Nuke Cops :: View topic - My site was HACKED BY EHSAN! [ ]
makuks (Nuke Soldier; Joined: Aug 26, 2008; Posts: 14)
Posted: Tue Aug 26, 2008 6:16 am

Went to my site today to see a number of new news articles on the front page showing this:

www.only4dl.tk www.only4dl.tk www.only4dl.tk www.only4dl.tk www.only4dl.tk www.only4dl.tk www.only4dl.tk www.only4dl.tk www.only4dl.tk www.only4dl.tk www.only4dl.tk www.only4dl.tk www.only4dl.tk www.only4dl.tk www.only4dl.tk www.only4dl.tk www.only4dl.tk www.only4dl.tk

HACKED BY EHSAN!

It appears he has done no other damage: admin password still OK, no new admin passwords etc. I can log in to admin and delete those new news articles.

How did he do this, and what can I do to prevent it happening again?

Can anyone help me?

I have tried to install Sentinel before but it kept locking me out; is there anything else I can do?

Please help, I am worried he will take my complete site down and I do not have a current backup.

Thanks in advance.
Slackervaara (Captain; Joined: Sep 13, 2003; Posts: 355)
Posted: Tue Aug 26, 2008 7:16 am

Do you have access logs, so you can see how the hacker hacked your site?

Another way besides Sentinel to secure the site is to use the latest patches.
I have this in my .htaccess, which protects against hacks against admin.php and cross-scripting. Most hackers and hacker robots use cross-scripting, it seems to me:

<Files "admin.php">
Order allow,deny
Allow from XX.XXX.XX.XX
</Files>

RewriteEngine On

RewriteCond %{THE_REQUEST} .*http:\/\/.* [OR]
RewriteCond %{THE_REQUEST} .*http%3A%2F%2F.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^libwww(-FM|-perl) [OR]
RewriteCond %{HTTP_USER_AGENT} Indy\ Library [NC,OR]
RewriteRule ^.* - [F]

XX.XXX.XX.XX is your IP address.

makuks (Nuke Soldier; Joined: Aug 26, 2008; Posts: 14)
Posted: Tue Aug 26, 2008 7:27 am

Hi, yes, I do have access logs but I wouldn't know what to look for.

I am a bit wary of updating with the latest patches as I have made so many modifications to my site.

If I use this:

<Files "admin.php">
Order allow,deny
Allow from XX.XXX.XX.XX
</Files>

How could I allow one of my admins to access it who is not on a fixed IP address?

Thanks for your help.

I have now backed up my database and I am in the process of backing up my complete site, which is just short of 1GB!!!

Is he likely to return and try to do more damage?

Don't these sad c**ts have anything better to do!?!?
makuks (Nuke Soldier; Joined: Aug 26, 2008; Posts: 14)
Posted: Tue Aug 26, 2008 8:05 am

I notice he also entered data into nuke messages.
Slackervaara (Captain; Joined: Sep 13, 2003; Posts: 355)
Posted: Tue Aug 26, 2008 8:24 am

If your admin has a dynamic address, but the first part is constant you can use the constant part. Like Allow from 132.28.103.

If you know the exact date and time when the hacking occurred, it is just a matter of checking the logs for unusual or abnormal activity at that time. If they use cross-scripting you could search the log for =http:// and you will find the attempt very easily.

makuks (Nuke Soldier; Joined: Aug 26, 2008; Posts: 14)
Posted: Tue Aug 26, 2008 11:47 am

I have checked the logs and there is nothing in them with =http; in fact there doesn't appear to be anything unusual in them. Any ideas?

Thanks Mark.
makuks (Nuke Soldier; Joined: Aug 26, 2008; Posts: 14)
Posted: Tue Aug 26, 2008 12:00 pm

OK, I found this:

38.105.86.202 - - [26/Aug/2008:12:36:02 +0100] "POST /admin.php HTTP/1.0" 302 213 "http://www.quadheaven.co.uk/admin.php?op=EditStory&sid=192" "Mozilla/5.0 (Windows; U; Windows NT 5.1; it-IT; rv:1.9.0.1) Gecko/2008070208 Firefox/2.0.0.11, DynaWeb http://www.dit-inc.us/disclaimer.php"
38.105.86.202 - - [26/Aug/2008:12:36:02 +0100] "GET /admin.php?op=adminMain HTTP/1.0" 200 104261 "http://www.quadheaven.co.uk/admin.php?op=EditStory&sid=192" "Mozilla/5.0 (Windows; U; Windows NT 5.1; it-IT; rv:1.9.0.1) Gecko/2008070208 Firefox/2.0.0.11, DynaWeb http://www.dit-inc.us/disclaimer.php"

When I go to the link I get this:

Dear Webmaster:

If you followed the referrer in your web log and found this link, please be assured that we are not trying to mirror your site.

We are running an intelligent caching proxy network, DynaWeb, to help Internet users in China to get around Internet censorship in China. We try to block usage beyond this purpose. However, there are always a few visits we missed.

If those visits to your websites through our network cause any further concern, please feel free to email contact@dit-inc.us and we will be happy to make sure that your site can't be visited through our network.

You can find more links about our DynaWeb projects from here: http://www.dit-inc.us/

Sorry for any confusion this may have caused.


But why would their spider etc. try to log in to my admin page?
makuks (Nuke Soldier; Joined: Aug 26, 2008; Posts: 14)
Posted: Tue Aug 26, 2008 12:01 pm

makuks wrote:
OK, I found this:

38.105.86.202 - - [26/Aug/2008:12:36:02 +0100] "POST /admin.php HTTP/1.0" 302 213 "http://www.myurl.co.uk/admin.php?op=EditStory&sid=192" "Mozilla/5.0 (Windows; U; Windows NT 5.1; it-IT; rv:1.9.0.1) Gecko/2008070208 Firefox/2.0.0.11, DynaWeb http://www.dit-inc.us/disclaimer.php"
38.105.86.202 - - [26/Aug/2008:12:36:02 +0100] "GET /admin.php?op=adminMain HTTP/1.0" 200 104261 "http://www.myurl.co.uk/admin.php?op=EditStory&sid=192" "Mozilla/5.0 (Windows; U; Windows NT 5.1; it-IT; rv:1.9.0.1) Gecko/2008070208 Firefox/2.0.0.11, DynaWeb http://www.dit-inc.us/disclaimer.php"

When I go to the link I get this:

Dear Webmaster:

If you followed the referrer in your web log and found this link, please be assured that we are not trying to mirror your site.

We are running an intelligent caching proxy network, DynaWeb, to help Internet users in China to get around Internet censorship in China. We try to block usage beyond this purpose. However, there are always a few visits we missed.

If those visits to your websites through our network cause any further concern, please feel free to email contact@dit-inc.us and we will be happy to make sure that your site can't be visited through our network.

You can find more links about our DynaWeb projects from here: http://www.dit-inc.us/

Sorry for any confusion this may have caused.


But why would their spider etc. try to log in to my admin page?
makuks (Nuke Soldier; Joined: Aug 26, 2008; Posts: 14)
Posted: Tue Aug 26, 2008 12:04 pm

And this one goes to my delete admins:

38.105.86.202 - - [26/Aug/2008:12:38:53 +0100] "GET /admin.php?op=deladmin&del_aid=admin HTTP/1.0" 200 92056 "http://www.myurl.co.uk/admin.php?op=mod_authors" "Mozilla/5.0 (Windows; U; Windows NT 5.1; it-IT; rv:1.9.0.1) Gecko/2008070208 Firefox/2.0.0.11, DynaWeb http://www.dit-inc.us/disclaimer.php"
makuks (Nuke Soldier; Joined: Aug 26, 2008; Posts: 14)
Posted: Tue Aug 26, 2008 12:05 pm

And this one actually tries to edit one of my admin usernames:

38.105.86.202 - - [26/Aug/2008:12:39:20 +0100] "GET /admin.php?op=modifyadmin&chng_aid=bansheeeee HTTP/1.0" 200 94544 "http://www.myurl.co.uk/admin.php?op=mod_authors" "Mozilla/5.0 (Windows; U; Windows NT 5.1; it-IT; rv:1.9.0.1) Gecko/2008070208 Firefox/2.0.0.11, DynaWeb http://www.dit-inc.us/disclaimer.php"
makuks (Nuke Soldier; Joined: Aug 26, 2008; Posts: 14)
Posted: Tue Aug 26, 2008 12:08 pm

Those are the only dodgy parts I can find in a complete log of 40,000 rows.

Any thoughts please?
makuks (Nuke Soldier; Joined: Aug 26, 2008; Posts: 14)
Posted: Tue Aug 26, 2008 12:09 pm
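The two things this thread goes looking for in the access log are worth automating rather than eyeballing 40,000 rows: requests whose query string carries a remote URL (the "=http://" and "http%3A%2F%2F" pattern that Slackervaara's .htaccess rules block and that he suggests grepping for), and admin.php requests from addresses that are not on the admin allow list, like the POST /admin.php, op=deladmin and op=modifyadmin lines quoted above. The following Python script is an added example, not code from this thread, from PHP-Nuke or from NukeSentinel. It assumes Apache's "combined" log format, it treats allow-list entries the way Slackervaara describes (a full address or a partial dotted prefix such as 132.28.103.), and the sample log lines are constructed for the example: the address 38.105.86.202 and the admin ops come from the thread, the other addresses and hostnames are made up.

```python
"""Scan an Apache combined-format access log for the two traces discussed in
this thread: query parameters carrying a remote URL, and admin.php requests
from addresses outside the admin allow list (account- and content-changing
ops called out)."""
import re
from urllib.parse import parse_qs, urlsplit

# One line of Apache's "combined" LogFormat, as in the lines quoted above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# admin.php ops that appear in this thread and change stories or admin accounts.
SENSITIVE_OPS = {"EditStory", "deladmin", "modifyadmin", "mod_authors"}


def parse_line(line):
    """Split one log line into its fields; None if it is not combined format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def ip_allowed(ip, allow_list):
    """Apache 'Allow from' style match: a full address, or a partial dotted
    prefix such as '132.28.103.' that covers every address under it."""
    for entry in allow_list:
        entry = entry.rstrip(".")
        if ip == entry or ip.startswith(entry + "."):
            return True
    return False


def remote_url_in_query(target):
    """True when any query parameter value is itself an http(s) URL.
    parse_qs percent-decodes, so http%3A%2F%2F is caught as well as http://."""
    query = urlsplit(target).query
    for values in parse_qs(query, keep_blank_values=True).values():
        if any(v.lower().startswith(("http://", "https://")) for v in values):
            return True
    return False


def admin_op(target):
    """The 'op' parameter of an admin.php request; None for other paths or no op."""
    parts = urlsplit(target)
    if parts.path != "/admin.php":
        return None
    return parse_qs(parts.query).get("op", [None])[0]


def find_suspicious(lines, allow_list):
    """Return (ip, reason, target) for every line that trips one of the checks."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, target = rec["ip"], rec["target"]
        if remote_url_in_query(target):
            findings.append((ip, "remote URL in query string", target))
        if urlsplit(target).path == "/admin.php" and not ip_allowed(ip, allow_list):
            op = admin_op(target)
            reason = "admin.php request from outside the allow list"
            if op in SENSITIVE_OPS:
                reason += f" (sensitive op {op})"
            findings.append((ip, reason, target))
    return findings


# Constructed sample lines modelled on the ones quoted in this thread: the
# address 38.105.86.202 and the admin ops are from the thread, the rest is made up.
SAMPLE_LOG = [
    '38.105.86.202 - - [26/Aug/2008:12:36:02 +0100] "POST /admin.php HTTP/1.0" 302 213 "http://www.example.co.uk/admin.php?op=EditStory&sid=192" "Mozilla/5.0 DynaWeb"',
    '38.105.86.202 - - [26/Aug/2008:12:38:53 +0100] "GET /admin.php?op=deladmin&del_aid=admin HTTP/1.0" 200 92056 "http://www.example.co.uk/admin.php?op=mod_authors" "Mozilla/5.0 DynaWeb"',
    '132.28.103.77 - - [26/Aug/2008:13:01:10 +0100] "GET /admin.php?op=adminMain HTTP/1.0" 200 104261 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [26/Aug/2008:13:05:44 +0100] "GET /modules.php?name=News&file=http%3A%2F%2F203.0.113.5%2Fx.txt HTTP/1.0" 200 5120 "-" "libwww-perl/5.8"',
    '203.0.113.20 - - [26/Aug/2008:13:07:00 +0100] "GET /index.php HTTP/1.1" 200 20480 "-" "Mozilla/5.0"',
]
ADMIN_ALLOW = ["132.28.103."]  # partial address, as Slackervaara describes


if __name__ == "__main__":
    for ip, reason, target in find_suspicious(SAMPLE_LOG, ADMIN_ALLOW):
        print(f"{ip:15} {reason}: {target}")
```

Run against a real log, the script would read the file line by line instead of SAMPLE_LOG; the three findings on the sample are the two admin.php hits from 38.105.86.202 (the second flagged as the sensitive deladmin op) and the modules.php request whose file parameter decodes to a remote URL. The admin hit from 132.28.103.77 is silent because it falls under the partial-address allow entry, which is exactly the trade-off of that approach: every address in that range is trusted.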

My admin now states that he is unable to log in to his account with his username of admin and his password; he has been trying all day without success.

Interestingly, his account is not a super user account, which may suggest why they only placed messages on the front page of the site, as his account does not allow him to do any more than this.

What would you suggest I do to stop this happening again?

Thanks
makuks (Nuke Soldier; Joined: Aug 26, 2008; Posts: 14)
Posted: Tue Aug 26, 2008 12:50 pm

By the way, I put this in my .htaccess and I got a server error:

RewriteEngine On

RewriteCond %{THE_REQUEST} .*http:\/\/.* [OR]
RewriteCond %{THE_REQUEST} .*http%3A%2F%2F.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^libwww(-FM|-perl) [OR]
RewriteCond %{HTTP_USER_AGENT} Indy\ Library [NC,OR]
RewriteRule ^.* - [F]
makuks (Nuke Soldier; Joined: Aug 26, 2008; Posts: 14)
Posted: Tue Aug 26, 2008 1:58 pm

I guess I picked a bad day for support !!
Evaders99 (Site Admin; Joined: Aug 17, 2003; Posts: 12482)
Posted: Tue Aug 26, 2008 3:47 pm

No one is always available to answer your questions immediately. So please be patient.

That IP address could be involved with DynaWeb (dit-inc.us), as they are hosted on "Performance Systems International Inc".
Then again, it is easy to fake such referrers.

Your best bet is to install NukeSentinel to stop further hacks - http://www.nukescripts.net

_________________
Helping those that help themselves
Read FIRST or DIE!

"Fighting is terrible, but not as terrible as losing the will to fight."
Star Wars Rebellion Network - Need Help? Evaders Squadron Coding