clam729
Sergeant
Joined: Aug 18, 2003
Posts: 82
Posted: Sun Apr 25, 2004 12:20 pm
All,
One measure that you can take is to change the name of your admin.php. For example, rename the file to mydomain_admin.php and in your config.php (which I rename also, but that's another post) add the following line:
$admin_php = "mydomain_admin.php";
Then, where you had your original admin.php, change it, for example,
if (!eregi("$admin_php", $PHP_SELF)) { die ("Access Denied"); }
or
if ($radminsuper==1) {
    adminmenu("$admin_php?op=backup", ""._SAVEDATABASE."", "backup.gif");
}
or
if ($radminsuper==1) {
    adminmenu("$admin_php?op=mod_authors", ""._EDITADMINS."", "authors.gif");
}
etc. etc. etc. It should be a pretty simple search/replace task. By doing this, you can easily change the name of your "admin.php" whenever you feel like it.
This is by no means an anti-hack solution; however, it makes it a little difficult for all the automated admin.php hacks out there ('cause now they don't know your filename).
Comments? I'd be glad to hear them from the real security experts.

whpromo
Private
Joined: Dec 22, 2003
Posts: 35
Location: Wooden cave on a hillside in AZ
Posted: Sun May 02, 2004 5:30 pm
If you are setting the variable $admin_php to the new name, why would you go do a search/replace for instances of that variable? Maybe I'm not reading what you wrote correctly, but that is what it seems to be saying to me.
Regards,
DW
www.techpadagency.com

Patrick3002
Nuke Soldier
Joined: Apr 28, 2004
Posts: 29
Location: Florida
Posted: Sun May 02, 2004 5:35 pm
Ooooo, I like that. I'm gonna install that right now.
Check out my site http://www.patsnetwork.net
Sign up now to receive a 100% FREE 51mb E-mail account!!

whpromo
Private
Joined: Dec 22, 2003
Posts: 35
Location: Wooden cave on a hillside in AZ
Posted: Sun May 02, 2004 5:50 pm

whpromo
Private
Joined: Dec 22, 2003
Posts: 35
Location: Wooden cave on a hillside in AZ
Posted: Sun May 02, 2004 7:35 pm
I've run into a problem with this, apparently. Everything seems to work except when a new user signs up. The information is stored, but they never receive the activation email. Any thoughts?
Regards,
DW
www.techpadagency.com

clam729
Sergeant
Joined: Aug 18, 2003
Posts: 82
Posted: Sun May 02, 2004 10:37 pm
It shouldn't have anything to do with changing your admin.php file. I know if you search the boards you will see tons of problems with emails/activation/etc.
Make sure that the replacements were successful. A quick scan of my site shows that I have 87 occurrences in 109 documents, and using Dreamweaver MX I verified them all when I first made the change.
I also removed a ton of useless code and modules that I am not using, so our numbers will be different.
On a side note, if you feel comfortable with editing all of your source, the standard PHP mail() blows. I've switched all code over to use PHPMailer http://phpmailer.sourceforge.net/ and have never, ever had a mailing problem with PHP or Nuke or anything ever since.
Mails have to be formed to exacting standards or these new-fangled msn/hotmail/yahoo/etc. "spam" filters will not allow PHP script generated mail through. I went 'round and 'round trying to get mail() to work 100% of the time, and never could.
To all nukers and PHPers, if you have problems with mail(), seriously, try PHPMailer (and NO, I have nothing to do with the author or the project).

BlazeNuke
Retired
Joined: Apr 04, 2004
Posts: 25
Posted: Tue Jun 15, 2004 3:21 pm
This also sounds great, clam729, but I'm a little confused as to which files you mean to change. Is it strictly just the admin.php and the config.php file?
Can you elaborate just a little, or do we need to do this to all the admin files in the admin folder...?
BlazeNuke

clam729
Sergeant
Joined: Aug 18, 2003
Posts: 82
Posted: Tue Jun 15, 2004 6:22 pm
Well, the easiest way is to rename your admin.php to whatever you want, i.e. a25844FGuTh.php or whatever.
Then, edit your config.php and add a line:
Code:
$admin_php = "mydomain_admin.php";
Then, in any file that references "admin.php", change it from admin.php to $admin_php.
Where you need to change it depends on your version of Nuke, what mods you have, etc. I used Dreamweaver to search/replace; you can use whatever.
Basically, wherever you have a hard-coded reference to admin.php you need to change it to $admin_php.
By doing this, if you ever want to change your file name again, you simply edit your config.php and change the value of the $admin_php string, and rename your file. If you want your file called "poopypants.php" your config.php would look like this:
Code:
$admin_php = "poopypants.php";
Then, rename admin.php --> poopypants.php and upload (taking note to remove your old file).
Make sense?
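The rename procedure described above, as an added example that is not part of the original post or of PHP-Nuke: a POSIX shell script that rehearses the three steps (move the file, record the name in config.php, swap hard-coded references for $admin_php) on a constructed copy of a Nuke-style tree, then runs the two checks a practitioner wants before going live: a count of hard-coded admin.php references the search/replace missed, and a list of files that use $admin_php without loading config.php. The sample files, their paths and the helper names (make_sample_tree, rename_admin, replace_refs, count_hardcoded_refs, files_missing_config) are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread or from PHP-Nuke. Rehearses the
# admin.php rename on a constructed sample tree and checks for leftovers.
set -eu

# Build a constructed tree. Layout and contents are illustrative only; the real
# set of files depends on the Nuke version and the modules installed.
make_sample_tree() {
  dir=$1
  mkdir -p "$dir/modules/News"
  printf '%s\n' '<?php' '$dbhost = "localhost";' > "$dir/config.php"
  printf '%s\n' '<?php' 'require_once("mainfile.php");' 'echo "admin";' > "$dir/admin.php"
  printf '%s\n' '<?php' 'require_once("mainfile.php");' \
    'if (!eregi("admin.php", $_SERVER["PHP_SELF"])) { require_once("includes/blocker.php"); }' \
    > "$dir/header.php"
  # One double-quoted link (PHP interpolates $admin_php there) and one
  # single-quoted link (it does not): the trap behind "page cannot be found".
  printf '%s\n' '<?php' \
    'echo "<a href=\"admin.php?op=editmsg&mid=$mid\">edit</a>";' \
    "\$links[] = 'admin.php?op=delmsg&mid=' . \$mid;" \
    > "$dir/modules/News/index.php"
}

# Step 1: move the file and record the new name in config.php.
rename_admin() {
  dir=$1
  newname=$2
  mv "$dir/admin.php" "$dir/$newname"
  printf '$admin_php = "%s";\n' "$newname" >> "$dir/config.php"
}

# Step 2: rewrite hard-coded references that sit inside double-quoted PHP
# strings, where $admin_php will interpolate. Single-quoted occurrences are
# deliberately left alone; they need a hand edit, and check 1 reports them.
replace_refs() {
  dir=$1
  find "$dir" -name '*.php' | while read -r f; do
    sed 's/"admin\.php/"$admin_php/g' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
  done
}

# Check 1: count hard-coded admin.php references that survived (the config.php
# assignment itself is excluded). Each one is a link that breaks, or a path
# that still reveals the old name, once the file is renamed.
count_hardcoded_refs() {
  find "$1" -name '*.php' -exec grep -n 'admin\.php' {} + \
    | grep -v 'admin_php = ' | wc -l | tr -d ' '
}

# Check 2: files that use $admin_php but never pull in config.php, directly or
# via mainfile.php. This is a heuristic: a module loaded through modules.php
# already has the variable in scope, but a file that runs on its own sees an
# empty $admin_php, which is what eregi()'s REG_EMPTY warning points at.
files_missing_config() {
  find "$1" -name '*.php' -exec grep -l '\$admin_php' {} + | while read -r f; do
    grep -Eq 'config\.php|mainfile\.php|admin_php = ' "$f" || echo "$f"
  done
}

demo() {
  d=$(mktemp -d)
  make_sample_tree "$d"
  rename_admin "$d" "mydomain_admin.php"
  replace_refs "$d"
  echo "hard-coded admin.php references left: $(count_hardcoded_refs "$d")"
  echo "files using \$admin_php without config.php/mainfile.php:"
  files_missing_config "$d"
  rm -rf "$d"
}

demo
```

Against a real tree, point the functions at a copy of the site instead of the sample builder and do not upload until check 1 reports zero. Two things the script cannot fix for you: a reference inside a single-quoted PHP string never interpolates, and code inside a function only sees $admin_php after `global $admin_php;`, so both have to be edited by hand. Note also that eregi() treats $admin_php as a case-insensitive regular expression and accepts it anywhere within PHP_SELF; comparing basename($_SERVER['SCRIPT_NAME']) with $admin_php for exact equality is the tighter test.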

candykc
Private
Joined: Aug 31, 2004
Posts: 37
Posted: Tue Aug 31, 2004 3:21 pm
Where in config.php do you put this line of code? Any place specific? Thanks!!!

Adilson
Nuke Cadet
Joined: Mar 05, 2004
Posts: 1
Posted: Wed Sep 08, 2004 12:22 pm
Concerning renaming admin.php, I have some questions:
1) Is there a way the hacker can find out the new name for my admin.php?
2) robots.txt is "downloadable". If I add the new name for my admin.php there, then the hacker can easily find out the new name. Is there any problem if I don't add the new name to robots.txt?
3) Instead of using a variable to store the new name in all the files that use admin.php, I used the new name itself. Is it easier for the hacker to find out the new name?
Thanks a lot for your help.
Adilson

XtraX
Lieutenant
Joined: Aug 23, 2003
Posts: 195
Posted: Fri Oct 29, 2004 12:42 pm
OK, I just renamed all my files but I'm getting an error in header.php on line 7, and it looks like this:
Code:
require_once("mainfile.php");
if (!eregi("$admin_php", $_SERVER['PHP_SELF'])) {
    require_once("includes/blocker.php");
}
And the error message is this; how do I fix this?
Warning: eregi(): REG_EMPTY in /home/virtual/site13/fst/var/www/html/header.php on line 7
Anyone, please...!
XtraX

XtraX
Lieutenant
Joined: Aug 23, 2003
Posts: 195
Posted: Fri Oct 29, 2004 1:24 pm
OK, never mind, I fixed header.php; all I added was
include("config.php");
and the error message is now gone, but I still can't get this one error fixed: the admin messages.
The link has been changed to $admin_php, but when you're on the main page and click the edit link that shows under the admin message, it shows this:
?op=editmsg&mid=3
As you can see, it's not calling the $admin_php. So how do I fix this? Do I need to hard-code it directly in?
XtraX

XtraX
Lieutenant
Joined: Aug 23, 2003
Posts: 195
Posted: Fri Oct 29, 2004 3:39 pm
May I point out that, by changing the variables around as I did and tested, this simply does not work.
1) You change the admin.php to $admin_php and set the new name of admin in config.php.
2) Now you can't delete comments, because changing the admin.php to the new global $admin_php simply does not work.
3) The comments link stays the same, but you get "page cannot be found"!
4) This also affects the admin message on the main page where it normally displays the edit or delete; again no page exists, yet you view the files and it has been changed to the $admin_php, but it does not seem to call the new admin.php file.
Any ideas how to fix these? It would be helpful to actually rename the admin.php to hide it centrally on your server.
May I also add I even attempted to include("config.php"); in those files and still no success!
So for now I use the
<?php include("......../admin.php"); ?>
Any help would be appreciated!
XtraX

edogs
Lieutenant
Joined: Sep 10, 2003
Posts: 172
Location: Russia
Posted: Fri Oct 29, 2004 3:44 pm
It's a useless idea to rename the admin.php file.
What's the sense?
A hacker will have no problem discovering the name of this file anyway, so if your site can be hacked, it'll be hacked in the second minute, not the first :-)
We are too lazy to copy and paste, but if someone pays attention to our post there
http://euronuke.org/fortopic20.html
you'll find a good way to protect admin.php with a real method.
With this way you can even almost give away your native php-nuke password :-) unless you use coppermine etc.
You are always welcome to use our paid services and get something professionally made for your php-nuke. Optimization, module/block creation etc...

FreeBee
Sergeant
Joined: Aug 26, 2004
Posts: 75
Posted: Fri Oct 29, 2004 10:33 pm