disciple
Private
Joined: Jul 08, 2003
Posts: 39
Location: Arizona
Posted: Fri Jul 18, 2003 8:45 am
Hi,
I installed the IP Tracker mod and as I looked at it this morning I noticed this address ( 67.68.234.117 Toronto-HSE-ppp3783410.sympatico.ca ) had made 141 hits. I then checked your banned IPs. I did not see this IP but I saw several others from sympatico.ca.
My main concern is that there is 1 hit that signifies it was "Admin" in the IP Tracker and it had the IP address from above. (see below the line from IP Tracker)
Admin 67.68.234.117 Toronto-HSE-ppp3783410.sympatico.ca 2003-07-18 05:58:17 1
How can they be specified as "Admin"? I checked my database and there are no new users. So did they somehow get my password information? What do I need to do? I am new to Nuke as well as security issues, so any help will be greatly appreciated.
I have added this IP to my .htaccess file to be denied, but is it too late?
Thanks
Rick
_________________ All that is not eternal is eternally useless.
disciple
Private
Joined: Jul 08, 2003
Posts: 39
Location: Arizona
Posted: Sat Jul 19, 2003 6:53 am
Could someone please give me a hand here. Right now I have a visitor on my site that IP tracking is showing as one of the member names I have created to test things. There is one page hit showing this profile and then so far there are 85 hits to other pages. Here is what IP Tracker is showing:
64.158.138.48 64.158.138.48 2003-07-19 10:25:48 85
Disciple_Maker 64.158.138.48 64.158.138.48 2003-07-19 10:22:28 1
You can see 1 hit as the member name and then right above it 85 hits so far.
Can anyone tell me if I have been hacked? I know you are all busy, but I really don't know much about anything and need some direction.
Thanks,
Rick
MikeMiles
Lieutenant
Joined: May 29, 2003
Posts: 231
Posted: Sat Jul 19, 2003 10:31 am
Look at your logs. What user-agent/referrer do your logs show associated with those IPs? Are the pages being called at a somewhat set frequency? If so, they are probably bots. Do the logs show these IPs actually logging into the Admin Panel or calling some outside script? Are they focused on a particular part of your site or just following a bunch of different pages?
The first one is someone using Bell Canada as their ISP. The second has an IP which is very close to one that Intelliseek normally uses. Intelliseek is a spy bot which hits sites looking for copyright and brand violations. Theirs usually gives a user-agent.
Hackers often limit their activities to pages where there are known or discovered vulnerabilities. After breaking in, they usually mess something up and then leave. Rip-off artists and bots usually hit pages one after the other successively. Look at your logs and see how these guys have acted and where they have gone.
chatserv
General
Joined: Jan 12, 2003
Posts: 3128
Location: Puerto Rico
Posted: Sat Jul 19, 2003 11:15 am
You could check Nuke's sessions table to see if you can find a nickname associated with that IP.
_________________ Feed a man a fish and you feed him for a day. Teach a man to fish and you feed him for a lifetime.
ScriptHeaven | NukeResources
disciple
Private
Joined: Jul 08, 2003
Posts: 39
Location: Arizona
Posted: Sat Jul 19, 2003 11:58 am
Thank you both. I will check into these areas.
Rick
disciple
Private
Joined: Jul 08, 2003
Posts: 39
Location: Arizona
Posted: Mon Jul 21, 2003 6:03 am
Hello again,
I had another incident this morning with an IP address showing as "Admin" in the IP Tracker mod.
Here is what I found:
Admin 216.39.48.61 trek3.sv.av.com 2003-07-21 06:47:25 1
When I followed this in tracker here is one of the places it went:
/modules.php?name=Your_Account&op=userinfo&username=Admin 2003-07-21 06:47:25
When I clicked on that link I came to this page in my site:
Personal Information: Admin
My HomePage: http://www.discipleshipresourcecenter.com
Actual User Status: Offline
You're not subscribed to our Newsletter
[ Edit User ] [ Suspend User ] [ Delete User ]
[ Send a Private Message to Admin ]
So I went and checked my database and found nothing unusual.
I then checked my log files and found this:
216.39.48.61 - - [21/Jul/2003:00:05:15 -0400] "GET /robots.txt HTTP/1.1" 200 2842 "-" "Scooter/3.2"
216.39.48.61 - - [21/Jul/2003:00:05:15 -0400] "GET /church_photos HTTP/1.1" 301 363 "-" "Scooter/3.2"
68.106.17.166 - - [21/Jul/2003:00:06:46 -0400] "POST /admin.php HTTP/1.1" 200 9383 "http://www.discipleshipresourcecenter.com/admin.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR
Here is the portion of my robots.txt file that should be disallowing access to those files:
Disallow: temp/
Disallow: church_photos/
Disallow: admin.php
Disallow: /admin/
Disallow: /images/
Disallow: /includes/
Disallow: /themes/
Disallow: /blocks/
Disallow: /modules/
Disallow: /language/
I am still new to all this and I am not sure if I need to be worried. I am not sure what the "POST /admin.php HTTP/1.1" 200 9383 "http://www.discipleshipresourcecenter.com/admin.php" really means.
Could someone tell me?
It really concerned me when I followed the links in IP Tracking and came to a page that allowed me to edit, suspend and/or delete users. I was of course logged in as admin at that time, so I don't know if that is the reason or not.
Anyway, I am somewhat confused, and if you could help me to understand a little better I would greatly appreciate it.
Thanks in advance,
Rick
MikeMiles
Lieutenant
Joined: May 29, 2003
Posts: 231
Posted: Mon Jul 21, 2003 8:45 am
This line here from your logs shows you were visited by "Scooter", which is Altavista's search engine. Good bots always go for the robots.txt first, which from what you posted looks like he did.
216.39.48.61 - - [21/Jul/2003:00:05:15 -0400] "GET /robots.txt HTTP/1.1" 200 2842 "-" "Scooter/3.2"
These three lines are malformed in your robots.txt:
Disallow: temp/
Disallow: church_photos/
Disallow: admin.php
If you want to disallow an entire directory it needs a leading and trailing slash like this:
Disallow: /temp/
Disallow: /church_photos/
If you want to disallow URLs starting with temp or church_photos, then you use a leading slash like this:
Disallow: /temp
Disallow: /church_photos
Files should have a leading slash (then any directory names from the upper one) then the filename. The third one should be like this:
Disallow: /admin.php
If you have badly formed directives, many spiders will completely ignore them. Here's a validator you can run on your robots.txt and it'll tell you if you have any other problems in that file. http://www.searchengineworld.com/cgi-bin/robotcheck.cgi
This guy here appears to be a Cox cable customer:
68.106.17.166 - - [21/Jul/2003:00:06:46 -0400] "POST /admin.php HTTP/1.1" 200 9383 "http://www.discipleshipresourcecenter.com/admin.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR
If this IP does not belong to you and the first thing he did was grab your admin.php, then I would recommend banning the sucker. What do your logs show he did after grabbing that file?
It appears the IP tracker you're using is somewhat off. It showed Scooter accessing admin.php when in reality it was another IP.
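To check a robots.txt and a log excerpt the way the reply above describes, here is an added Python example (not code from the thread, the IP Tracker mod or PHP-Nuke). It flags Disallow values that lack the leading slash, tests requests against the corrected rules, and lists which IP actually POSTed to admin.php; the sample log lines are constructed, modeled on those quoted in the thread, with the third user-agent shortened to a complete string.

```python
import re

# Constructed sample, modeled on the lines quoted in the thread (Apache "combined"
# format); the third line's user-agent is shortened so it is a complete string.
SAMPLE_LOG = """\
216.39.48.61 - - [21/Jul/2003:00:05:15 -0400] "GET /robots.txt HTTP/1.1" 200 2842 "-" "Scooter/3.2"
216.39.48.61 - - [21/Jul/2003:00:05:15 -0400] "GET /church_photos HTTP/1.1" 301 363 "-" "Scooter/3.2"
68.106.17.166 - - [21/Jul/2003:00:06:46 -0400] "POST /admin.php HTTP/1.1" 200 9383 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
"""
# The robots.txt excerpt from the thread, before the fix.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: temp/
Disallow: church_photos/
Disallow: admin.php
Disallow: /admin/
Disallow: /includes/
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]

def check_robots(text):
    """Split Disallow values into well-formed ones (leading '/') and malformed ones,
    which many crawlers silently ignore."""
    good, bad = [], []
    for line in text.splitlines():
        key, _, value = line.partition(':')
        if key.strip().lower() == 'disallow' and value.strip():
            (good if value.strip().startswith('/') else bad).append(value.strip())
    return good, bad

def fix_rule(value):
    """Add the missing leading slash, as the reply above recommends."""
    return value if value.startswith('/') else '/' + value

def disallowed_hits(entries, rules):
    """(ip, ua, path) for every request whose path is covered by a Disallow prefix."""
    return [(e['ip'], e['ua'], e['path']) for e in entries
            if any(e['path'].startswith(r) for r in rules)]

def admin_posters(entries):
    """IPs that POSTed to /admin.php: the log, not the IP tracker mod, is the
    evidence of who actually used the admin panel."""
    return sorted({e['ip'] for e in entries
                   if e['method'] == 'POST' and e['path'].startswith('/admin.php')})
```

Note that a directory rule like /church_photos/ does not cover a request for /church_photos without the trailing slash, while the prefix form /church_photos does, which is the distinction the reply draws.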
disciple
Private
Joined: Jul 08, 2003
Posts: 39
Location: Arizona
Posted: Mon Jul 21, 2003 9:02 am
Thanks very much for the info. It was very helpful. I ran the validator that you suggested before I made any changes and it validated as OK.
I did go ahead and make the changes you suggested.
And as far as the user that grabbed the admin.php, well, I hate to admit it, but that was me.
So I guess that's OK.
I appreciate your information though. I am learning so much each day my head hurts.
Rick
MikeMiles
Lieutenant
Joined: May 29, 2003
Posts: 231
Posted: Mon Jul 21, 2003 1:15 pm
Quote: I ran the validator that you suggested before I made any changes and it validated as OK.
Oh really... guess it doesn't catch everything... sorry.
Quote: And as far as the user that grabbed the admin.php, well, I hate to admit it, but that was me.
Hey, great... it's good it was you rather than some jerk messing around.
Quote: I am learning so much each day my head hurts.
Yeah, it is mind-boggling the amount of new info to learn. Here's a neat tool you can try out: http://gritechnologies.com/tools/about_poodle.html It gives you an idea what a spider sees when he crawls your pages.
disciple
Private
Joined: Jul 08, 2003
Posts: 39
Location: Arizona
Posted: Mon Jul 21, 2003 2:49 pm
The Poodle Predictor is an interesting link. It seems to spider the top-level items with no problem. It says that you can click on them and it will spider down those links, but I get an error on every single page saying it can't display the page.
It must be something to do with Poodle Predictor, I think, because the pages are all fine.