Nuke Cops :: View topic - BRAND NEW ANTi-HACKER (Script Kiddie) PROTECTION!

El_Supremo
Sergeant
Joined: May 23, 2003
Posts: 126
Posted: Mon Mar 15, 2004 5:46 pm

I have just completed this evening, a simple pair of scripts that help safeguard against the devastating effects of script kiddies.

3 months ago, terrible irreparable damage was done to my server by a hacker who replaced all the code in every single file named index.* on my server.

I had to get the server completely reset as not only the website files were over-written, but many important files to do with the virtual hosting control panel.

So this is my solution.

For every directory on your server where there exists a file called index.* it will be copied to a file called name_chosen_by_you.* in the same directory.

Now obviously if everybody used the same name for the copied files, the hackers would be on to it in a flash and soon write the file name into their damaging scripts. For this reason, everybody who uses the script must set a variable called $newfile to an inconspicuous name.

e.g: suppose you set the variable $newfile to old_texts

then the files

/var/www/html/index.php
/var/www/html/modules/forums/index.php
/var/www/html/bobs/index.html
/var/www/html/sue/index.shtml

would be copied to

/var/www/html/old_texts.php
/var/www/html/modules/forums/old_texts.php
/var/www/html/bobs/old_texts.html
/var/www/html/sue/old_texts.shtml

and it should preserve the appropriate permissions, ownership and group as it uses cp -p

Should a hacker break in to deface your index files, he probably wouldn't notice or bother with files named old_texts.php

So, he defaces all your index files, including some heavily modified ones.

No problem, repair your server and websites in a jiffy by running unxedni.sh
It will delete all the corrupted index.* files and restore them from your backup old_texts.* files.

I hope people find this very useful. Please don't hesitate to ask questions or comment.

The files are here:

http://www.nukecops.com/uploads/El_Supremo/xedni.zip

Please read the instructions in the script very carefully as I won't take any responsibility if you screw up. They are very simple, unbuggy shell scripts that are very easy to use ... if you follow the instructions!

The first time you run it, ignore any error messages - they are just because the program is trying to delete any old backup files before making new ones - obviously the first time it is run, there is nothing to delete :) It was easier for me than testing whether they existed before deletion.

I would also recommend renaming the scripts and the directory they reside in to same name as you use for the variable $newfile.

Best of luck, I hope this helps save a few people from the heartbreaking experience I have had!

_________________
Who does number two work for?

Last edited by El_Supremo on Tue Mar 16, 2004 7:26 am; edited 1 time in total
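
The backup-and-restore procedure described in the post above, sketched as an added example; this is not El_Supremo's xedni.sh or unxedni.sh, and the function names and the `NEWFILE` variable (standing in for the post's `$newfile`) are assumptions. It goes slightly beyond the description: restore overwrites only index files that are missing or differ from their copy and lists them, instead of deleting every index.* first.

```shell
#!/bin/sh
# Added illustration; not the xedni.sh / unxedni.sh scripts from the post.
# NEWFILE stands in for the post's $newfile; function names are hypothetical.
NEWFILE=${NEWFILE:-old_texts}
export NEWFILE

# Copy every index.<ext> under $1 to $NEWFILE.<ext> in the same directory.
# cp -p keeps mode and timestamps, plus owner and group when run as root.
# Existing copies are overwritten, so a first run has nothing to delete.
# Prints each file backed up.
backup_indexes() {
    find "$1" -type f -name 'index.*' -exec sh -c '
        for f do
            dir=${f%/*}; base=${f##*/}
            cp -p "$f" "$dir/$NEWFILE.${base#index.}" && printf "%s\n" "$f"
        done' sh {} +
}

# Put back every index.<ext> that is missing or differs from its copy.
# Prints each file restored, which doubles as a list of what was altered.
restore_indexes() {
    find "$1" -type f -name "$NEWFILE.*" -exec sh -c '
        for b do
            dir=${b%/*}; base=${b##*/}
            target="$dir/index.${base#"$NEWFILE".}"
            if ! cmp -s "$b" "$target" 2>/dev/null; then
                cp -p "$b" "$target" && printf "%s\n" "$target"
            fi
        done' sh {} +
}

# Constructed demo: build a small tree, back it up, overwrite one index
# file and delete another, then restore. Run as: sh script.sh demo
demo() {
    d=$(mktemp -d) && mkdir -p "$d/modules/forums" "$d/bobs"
    echo '<?php /* home */'   > "$d/index.php"
    echo '<?php /* forums */' > "$d/modules/forums/index.php"
    echo '<html>bob</html>'   > "$d/bobs/index.html"
    backup_indexes "$d" >/dev/null
    echo 'overwritten' > "$d/index.php"
    rm "$d/bobs/index.html"
    restore_indexes "$d" | sort
    rm -rf "$d"
}
if [ "${1:-}" = demo ]; then demo; fi
```

The copies sit in the same directories with the same ownership as the originals, so anything able to rewrite index.* can rewrite them as well; a copy kept off the host covers that case.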

Daniel-cmw
Site Admin
Joined: Mar 02, 2003
Posts: 1662
Location: The UK!
Posted: Tue Mar 16, 2004 1:35 am

Very well done and a nice idea.

_________________
Read Me

Mesum
Support Staff
Joined: Mar 11, 2003
Posts: 842
Location: Chicago
Posted: Tue Mar 16, 2004 5:49 am

Me gotta try this.

_________________
Only FREE Dating site for Desis.

El_Supremo
Sergeant
Joined: May 23, 2003
Posts: 126
Posted: Tue Mar 16, 2004 7:09 am

Thanks, I had to think long and hard over whether to release it at all if you know what I mean! People who download this script, should only download it from here and they should always check the code for themselves before executing it and make sure they understand what it will do as there is a potential for this code to be modified and distributed as a trojan.

_________________
Who does number two work for?

Last edited by El_Supremo on Tue Mar 16, 2004 7:28 am; edited 1 time in total

DaveTomneyUK
Lieutenant
Joined: Sep 03, 2003
Posts: 162
Location: UK, England
Posted: Tue Mar 16, 2004 7:19 am

Hmmmm... Good work supremo, Works fine for me. Cheers

serff
Nuke Cadet
Joined: Feb 20, 2004
Posts: 9
Location: Denver
Posted: Tue Mar 16, 2004 7:38 am

This is a good idea...but wouldn't it be a better idea to figure out how they are getting in and corrupting all your files? Is this a known exploit in apache or something? I would rather prevent this from happening than just saying "oh well, it happened for the 20th time, copy the files over again..." Just wanted to know if anyone knows the source of the problem...

Thanks for the scripts though!

El_Supremo
Sergeant
Joined: May 23, 2003
Posts: 126
Posted: Tue Mar 16, 2004 7:49 am

Oh don't worry, I agree with you absolutely and I have tightened my security considerably since I was hacked.
In my case there were two factors which contributed to my downfall.

1) I had taken my Firewall down for some routine maintenance and forgotten to switch it back on.

2) I had safe-mode disabled globally. I now only have it disabled locally for my nuke site by use of php .htaccess directives.

I still find it reassuring to have this last resort in place, just in case they find a new way in.

Security all the way!

_________________
Who does number two work for?

Jeruvy
Lieutenant
Joined: Jul 09, 2003
Posts: 293
Posted: Wed Mar 17, 2004 11:23 am

I have to wonder about this.

Most index changes are defacements used to 'sign' the work of the hacker/group.

Your infection has nothing to do with the index.* whatsoever. If the hacker can get your password hash, decrypt it, and then go to the web site like ANY user and login, voila.

I don't see how this will affect the infection.

_________________
J.
j e r u v y a t y a h o o d o t c o m

El_Supremo
Sergeant
Joined: May 23, 2003
Posts: 126
Posted: Wed Mar 17, 2004 11:48 am

My infection is history - if you read through this thread thoroughly, you will see that my breach was caused by momentarily letting my guard down. If I had had this script operational before that mass defacement took place, I could have undone the 10,000 or so index file changes made by the hacker in about two minutes and saved myself a server rebuild.

This is not a prescription or a firewall, merely a useful tool that might just help if the worst were to ever happen again. It is probably not suitable for everyone who runs a nuke site, just webhosts or those that run their own dedicated servers.

_________________
Who does number two work for?

Last edited by El_Supremo on Wed Mar 17, 2004 2:39 pm; edited 1 time in total

Jeruvy
Lieutenant
Joined: Jul 09, 2003
Posts: 293
Posted: Wed Mar 17, 2004 11:53 am

I'm not saying your method isn't worthy, I'm saying that it's not security through prevention, it's security through "oops, I screwed up, so hopefully this will work".

Sorry I am taking this stance based on your subject line that this is some kind of protection. I think we both agree that isn't true.

That's all.

_________________
J.
j e r u v y a t y a h o o d o t c o m

El_Supremo
Sergeant
Joined: May 23, 2003
Posts: 126
Posted: Wed Mar 17, 2004 12:32 pm

Whatever dude

_________________
Who does number two work for?

MissVicky
Private
Joined: Jan 07, 2004
Posts: 45
Posted: Mon Mar 22, 2004 10:17 pm

I think it 'IS' security ...

Just like backing up your computer hard drive is data security. This is a great idea and I really appreciate your sharing it with us.

All the Best To You!
Miss Vicky

nukelover
Sergeant
Joined: Dec 28, 2003
Posts: 87
Posted: Tue Mar 23, 2004 1:56 am

Hi,
I'm very much a newbie, so sorry if my question is stupid. If someone hacks my site, he only hacks my files on the host server but not on my PC, right? So if they hack, for example, my index.php, isn't it possible for me to upload my clean index.php or something?
Regards

EscortCossie
Lieutenant
Joined: Feb 21, 2004
Posts: 235
Location: Stavanger, Norway
Posted: Tue Mar 23, 2004 2:21 am

Hmm.. this might seem like a stupid question..

But where do I run the script? If I try to run it on my server, a box pops up that asks if I would like to save the file... how do I run the file directly on my server?

Do I need to change the ending to something else? .sh to .**?

_________________
Visit the Ford Escort Portal >> EscortPower.net!

EscortCossie
Lieutenant
Joined: Feb 21, 2004
Posts: 235
Location: Stavanger, Norway
Posted: Tue Mar 23, 2004 4:16 pm

Anyone? I would really like to get this working as I already have been hacked this way before :(

_________________
Visit the Ford Escort Portal >> EscortPower.net!