You are missing our premiere tool bar navigation system! Register and use it for FREE!

NukeCops  
•  Home •  Downloads •  Gallery •  Your Account •  Forums • 
Readme First
- Readme First! -

Read and follow the rules, otherwise your posts will be closed
Modules
· Home
· FAQ
· Buy a Theme
· Advertising
· AvantGo
· Bookmarks
· Columbia
· Community
· Donations
· Downloads
· Feedback
· Forums
· PHP-Nuke HOWTO
· Private Messages
· Search
· Statistics
· Stories Archive
· Submit News
· Surveys
· Theme Gallery
· Top
· Topics
· Your Account
Who's Online
There are currently, 361 guest(s) and 11 member(s) that are online.

You are Anonymous user. You can register for free by clicking here
Nuke Cops :: View topic - (trick) How to "hide" your admin.php file? [ ]
 Forum FAQ  •  Search  •   •  Memberlist  •  Usergroups   •  Register  •  Profile •    •  Log in to check your private messages  •  Log in

 
Post new topic  Reply to topicprinter-friendly view
View previous topic Log in to check your private messages View next topic
Author Message
madman
Support Mod
Support Mod


Joined: Feb 15, 2004
Posts: 806


PostPosted: Fri Jul 30, 2004 2:51 pm Reply with quoteBack to top

Prolog

This is a trick to "hide" PHP-Nuke admin.php file and preventing unauthorized access to PHP-Nuke administration panel. The scenario is, even someone got your admin username and MD5 password, they'll have no idea to find admin.php file. This trick requires PHP-Nuke running under Apache web server and configured to allow .htaccess overrides (AllowOverride settings in main Apache .conf file). In addition, mod-rewrite module must be enable in Apache configuration.

Before you go, backup original admin.php file on your PHP-Nuke root directory. For example, rename admin.php into admin_backup.php or whatever. If exists, also backup/rename existing .htaccess file stored in PHP-Nuke root directory.

Ok, now let's begin.

First, you need to modify admin.php file. Append these lines at the beginning of your admin.php. Because admin.php may vary among PHP-Nuke version, usually you may append the code below either after PHP start tag (<?php), before $checkurl = $_SERVER['REQUEST_URI']; line, or before require_once("mainfile.php"); line. Here the "template" code:

Code:
$admin_pass_cname  = "admin_pass";
$admin_pass_cvalue = "whatever";
$admin_pass_env    = 0;
if (isset($_SERVER['ADMIN_PT']) && ($_SERVER['ADMIN_PT'] == 1)) $admin_pass_env = 1;
if (isset($_SERVER['REDIRECT_ADMIN_PT']) && ($_SERVER['REDIRECT_ADMIN_PT'] == 1)) $admin_pass_env = 1;
if ($admin_pass_env == 1) { setcookie($admin_pass_cname, $admin_pass_cvalue, time()+86400); }
unset($admin_pass_cname);
unset($admin_pass_cvalue);
unset($admin_pass_env);


Second, you need to create (or modify) .htaccess file in your PHP-Nuke root dir, and then put these identifiers:

Code:
<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteCond %{SCRIPT_FILENAME} ^.*/admin.php.*$ [NC]
  RewriteCond %{HTTP_COOKIE} !^.*admin_pass=whatever.*$ [NC]
  RewriteRule ^.*$ - [G,L]
  RewriteCond %{SCRIPT_FILENAME} ^.*/newadmin.php$
  RewriteRule ^.*$ admin.php [env=ADMIN_PT:1]
</IfModule>


Third, you need to change all default values/signals in this trick. This is necessary otherwise your admin.php access no longer secure since everyone else also read this article. These are default values/signals on both files above:

ADMIN_PT
This is a signal for access validity and stored as server variable. In common situations, you no need to change this string but if this is the case then you should change it on both admin.php and .htaccess files. As noticed in admin.php insertion code, there are two ADMIN_PT variable checkings, one is ADMIN_PT itself and another is the clone, REDIRECT_ADMIN_PT. You can safely change ADMIN_PT string but do not alter "REDIRECT_" string since it is a default behavior in Apache server. Consider to use search/replace function on your text editor to change this string from both code above.

admin_pass
This is a string that will be stored as cookie name (key pair). If you in doubt to change this string, be sure to use only native letters (A-Z, a-z) and underscores. The .htaccess instertion code above treat this string as case insensitive. Consider to use search/replace function on your text editor to change this string from both code above.

whatever
This is a string that will be stored as cookie value (value pair). If you in doubt to change this string, be sure to use only native letters (A-Z, a-z), numbers (0-9), and underscores. The .htaccess instertion code above treat this string as case insensitive. Consider to use search/replace function on your text editor to change this string from both code above.

newadmin.php
This string only appear once in .htaccess insertion code. This will be used as "virtual" admin.php call replacement and doesn't have to be exists in your actual PHP-Nuke root directory. If you in doubt to change this string, be sure to use only native letters (A-Z, a-z), numbers (0-9), and underscores, followed by file extension. The extension doesn't have to be restricted only to .php, but you may experimenting with another extensions.

Cookie expiration time
By default, cookie will be expire within 24 hours after first login. The expiration value is defined in admin.php insertion code above as 86400 seconds (60 seconds x 60 minutes x 24 hours = 86400 seconds, does this ringing the bells on you?). You may modify this value for your own needs. Consider to set this value as small as possible, depend on how long you usually taken to administering your own site.

Ok, at this point you've done with the setups. Now you need to know how this thing works and proper procedures on how to login to your PHP-Nuke administration menu. On every first login, you'll need to call "virtual" admin script from the browser (default is newadmin.php as noted above). During the call, it will setup server variable to trigger cookie storing code. If cookie already stored, any call to admin.php will be considered valid, until the cookie itself expires.


An alternative
This is an alternative trick without altering actual admin.php file. The difference is, storing the cookie are handled from .htaccess file as well and no need additional code to be inserted into admin.php file. However, this trick may not work with most common Apache version and configuration. If you get Internal Server error, stop from using it. The only thing to do is by putting this code into .htaccess file in PHP-Nuke root directory:

Code:
<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteCond %{SCRIPT_FILENAME} ^.*/admin.php.*$ [NC]
  RewriteCond %{HTTP_COOKIE} !^.*admin_pass=whatever.*$ [NC]
  RewriteRule ^.*$ - [G,L]
  RewriteCond %{SCRIPT_FILENAME} ^.*/newadmin.php$
  RewriteRule ^.*$ admin.php [CO=admin_pass:whatever:{DOMAIN}:1440:/]
</IfModule>


Change {DOMAIN} string above with your actual domain, e.g. example.com (without www prefix). If you running under subdomain, put them instead e.g. home.example.com (without any prefix). If you get 500 Internal Server Error message, indicate that your Apache/mod-rewrite does not support cookie set through RewriteRule flag.


Does this trick always works?
It may not work on specific Apache configuration, especially if your site is hosted using host management software (Plesk, cPanel, Ensim, etc). I has few problems working with .htaccess under Ensim management panel, but in contrast I never had any problems under Plesk. I'm not so sure with cPanel since I never use it. It also may or may not work with Apache configured as virtual host mapping, you need to do some experiments with it. This trick always work on my local server, either with Apache version 1.x or version 2.x with all requirements accomplished (allowoverride, mod-rewrite).


Why Cookie?
You can use PHP session to replace cookie, but you'll need longer code. You can also combining them both for additional security. Additionally, some tricks using Javascript can also be used for client-side security scripting consideration. Javascript is very powerfull againts bots (non-human controlled) hack engine.


Is this trick work if Admin Secure installed?
Yes or no. If you enable Auth Login (HTTP Authentification) in Admin Secure configuration panel, it may (or may not) conflict with the trick describes here. If you want to apply this trick in the companion of Admin Secure installation, do it with your own risk.


What is .htaccess file?
This is an Apache special file to control common HTTP requests, usually resides in www directories. This file work per directory basis and can override Apache default settings. This file also provides mechanisms to communicate with Apache modules to perform specific tasks. Consult to your Apache manual or visit Apache Website for more information.

