I am the webmaster (a newbie one) of www.iesjorgemanrique.com, a PHP-Nuke 6.0 site on a Linux box, dedicated to a Spanish high school. On 21 August someone hacked our site. The hack activates itself when the browser goes to www.iesjorgemanrique.com/index.php, the main page. The main page appears, and then the browser quickly goes to an image on l337-zide.net (66.218.79.40). This is a strange site running PHP-Nuke.
I have found 66.218.79.40 listed in some spammer lists, but my sendmail does not appear to be relaying anything yet.
I suspect that this hacker has used some PHP-Nuke vulnerability in version 6.0. The redirection is not in the Apache conf files, and not in the mysql/nuke database.
What do you recommend? My main concerns are the users of PHP-Nuke version 6.0 and the more than one hundred webmail users I have in the school.
Thank you for your work
mcdrum
aka juan fernandez
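The post above says the redirect is neither in the Apache configuration nor in the database, which leaves the PHP-Nuke files themselves (index.php, the theme, blocks, footer, .htaccess) as the place to look. The following scanner is an added example, not code from this thread or from PHP-Nuke: it walks a web root and flags the usual ways a page is made to bounce a visitor or pull a remote image, and lists the external hosts referenced. The directory it scans is a small constructed tree (hypothetical file names and contents) so the script runs offline; point scan_tree() at a real document root to use it.

```python
"""Scan a PHP-Nuke web root for injected redirects and external resource loads.

Added example, not code from the forum thread or from PHP-Nuke. The sample tree
built by build_sample_root() is constructed for demonstration only.
"""
import os
import re
import tempfile

# Each pattern names one way an attacker commonly bounces visitors off a site
# or makes their browser fetch something from a host the attacker controls.
PATTERNS = {
    "meta-refresh":   re.compile(r'<meta[^>]+http-equiv\s*=\s*["\']?refresh', re.I),
    "php-location":   re.compile(r'header\s*\(\s*["\']\s*Location\s*:', re.I),
    "js-location":    re.compile(r'(window|document|top|self)\.location|location\.(href|replace)', re.I),
    "htaccess-redir": re.compile(r'^\s*(Redirect(Match|Permanent|Temp)?|RewriteRule)\b', re.I),
    "obfuscated-php": re.compile(r'eval\s*\(\s*(base64_decode|gzinflate|str_rot13)', re.I),
    "remote-include": re.compile(r'(include|require)(_once)?\s*\(?\s*["\']https?://', re.I),
    "external-src":   re.compile(r'<(img|iframe|script|frame|embed)[^>]+src\s*=\s*["\']?https?://', re.I),
}

SCAN_EXTENSIONS = {".php", ".inc", ".htm", ".html", ".js", ".txt"}
SCAN_NAMES = {".htaccess"}
HOST_RE = re.compile(r'https?://([A-Za-z0-9.-]+)', re.I)


def scan_file(path, root):
    """Return one finding per (line, pattern) hit in a single file."""
    findings = []
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                for name, pattern in PATTERNS.items():
                    if pattern.search(line):
                        hosts = sorted(set(h.lower() for h in HOST_RE.findall(line)))
                        findings.append({
                            "file": os.path.relpath(path, root).replace(os.sep, "/"),
                            "line": lineno,
                            "pattern": name,
                            "hosts": hosts,
                            "text": line.strip()[:120],
                        })
    except OSError:
        pass  # unreadable file: skip rather than abort the whole scan
    return findings


def scan_tree(root):
    """Walk the web root and scan every file whose name or extension is of interest."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in sorted(files):
            ext = os.path.splitext(fname)[1].lower()
            if ext in SCAN_EXTENSIONS or fname in SCAN_NAMES:
                findings.extend(scan_file(os.path.join(dirpath, fname), root))
    return findings


def external_hosts(findings, own_host):
    """Hosts referenced by the findings, other than the site's own name."""
    hosts = set()
    for f in findings:
        for h in f["hosts"]:
            if h != own_host.lower():
                hosts.add(h)
    return sorted(hosts)


def build_sample_root():
    """Construct a tiny fake PHP-Nuke tree: three clean files, two tampered ones."""
    root = tempfile.mkdtemp(prefix="nuke-scan-")
    files = {
        "index.php": "<?php\nrequire_once('mainfile.php');\ninclude('header.php');\n",
        "header.php": "<?php\necho '<img src=\"images/logo.gif\">';\n",
        # constructed tampering: a remote 1x1 image plus a JavaScript bounce
        "footer.php": ("<?php\necho '<img src=\"http://l337-zide.net/img.gif\" width=1 height=1>';\n"
                       "echo '<script>window.location=\"http://l337-zide.net/\";</script>';\n"),
        # constructed tampering: a meta refresh hidden in the theme header
        "themes/DeepBlue/theme.php": ("<?php\nfunction themeheader() {\n"
                                      "  echo '<meta http-equiv=\"refresh\" content=\"0;url=http://l337-zide.net/\">';\n"
                                      "}\n"),
        ".htaccess": "Options -Indexes\n",
    }
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    sample = build_sample_root()
    hits = scan_tree(sample)
    for f in hits:
        print(f"{f['file']}:{f['line']} [{f['pattern']}] {f['text']}")
    print("external hosts referenced:", external_hosts(hits, "www.iesjorgemanrique.com"))
```

The same patterns can be run over a mysqldump of the nuke database (news bodies, blocks and the config table are the usual hiding places) with scan_file() pointed at the dump file. A clean scan of the tree does not prove the box is clean: if the attacker got a shell, the PHP files may have been restored and the redirect served from somewhere else, so compare file modification times around 21 August and check the web server's access log for the first request to the tampered file.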
Zhen-Xjell Nuke Cops Founder
Joined: Nov 14, 2002
Posts: 5939
Posted: Thu Aug 21, 2003 6:24 pm
Hi, sounds like they may have hacked the news or your account. Best bet is to upgrade to 6.5 with our security fixes.
_________________ Paul Laudanski, Microsoft MVP Windows-Security
CastleCops: [de] [en] [wiki]
jank Nuke Soldier
Joined: Apr 30, 2003
Posts: 23
Posted: Sat Aug 23, 2003 11:39 am
mcdrum wrote:
Hi all.
Quote:
The main page appears, and then the browser quickly goes to an image on l337-zide.net (66.218.79.40). This is a strange site running PHP-Nuke.
I have found 66.218.79.40 listed in some spammer lists, but my sendmail does not appear to be relaying anything yet.
Are you sure? 66.218.79.40 is mail.yahoo.com... As a matter of fact, the whole block is owned by Yahoo.
Connecting to whois.arin.net...
OrgName: Yahoo!
OrgID: YAOO
Address: 701 First Avenue
City: Sunnyvale
StateProv: CA
PostalCode: 94089
Country: US
NetRange: 66.218.64.0 - 66.218.95.255
CIDR: 66.218.64.0/19
NetName: A-YAHOO-U23
NetHandle: NET-66-218-64-0-1
Parent: NET-66-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.YAHOO.COM
NameServer: NS2.YAHOO.COM
NameServer: NS3.YAHOO.COM
NameServer: NS4.YAHOO.COM
NameServer: NS5.YAHOO.COM
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2002-01-15
Updated: 2002-06-27
# ARIN WHOIS database, last updated 2003-08-22 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.
bwcbwc Nuke Soldier
Joined: Jul 25, 2003
Posts: 34
Location: FL
Posted: Sun Aug 24, 2003 8:00 am
Well, mail.yahoo.com would explain why it appears in the spam lists. It also sounds like someone may have hacked a DNS to redirect the IP to l337-zide.net (more likely: l337-zide.net is just a site hosted by Yahoo). There's a fair chance that this site was also hacked and is just one in a chain of victims.
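The two explanations above (a tricked DNS server versus a site simply hosted at Yahoo) cannot be told apart from the ARIN record alone, because the record only says who is allocated the block. The following is an added example, not code from this thread: it parses an ARIN-style record into fields, checks that its NetRange and CIDR lines describe the same block, and reports whether an observed address falls inside it. The record text is a constructed copy of the one pasted above, and the two addresses are the ones reported in the thread; a third address outside the block is added for contrast.

```python
"""Check whether an observed address falls inside a whois-registered block.

Added example, not code from the forum thread. ARIN_RECORD is a constructed copy
of the record pasted in the thread, trimmed to the fields used here.
"""
import ipaddress

ARIN_RECORD = """\
OrgName: Yahoo!
OrgID: YAOO
NetRange: 66.218.64.0 - 66.218.95.255
CIDR: 66.218.64.0/19
NetName: A-YAHOO-U23
NetType: Direct Allocation
# ARIN WHOIS database, last updated 2003-08-22 19:15
"""


def parse_arin_record(text):
    """Turn 'Key: value' lines into a dict; comment lines and blanks are skipped."""
    record = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        record[key.strip()] = value.strip()
    return record


def networks_from_record(record):
    """Networks the record claims, after checking that NetRange and CIDR agree."""
    nets = [ipaddress.ip_network(c.strip()) for c in record["CIDR"].split(",")]
    first, last = (ipaddress.ip_address(p.strip()) for p in record["NetRange"].split("-"))
    covered = list(ipaddress.summarize_address_range(first, last))
    if sorted(covered) != sorted(nets):
        raise ValueError("NetRange and CIDR fields disagree")
    return nets


def owner_of(ip, record):
    """Return the record's OrgName if ip lies in its block, else None."""
    addr = ipaddress.ip_address(ip)
    for net in networks_from_record(record):
        if addr in net:
            return record.get("OrgName")
    return None


if __name__ == "__main__":
    rec = parse_arin_record(ARIN_RECORD)
    for ip in ("66.218.79.40", "66.218.79.140", "66.219.0.1"):
        print(ip, "->", owner_of(ip, rec))
```

Both 66.218.79.40 and 66.218.79.140 resolve to the same allocation, so the whois result is consistent with l337-zide.net being an ordinary Yahoo-hosted site. To test the DNS-tampering theory instead, compare the answer your resolver gives for l337-zide.net with what the domain's own authoritative name servers return.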
mcdrum Nuke Soldier
Joined: Aug 21, 2003
Posts: 12
Posted: Sun Aug 24, 2003 4:44 pm
Sorry for the delay in answering.
I did a search on www.dnsstuff.com to get the info about the IP of "my" hacker.
Today, after reading your post, I have done the same. The thing now is that dnsstuff reports the IP as being 66.218.79.140.
The ARIN data and the reverse DNS seem to say that l337-zide.net is a premium service offered by Yahoo.
GREAT!! Obviously there are some DNS servers tricked here.
I have sent an email to r00t@l337-zide.net, and he (or she) answered me. I hope to understand what happened.
For now I have, on an isolated box, a new PHP-Nuke version 6.5 with all the patches and fixes I have found here (I was unable to get the NC security 6.5 version at work). My hope is that the only problem on my server is PHP-Nuke, and that by patching it I will not be hacked that way again.