You are missing our premiere tool bar navigation system! Register and use it for FREE!


Author: madmanPostPosted: Fri Aug 06, 2004 1:46 pm    Post subject: Re: (trick) How to "hide" your admin.php file?

NukeCops  
•  Home •  Downloads •  Gallery •  Your Account •  Forums • 

Author: HajdukPostPosted: Wed Aug 04, 2004 11:52 pm    Post subject:

Ok, you hide your admin file and I will find it within 5 mins. Rename it, htaccess it, move it, chmod it.

And even still, hacking Nuke can be done throughout the whole system not just the admin file.

Author: madmanPostPosted: Thu Aug 05, 2004 1:50 pm    Post subject: Re: (trick) How to "hide" your admin.php file?

This trick doesn't rename/move admin.php elsewhere.
Someone need glasses here. Cool

Author: d0d0lsLocation: IndonesiaPostPosted: Fri Aug 06, 2004 11:54 am    Post subject: Re: (trick) How to "hide" your admin.php file?

I try your suggestion

Readme First
- Readme First! -

Read and follow the rules, otherwise your posts will be closed
Modules
· Home
· FAQ
· Buy a Theme
· Advertising
· AvantGo
· Bookmarks
· Columbia
· Community
· Donations
· Downloads
· Feedback
· Forums
· PHP-Nuke HOWTO
· Private Messages
· Search
· Statistics
· Stories Archive
· Submit News
· Surveys
· Theme Gallery
· Top
· Topics
· Your Account
Who's Online
There are currently, 159 guest(s) and 0 member(s) that are online.

You are Anonymous user. You can register for free by clicking here
Nuke Cops :: View topic - (trick) How to "hide" your admin.php file? (trick) How to "hide" your admin.php file?
Goto page 1, 2  Next  :| |:
Nuke Cops -> Nuke Security

Author: madman PostPosted: Fri Jul 30, 2004 2:51 pm    Post subject: (trick) How to "hide" your admin.php file?

Prolog

This is a trick to "hide" PHP-Nuke admin.php file and preventing unauthorized access to PHP-Nuke administration panel. The scenario is, even someone got your admin username and MD5 password, they'll have no idea to find admin.php file. This trick requires PHP-Nuke running under Apache web server and configured to allow .htaccess overrides (AllowOverride settings in main Apache .conf file). In addition, mod-rewrite module must be enable in Apache configuration.

Before you go, backup original admin.php file on your PHP-Nuke root directory. For example, rename admin.php into admin_backup.php or whatever. If exists, also backup/rename existing .htaccess file stored in PHP-Nuke root directory.

Ok, now let's begin.

First, you need to modify admin.php file. Append these lines at the beginning of your admin.php. Because admin.php may vary among PHP-Nuke version, usually you may append the code below either after PHP start tag (<?php), before $checkurl = $_SERVER['REQUEST_URI']; line, or before require_once("mainfile.php"); line. Here the "template" code:

Code:
$admin_pass_cname  = "admin_pass";
$admin_pass_cvalue = "whatever";
$admin_pass_env    = 0;
if (isset($_SERVER['ADMIN_PT']) && ($_SERVER['ADMIN_PT'] == 1)) $admin_pass_env = 1;
if (isset($_SERVER['REDIRECT_ADMIN_PT']) && ($_SERVER['REDIRECT_ADMIN_PT'] == 1)) $admin_pass_env = 1;
if ($admin_pass_env == 1) { setcookie($admin_pass_cname, $admin_pass_cvalue, time()+86400); }
unset($admin_pass_cname);
unset($admin_pass_cvalue);
unset($admin_pass_env);


Second, you need to create (or modify) .htaccess file in your PHP-Nuke root dir, and then put these identifiers:

Code:
<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteCond %{SCRIPT_FILENAME} ^.*/admin.php.*$ [NC]
  RewriteCond %{HTTP_COOKIE} !^.*admin_pass=whatever.*$ [NC]
  RewriteRule ^.*$ - [G,L]
  RewriteCond %{SCRIPT_FILENAME} ^.*/newadmin.php$
  RewriteRule ^.*$ admin.php [env=ADMIN_PT:1]
</IfModule>


Third, you need to change all default values/signals in this trick. This is necessary otherwise your admin.php access no longer secure since everyone else also read this article. These are default values/signals on both files above:

ADMIN_PT
This is a signal for access validity and stored as server variable. In common situations, you no need to change this string but if this is the case then you should change it on both admin.php and .htaccess files. As noticed in admin.php insertion code, there are two ADMIN_PT variable checkings, one is ADMIN_PT itself and another is the clone, REDIRECT_ADMIN_PT. You can safely change ADMIN_PT string but do not alter "REDIRECT_" string since it is a default behavior in Apache server. Consider to use search/replace function on your text editor to change this string from both code above.

admin_pass
This is a string that will be stored as cookie name (key pair). If you in doubt to change this string, be sure to use only native letters (A-Z, a-z) and underscores. The .htaccess instertion code above treat this string as case insensitive. Consider to use search/replace function on your text editor to change this string from both code above.

whatever
This is a string that will be stored as cookie value (value pair). If you in doubt to change this string, be sure to use only native letters (A-Z, a-z), numbers (0-9), and underscores. The .htaccess instertion code above treat this string as case insensitive. Consider to use search/replace function on your text editor to change this string from both code above.

newadmin.php
This string only appear once in .htaccess insertion code. This will be used as "virtual" admin.php call replacement and doesn't have to be exists in your actual PHP-Nuke root directory. If you in doubt to change this string, be sure to use only native letters (A-Z, a-z), numbers (0-9), and underscores, followed by file extension. The extension doesn't have to be restricted only to .php, but you may experimenting with another extensions.

Cookie expiration time
By default, cookie will be expire within 24 hours after first login. The expiration value is defined in admin.php insertion code above as 86400 seconds (60 seconds x 60 minutes x 24 hours = 86400 seconds, does this ringing the bells on you?). You may modify this value for your own needs. Consider to set this value as small as possible, depend on how long you usually taken to administering your own site.

Ok, at this point you've done with the setups. Now you need to know how this thing works and proper procedures on how to login to your PHP-Nuke administration menu. On every first login, you'll need to call "virtual" admin script from the browser (default is newadmin.php as noted above). During the call, it will setup server variable to trigger cookie storing code. If cookie already stored, any call to admin.php will be considered valid, until the cookie itself expires.


An alternative
This is an alternative trick without altering actual admin.php file. The difference is, storing the cookie are handled from .htaccess file as well and no need additional code to be inserted into admin.php file. However, this trick may not work with most common Apache version and configuration. If you get Internal Server error, stop from using it. The only thing to do is by putting this code into .htaccess file in PHP-Nuke root directory:

Code:
<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteCond %{SCRIPT_FILENAME} ^.*/admin.php.*$ [NC]
  RewriteCond %{HTTP_COOKIE} !^.*admin_pass=whatever.*$ [NC]
  RewriteRule ^.*$ - [G,L]
  RewriteCond %{SCRIPT_FILENAME} ^.*/newadmin.php$
  RewriteRule ^.*$ admin.php [CO=admin_pass:whatever:{DOMAIN}:1440:/]
</IfModule>


Change {DOMAIN} string above with your actual domain, e.g. example.com (without www prefix). If you running under subdomain, put them instead e.g. home.example.com (without any prefix). If you get 500 Internal Server Error message, indicate that your Apache/mod-rewrite does not support cookie set through RewriteRule flag.


Does this trick always works?
It may not work on specific Apache configuration, especially if your site is hosted using host management software (Plesk, cPanel, Ensim, etc). I has few problems working with .htaccess under Ensim management panel, but in contrast I never had any problems under Plesk. I'm not so sure with cPanel since I never use it. It also may or may not work with Apache configured as virtual host mapping, you need to do some experiments with it. This trick always work on my local server, either with Apache version 1.x or version 2.x with all requirements accomplished (allowoverride, mod-rewrite).


Why Cookie?
You can use PHP session to replace cookie, but you'll need longer code. You can also combining them both for additional security. Additionally, some tricks using Javascript can also be used for client-side security scripting consideration. Javascript is very powerfull againts bots (non-human controlled) hack engine.


Is this trick work if Admin Secure installed?
Yes or no. If you enable Auth Login (HTTP Authentification) in Admin Secure configuration panel, it may (or may not) conflict with the trick describes here. If you want to apply this trick in the companion of Admin Secure installation, do it with your own risk.