_________________
I'm Image
Find all posts by madmanView user's profileSend private messageVisit poster's websiteYahoo MessengerMSN Messenger
Hajduk
Corporal
Corporal


Joined: Apr 03, 2003
Posts: 50


PostPosted: Wed Aug 04, 2004 11:52 pm Reply with quoteBack to top

Ok, you hide your admin file and I will find it within 5 mins. Rename it, htaccess it, move it, chmod it.

And even still, hacking Nuke can be done throughout the whole system not just the admin file.
Find all posts by HajdukView user's profileSend private message
madman
Support Mod
Support Mod


Joined: Feb 15, 2004
Posts: 806


PostPosted: Thu Aug 05, 2004 1:50 pm Reply with quoteBack to top

This trick doesn't rename/move admin.php elsewhere.
Someone need glasses here. Cool

_________________
I'm Image
Find all posts by madmanView user's profileSend private messageVisit poster's websiteYahoo MessengerMSN Messenger
d0d0ls
Nuke Cadet
Nuke Cadet


Joined: Mar 10, 2004
Posts: 2

Location: Indonesia

PostPosted: Fri Aug 06, 2004 11:54 am Reply with quoteBack to top

I try your suggestion

Code:
<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteCond %{SCRIPT_FILENAME} ^.*/admin.php.*$ [NC]
  RewriteCond %{HTTP_COOKIE} !^.*admin_pass=whatever.*$ [NC]
  RewriteRule ^.*$ - [G,L]
  RewriteCond %{SCRIPT_FILENAME} ^.*/newadmin.php$
  RewriteRule ^.*$ admin.php [CO=admin_pass:whatever:{DOMAIN}:1440:/]
</IfModule>


And i check the error log at my site it show like this

Quote:
[Fri Aug 6 15:48:08 2004] [alert] [client 202.155.150.16] /home/dbests/public_html/.htaccess: RewriteRule: unknown flag 'CO'\n
[Fri Aug 6 15:48:08 2004] [alert] [client 202.155.150.16] /home/dbests/public_html/.htaccess: RewriteRule: unknown flag 'CO'\n
[Fri Aug 6 15:48:06 2004] [alert] [client 202.159.50.103] /home/dbests/public_html/.htaccess: RewriteRule: unknown flag 'CO'\n
[Fri Aug 6 15:48:06 2004] [alert] [client 202.159.50.103] /home/dbests/public_html/.htaccess: RewriteRule: unknown flag 'CO'\n
[Fri Aug 6 15:47:52 2004] [alert] [client 202.159.50.103] /home/dbests/public_html/.htaccess: RewriteRule: unknown flag 'CO'\n
[Fri Aug 6 15:47:52 2004] [alert] [client 202.159.50.103] /home/dbests/public_html/.htaccess: RewriteRule: unknown flag 'CO'\n
[Fri Aug 6 15:47:50 2004] [alert] [client 202.155.150.16] /home/dbests/public_html/.htaccess: RewriteRule: unknown flag 'CO'\n
[Fri Aug 6 15:47:50 2004] [alert] [client 202.155.150.16] /home/dbests/public_html/.htaccess: RewriteRule: unknown flag 'CO'\n
[Fri Aug 6 15:47:26 2004] [alert] [client 202.159.50.103] /home/dbests/public_html/.htaccess: RewriteRule: unknown flag 'CO'\n
[Fri Aug 6 15:47:26 2004] [alert] [client 202.159.50.103] /home/dbests/public_html/.htaccess: RewriteRule: unknown flag 'CO'\n
[Fri Aug 6 15:47:12 2004] [alert] [client 202.159.50.103] /home/dbests/public_html/.htaccess: RewriteRule: unknown flag 'CO'\n
[Fri Aug 6 15:47:12 2004] [alert] [client 202.159.50.103] /home/dbests/public_html/.htaccess: RewriteRule: unknown flag 'CO'\n
[Fri Aug 6 15:46:50 2004] [alert] [client 202.159.50.103] /home/dbests/public_html/.htaccess: RewriteRule: unknown flag 'CO'\n
[Fri Aug 6 15:46:50 2004] [alert] [client 202.159.50.103] /home/dbests/public_html/.htaccess: RewriteRule: unknown flag 'CO'\n
[Fri Aug 6 15:46:42 2004] [alert] [client 202.159.50.103] /home/dbests/public_html/.htaccess: RewriteRule: unknown flag 'CO'\n
[Fri Aug 6 15:46:42 2004] [alert] [client 202.159.50.103] /home/dbests/public_html/.htaccess: RewriteRule: unknown flag 'CO'\n
[Fri Aug 6 15:37:36 2004] [alert] [client 202.146.253.4] /home/dbests/public_html/.htaccess: RewriteRule: unknown flag 'CO'\n
[Fri Aug 6 15:37:36 2004] [alert] [client 202.146.253.4] /home/dbests/public_html/.htaccess: RewriteRule: unknown flag 'CO'\n
[Fri Aug 6 15:37:33 2004] [alert] [client 202.146.253.4] /home/dbests/public_html/.htaccess: RewriteRule: unknown flag 'CO'\n
[Fri Aug 6 15:37:33 2004] [alert] [client 202.146.253.4] /home/dbests/public_html/.htaccess: RewriteRule: unknown flag 'CO'\n


Is this normal or the script is not work at my server by the way I using a cPanel

Thanks for your helpmy site just been added a GOD ADMIN
Find all posts by d0d0lsView user's profileSend private messageVisit poster's websiteYahoo Messenger
madman
Support Mod
Support Mod


Joined: Feb 15, 2004
Posts: 806


PostPosted: Fri Aug 06, 2004 1:46 pm Reply with quoteBack to top

d0d0ls wrote:
Is this normal or the script is not work at my server by the way I using a cPanel

That mean Apache on your server does not support cookie through rewrite flag. I re-quote the warning notes for this alternative:
Quote:
However, this trick may not work with most common Apache version and configuration. If you get Internal Server error, stop from using it.

You'll have to use the main trick. Smile

_________________
I'm Image
Find all posts by madmanView user's profileSend private messageVisit poster's websiteYahoo MessengerMSN Messenger
d0d0ls
Nuke Cadet
Nuke Cadet


Joined: Mar 10, 2004
Posts: 2

Location: Indonesia

PostPosted: Fri Aug 06, 2004 5:59 pm Reply with quoteBack to top

Thanks MadMan The reason I use the second one cause is not to confusing me and my bad english and bad programing knowlaedge

I will try your first 1

Thanks and Peace
Find all posts by d0d0lsView user's profileSend private messageVisit poster's websiteYahoo Messenger
Hajduk
Corporal
Corporal


Joined: Apr 03, 2003
Posts: 50


PostPosted: Sun Aug 08, 2004 11:39 pm Reply with quoteBack to top

So why did my post get removed?
Find all posts by HajdukView user's profileSend private message
madman
Support Mod
Support Mod


Joined: Feb 15, 2004
Posts: 806


PostPosted: Mon Aug 09, 2004 12:41 pm Reply with quoteBack to top

Hajduk wrote:
So why did my post get removed?

Split them to another topic: http://www.nukecops.com/postt32676.html
Posts that not related to the topic was moved.

_________________
I'm Image
Find all posts by madmanView user's profileSend private messageVisit poster's websiteYahoo MessengerMSN Messenger
marius26
Nuke Cadet
Nuke Cadet


Joined: Apr 19, 2004
Posts: 9

Location: Great Britain

PostPosted: Sat Apr 23, 2005 5:28 am Reply with quoteBack to top

Quote:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{SCRIPT_FILENAME} ^.*/admin.php.*$ [NC]
RewriteCond %{HTTP_COOKIE} !^.*admin_pass=whatever.*$ [NC]
RewriteRule ^.*$ - [G,L]
RewriteCond %{SCRIPT_FILENAME} ^.*/newadmin.php$
RewriteRule ^.*$ admin.php [CO=admin_pass:whatever:{DOMAIN}:1440:/]
</IfModule>


i would like to know why you included port: 1440 into this file. explain yourself.

