Nuke Cops :: View topic - Still got hacked
XenoMorpH
Lieutenant
Joined: Aug 24, 2003
Posts: 187
Location: Coevorden, Netherlands
Posted: Sat Nov 05, 2005 2:24 am

Hey all,
I'm admin on a friend's site, and I'm getting hacked constantly.
I'm using the nuke 7.6 patched 3.1 and the latest sentinel version, I have enabled .staccess / .htaccess feature with double login. And the hacker still gets into the admin area and changes the preferences....

Any other ideas of security, cuz I'm getting pissed off

_________________
http://www.tdi-hq.com

phpnuke-hosting
Support Mod
Joined: Oct 19, 2004
Posts: 1032
Location: UK
Posted: Sat Nov 05, 2005 3:53 am

Hey XenoMorpH

I have spoken to you on MSN regards this.

I'll help get it fixed up for you!

_________________
www.phpnuke-hosting.com

The Internets Foremost PHP-Nuke Web Host.

felosi
Nuke Soldier
Joined: Oct 31, 2005
Posts: 20
Posted: Sat Nov 05, 2005 5:00 am

Man that has to be some settings you've got wrong or you're using same pass for htaccess and admin and it's a very easy one cause in my opinion 7.6.3.1 with sentinel 2.42 is basically unhackable. Try this admin ip lock, if you put this on admin.php and forums/admin/pagestart.php then only your ip or range can view those pages but I'm really interested in hearing what was used to hack your site unless you have some kinda table exploit uploaded somewhere on your server. Because me and a BUNCH of my friends, mostly security pros and hackers have been clawing at that version with sentinel for ever and can't find no vuln, just patched platinum is the only one even related to that version that has vuln. Anyway here is the admin ip lock. It will make your site unhackable even with the shittiest version ever because only your ip or range can view the admin pages then they can't change anything
Code:
http://felosi-inc.com/files/AdminIP1.02.rar

XenoMorpH
Lieutenant
Joined: Aug 24, 2003
Posts: 187
Location: Coevorden, Netherlands
Posted: Sat Nov 05, 2005 5:23 am

Hmm.....bad thing is....my friend has dynamic IP. On several ISPs

btw, there's a small bug in the script:
Code:
area");


shouldn't this be: unset("area"); ?

or something else?

_________________
http://www.tdi-hq.com

felosi
Nuke Soldier
Joined: Oct 31, 2005
Posts: 20
Posted: Sat Nov 05, 2005 7:18 am

Nah, it works and there are instructions in there for adding multiple ranges and multiple ips. I have dynamic ip too and use it. Actually it's all in there for static and dynamic if you read. It works, Technocrat made that one and I swear by it. My isp goes through 3 different ranges and I have them all on my ip lock. You can even use an editor with ftp like php designer to change it when you have to or add to it. The script is fine, I know a lot of people that use it.

XenoMorpH
Lieutenant
Joined: Aug 24, 2003
Posts: 187
Location: Coevorden, Netherlands
Posted: Sat Nov 05, 2005 9:01 am

Yeah, I got it sorted, although,
Code:
if(stristr($_SERVER['REMOTE_ADDR'], "xxx.xxx.xxx") == FALSE)
{
    unset($aid);
    unset($admin);
area");
    die("Invalid IP<br />Access denied");
}

does NOT work, I'm using Dreamweaver, immediately saw that the script was wrong:
Changed it to:
Code:
if(stristr($_SERVER['REMOTE_ADDR'], "xxx.xxx.xxx") == FALSE)
{
    unset($aid);
    unset($admin);
    //area");
    die("Invalid IP<br />Access denied");
}


Working now. Tnx

_________________
http://www.tdi-hq.com
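
Added example, not part of the thread and not the AdminIP script: the posted check passes any address that contains the allowed string anywhere, so a lock meant for one range also admits unrelated addresses. The version below compares REMOTE_ADDR against CIDR ranges instead, which also fits an ISP that rotates through several ranges; the ranges, test addresses and function names are constructed for illustration.

```php
<?php
// Added example, not the AdminIP script. Ranges and test addresses are
// constructed values from the documentation blocks (RFC 5737).
$allowedRanges = array('192.0.2.0/24', '198.51.100.64/26', '203.0.113.7/32');

// The thread's test: true when $needle appears anywhere in the address.
function loose_match($ip, $needle)
{
    return stristr($ip, $needle) !== false;
}

// True when the IPv4 address $ip lies inside $cidr ("a.b.c.d/len").
function ip_in_cidr($ip, $cidr)
{
    $parts = explode('/', $cidr, 2);
    $len   = isset($parts[1]) ? $parts[1] : '32';
    $net   = ip2long($parts[0]);
    $addr  = ip2long($ip);
    if ($net === false || $addr === false || !ctype_digit($len) || (int) $len > 32) {
        return false;               // malformed or non-IPv4 input never matches
    }
    if ((int) $len === 0) {
        return true;                // /0 covers every IPv4 address
    }
    $mask = -1 << (32 - (int) $len); // network bits set, host bits clear
    return ($addr & $mask) === ($net & $mask);
}

function admin_ip_allowed($ip, $ranges)
{
    foreach ($ranges as $cidr) {
        if (ip_in_cidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

// In admin.php the gate would keep the shape of the thread's snippet:
//   if (!admin_ip_allowed($_SERVER['REMOTE_ADDR'], $allowedRanges)) {
//       unset($aid, $admin);
//       die("Invalid IP<br />Access denied");
//   }
foreach (array('192.0.2.44', '192.0.20.9', '5.192.0.2', '198.51.100.70', '::1') as $ip) {
    printf("%-15s substring=%-3s cidr=%s\n", $ip,
        loose_match($ip, '192.0.2') ? 'yes' : 'no',
        admin_ip_allowed($ip, $allowedRanges) ? 'yes' : 'no');
}
```

REMOTE_ADDR is the address of whatever connected to the web server, so behind a reverse proxy or load balancer it is the proxy's address and the ranges have to be chosen with that in mind.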

felosi
Nuke Soldier
Joined: Oct 31, 2005
Posts: 20
Posted: Sat Nov 05, 2005 10:59 am

By the way, how were you still hacked having sentinel and latest patches? Me and my friends and other people have tried all forms of xss which sentinel blocks because the ( ) Any query that uses the word UNION, BIND, JOIN, or etc: Also you can add forbidden strings I'm sure you know what I dont once I got all my ranges in protected was made admin.php a forbidden string..lol So I don't have to manually ban the idiots hitting my admin pages.
Probably would be useful to these guys and everyone else to check your awstats or access logs to see what strings were used so they can find a fix cause if your site is patched 7.6 with sentinel 2.42 (which I've seen you have) and it's getting hacked that easy, we all may be in trouble.

phpnuke-hosting
Support Mod
Joined: Oct 19, 2004
Posts: 1032
Location: UK
Posted: Sat Nov 05, 2005 12:02 pm

I said exactly the same thing.

Sentinel 2.4.2 is very very good and with chatserv's patches on top it is virtually indestructible.

I am lost as to how they are getting in short of ftp hacking and gaining config.php details.

However he said the cpanel and ftp passes are good so I'm confused.

My opinion is that someone else is doing this, i.e. another admin, old admin that hasn't been removed, or someone that has access to an admin's PC.

_________________
www.phpnuke-hosting.com

The Internets Foremost PHP-Nuke Web Host.

felosi
Nuke Soldier
Joined: Oct 31, 2005
Posts: 20
Posted: Sat Nov 05, 2005 2:10 pm

Exactly. I'm actually having cms hacking/security research now where I have setup a 7.6.3.1b install without sentinel and I've had at least 10 people tell me it's a waste of time even trying to exploit it. Disgruntled ex-admin very strong possibility

phpnuke-hosting
Support Mod
Joined: Oct 19, 2004
Posts: 1032
Location: UK
Posted: Sat Nov 05, 2005 3:13 pm

Quote:
I have setup a 7.6.3.1b install without sentinel and I've had at least 10 people tell me it's a waste of time even trying to exploit it.


I'll have a pop at that.

What's allowed? I am guessing there are criteria, no ftp or cpanel brute force?

_________________
www.phpnuke-hosting.com

The Internets Foremost PHP-Nuke Web Host.

felosi
Nuke Soldier
Joined: Oct 31, 2005
Posts: 20
Posted: Sat Nov 05, 2005 5:14 pm

www.felosizworld.com in that vb forum there are the test sites lists. Only rules are application level hacking only so like you said no ftp, cpanel, ssh, or any other bruteforcing. And don't root the server til we're done. I just reinstalled the 7.8 nuke I put there for the noobs and people to vent on but I'm sure that won't interest you. Let me know if there is anything you want installed and if you can take the vBulletin forum go for it just leave the test site posts lol
And post if you've successfully exploited something so I can run the sql again.
Have fun it will be there for a while.

Evaders99
Site Admin
Joined: Aug 17, 2003
Posts: 12383
Posted: Sun Nov 06, 2005 6:04 pm

Only way to know for sure, go back to the server error logs. You need to see how he is doing it.

Ban the entire ISP in the meantime
If it is indeed a script issue, report to us immediately

_________________
Helping those that help themselves
Read FIRST or DIE!

"Fighting is terrible, but not as terrible as losing the will to fight."
Star Wars Rebellion Network - Need Help? Evaders Squadron Coding
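
Added example, not part of the thread: one way to do the log review that felosi and Evaders99 recommend, written in PHP over constructed access-log lines. It lists requests that touched the admin entry points named in the thread or carried the keywords felosi mentions, and counts per address how many admin requests were actually served, which separates blocked probing from someone using a working admin login (the possibility phpnuke-hosting raises).

```php
<?php
// Added example. Log lines are constructed (documentation addresses, placeholder parameters).
$sampleLog = array(
    '192.0.2.10 - - [05/Nov/2005:01:58:11 +0100] "GET /index.php HTTP/1.1" 200 18211 "-" "Mozilla/4.0"',
    '198.51.100.23 - - [05/Nov/2005:02:03:40 +0100] "POST /admin.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '198.51.100.23 - - [05/Nov/2005:02:04:02 +0100] "POST /admin.php?op=example HTTP/1.1" 302 0 "-" "Mozilla/4.0"',
    '203.0.113.77 - - [05/Nov/2005:02:10:19 +0100] "GET /modules.php?name=News&x=1%20UNION%20select HTTP/1.1" 403 312 "-" "-"',
    'truncated or corrupt line',
);
$adminPaths = array('/admin.php', '/forums/admin/');   // entry points named in the thread
$keywords   = array('UNION', 'BIND', 'JOIN');          // words felosi lists

// Returns details for a line worth reviewing, or null (Apache "combined" format assumed).
function triage_line($line, $adminPaths, $keywords)
{
    if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+)[^"]*" (\d{3}) /', $line, $m)) {
        return null;                                   // unparseable line
    }
    list(, $ip, $time, $method, $uri, $status) = $m;
    $parts   = explode('?', $uri, 2);
    $query   = isset($parts[1]) ? urldecode($parts[1]) : '';
    $reasons = array();
    foreach ($adminPaths as $p) {
        if (stripos($parts[0], $p) !== false) { $reasons[] = "admin path $p"; }
    }
    foreach ($keywords as $k) {
        if (preg_match('/\b' . preg_quote($k, '/') . '\b/i', $query)) { $reasons[] = "keyword $k"; }
    }
    if (!$reasons) {
        return null;
    }
    return array('ip' => $ip, 'time' => $time, 'request' => "$method $uri",
                 'status' => (int) $status, 'reasons' => implode(', ', $reasons));
}

$served = array();                                     // admin requests answered without an error, per address
foreach ($sampleLog as $line) {
    $hit = triage_line($line, $adminPaths, $keywords);
    if ($hit === null) {
        continue;
    }
    printf("%s [%s] %s -> %d (%s)\n", $hit['ip'], $hit['time'], $hit['request'], $hit['status'], $hit['reasons']);
    if ($hit['status'] < 400 && strpos($hit['reasons'], 'admin path') !== false) {
        $served[$hit['ip']] = isset($served[$hit['ip']]) ? $served[$hit['ip']] + 1 : 1;
    }
}
foreach ($served as $ip => $n) {
    echo "$ip: $n admin request(s) served; compare against the admins you expect\n";
}
```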