deech Nuke Soldier
Joined: Jun 29, 2005
Wed Aug 23, 2006 11:28 am
I've recently been getting a lot of people registering on my site lately, about 4-6 a day now. A lot of them have lotto or something like that in their name. My site requires registration and I haven't been getting any spam posts in the forums, but my question is ... is there anything I should be concerned about? Anything else they can do?
HalJordan Support Staff
Joined: Aug 07, 2004
Location: Somewhere around Hunan, China
Wed Aug 23, 2006 5:44 pm
They could overwhelm your host's server, launch a DOS attack on you or someone else, or maybe try other mischief. Do you require the security code to log in?
Yeah, we do require the security code to register. Anything else I need to do?
Supertex Nuke Cadet
Joined: Apr 27, 2003
Thu Sep 28, 2006 1:27 pm
Uh...let me warn you..
That is EXACTLY what preceded my site getting hacked. I noticed several account names....names that begged to be deleted. I went to the forums, which sadly were 2.0.2, and began one by one removing them. From the very start of it, after the deletion, it went into debug mode. I thought that was strange, but continued to delete the accounts. After the 3rd one, I didn't think it was a good idea to continue in that way. So I then went straight to the DB, and began deleting the accounts there. Once I finished that, I went and did a complete DB backup. After the backup was done, I switched out of the admin panel, back to the main page...there I noticed that names VERY similar (or perhaps the exact same) were suddenly logged into my site. I went back to the admin panel, only to find out that I'd been locked out...and I guess you can figure out what happened from that point forward. It ended up with complete deletion of my entire forum, and some of the block's contents as well. The guy replaced my forum with a single linked image, and left the image on the front page of the site as well.
It took some effort, but I had the site back up and completely restored in 4 hrs. My concern is whether or not the attack was cued from my deleting those accounts. When I look at my nuke_popsettings table, most of those user accounts (and curiously enough ONLY those user accounts) all have entries there. Very quickly after getting the site back up, I noticed more and more of the questionably named accounts began to show back up. I'm assuming that when the forum went into debug mode, that the DBNAME and DBPASS were snared and relayed back to the account owner. Or perhaps removing them on the phpMyAdmin side is what caused the compromise? I'm not sure exactly how this was done, but I'm fairly confident that this hack was somewhat automated, and was a response to my actions.
Question is...how do I safely remove these user accounts now?
At the time, I was using phpNuke v6.5, and have since moved to v7.6 + ChatServ 3.2 + NukeSentinel.
If they have a script that will report back to them an error when a username no longer exists, will the error report not specify the DBNAME and DBPASS in the body of the error report??