What is .htaccess file?
This is an Apache special file to control common HTTP requests, usually resides in www directories. This file work per directory basis and can override Apache default settings. This file also provides mechanisms to communicate with Apache modules to perform specific tasks. Consult to your Apache manual or visit Apache Website for more information.
Code:
<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteCond %{SCRIPT_FILENAME} ^.*/admin.php.*$ [NC]
  RewriteCond %{HTTP_COOKIE} !^.*admin_pass=whatever.*$ [NC]
  RewriteRule ^.*$ - [G,L]
  RewriteCond %{SCRIPT_FILENAME} ^.*/newadmin.php$
  RewriteRule ^.*$ admin.php [CO=admin_pass:whatever:{DOMAIN}:1440:/]
</IfModule>


And i check the error log at my site it show like this

Quote:
[Fri Aug 6 15:48:08 2004] [alert] [client 202.155.150.16] /home/dbests/public_html/.htaccess: RewriteRule: unknown flag 'CO'\n
[Fri Aug 6 15:48:08 2004] [alert] [client 202.155.150.16] /home/dbests/public_html/.htaccess: RewriteRule: unknown flag 'CO'\n
[Fri Aug 6 15:48:06 2004] [alert] [client 202.159.50.103] /home/dbests/public_html/.htaccess: RewriteRule: unknown flag 'CO'\n
[Fri Aug 6 15:48:06 2004] [alert] [client 202.159.50.103] /home/dbests/public_html/.htaccess: RewriteRule: unknown flag 'CO'\n
[Fri Aug 6 15:47:52 2004] [alert] [client 202.159.50.103] /home/dbests/public_html/.htaccess: RewriteRule: unknown flag 'CO'\n
[Fri Aug 6 15:47:52 2004] [alert] [client 202.159.50.103] /home/dbests/public_html/.htaccess: RewriteRule: unknown flag 'CO'\n
[Fri Aug 6 15:47:50 2004] [alert] [client 202.155.150.16] /home/dbests/public_html/.htaccess: RewriteRule: unknown flag 'CO'\n
[Fri Aug 6 15:47:50 2004] [alert] [client 202.155.150.16] /home/dbests/public_html/.htaccess: RewriteRule: unknown flag 'CO'\n
[Fri Aug 6 15:47:26 2004] [alert] [client 202.159.50.103] /home/dbests/public_html/.htaccess: RewriteRule: unknown flag 'CO'\n
[Fri Aug 6 15:47:26 2004] [alert] [client 202.159.50.103] /home/dbests/public_html/.htaccess: RewriteRule: unknown flag 'CO'\n
[Fri Aug 6 15:47:12 2004] [alert] [client 202.159.50.103] /home/dbests/public_html/.htaccess: RewriteRule: unknown flag 'CO'\n
[Fri Aug 6 15:47:12 2004] [alert] [client 202.159.50.103] /home/dbests/public_html/.htaccess: RewriteRule: unknown flag 'CO'\n
[Fri Aug 6 15:46:50 2004] [alert] [client 202.159.50.103] /home/dbests/public_html/.htaccess: RewriteRule: unknown flag 'CO'\n
[Fri Aug 6 15:46:50 2004] [alert] [client 202.159.50.103] /home/dbests/public_html/.htaccess: RewriteRule: unknown flag 'CO'\n
[Fri Aug 6 15:46:42 2004] [alert] [client 202.159.50.103] /home/dbests/public_html/.htaccess: RewriteRule: unknown flag 'CO'\n
[Fri Aug 6 15:46:42 2004] [alert] [client 202.159.50.103] /home/dbests/public_html/.htaccess: RewriteRule: unknown flag 'CO'\n
[Fri Aug 6 15:37:36 2004] [alert] [client 202.146.253.4] /home/dbests/public_html/.htaccess: RewriteRule: unknown flag 'CO'\n
[Fri Aug 6 15:37:36 2004] [alert] [client 202.146.253.4] /home/dbests/public_html/.htaccess: RewriteRule: unknown flag 'CO'\n
[Fri Aug 6 15:37:33 2004] [alert] [client 202.146.253.4] /home/dbests/public_html/.htaccess: RewriteRule: unknown flag 'CO'\n
[Fri Aug 6 15:37:33 2004] [alert] [client 202.146.253.4] /home/dbests/public_html/.htaccess: RewriteRule: unknown flag 'CO'\n


Is this normal or the script is not work at my server by the way I using a cPanel

Thanks for your helpmy site just been added a GOD ADMIN
d0d0ls wrote:
Is this normal or the script is not work at my server by the way I using a cPanel

That mean Apache on your server does not support cookie through rewrite flag. I re-quote the warning notes for this alternative:
Quote:
However, this trick may not work with most common Apache version and configuration. If you get Internal Server error, stop from using it.

