Nuke Cops :: View topic - Admin messages module vulnerability
yameth
Nuke Cadet
Joined: Feb 15, 2004
Posts: 8
Posted: Sun Jun 25, 2006 1:11 am

My site, based on Nuke 6.5 with updated patches and NukeSentinel, has been running since 2003 and has been hacked several times, mostly by Turkish hackers.

9 out of 10 times they posted on the admin messages module.

Is there a vulnerability in the module that has been addressed, so I can just upgrade that module, or is there nothing I can do about it?

Is it more vulnerable when a message is activated?

And what is the story behind these Turks... do they mean harm or do they just want to put their political message across?

corto11
Nuke Cadet
Joined: Jun 25, 2006
Posts: 3
Posted: Sun Jun 25, 2006 7:14 am

88.224.202.147 - - [25/Jun/2006:11:01:43 -0500] "GET /index.php HTTP/1.1" 200 8663 "http://www.zone-h.org/component/option,com_attacks/Itemid,45/filter_defacer,SanalYargic/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"


Does anyone have any information about how to stop this (IP banned now of course)?

jakec06
Sergeant
Joined: Jan 30, 2006
Posts: 75
Location: Surrey, UK
Posted: Sun Jun 25, 2006 10:24 am

Have a look at this thread on RavenPHPScripts:

http://ravenphpscripts.com/posts8988-highlight-.html

The last post by kguske gives some details to add to your .htaccess file, which redirects them back to themselves.

jakec06
Sergeant
Joined: Jan 30, 2006
Posts: 75
Location: Surrey, UK
Posted: Sun Jun 25, 2006 10:53 am

I should have said it's not actually an attack, someone will have reported your site being attacked, probably the hacker, and their bot has gone to investigate.
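Added example, not part of any post in this thread: a Python check that scans Apache combined-format access logs, like the line corto11 posted, for requests whose Referer is a defacement-archive listing, which is the sign described above that the site has been reported as defaced. The `ARCHIVE_HOSTS` set, the function names and the last two sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Apache "combined" log format, the format of the line posted in the thread.
COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"'
)

# Assumption: hosts treated as defacement archives; only zone-h.org is from the thread.
ARCHIVE_HOSTS = {"zone-h.org"}


def parse_referer(referer):
    """Return (host, params); params come from 'key,value' path segments."""
    try:
        parts = urlsplit(referer)
        host = (parts.hostname or "").lower()
    except ValueError:  # malformed Referer header
        return "", {}
    params = dict(s.split(",", 1) for s in parts.path.split("/") if "," in s)
    return host, params


def archive_referrals(lines):
    """List requests that arrived by following a link on an archive listing."""
    hits = []
    for line in lines:
        m = COMBINED.match(line)
        if not m:
            continue  # not a combined-format line
        host, params = parse_referer(m["referer"])
        # Exact host or true subdomain only, so look-alike hosts do not match.
        if any(host == h or host.endswith("." + h) for h in ARCHIVE_HOSTS):
            hits.append({"ip": m["ip"], "time": m["time"], "path": m["path"],
                         "status": int(m["status"]), "listing": params})
    return hits


SAMPLE_LOG = [
    # Line from the thread:
    '88.224.202.147 - - [25/Jun/2006:11:01:43 -0500] "GET /index.php HTTP/1.1" 200 8663 "http://www.zone-h.org/component/option,com_attacks/Itemid,45/filter_defacer,SanalYargic/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    # Constructed lines: no referer, and a look-alike referer host.
    '192.0.2.10 - - [25/Jun/2006:11:02:10 -0500] "GET /modules.php?name=News HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [25/Jun/2006:11:03:55 -0500] "GET /index.php HTTP/1.1" 200 8663 "http://zone-h.org.example.com/a,b/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in archive_referrals(SAMPLE_LOG):
        print(hit)
```

A hit tells you which listing the visitor came from and when, so the page content can be compared against a known-good copy; it does not show how the intruder got in.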

Black_Spider
Lieutenant
Joined: Aug 06, 2004
Posts: 285
Location: NW USA
Posted: Sun Jun 25, 2006 10:58 am

The "hackers" are coming from, or representing a site at http://cyber-raiders.com

And they are just injecting some text, img links and an easy META refresh tag into the News mod.

_________________
ßlå¢k §ÞîÐèR

corto11
Nuke Cadet
Joined: Jun 25, 2006
Posts: 3
Posted: Sun Jun 25, 2006 12:53 pm

Thanks for the tip on the .htaccess file for zone-h.org. I've made that change. And you're right, this was not the source of the attack, just a mirroring of it.

Can I make a change to the news module that will prevent the defacement?

jakec06
Sergeant
Joined: Jan 30, 2006
Posts: 75
Location: Surrey, UK
Posted: Sun Jun 25, 2006 1:02 pm

What version are you using?
Have you got NukeSentinel and are you using the latest patches?

corto11
Nuke Cadet
Joined: Jun 25, 2006
Posts: 3
Posted: Sun Jun 25, 2006 1:24 pm

nuke_config says a start date of 10/17/2004 and a version of 7.4. Does that version jibe with that date?

I surprised myself when I checked the version. I thought I was in the 6.5-6.7 range but I may not be as bad off as I thought I was.

I am not using NukeSentinel and am behind in patching as well.

yameth
Nuke Cadet
Joined: Feb 15, 2004
Posts: 8
Posted: Tue Jun 27, 2006 12:04 pm

Well... this is very funny..
A totally indifferent discussion is carried below my post, that has nothing to do with it! I suppose a split would be appropriate.

Getting back to it, any ideas on my issue? Thanks.

jakec06
Sergeant
Joined: Jan 30, 2006
Posts: 75
Location: Surrey, UK
Posted: Tue Jun 27, 2006 12:23 pm

Sorry about that, saw the 2nd post and thought it was about the same thing.

I don't think the message module is the problem, they probably just use it once they have got in.
They are probably getting in from somewhere else, do you have any logs, or does anything show up in NukeSentinel?

I've never used 6.5, so I could be wrong. What other modules/MODS etc. are you using?

yameth
Nuke Cadet
Joined: Feb 15, 2004
Posts: 8
Posted: Wed Jul 12, 2006 4:38 am

Enhanced search 2.0, which I've recently found has security issues, Sommaire, Nuke C 2.1, Jinzora.

perfect-games
Site Admin
Joined: Jun 18, 2004
Posts: 217
Posted: Wed Jul 12, 2006 4:47 am

Many modules do have security issues with their addons. With the 6.5 I would upgrade to the latest patch files.

Even if you're unable to overwrite your current files, update manually by checking nukefixes.com.

And for 3rd party addons there's not much support, as many projects have had support stopped by their developer, like the nukestyles search module and downloads module.

If any of these sites are still active you should contact the developer; they may be able to help you.

We at nukecops will soon start upgrading some popular scripts where development has stopped.

Like nukestyles, and bring them up to date with phpnuke 7 & 8 releases.

Along with our own addons, where full support will be provided by our team.

thanks

Steve