Could someone please tell me what is going on? Someone hacked into my server and posted some anti war crap with the message WE OWN YOU - IRONIC BOYZ
Today I upgraded from 6.0 to 6.5. I went into the admin folder to copy the 6.5 files and found an index.php file inside my admin folder that was never there before; of course I deleted it right away.
I'm so pissed I feel like deleting phpnuke and calling it a day. How did they do it and how can I prevent it from happening again? I read NukeStyles' post and I feel the same way. It took me hours on top of hours to build my website, and now some knucklehead jerks came along just to screw it up.
chatserv General
Joined: Jan 12, 2003
Posts: 3128
Location: Puerto Rico
Posted:
Wed Apr 02, 2003 12:05 pm
Nuke 6.5 includes a patch for the story hack. As an additional step, make sure all folders are chmod to 755 and not 777, and files to 664 and not 666.
_________________ Feed a man a fish and you feed him for a day. Teach a man to fish and you feed him for a lifetime.
ScriptHeaven | NukeResources
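An added example (not part of chatserv's post or of PHP-Nuke): a shell script that lists world-writable entries under a web root, resets directories to 755 and files to 664 as advised above, and lists recently modified PHP files for comparison against a clean release. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a web root for the loose modes named in the thread
# (777 directories, 666 files) and reset them to 755 / 664.
# All function names and the sample tree are constructed, not PHP-Nuke's.

# Print every file or directory that is writable by "other".
list_world_writable() {
    find "$1" \( -type d -o -type f \) -perm -0002 -print
}

# Number of world-writable entries under the given root.
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d '[:space:]'
}

# Directories to 755, regular files to 664. find does not follow
# symlinks here, so link targets outside the root are left untouched.
tighten_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 664 {} +
}

# PHP files modified within the last $2 days: candidates to compare with
# a clean copy of the release (e.g. an unexpected admin/index.php).
recent_php() {
    find "$1" -type f -name '*.php' -mtime "-$2" -print
}

# Constructed sample tree standing in for an install; prints its path.
build_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/admin" "$root/modules" "$root/images/reviews"
    : > "$root/mainfile.php"; : > "$root/admin/index.php"
    : > "$root/modules/old.php"
    touch -t 200301010000 "$root/modules/old.php"   # backdate one file
    chmod -R go-w "$root"                           # known starting state
    chmod 777 "$root/admin" "$root/images/reviews"
    chmod 666 "$root/mainfile.php"
    printf '%s\n' "$root"
}

# Run as "sh script.sh demo" to see the before/after counts.
if [ "${1:-}" = "demo" ]; then
    r=$(build_sample_tree)
    echo "before: $(count_world_writable "$r") world-writable"
    tighten_perms "$r"
    echo "after:  $(count_world_writable "$r") world-writable"
    recent_php "$r" 1
    rm -rf "$r"
fi
```
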
foxyfemfem Support Staff
Joined: Jan 23, 2003
Posts: 668
Location: USA
Posted:
Wed Apr 02, 2003 12:28 pm
I'm changing my folders & files permissions. I found this module.php file in my module folder. This is what those jerks are using. I wish I had kept that index.php file to show you what they are using.
Code:
<?php
/************************************************************************/
/* PHP-NUKE: Advanced Content Management System */
/* ============================================ */
/* */
/* Copyright (c) 2002 by Francisco Burzi */
/* http://phpnuke.org */
/* */
/* This program is free software. You can redistribute it and/or modify */
/* it under the terms of the GNU General Public License as published by */
/* the Free Software Foundation; either version 2 of the License. */
/************************************************************************/
require_once("mainfile.php");
$module = 1;
if (isset($name)) {
    $result = sql_query("select active, view from ".$prefix."_modules where title='$name'", $dbi);
    list($mod_active, $view) = sql_fetch_row($result, $dbi);
    if (($mod_active == 1) OR ($mod_active == 0 AND is_admin($admin))) {
        if (!isset($mop)) { $mop="modload"; }
        if (!isset($file)) { $file="index"; }
        if (ereg("\.\.",$name) || ereg("\.\.",$file)) {
            echo "You are so cool...";
        } else {
            $ThemeSel = get_theme();
            if (file_exists("themes/$ThemeSel/modules/$name/$file.php")) {
                $modpath = "themes/$ThemeSel/";
            }
            if ($view == 0) {
                $modpath .= "modules/$name/$file.php";
                if (file_exists($modpath)) {
                    include($modpath);
                } else {
                    die ("Sorry, such file doesn't exist...");
                }
            }
            if ($view == 1 AND is_user($user) || is_admin($admin)) {
                $modpath .= "modules/$name/$file.php";
                if (file_exists($modpath)) {
                    include($modpath);
                } else {
                    die ("Sorry, such file doesn't exist...");
                }
            } elseif ($view == 1 AND !is_user($user) || !is_admin($admin)) {
                $pagetitle = "- "._ACCESSDENIED."";
                include("header.php");
                title("$sitename: "._ACCESSDENIED."");
                OpenTable();
                echo "<center><b>"._RESTRICTEDAREA."</b><br><br>"
                    .""._MODULEUSERS.""
                    .""._GOBACK."";
                CloseTable();
                include("footer.php");
                die();
            }
            if ($view == 2 AND is_admin($admin)) {
                $modpath .= "modules/$name/$file.php";
                if (file_exists($modpath)) {
                    include($modpath);
                } else {
                    die ("Sorry, such file doesn't exist...");
                }
            } elseif ($view == 2 AND !is_admin($admin)) {
                $pagetitle = "- "._ACCESSDENIED."";
                include("header.php");
                title("$sitename: "._ACCESSDENIED."");
                OpenTable();
                echo "<center><b>"._RESTRICTEDAREA."</b><br><br>"
                    .""._MODULESADMINS.""
                    .""._GOBACK."";
                CloseTable();
                include("footer.php");
                die();
            }
        }
    } else {
        include("header.php");
        OpenTable();
        echo "<center>"._MODULENOTACTIVE."<br><br>"
            .""._GOBACK."</center>";
        CloseTable();
        include("footer.php");
    }
} else {
    die ("Sorry, you can't access this file directly...");
}
?>
DeepThought Nuke Cadet
Joined: Apr 11, 2003
Posts: 2
Location: Kiel, Germany
Posted:
Fri Apr 11, 2003 10:58 am
They hacked my site last night too.
They also renamed the 'index.html' in images/reviews to '666'.
foxyfemfem Support Staff
Joined: Jan 23, 2003
Posts: 668
Location: USA
Posted:
Fri Apr 11, 2003 12:02 pm
Hello,
Take the advice that Chatserv gave me. Change your folders to 755 & files to 664. The moment I discovered it (within hours) I contacted my host about the situation, and they ran an SQL repair on my database.
I think you should do the same: contact your host so they can repair your database.
DeepThought Nuke Cadet
Joined: Apr 11, 2003
Posts: 2
Location: Kiel, Germany
Posted:
Sat Apr 12, 2003 10:17 am
Thanks for your hints. I've changed all attributes as you described. Therefore my database is OK; there's nothing to do for my host.
These gangsters have only changed the headline of the first article and added a JavaScript for forwarding to their site. There's no more damage, thank God.
Does anyone know a good-minded hacker to kick their asses to the moon?