RuTHlezz1
Nuke Soldier


Joined: Oct 03, 2005
Posts: 34
Posted: Tue Oct 10, 2006 8:26 am

I don't think they got admin access, just injected the HTML in the preferences. But to be sure, verify that no new admins are added by going into the admin area and clicking on admins.
I would also recommend Raven Nuke 7.6. It has all the patches and updates, Sentinel and a few other addons that will make your site easy to maintain and secure.
Anyway, if you still need help, email me at nickhuffman74@yahoo.com

scott2500uk
Private


Joined: Oct 08, 2005
Posts: 43
Location: York UK
Posted: Tue Oct 10, 2006 3:20 pm

They don't need to add an admin to gain admin access. They can use a known SQL injection to trick a module to show an admin's username and MD5 hash of that admin's password. They go with the MD5 hash to a hash lookup site and hey presto, they have your admin username and password. Then they log in, go to preferences and add code to the footer message. Then log out of admin. Also, if the hacker knows what they are doing, they can use a remote file vulnerability and with the file they use they can run some MySQL code.
Installing just Nuke Sentinel and patched Nuke doesn't fully protect you. There are one or two other things you need to take into consideration.

RuTHlezz1
Nuke Soldier


Joined: Oct 03, 2005
Posts: 34
Posted: Thu Oct 12, 2006 9:40 am

Like?
Already do admin auth with my .htaccess files. Any recommendations would be welcome.
Also, if they had got the admin login, why not insert the hacked message and then change the admin login so the site admin couldn't do jack about it?

scott2500uk
Private


Joined: Oct 08, 2005
Posts: 43
Location: York UK
Posted: Fri Oct 13, 2006 1:58 pm

Because when they do the message it stops you from seeing the actual site, so you wouldn't be able to remove the message anyway. Plus, changing the password is more work. Hackers like to be in and out as quick as possible.

RuTHlezz1
Nuke Soldier


Joined: Oct 03, 2005
Posts: 34
Posted: Thu Oct 19, 2006 10:31 am

I am going to have to disagree with you on this one. The SQL injection is an exploit of the code not checking for the variables that would allow visitors to insert code into the SQL tables without needing the admin privileges of the site, since most people give the SQL user complete and full rights to the database.
To fix this "hack (script kiddie crap)" go into phpMyAdmin and edit out the code in the preferences table that causes the page not to display, this should take less than 5 minutes from start to finish. This is an old school trick that has been around for ages, but with your Nuke patched with the latest patch it is no longer a major threat. You used to be able to insert the code by adding the insert commands in the URL of the site, but now that is not the case with properly patched and secured sites (Raven Nuke for one).
They did not technically "hack" into the server or gain any type of admin access to the site. All they did was some script kiddie crap to insert the HTML code into the site preference table. Think about it, these guys like the “fame” they get when they report they defaced a site over at http://www.zone-h.org/. So with that in mind, if they had admin access, why wouldn’t they lock you out of your site so they could keep it defaced for a longer period of time? Your “Hackers like to be in and out as quick as possible.” theory just doesn’t hold water with this in mind.

mruhn
Nuke Cadet


Joined: Sep 16, 2004
Posts: 7
Posted: Wed Nov 01, 2006 4:24 pm

I believe my site was hacked in a similar fashion. They just modified the footer column in nuke_config with HTML that ends up blocking most of the site with their message. They were also able to add an admin account in nuke_authors. I removed that row and deleted the footer, but am honestly at a loss at how to prevent this going forward. We're using the regular version of Nuke 7.8. If Sentinel won't protect me, what are my other options?

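The check described in the post above (an unexpected row in nuke_authors, markup in the nuke_config footer), as an added example that is not part of the original thread. It runs against a constructed in-memory SQLite stand-in for the site's MySQL database; the column names `aid`, `pwd` and `footer` and the account names are assumptions to adjust to the real schema.

```python
import re
import sqlite3

# Markup that has no place in a footer message and is typical of a
# page-covering defacement (active content or an overlay-style element).
SUSPICIOUS = re.compile(
    r"<\s*(script|iframe|object|embed|meta|style)\b"
    r"|position\s*:\s*(absolute|fixed)|z-index",
    re.I,
)

def audit(conn, expected_admins):
    """Return (unexpected admin ids, footer values containing suspicious markup)."""
    expected = {a.lower() for a in expected_admins}
    admins = [row[0] for row in conn.execute("SELECT aid FROM nuke_authors")]
    rogue = sorted(a for a in admins if a.lower() not in expected)
    footers = [row[0] or "" for row in conn.execute("SELECT footer FROM nuke_config")]
    bad = [f for f in footers if SUSPICIOUS.search(f)]
    return rogue, bad

def build_sample_db():
    """Constructed sample rows; column names are assumptions, not the real schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE nuke_authors (aid TEXT, pwd TEXT)")
    conn.execute("CREATE TABLE nuke_config (footer TEXT)")
    conn.executemany(
        "INSERT INTO nuke_authors VALUES (?, ?)",
        [("siteowner", "<hash>"), ("newadmin", "<hash>")],
    )
    conn.execute(
        "INSERT INTO nuke_config VALUES (?)",
        ('<div style="position:absolute;top:0;left:0;width:100%">defaced</div>',),
    )
    return conn

if __name__ == "__main__":
    rogue, bad = audit(build_sample_db(), expected_admins=["siteowner"])
    print("unexpected admin accounts:", rogue)
    print("footer values with suspicious markup:", len(bad))
```

Run on a schedule against a read-only database account, the same two queries flag a repeat of this defacement before visitors report it.
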
Evaders99
Site Admin


Joined: Aug 17, 2003
Posts: 12372
Posted: Wed Nov 01, 2006 8:53 pm

Slackervaara
Lieutenant


Joined: Sep 13, 2003
Posts: 295
Posted: Wed Nov 01, 2006 10:00 pm

Did you remember to configure Sentinel after its installation? I forgot to do that the first time I used it and it does not work then. Has Sentinel stopped any hacking attempts for you and sent you e-mail about the hacking attempt? (Happens very often for me)

spottedhog
Captain


Joined: Apr 30, 2004
Posts: 566
Posted: Thu Nov 02, 2006 4:45 am

You need to put in the patch files for this security fix. Sentinel is not going to stop that kind of SQL Injection hack.
I have to fully agree with RuTHlezz1 on this one....
_________________ SMF-Nuke admin
SMF and PHP Nuke integration is ready! Take a look at it by clicking on the link above.

mruhn
Nuke Cadet


Joined: Sep 16, 2004
Posts: 7
Posted: Thu Nov 02, 2006 8:41 am

Actually I had not yet had a chance to install Sentinel or a patched Nuke version. TBH, I am having a hard time figuring out where to d/l Sentinel from, the ravenscripts page is...confusing. There is definitely some SQL injection going on with this hack, can I assume Sentinel or a certain patch will cover that? As for the access_logs, what are we looking for? Thanks for the help.

mruhn
Nuke Cadet


Joined: Sep 16, 2004
Posts: 7
Posted: Thu Nov 02, 2006 8:53 am

On a related note, why are we still seeing issues with SQL injection in Nuke? I am a PHP/Nuke newbie, but a Java developer by trade. I learned my lesson and always sanitise queries or make them prepared statements on the backend. Do these patched Nuke versions cover this better?

Evaders99
Site Admin


Joined: Aug 17, 2003
Posts: 12372
Posted: Thu Nov 02, 2006 9:18 am

Download Nuke Sentinel from http://www.nukescripts.net
A new version 2.5.03 should be coming out soon.
Yes, the Patched versions do cover many vulnerabilities in the existing phpNuke versions. Mostly because FB does not patch his code in full. His latest code (8.0) is full of untested new code, while he has used an older version of the Patched files. He does not even patch known vulnerabilities in older versions.
It is a problem because FB, the creator, refuses to yield anything. While the phpNuke community does what it can, with the Patched files, Sentinel, other distributions such as RavenNuke, we really cannot solve the problem until FB grants control to do so.
_________________ Helping those that help themselves
Read FIRST or DIE!
"Fighting is terrible, but not as terrible as losing the will to fight."
Star Wars Rebellion Network - Need Help? Evaders Squadron Coding

mruhn
Nuke Cadet


Joined: Sep 16, 2004
Posts: 7
Posted: Thu Nov 02, 2006 9:23 am

Evaders99 wrote:
> Download Nuke Sentinel from http://www.nukescripts.net
> A new version 2.5.03 should be coming out soon.
> Yes, the Patched versions do cover many vulnerabilities in the existing phpNuke versions. Mostly because FB does not patch his code in full. His latest code (8.0) is full of untested new code, while he has used an older version of the Patched files. He does not even patch known vulnerabilities in older versions.
> It is a problem because FB, the creator, refuses to yield anything. While the phpNuke community does what it can, with the Patched files, Sentinel, other distributions such as RavenNuke, we really cannot solve the problem until FB grants control to do so.

Thanks for the reply. Kind of disturbing that an author/creator would treat his product like that. So if I were to stay on 7.8/7.9, which patched version should I take a look at, is RavenNuke sufficient? This fiasco is really turning me off from Nuke as my CMS solution. It shouldn't be this difficult.

jakec06
Sergeant


Joined: Jan 30, 2006
Posts: 75
Location: Surrey, UK
Posted: Thu Nov 02, 2006 11:22 am

RavenNuke is based on 7.6 and is probably one of the best & safest distributions around, so I would go with that.

Evaders99
Site Admin


Joined: Aug 17, 2003
Posts: 12372
Posted: Thu Nov 02, 2006 12:44 pm

Depends on what functionality you want. If you want to use the WYSIWYG editor, 7.8 + Patched. Otherwise 7.6 + Patched.
If you want an integrated solution, 7.6 + Patched + Sentinel + various other good stuff, RavenNuke is the way to go.