 30, 2005
Posts: 3312
Location: near Albany NY
Posted: Mon Sep 04, 2006 3:03 pm

I'd suggest that you read through your server logs. If you can narrow down the time frame when this happened, that will help. If you can determine the IP address (perhaps of the new God Administrator), you can search on that in the logs too. He may have found a way to take advantage of your html.php file, especially if you had database access codes in there or something like that.

Sentinel can protect against intrusions through PHP-Nuke, but it can't really do much if they can get into your site through other means and change tables. You do want to make sure that Sentinel is installed correctly, though.

In terms of looking at logs, I've found it really helps if you download the logs for suspicious days into a text file that you can keep and look at using your favorite editor.
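Putting fkelly's log-reading advice into a small script, as an added example that is not part of the thread and not PHP-Nuke code: it reads a saved access log (a few constructed Apache combined-format lines stand in for the downloaded file here), keeps only the requests inside a suspected time window, optionally only from one IP, counts requests per address so the busiest unknown one stands out, and flags hits on scripts worth a closer look. The window, the suspect IP and the watched paths (admin.php, html.php) are assumptions for the example; a real run takes them from the site's own records.

```php
<?php
// Added example (not from the thread or PHP-Nuke): narrow a saved Apache
// combined-format access log to a suspected intrusion window and one IP.
// Assumptions: the log was downloaded to a text file; the window, the suspect
// IP and the watched paths are chosen by the site admin (constructed here).

// Constructed sample lines standing in for a downloaded access_log.
$sampleLog = <<<'LOG'
203.0.113.7 - - [04/Sep/2006:12:40:11 -0600] "GET /html.php HTTP/1.1" 200 5123 "-" "Mozilla/4.0"
198.51.100.23 - - [04/Sep/2006:12:41:02 -0600] "GET /index.php HTTP/1.1" 200 20412 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Sep/2006:12:42:39 -0600] "POST /admin.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
203.0.113.7 - - [04/Sep/2006:12:43:05 -0600] "GET /admin.php HTTP/1.1" 200 9870 "-" "Mozilla/4.0"
198.51.100.23 - - [04/Sep/2006:15:10:44 -0600] "GET /modules.php?name=Forums HTTP/1.1" 200 15001 "-" "Mozilla/5.0"
LOG;

// Parse one combined-format line into its useful fields, or null if it does not match.
function parseLogLine(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) /';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $time = DateTime::createFromFormat('d/M/Y:H:i:s O', $m[2]);
    if ($time === false) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $time, 'method' => $m[3], 'path' => $m[4], 'status' => (int) $m[5]];
}

// Keep entries inside [$from, $to], optionally only from $suspectIp, and mark
// requests whose path starts with one of the watched scripts.
function triage(string $log, DateTime $from, DateTime $to, ?string $suspectIp, array $watchPaths): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $e = parseLogLine($line);
        if ($e === null || $e['time'] < $from || $e['time'] > $to) {
            continue;
        }
        if ($suspectIp !== null && $e['ip'] !== $suspectIp) {
            continue;
        }
        $e['flagged'] = false;
        foreach ($watchPaths as $p) {
            if (stripos($e['path'], $p) === 0) {
                $e['flagged'] = true;
                break;
            }
        }
        $hits[] = $e;
    }
    return $hits;
}

// Requests per IP inside the window: the busiest unfamiliar address is the first lead.
function requestsPerIp(array $hits): array
{
    $counts = [];
    foreach ($hits as $e) {
        $counts[$e['ip']] = ($counts[$e['ip']] ?? 0) + 1;
    }
    arsort($counts);
    return $counts;
}

$tz   = new DateTimeZone('-06:00');                   // board times are GMT - 6
$from = new DateTime('2006-09-04 12:30:00', $tz);     // assumed window
$to   = new DateTime('2006-09-04 13:00:00', $tz);

foreach (requestsPerIp(triage($sampleLog, $from, $to, null, [])) as $ip => $n) {
    echo "$ip: $n requests in window\n";
}
echo "\n";
foreach (triage($sampleLog, $from, $to, '203.0.113.7', ['/admin.php', '/html.php']) as $e) {
    printf("%s %s %s %s %d%s\n", $e['time']->format('H:i:s'), $e['ip'], $e['method'],
        $e['path'], $e['status'], $e['flagged'] ? '  <-- check' : '');
}
```

Run it with the real downloaded file in place of `$sampleLog` (for instance `file_get_contents('access_log.txt')`); the first pass with no IP filter shows who was active in the window, the second pass narrows to one address and marks the admin and html.php requests that fkelly suggests tracing.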
superflash
Posted: Mon Sep 04, 2006 5:51 pm

Thank you fkelly. I checked with my web host and they said that the server logs are shared and are out of bounds for us users. It seems there isn't much I can do to locate the perpetrator. I really need to find out whether Sentinel is working or not; I might have something installed wrongly because I have done a lot of patching over and over. Thank you for taking the time to look into this.
fkelly
Posted: Mon Sep 04, 2006 6:42 pm

You really might consider another web host. I don't say that lightly, as I know what a pain it can be, but if you can't see your logs then you really are at a loss. There are many things in them that can help with diagnosing problems aside from just hacking attempts. If a file is missing, for instance, you will see messages there.

You said at the top of the thread that you have a Nuke 7.6 installation. I don't know if that means Ravennuke or not but you might consider Ravennuke if you haven't already. If you just have Nuke 7.6 you may not have all the patches you need in addition to Sentinel and in fact, if I'm not mistaken you need the patches to correctly install Sentinel.

If you install the current version of Ravennuke 2.02 you will be a little behind on Sentinel updates since 2.02 was released but the upgrade path is fairly straightforward. The upcoming release of RN (2.10) will also update Sentinel though specifics are not yet official (I don't think).

Just a second thought on the web host. They are really giving you a lot of hooey. For my production site I use Ipowerweb and they are about as brain dead as you are going to find yet you still have access to your own logs. For testing I use Ravenwebhosting and of course there you also have access to your logs. Both of these are "shared" servers running a number of sites.
superflash
Posted: Mon Sep 04, 2006 7:57 pm

Thank you fkelly. I also host on webmasters.com. I'm very comfortable with them and I have my business site there (www.deandastudios.com), but I haven't moved my other site precisely for the reason you said: all the pain it would be to do it. Besides, they have been very nice regarding their technical support. But as I see it, I really need the log access.

I have Raven Nuke 2.02.02 with the Sentinel patch up to version 2.4.2pl9, but all this is installed over several copies of old Nuke installations dating back to September 2002; that's why I usually have problems.

Best regards,

Eduardo.
montego
Site Admin
Joined: Aug 29, 2004
Posts: 9457
Location: Arizona
Posted: Tue Sep 05, 2006 6:23 am

I would place my bets on a Forums exploit (if you have not protected your modules/Forums/admin directory per several threads here) or your uploader script. Just because something is only accessible to admins, if it is not written to stop direct access to the scripts, exploits of individual scripts may still happen.

PHP-Nuke, or any other system, is only as good as its "weakest link".

_________________
Where Do YOU Stand?
HTML Newsletter::ShortLinks::Mailer::Downloads and more...
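One way an admin-only uploader can enforce what montego describes, and go beyond the extension check that superflash's uploader relies on, as an added example (not the thread's uploader and not PHP-Nuke's own code). It assumes the script is included from admin.php, which is taken to define a constant named ADMIN_FILE first (a hypothetical name for this example) and to have already verified the admin session; the upload directory path is likewise assumed. The script refuses direct requests, validates the file's content rather than only its name, discards the client-supplied filename, and expects the target directory to have script execution disabled.

```php
<?php
// Added example, not PHP-Nuke's code or the thread's uploader: checks an
// admin-only image uploader should make itself rather than assume.
// Assumptions (hypothetical): admin.php does define('ADMIN_FILE', true) before
// including this file and has already validated the admin session.

// 1. Refuse direct requests. A script that is only linked from the admin panel
//    is still reachable by URL unless it checks how it was loaded.
if (!defined('ADMIN_FILE')) {
    http_response_code(403);
    exit('Access denied');
}

// 2. Validate the content, not just the name. A renamed script passes an
//    extension check; getimagesize() must also recognise the claimed type.
function allowedImageExtension(string $tmpPath, string $originalName): ?string
{
    $allowed = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return null;
    }
    $info = @getimagesize($tmpPath);
    if ($info === false || $info['mime'] !== $allowed[$ext]) {
        return null;
    }
    return $ext;
}

// 3. Store under a random, server-chosen name so the client controls neither
//    the filename nor, via "../", the directory. Returns the stored name.
function storeImageUpload(array $file, string $destDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('No valid upload');
    }
    $ext = allowedImageExtension($file['tmp_name'], $file['name']);
    if ($ext === null) {
        throw new RuntimeException('Only JPEG, PNG or GIF images are accepted');
    }
    $name = bin2hex(random_bytes(8)) . '.' . $ext;
    $dest = rtrim($destDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store upload');
    }
    chmod($dest, 0644);   // readable, never executable
    return $name;
}

// 4. The upload directory itself should not run scripts even if a check above
//    were ever bypassed. Apache 2.2-style .htaccess placed in that directory
//    (assumes AllowOverride permits it; Apache 2.4 uses "Require all denied"):
//
//      <FilesMatch "\.(php|phtml|php3|php4|php5|pl|cgi)$">
//          Deny from all
//      </FilesMatch>
//      php_flag engine off

if (isset($_FILES['image'])) {
    try {
        $stored = storeImageUpload($_FILES['image'], __DIR__ . '/images/uploads');  // assumed path
        echo 'Stored as ' . htmlspecialchars($stored);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage());
    }
}
```

The four layers are independent: the direct-access guard covers the case montego raises, the content check covers a script renamed to .jpg, the random name and chmod keep the client from choosing where or as what the file lands, and the .htaccess means a file that somehow gets through still cannot execute.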
superflash
Posted: Tue Sep 05, 2006 9:57 am

A Forums exploit? I'll check into that, thank you montego! Regards.

Update: I took care of the admin folder following these instructions:
[link to the instructions visible only to registered users]

Thank you guys!
montego
Posted: Tue Sep 05, 2006 8:13 pm

BTW, regarding your host: if they are not going to give you the tools that you need to figure out how your site was exploited, then they need to do the work to figure out how. They are only opening themselves up for one hack to infiltrate other sites on the same server... Keep records of your correspondence with them, especially if they refuse to assist you. You may need that later... trust me...
superflash
Posted: Thu Sep 07, 2006 10:02 am

Great advice, I didn't think about that matter. I hope it doesn't get to that, but it's better to be prepared. Thank you.
 
Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours