My site running phpnuke 6.9 got hacked :(

Posted: Fri Dec 19, 2003 12:23 pm

I was posting news on my site when i just realised my site got hacked.

I'm running PHPnuke 6.9

There was a new msg on top of my site, with just a picture, this picture:

http://www.antishare.bitum.ru/Files/Defaces/logo2.jpg

I look around on there site and saw some other sites that got hacked or something. How can i make sure this doesn't happen again ? Sad

Posted: Fri Dec 19, 2003 10:21 pm

See my post below.

Posted: Sat Dec 20, 2003 12:38 am

maciekp wrote:

That's too bad, so what?

Search the forum.

That doesn't help me, i already look around on the forum, and i'm running PHPnuke 6.9 with all security fixes that are released.

Posted: Sat Dec 20, 2003 3:27 am

You should've said so. I apologise for my remark.

Here's what you need t do:

1. Check the files on your server against your latest backup to check for any modifications
2. Reset all admin passwords
3. Search the logs for the message posting URL, e.g. *admin.php?op=messages , find the perp.'s IP and notify the person responsible for the network
3. If using Apache, create "admin" user group, add a new user to this group and create the appropriate .htaccess file
4. Limit access to admin.php to a "tight" IP range/subnet
5. Install the Protector System, which gives you "high level" logs of session activity on your PHP-Nuke site
6. Re-evaluate the security of installed 3rd party modules/blocks

I've missed a few steps but I'm sorry I need to get back to work, I'm sure you'll get more replies soon.

Nuke Cadet Joined: Dec 01, 2003 Posts: 6

the same guy got me! I have my server logs

Posted: Sat Dec 20, 2003 3:34 pm

Can you email me the log spiderx?

daniel -at - casemodworld.com is my address.

Cheers

General Joined: Mar 22, 2003 Posts: 5233 Location: USA

Spiderx, can you also email a zipped copy of the log to raven -at- ravenphpscripts -.- com. Thanks.

Corporal Joined: Sep 02, 2003 Posts: 59

Anyone got the block "Site Info PS" from that site ??

Nuke Cadet Joined: Dec 01, 2003 Posts: 6

Hope this helps Very Happy

Posted: Sat Dec 20, 2003 11:09 pm

Uhu, conspiracy?

Nuke Cadet Joined: Dec 01, 2003 Posts: 6

Is there a fix for this? Confused

Posted: Sun Dec 21, 2003 8:03 am

Did you apply the admin.php, weblinks & downloads patches that were available a while back?

Posted: Sun Dec 21, 2003 8:13 am

I also have the logs & the ip Sad

the ip is: 200.53.64.221

Somewhere in Mexico Sad

Posted: Sun Dec 21, 2003 8:17 am

Can you send me your logs too CBA?

Address is in another post above, cheers.

Posted: Sun Dec 21, 2003 6:05 pm

The address given above is located in Mexico City, it's very likely it was spoofed.

Can you post/PM the exact URL they used to post the message? Did they use the standard admin.php?op=messages ?

If yes, then you must restrict admin.php to a group of users on your system - both Apache and IIS allow you to do this, as well as restricting access to a given IP only.

See attached diagram: