Admin messages module vulnerability

Nuke Cadet Joined: Feb 15, 2004 Posts: 8

My site based on Nuke 6.5 with updated patches and Nukesentinel, has been running since 2003 and has been hacked several times, mostly by turkish hackers.

9 out of 10 times they posted on the admin messages module.

Is there a vulnerability on the module that has been addressed to so I can just upgrade that module or there is nothing I can do about it?

Is it more vulnerable when a message is activated?

And what is the story behind these turks... do they mean harm or they just want to put their political message across?

Nuke Cadet Joined: Jun 25, 2006 Posts: 3

88.224.202.147 - - [25/Jun/2006:11:01:43 -0500] "GET /index.php HTTP/1.1" 200 8663 "http://www.zone-h.org/component/option,com_attacks/Itemid,45/filter_defacer,SanalYargic/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

Does anyone have any information about how to stop this (IP banned now of course)?

Posted: Sun Jun 25, 2006 10:24 am

Have a look at this thread on RavenPHPScripts:

http://ravenphpscripts.com/posts8988-highlight-.html

The last post by kguske gives some details to add to your .htaccess file, which redirects them back to themself.

Posted: Sun Jun 25, 2006 10:53 am

I should of said it's not actually an attack, someone will have reported your site being attacked, probably the hacker, and their bot has gone to investigate.

Posted: Sun Jun 25, 2006 10:58 am

The "hackers" are coming from, or representing a site at http://cyber-raiders.com

And they are just injecting some text, img links and an easy META refresh tag into the News mod.

Nuke Cadet Joined: Jun 25, 2006 Posts: 3

Thanks for the tip on the .htaccess file for zone-h.org. I've made that change. And you're right this was not the source of the attack, just a mirroring of it.

Can I make a change to the news module that will prevent the defacement?

Posted: Sun Jun 25, 2006 1:02 pm

What version are you using?
Have you got NukeSentinel and using the latest patches?

Nuke Cadet Joined: Jun 25, 2006 Posts: 3

nuke_config says a start date of 10/17/2004 and a version of 7.4. Does that version jibe with that date?

I surprised myself when I checked the version. I thought I was in the 6.5-6.7 range but I may not be as bad off as I thought I was.

I am not using NukeSentinel and am behind in patching as well.

Nuke Cadet Joined: Feb 15, 2004 Posts: 8

Well... this is very funny.. Laughing

A totally indifferent discussion is carried below my post, that has nothing to do with it! I suppose a split would be appropriate.

Getting back to it, any ideas on my issue? Thanks.

Posted: Tue Jun 27, 2006 12:23 pm

Sorry about that, saw the 2nd post and thought it was about the same thing.

I don't think the message module is the problem, they probably just use it once they have got in.
They are probably getting in from somewhere else, do you have any logs, or does anything show up in NukeSentinel?

I've never use 6.5, so I could be wrong. What other modules/MODS etc are you using?

Nuke Cadet Joined: Feb 15, 2004 Posts: 8

Enhanced search 2.0, which recently I've found it has security issues, Sommaire, Nuke C 2.1, Jinzora.

Site Admin Joined: Jun 18, 2004 Posts: 217

many modules do have security issues with there addons, with the 6.5 i would upgrade to latest patch files.

even if your unable overwrite your current files update maunally by checking nukefixes.com.

and 3rd party addons there not much support as many projects have stopped support by there developer like nukestyles search module and downloads module.

if any of these sites still are active you should contact the developer they may be able to help you.

we at nukecops will soon start upgrading some popular scripts where development has stopped.

like nukestyles and bring them upto date with phpnuke 7 & 8 releases.

along with our own addons where full support will be provided by our team.

thanks

Steve