Nuke Cops :: View topic - Hacked
RuTHlezz1
Nuke Soldier
Joined: Oct 03, 2005
Posts: 34
Posted: Tue Oct 10, 2006 8:26 am

I don't think they got admin access; they just injected the HTML in the preferences. But to be sure, verify that no new admins are added by going into the admin area and clicking on admins.

I would also recommend Raven Nuke 7.6. It has all the patches and updates, Sentinel and a few other addons that will make your site easy to maintain and secure.

Anyway, if you still need help, email me at nickhuffman74@yahoo.com

scott2500uk
Private
Joined: Oct 08, 2005
Posts: 43
Location: York UK
Posted: Tue Oct 10, 2006 3:20 pm

They don't need to add an admin to gain admin access. They can use a known SQL injection to trick a module into showing an admin's username and the MD5 hash of that admin's password. They go with the MD5 hash to a hash lookup site and, hey presto, they have your admin username and password. Then they log in, go to preferences and add code to the footer message. Then they log out of admin. Also, if the hacker knows what they are doing, they can use a remote file vulnerability, and with the file they use they can run some MySQL code.

Installing just Nuke Sentinel and patched Nuke doesn't fully protect you. There are one or two other things you need to take into consideration.

RuTHlezz1
Nuke Soldier
Joined: Oct 03, 2005
Posts: 34
Posted: Thu Oct 12, 2006 9:40 am

Like?

Already do admin auth with my .htaccess files. Any recommendations would be welcome.

Also, if they had got the admin login, why not insert the hacked message and then change the admin login so the site admin couldn't do jack about it?

scott2500uk
Private
Joined: Oct 08, 2005
Posts: 43
Location: York UK
Posted: Fri Oct 13, 2006 1:58 pm

Because when they do the message it stops you from seeing the actual site, so you wouldn't be able to remove the message anyway. Plus, changing the password is more work. Hackers like to be in and out as quick as possible.

RuTHlezz1
Nuke Soldier
Joined: Oct 03, 2005
Posts: 34
Posted: Thu Oct 19, 2006 10:31 am

I am going to have to disagree with you on this one. The SQL injection is an exploit of the code not checking for the variables that would allow visitors to insert code into the SQL tables without needing the admin privileges of the site, since most people give the SQL user complete and full rights to the database.

To fix this "hack (script kiddie crap)", go into phpMyAdmin and edit out the code in the preferences table that causes the page not to display; this should take less than 5 minutes from start to finish. This is an old school trick that has been around for ages, but with your Nuke patched with the latest patch it is no longer a major threat. You used to be able to insert the code by adding the insert commands in the URL of the site, but now that is not the case with properly patched and secured sites (Raven Nuke for one).

They did not technically "hack" into the server or gain any type of admin access to the site. All they did was some script kiddie crap to insert the HTML code into the site preference table. Think about it, these guys like the "fame" they get when they report they defaced a site over at http://www.zone-h.org/. So with that in mind, if they had admin access, why wouldn't they lock you out of your site so they could keep it defaced for a longer period of time? Your "Hackers like to be in and out as quick as possible." theory just doesn't hold water with this in mind.

mruhn
Nuke Cadet
Joined: Sep 16, 2004
Posts: 7
Posted: Wed Nov 01, 2006 4:24 pm

I believe my site was hacked in a similar fashion. They just modified the footer column in nuke_config with html that ends up blocking most of the site with their message. They were also able to add an admin account in nuke_authors. I removed that row and deleted the footer, but am honestly at a loss at how to prevent this going forward. We're using the regular version of nuke 7.8. If sentinel won't protect me, what are my other options?
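
A post-incident check for the two symptoms described in this thread (an unexpected row in nuke_authors and markup in the nuke_config footer), added here as an example and not part of any post or of PHP-Nuke itself. It runs against a constructed SQLite stand-in; the column names `aid` and `foot1`..`foot3`, the admin names and the markup pattern are assumptions to adapt to the real MySQL database.

```python
import re
import sqlite3

# Assumption: the operator keeps this list of legitimate admin ids out of band.
KNOWN_ADMINS = {"siteowner"}
# Markup that has no place in a footer and can hide or replace the page.
ACTIVE_MARKUP = re.compile(
    r"<\s*(script|iframe|object|embed|meta|style)\b"
    r"|position\s*:\s*(absolute|fixed)"
    r"|\bon\w+\s*=", re.I)

def build_sample_db():
    """Constructed stand-in for the two tables named in the thread. Column
    names (aid, foot1..foot3) are assumptions; check them on your install."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE nuke_authors (aid TEXT, email TEXT)")
    db.execute("CREATE TABLE nuke_config (foot1 TEXT, foot2 TEXT, foot3 TEXT)")
    db.executemany("INSERT INTO nuke_authors VALUES (?, ?)",
                   [("siteowner", "owner@example.org"),
                    ("support2", "x@example.net")])   # row nobody created
    db.execute("INSERT INTO nuke_config VALUES (?, ?, ?)",
               ("Copyright 2006 Example Site",
                '<div style="position:absolute;top:0;left:0">defaced</div>',
                ""))
    return db

def audit(db, known_admins):
    """Return findings: admin ids not on the allowlist, then footer columns
    whose content matches ACTIVE_MARKUP."""
    findings = []
    for (aid,) in db.execute("SELECT aid FROM nuke_authors ORDER BY aid"):
        if aid not in known_admins:
            findings.append(("unexpected-admin", aid))
    row = db.execute("SELECT foot1, foot2, foot3 FROM nuke_config").fetchone()
    for col, value in zip(("foot1", "foot2", "foot3"), row or ()):
        if value and ACTIVE_MARKUP.search(value):
            findings.append(("footer-markup", col))
    return findings

if __name__ == "__main__":
    for kind, detail in audit(build_sample_db(), KNOWN_ADMINS):
        print(kind, detail)
```

A finding from this check says the database was written to, not how; the access logs are still needed to identify the entry point.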

Evaders99
Site Admin
Joined: Aug 17, 2003
Posts: 12482
Posted: Wed Nov 01, 2006 8:53 pm

Did you have the latest version of Patched files + Sentinel? If it has bypassed those, let us know. We will need access_logs to determine exactly how they got in.

_________________
Helping those that help themselves
Read FIRST or DIE!

"Fighting is terrible, but not as terrible as losing the will to fight."
Star Wars Rebellion Network - Need Help? Evaders Squadron Coding

Slackervaara
Captain
Joined: Sep 13, 2003
Posts: 355
Posted: Wed Nov 01, 2006 10:00 pm

Did you remember to configure Sentinel after its installation? I forgot to do that the first time I used it, and it does not work then. Has Sentinel stopped any hacking attempts for you and sent you e-mail about the hacking attempt? (Happens very often for me.)

spottedhog
Captain
Joined: Apr 30, 2004
Posts: 561
Posted: Thu Nov 02, 2006 4:45 am

You need to put in the patch files for this security fix. Sentinel is not going to stop that kind of SQL Injection hack.

I have to fully agree with RuTHlezz1 on this one....

_________________
SMF-Nuke admin

SMF and PHP Nuke integration is ready! Take a look at it by clicking on the link above.

mruhn
Nuke Cadet
Joined: Sep 16, 2004
Posts: 7
Posted: Thu Nov 02, 2006 8:41 am

Actually I had not yet had a chance to install sentinel or a patched nuke version. TBH, I am having a hard time figuring out where to d/l sentinel from, the ravenscripts page is...confusing. There is definitely some sql injection going on with this hack, can I assume sentinel or a certain patch will cover that? As for the access_logs, what are we looking for? Thanks for the help.
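
One way to approach the access_logs question above, as an added example that is not part of the original thread or of Sentinel: flag requests whose decoded URL carries SQL statement fragments, then list later admin.php requests from the same address. The log lines, addresses and the module name `Example` are constructed, and the pattern is an assumed starting point, not a complete signature set.

```python
import re
from urllib.parse import unquote_plus

# Constructed access_log lines (Apache combined format); addresses are from
# documentation ranges and the module name "Example" is a placeholder.
SAMPLE_LOG = '''\
203.0.113.7 - - [01/Nov/2006:15:58:02 +0000] "GET /modules.php?name=Example&id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Nov/2006:16:01:44 +0000] "GET /modules.php?name=Example&id=-1%2520UNION%2520SELECT%25201,2%2520FROM%2520nuke_authors HTTP/1.1" 200 912 "-" "-"
198.51.100.9 - - [01/Nov/2006:16:09:10 +0000] "GET /admin.php HTTP/1.1" 200 2048 "-" "-"
198.51.100.9 - - [01/Nov/2006:16:10:31 +0000] "POST /admin.php HTTP/1.1" 200 7300 "-" "-"
203.0.113.7 - - [01/Nov/2006:16:12:00 +0000] "POST /admin.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
'''

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
# Assumed indicators: SQL statements or the thread's table names inside a URL.
SQLI = re.compile(r"\bunion\b.+\bselect\b|\binsert\s+into\b"
                  r"|\bupdate\s+\w+\s+set\b|\bnuke_(authors|config)\b", re.I | re.S)

def decode(url, rounds=3):
    """Undo up to `rounds` layers of URL encoding (double encoding is common)."""
    for _ in range(rounds):
        nxt = unquote_plus(url)
        if nxt == url:
            break
        url = nxt
    return url

def triage(log_text):
    """Return (hits, followups): requests whose decoded URL matches SQLI, and
    later admin.php requests from the same client. Assumes time-ordered input."""
    hits, followups, flagged = [], [], set()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, when, method, url, status = m.groups()
        decoded = decode(url)
        if SQLI.search(decoded):
            hits.append((ip, when, decoded))
            flagged.add(ip)
        elif ip in flagged and url.split("?")[0].endswith("/admin.php"):
            followups.append((ip, when, method, status))
    return hits, followups

if __name__ == "__main__":
    hits, followups = triage(SAMPLE_LOG)
    for row in hits + followups:
        print(row)
```

A 200 response to a flagged request followed by admin.php activity from the same address is the sequence worth handing to whoever reviews the patch level.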

mruhn
Nuke Cadet
Joined: Sep 16, 2004
Posts: 7
Posted: Thu Nov 02, 2006 8:53 am

On a related note, why are we still seeing issues with sql injection in Nuke? I am a php/nuke newbie, but a java developer by trade. I learned my lesson and always sanitise queries or make them prepared statements on the backend. Do these patched nuke versions cover this better?

Evaders99
Site Admin
Joined: Aug 17, 2003
Posts: 12482
Posted: Thu Nov 02, 2006 9:18 am

Download Nuke Sentinel from http://www.nukescripts.net
A new version 2.5.03 should be coming out soon

Yes, the Patched versions do cover many vulnerabilities in the existing phpNuke versions. Mostly because FB does not patch his code in full. His latest code (8.0) is full of untested new code, while he has used an older version of the Patched files. He does not even patch known vulnerabilities in older versions.

It is a problem because FB, the creator, refuses to yield anything. While the phpNuke community does what it can, with the Patched files, Sentinel, other distributions such as RavenNuke, we really cannot solve the problem until FB grants control to do so.


mruhn
Nuke Cadet
Joined: Sep 16, 2004
Posts: 7
Posted: Thu Nov 02, 2006 9:23 am

Evaders99 wrote:
Download Nuke Sentinel from http://www.nukescripts.net
A new version 2.5.03 should be coming out soon

Yes, the Patched versions do cover many vulnerabilities in the existing phpNuke versions. Mostly because FB does not patch his code in full. His latest code (8.0) is full of untested new code, while he has used an older version of the Patched files. He does not even patch known vulnerabilities in older versions.

It is a problem because FB, the creator, refuses to yield anything. While the phpNuke community does what it can, with the Patched files, Sentinel, other distributions such as RavenNuke, we really cannot solve the problem until FB grants control to do so.


Thanks for the reply. Kind of disturbing that an author/creator would treat his product like that. So if I were to stay on 7.8/7.9, which patched version should I take a look at, is RavenNuke sufficient? This fiasco is really turning me off from nuke as my cms solution. It shouldn't be this difficult :(

jakec06
Sergeant
Joined: Jan 30, 2006
Posts: 75
Location: Surrey, UK
Posted: Thu Nov 02, 2006 11:22 am

RavenNuke is based on 7.6 and is probably one of the best & safest distributions around, so I would go with that.

Evaders99
Site Admin
Joined: Aug 17, 2003
Posts: 12482
Posted: Thu Nov 02, 2006 12:44 pm

Depends on what functionality you want. If you want to use the WYSIWYG editor, 7.8 + Patched. Otherwise 7.6 + Patched.

If you want an integrated solution, 7.6 + Patched + Sentinel + various other good stuff, RavenNuke is the way to go