You'll have to use the main trick. Smile

Author: d0d0lsLocation: Indonesia PostPosted: Fri Aug 06, 2004 5:59 pm    Post subject: Re: (trick) How to "hide" your admin.php file?

Thanks MadMan The reason I use the second one cause is not to confusing me and my bad english and bad programing knowlaedge

I will try your first 1

Thanks and Peace

Author: Hajduk PostPosted: Sun Aug 08, 2004 11:39 pm    Post subject: Re: (trick) How to "hide" your admin.php file?

So why did my post get removed?

Author: madman PostPosted: Mon Aug 09, 2004 12:41 pm    Post subject: Re: (trick) How to "hide" your admin.php file?

Hajduk wrote:
So why did my post get removed?

Split them to another topic: http://www.nukecops.com/postt32676.html
Posts that not related to the topic was moved.

Author: marius26Location: Great Britain PostPosted: Sat Apr 23, 2005 5:28 am    Post subject: Re: (trick) How to "hide" your admin.php file?

Quote:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{SCRIPT_FILENAME} ^.*/admin.php.*$ [NC]
RewriteCond %{HTTP_COOKIE} !^.*admin_pass=whatever.*$ [NC]
RewriteRule ^.*$ - [G,L]
RewriteCond %{SCRIPT_FILENAME} ^.*/newadmin.php$
RewriteRule ^.*$ admin.php [CO=admin_pass:whatever:{DOMAIN}:1440:/]
</IfModule>


i would like to know why you included port: 1440 into this file. explain yourself.


Last edited by marius26 on Sun Jun 17, 2007 1:48 pm; edited 1 time in total

Author: ishadami PostPosted: Mon Aug 01, 2005 4:17 am    Post subject: Re: (trick) How to "hide" your admin.php file?

hi i am new at both php nuke and this site
i like phpnkue so much but it has lots of security problems
i want to add code here which bloks to access admin.php except the real admin
* i add this code here for two reasons
1. i wonder is it really works as i thought
2. if work everybody can use it
open admin.php
after <?php
add this:
Code:
$ip = "my-ip";
if($ip != $_SERVER['REMOTE_ADDR']) {
Header("Location: index.php");
exit;
}


Author: marius26Location: Great Britain PostPosted: Mon Aug 01, 2005 9:53 am    Post subject: Re: (trick) How to "hide" your admin.php file?

[quote="d0d0ls"]I try your suggestion

Code:
<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteCond %{SCRIPT_FILENAME} ^.*/admin.php.*$ [NC]
  RewriteCond %{HTTP_COOKIE} !^.*admin_pass=whatever.*$ [NC]
  RewriteRule ^.*$ - [G,L]
  RewriteCond %{SCRIPT_FILENAME} ^.*/newadmin.php$
  RewriteRule ^.*$ admin.php [CO=admin_pass:whatever:{DOMAIN}:1440:/]
</IfModule>


i would like to know why is port 1440 needed? cause i personaly dont think its needed.

Author: Legno_Genova PostPosted: Wed Oct 25, 2006 6:07 am    Post subject:

Is it always better to hide it?

Author: Evaders99 PostPosted: Wed Oct 25, 2006 6:19 am    Post subject:

It is a pretty good security trick, security through obscurity. Doesn't mean you should slack by not keeping up with patches though

Author: sahoLocation: Turkey PostPosted: Tue Jun 26, 2007 4:09 pm    Post subject:

change name admin file this better

Author: 38super PostPosted: Wed Jan 16, 2008 6:02 am    Post subject:

i'm new to phpnuke and such. would just deleting the admin.php file, then uploading it when your wanting to change something work?

i'm talking about a small site here.



Nuke Cops -> Nuke Security

All times are GMT - 8 Hours

Goto page 1, 2  Next  :| |:
Page 1 of 2

Powered by phpBB © 2001,2002 phpBB Group
Powered by TOGETHER TEAM srl ITALY http://www.togetherteam.it - DONDELEO E-COMMERCE http://www.DonDeLeo.com - TUTTISU E-COMMERCE http://www.tuttisu.it
Web site engine's code is Copyright © 2002 by PHP-Nuke. All Rights Reserved. PHP-Nuke is Free Software released under the GNU/GPL license.
Page Generation: 0.397 Seconds - 361 pages served in past 5 minutes. Nuke Cops Founded by Paul Laudanski (Zhen-Xjell)
added by Evaders - DO NOT REMOVE
:: FI Theme :: PHP-Nuke theme by coldblooded (www.nukemods.com) ::