_________________
Steves Network & Free Advertising

Last edited by marius26 on Sun Jun 17, 2007 1:48 pm; edited 1 time in total
Find all posts by marius26View user's profileSend private messageVisit poster's website
ishadami
Nuke Cadet
Nuke Cadet


Joined: Aug 01, 2005
Posts: 1


PostPosted: Mon Aug 01, 2005 4:17 am Reply with quoteBack to top

hi i am new at both php nuke and this site
i like phpnkue so much but it has lots of security problems
i want to add code here which bloks to access admin.php except the real admin
* i add this code here for two reasons
1. i wonder is it really works as i thought
2. if work everybody can use it
open admin.php
after <?php
add this:
Code:
$ip = "my-ip";
if($ip != $_SERVER['REMOTE_ADDR']) {
Header("Location: index.php");
exit;
}

Find all posts by ishadamiView user's profileSend private messageVisit poster's website
marius26
Nuke Cadet
Nuke Cadet


Joined: Apr 19, 2004
Posts: 9

Location: Great Britain

PostPosted: Mon Aug 01, 2005 9:53 am Reply with quoteBack to top

[quote="d0d0ls"]I try your suggestion

Code:
<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteCond %{SCRIPT_FILENAME} ^.*/admin.php.*$ [NC]
  RewriteCond %{HTTP_COOKIE} !^.*admin_pass=whatever.*$ [NC]
  RewriteRule ^.*$ - [G,L]
  RewriteCond %{SCRIPT_FILENAME} ^.*/newadmin.php$
  RewriteRule ^.*$ admin.php [CO=admin_pass:whatever:{DOMAIN}:1440:/]
</IfModule>


i would like to know why is port 1440 needed? cause i personaly dont think its needed.

_________________
Steves Network & Free Advertising
Find all posts by marius26View user's profileSend private messageVisit poster's website
Legno_Genova
Private
Private


Joined: Nov 16, 2005
Posts: 39


PostPosted: Wed Oct 25, 2006 6:07 am Reply with quoteBack to top

Is it always better to hide it?

_________________
Legno
Cornici per foto
Multistrati compensato
Bricolage fai da te
Find all posts by Legno_GenovaView user's profileSend private messageSend e-mailVisit poster's website
Evaders99
Site Admin
Site Admin


Joined: Aug 17, 2003
Posts: 12482


PostPosted: Wed Oct 25, 2006 6:19 am Reply with quoteBack to top

It is a pretty good security trick, security through obscurity. Doesn't mean you should slack by not keeping up with patches though

_________________
Helping those that help themselves
Read FIRST or DIE!

"Fighting is terrible, but not as terrible as losing the will to fight."
Star Wars Rebellion Network - Need Help? Evaders Squadron Coding
Find all posts by Evaders99View user's profileSend private messageVisit poster's websiteAIM Address
saho
Nuke Soldier
Nuke Soldier


Joined: Jun 26, 2005
Posts: 12

Location: Turkey

PostPosted: Tue Jun 26, 2007 4:09 pm Reply with quoteBack to top

change name admin file this better
Find all posts by sahoView user's profileSend private messageSend e-mailVisit poster's websiteYahoo MessengerMSN Messenger
38super
Nuke Cadet
Nuke Cadet


Joined: Jan 15, 2008
Posts: 3


PostPosted: Wed Jan 16, 2008 6:02 am Reply with quoteBack to top

i'm new to phpnuke and such. would just deleting the admin.php file, then uploading it when your wanting to change something work?

i'm talking about a small site here.
Find all posts by 38superView user's profileSend private message
Display posts from previous:      
Post new topic  Reply to topicprinter-friendly view
View previous topic Log in to check your private messages View next topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum



Powered by phpBB © 2001, 2005 phpBB Group

Ported by Nuke Cops © 2003 www.nukecops.com
:: FI Theme :: PHP-Nuke theme by coldblooded (www.nukemods.com) ::
Powered by TOGETHER TEAM srl ITALY http://www.togetherteam.it - DONDELEO E-COMMERCE http://www.DonDeLeo.com - TUTTISU E-COMMERCE http://www.tuttisu.it
Web site engine's code is Copyright © 2002 by PHP-Nuke. All Rights Reserved. PHP-Nuke is Free Software released under the GNU/GPL license.
Page Generation: 0.069 Seconds - 461 pages served in past 5 minutes. Nuke Cops Founded by Paul Laudanski (Zhen-Xjell)
:: FI Theme :: PHP-Nuke theme by coldblooded (www.nukemods.com) ::