Nuke Cops :: View topic - My site running phpnuke 6.9 got hacked :(
CBA
Nuke Soldier

Joined: Oct 30, 2003
Posts: 15
Location: Belgium

Posted: Fri Dec 19, 2003 12:23 pm

I was posting news on my site when I just realised my site got hacked.

I'm running PHPnuke 6.9

There was a new msg on top of my site, with just a picture, this picture:

Image
http://www.antishare.bitum.ru/Files/Defaces/logo2.jpg

I looked around on their site and saw some other sites that got hacked or something. How can I make sure this doesn't happen again? :(

maciekp
Sergeant

Joined: Sep 09, 2003
Posts: 94
Location: Perth, WA

Posted: Fri Dec 19, 2003 10:21 pm

See my post below.


Last edited by maciekp on Sat Dec 20, 2003 3:30 am; edited 1 time in total

CBA
Nuke Soldier

Joined: Oct 30, 2003
Posts: 15
Location: Belgium

Posted: Sat Dec 20, 2003 12:38 am

maciekp wrote:
That's too bad, so what?

Search the forum.


That doesn't help me, I already looked around on the forum, and I'm running PHPnuke 6.9 with all security fixes that are released.

maciekp
Sergeant

Joined: Sep 09, 2003
Posts: 94
Location: Perth, WA

Posted: Sat Dec 20, 2003 3:27 am

You should've said so. I apologise for my remark.

Here's what you need to do:

1. Check the files on your server against your latest backup to check for any modifications
2. Reset all admin passwords
3. Search the logs for the message posting URL, e.g. *admin.php?op=messages, find the perp.'s IP and notify the person responsible for the network
4. If using Apache, create "admin" user group, add a new user to this group and create the appropriate .htaccess file
5. Limit access to admin.php to a "tight" IP range/subnet
6. Install the Protector System, which gives you "high level" logs of session activity on your PHP-Nuke site
7. Re-evaluate the security of installed 3rd party modules/blocks

I've missed a few steps but I'm sorry I need to get back to work, I'm sure you'll get more replies soon.
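
Added example, not part of maciekp's post and not PHP-Nuke or Protector System code: one way to carry out the log search from the list above and combine it with the "tight" IP range idea, by listing every admin.php request that came from outside the range admins are expected to use. The log lines are constructed, and the `ADMIN_NETS` range and the function name `admin_hits` are assumptions made for the illustration.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample in Apache combined log format (documentation IP ranges).
SAMPLE_LOG = """\
192.0.2.10 - - [19/Dec/2003:11:58:02 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.77 - - [19/Dec/2003:12:01:44 +0100] "GET /admin.php?op=messages HTTP/1.1" 200 2310 "-" "Mozilla/4.0"
203.0.113.77 - - [19/Dec/2003:12:02:10 +0100] "POST /admin.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
192.0.2.10 - - [19/Dec/2003:12:20:31 +0100] "GET /admin.php?op=messages HTTP/1.1" 200 2310 "-" "Mozilla/4.0"
198.51.100.5 - - [19/Dec/2003:12:21:00 +0100] "GET /modules.php?name=News HTTP/1.1" 200 900 "-" "Mozilla/4.0"
this line is not in log format and is skipped
"""

# Assumption: the only network the site admins ever connect from.
ADMIN_NETS = [ipaddress.ip_network("192.0.2.0/28")]

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" (\d{3}) ')


def admin_hits(log_text, admin_nets=ADMIN_NETS):
    """Return {client: [(time, method, op, status), ...]} for admin.php
    requests made from outside admin_nets."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected format
        client, when, method, target, status = m.groups()
        url = urlsplit(target)
        if not unquote(url.path).lower().endswith("/admin.php"):
            continue
        # op is "-" on a POST: form fields are not written to the access log.
        params = {k.lower(): v for k, v in parse_qs(url.query).items()}
        op = params.get("op", ["-"])[0]
        try:
            trusted = any(ipaddress.ip_address(client) in n for n in admin_nets)
        except ValueError:
            trusted = False  # a hostname was logged; treat it as untrusted
        if not trusted:
            hits[client].append((when, method, op, int(status)))
    return dict(hits)


if __name__ == "__main__":
    for client, reqs in admin_hits(SAMPLE_LOG).items():
        print(client)
        for when, method, op, status in reqs:
            print(f"  {when}  {method}  op={op}  status={status}")
```

A 200 or 302 status on such a request means the admin script answered it; after admin.php is restricted in the web server, the same requests from outside the range should show up as 401 or 403.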

spiderx
Nuke Cadet

Joined: Dec 01, 2003
Posts: 6

Posted: Sat Dec 20, 2003 3:12 pm

The same guy got me! I have my server logs.

Daniel-cmw
Site Admin

Joined: Mar 02, 2003
Posts: 1662
Location: The UK!

Posted: Sat Dec 20, 2003 3:34 pm

Can you email me the log, spiderx?

daniel -at - casemodworld.com is my address.

Cheers

_________________
Read Me

Raven
General

Joined: Mar 22, 2003
Posts: 5233
Location: USA

Posted: Sat Dec 20, 2003 5:12 pm

Spiderx, can you also email a zipped copy of the log to raven -at- ravenphpscripts -.- com. Thanks.

_________________
Those who hear not the music think the dancers mad.
Raven Web Hosting|My Scripts & Stuff

m00
Corporal

Joined: Sep 02, 2003
Posts: 59

Posted: Sat Dec 20, 2003 6:10 pm

Anyone got the block "Site Info PS" from that site ??

spiderx
Nuke Cadet

Joined: Dec 01, 2003
Posts: 6

Posted: Sat Dec 20, 2003 11:01 pm

Hope this helps :D

maciekp
Sergeant

Joined: Sep 09, 2003
Posts: 94
Location: Perth, WA

Posted: Sat Dec 20, 2003 11:09 pm

Uhu, conspiracy?

_________________
ElectricDice 0.8 - password & MD5, sitekey generator tool

Use SHA1 in Nuke

spiderx
Nuke Cadet

Joined: Dec 01, 2003
Posts: 6

Posted: Sun Dec 21, 2003 8:02 am

Is there a fix for this? :?

Daniel-cmw
Site Admin

Joined: Mar 02, 2003
Posts: 1662
Location: The UK!

Posted: Sun Dec 21, 2003 8:03 am

Did you apply the admin.php, weblinks & downloads patches that were available a while back?

_________________
Read Me

CBA
Nuke Soldier

Joined: Oct 30, 2003
Posts: 15
Location: Belgium

Posted: Sun Dec 21, 2003 8:13 am

I also have the logs & the IP :(

The IP is: 200.53.64.221

Somewhere in Mexico :(

Daniel-cmw
Site Admin

Joined: Mar 02, 2003
Posts: 1662
Location: The UK!

Posted: Sun Dec 21, 2003 8:17 am

Can you send me your logs too, CBA?

Address is in another post above, cheers.

_________________
Read Me

maciekp
Sergeant

Joined: Sep 09, 2003
Posts: 94
Location: Perth, WA

Posted: Sun Dec 21, 2003 6:05 pm

The address given above is located in Mexico City, it's very likely it was spoofed.

Can you post/PM the exact URL they used to post the message? Did they use the standard admin.php?op=messages ?

If yes, then you must restrict admin.php to a group of users on your system - both Apache and IIS allow you to do this, as well as restricting access to a given IP only.

See attached diagram:

Image

_________________
ElectricDice 0.8 - password & MD5, sitekey generator tool

Use SHA1 in Nuke