Nuke Cops :: View topic - hacked by Jesus?

Nicotine
Nuke Cadet
Joined: Aug 09, 2003
Posts: 7
Posted: Thu Apr 08, 2004 11:21 am

My site (http://www.antitelemarketer.com) was recently hacked.

Is there a way to fix what damage has been done without restoring an unsecure backup?

I am running v6.5 with patches.

miniPC
Nuke Cadet
Joined: Dec 26, 2003
Posts: 9
Posted: Thu Apr 08, 2004 11:24 am

Yes, it can be fixed. Can you get to the Admin page? Do you have phpadmin installed on the server to access the MySQL database? I can help if you want.

Nicotine
Nuke Cadet
Joined: Aug 09, 2003
Posts: 7
Posted: Thu Apr 08, 2004 11:28 am

They have changed the god account so that I cannot get access to the admin panel. Is there a back door to access the admin panel without logging in from /nuke/admin.php?

I should still be able to access phpmyadmin. Where specifically would I go to fix the admin login account in phpmyadmin?

Thanks!

miniPC
Nuke Cadet
Joined: Dec 26, 2003
Posts: 9
Posted: Thu Apr 08, 2004 11:36 am

Go to your phpmyadmin. Browse to Nuke_Authors. Find the "Jesus" account and reset the password field to "dc647eb65e6711e155375218212b3964" without the quotes. You can then log into your admin page with the username of Jesus and password of Password (capital P). Delete all of the admin accounts you have except the one you want.

Also, install Raven's Hack Attempt script and the Protector script. This will help you ban and keep them from doing this again. Find out in your web host's log files who ran that script.

I can help you install it if you wish. I have been a victim of these guys and I will volunteer my time to install this to help stop them.

Let me know.

PCguy

Nicotine
Nuke Cadet
Joined: Aug 09, 2003
Posts: 7
Posted: Thu Apr 08, 2004 11:47 am

Thank You!

I will have to attempt this from home (work firewall issues).

I take it that I will have to rebuild the nuke main page from scratch once I log in by re-activating blocks and modules, is this correct?

I will share any findings.

Thanks again!

miniPC
Nuke Cadet
Joined: Dec 26, 2003
Posts: 9
Posted: Thu Apr 08, 2004 11:48 am

Yes, that is correct. My hacker deleted some content pages as well. I don't know if you were running any, but if you were, they are gone. Unless of course you have a backup.

Doodle
Premium
Joined: Sep 13, 2003
Posts: 50
Posted: Thu Apr 08, 2004 1:47 pm

Do you have any IPs or URLs in your logs? Just curious.

_________________
Doodle
Independent Network Solutions
webmaster@indnet.ca

Nicotine
Nuke Cadet
Joined: Aug 09, 2003
Posts: 7
Posted: Thu Apr 08, 2004 4:23 pm

Worked like a charm! I can't find any fishy IPs.

miniPC
Nuke Cadet
Joined: Dec 26, 2003
Posts: 9
Posted: Thu Apr 08, 2004 6:24 pm

Do you have your web logs?

Nicotine
Nuke Cadet
Joined: Aug 09, 2003
Posts: 7
Posted: Fri Apr 09, 2004 2:08 pm

Yes, I have logs but I wouldn't know where to begin to look since I don't know what time the actual exploit took place.

I did get another hack attempt. Thanks to your suggestion of Raven's script, I got them.

195.5.12.251

OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: Singel 258
Address: 1016 AB
City: Amsterdam
StateProv:
PostalCode:
Country: NL

ReferralServer: whois://whois.ripe.net

NetRange: 195.0.0.0 - 195.255.255.255
CIDR: 195.0.0.0/8
NetName: RIPE-CBLK3
NetHandle: NET-195-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: NS2.NIC.FR
NameServer: SUNIC.SUNET.SE
NameServer: AUTH03.NS.UU.NET
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: TINNIE.ARIN.NET
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at http://www.ripe.net/whois
RegDate: 1996-03-25
Updated: 2004-03-16

TechHandle: RIPE-NCC-ARIN
TechName: RIPE NCC Hostmaster
TechPhone: +31 20 535 4444
TechEmail: search-ripe-ncc-not-arin@ripe.net

OrgTechHandle: RIPE-NCC-ARIN
OrgTechName: RIPE NCC Hostmaster
OrgTechPhone: +31 20 535 4444
OrgTechEmail: search-ripe-ncc-not-arin@ripe.net
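
Added example (not part of the thread and not any poster's code): one way to start on the web host's logs when the time of the compromise is unknown, as raised in the posts above, is to list every client that requested the admin script, when it first and last did so, and how many of those requests were POSTs. The log lines are constructed samples in Apache combined log format using documentation-range IPs; the `admin_hits` function, its parameters and the "known admin IP" are assumptions, and only the /nuke/admin.php path comes from the thread.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (Apache combined log format), not taken from the thread.
# All addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [07/Apr/2004:21:14:02 +0000] "GET /nuke/index.php HTTP/1.1" 200 18233 "-" "Mozilla/4.0"
198.51.100.7 - - [07/Apr/2004:23:40:11 +0000] "GET /nuke/admin.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.45 - - [08/Apr/2004:03:02:57 +0000] "GET /nuke/admin.php HTTP/1.0" 200 7301 "-" "-"
203.0.113.45 - - [08/Apr/2004:03:03:20 +0000] "POST /nuke/admin.php HTTP/1.0" 200 412 "-" "-"
192.0.2.10 - - [08/Apr/2004:09:15:44 +0000] "GET /nuke/modules.php?name=Forums HTTP/1.1" 200 9921 "-" "Mozilla/4.0"
"""

# client IP, timestamp, method, request path and status of one log line
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def admin_hits(log_text, admin_path="/nuke/admin.php", known_admin_ips=()):
    """Per client IP: first/last time and number of requests to the admin script."""
    summary = defaultdict(lambda: {"first": None, "last": None, "count": 0, "posts": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m["path"].split("?", 1)[0]  # ignore the query string when matching
        if path != admin_path or m["ip"] in known_admin_ips:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        s = summary[m["ip"]]
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
        s["count"] += 1
        s["posts"] += m["method"] == "POST"  # POSTs are the state-changing requests
    return dict(summary)

if __name__ == "__main__":
    # 198.51.100.7 stands in for the site owner's own address (assumption).
    hits = admin_hits(SAMPLE_LOG, known_admin_ips={"198.51.100.7"})
    for ip, s in sorted(hits.items(), key=lambda kv: kv[1]["first"]):
        print(ip, s["first"].isoformat(), s["last"].isoformat(), s["count"], s["posts"])
```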

Casper_2k3
Nuke Soldier
Joined: Feb 24, 2004
Posts: 21
Location: UK
Posted: Fri Apr 09, 2004 3:52 pm

I suggest you install Admin Secure 1.4. All new admin accounts created will require god approval and if you get hacked and get your admin passwords changed, you can very easily restore them to what they used to be before you got hacked.

Also, in case you get hacked in future, I recommend you install some IP tracking features. On my site I have a Site Meter, IP Tracking module and a Live Help system. All of the above show me what pages have been accessed and by what IP number. They all help a lot in finding people accessing pages they shouldn't be!