Hacker

The_cobra666 · Posted: Sat Jan 21, 2006 3:00 pm

Hi,

I've got the original phpnuke platinum with the patch pack from platinummods. But now I'm having trouble with a cracker. I don't know how to stop him! He's using a proxy to get in. I've set the proxy blocker to it's max in nukesentinal but not helping at all. I'm realy realy stuck right now and don't know what to do anymore.

He's hacking accounts. I've disabled the memberlist and made it only avaibable to admin's. And still he's getting his user name's. I'm realy stuck and going out of my mind. I've tryid almost everything. It just ain't helping. I hope anybody of you got an idea. He is using the same password each time ==> downfo.

Guardian2003 · Site Admin Joined: Aug 28, 2003 Posts: 4653

I'm not too familiar with Platinum but I presume you have;
Sentinel settings to block union and other attacks
Have changed ALL admin passwords etc etc.
Checked for any new admin accounts you did not create and deleted them.

If you have block proxy turned on then he should be getting blocked anyway.

If all else fails, remove your admin.php file - that may give you some breathing space hopefully.

The_cobra666 · Posted: Sat Jan 21, 2006 6:26 pm

Nukesentinal proxy blocker is @ max, every blocker of sentinal is on and directly writing to .htaccess, but sentinal isn't blocking the proxy. He never toucht the admin. Only user and spamming on the forum. I've installed the mod_security on my server but he's still getting in. I've got not a clue were to look now Sad

Guardian2003 · Site Admin Joined: Aug 28, 2003 Posts: 4653

So he is spamming the forums - are these set for registered users only?
He can still register a new account of course but atleast you can keep deleting his accounts. I'm sure he will get fed up before you.

I'm not too sure on how well they managed to integrate Sentinel with Platinum, I know some other 'forks' of phpNuke did not work well so perhaps the Platinum authors can answer why the proxy blocker is not working as it works on phpNuke site.

There are also some tweaks you can try that will prevent people signing up with free email accounts like hotmail, msn etc. At least if they start registering with proper domains, you can persue other courses of action.

The_cobra666 · Posted: Sat Jan 21, 2006 6:38 pm

The forum is not visible if your not a registerd user. He's not registering any new accounts only hacking old one's. I've tried everything to stop that guy but I can't find it. I'm going to delete the admin.php like you say, so he can't do anything wrong.

evaders99 · Moderator Joined: Apr 30, 2004 Posts: 2795

Do you have access logs? That should show how exactly he is getting in

The_cobra666 · Posted: Sun Jan 22, 2006 4:11 am

I have access log's but the problem is, I can't make any out of them. It seems like because he's behind a proxy it does not logs everything he does. I mean the ip is there, the date is there, but the link is "dissapeared". I do know he's using firefox. From 20:25:45 until 20:25:51 he entired like 10 times this link ==> modules.php?name=Your_Account&op=userinfo&bypass=1&username=Flash"

And let that be the account that has been hacked yesterday. This is something I do find a lot if he's busy.

Guardian2003 · Site Admin Joined: Aug 28, 2003 Posts: 4653

That is a normal log-in url for nuke.
That would suggect to me that either the user had forgotten their password and were trying different ones or possibly someone else trying to 'guess' the users password.
If there are no url's after thatis then it would seem to indicate an unsuccesffull attempt.

Do you have the log-in code activated where a user has to type in his username/pasword and code? This may slow him down especially if they are using some automated scripting.

The_cobra666 · Posted: Sun Jan 22, 2006 6:13 am

If I activate that, the users can't login anymore from the block, for some reason it's not accepting the security code, but in the account module it is.

technocrat · Involved Joined: Jul 07, 2005 Posts: 492

The proxy blocker is untouch in the PNP patched packs. It should be working normally. The problem with proxies are that the newer ones can fool the proxy blockers by sending in the correct headers. If he is using one then you have a problem.

The_cobra666 · Posted: Mon Jan 23, 2006 1:19 pm

Is there away to block proxy's on server level?