Author |
Message |
Psycho
Worker


Joined: May 27, 2006
Posts: 157
|
Posted:
Tue Aug 22, 2006 12:32 pm |
|
About 2 days ago i had a hack attempt of my site which sentinel picked up on and all seemed ok. Then today i went on to the forum admin. the preview forum link comes up with page cannot be displayed. Then when i try to go to forum management or permissions it comes up with "Hacking attempt!". Why is it doing that?
 |
Last edited by Psycho on Wed Aug 23, 2006 10:45 am; edited 2 times in total |
|
|
 |
hitwalker
Sells PC To Pay For Divorce

Joined:
Posts: 5661
|
Posted:
Tue Aug 22, 2006 1:37 pm |
|
|
|
 |
Psycho

|
Posted:
Tue Aug 22, 2006 5:30 pm |
|
that is about removing a title bar, i have a problem with the admin for the forum. |
|
|
|
 |
montego
Site Admin

Joined: Aug 29, 2004
Posts: 9457
Location: Arizona
|
Posted:
Wed Aug 23, 2006 9:24 pm |
|
Nice description... Thx.
Now, please log out of admin and normal user (if logged in), delete cookies and cache, close the browser and come back in to admin.php. First, before doing anything, make sure you can still get to Forums admin.... one step at a time.
Please post what the ban from Sentinel was (remove anything that could be specific to your paths, etc., if there in the text).
Also, check your web server logs from the time NS tripped the ban and see if anything looks suspicious. And, you may want to check your files to make sure nothing has been overwritten / deleted.
This may all be for nothing, but this is "Triage", just to make sure there isn't really a hack that occurred. If you find nothing, then we can work more methodically on trying to figure out what is wrong. |
|
|
 |
Psycho

|
Posted:
Wed Aug 23, 2006 9:46 pm |
|
ok well i removed cookies and cache and restarted web browser and no change.. The ban from sentinel was someone else and i dont think it was connected. although heres what the report said:
Code:
Date & Time: 2006-08-21 21:57:28 BST GMT +0100
Blocked IP: 71.201.247.*
User ID: Guest (1)
Reason: Abuse-Union
--------------------
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Query String: www.mydomain.co.uk/modules.php?name=Search&type=comments&query=not123exists&instory=/**/UNION/**/SELECT/**/0,0,pwd,0,aid/**/FROM/**/nuke_authors
Get String: www.mydomain.co.uk/modules.php?name=Search&type=comments&query=not123exists&instory=/**/UNION/**/SELECT/**/0,0,pwd,0,aid/**/FROM/**/nuke_authors
Post String: www.mydomain.co.uk/modules.php
Forwarded For: none
Client IP: none
Remote Address: 71.201.247.1
Remote Port: 2354
Request Method: GET
--------------------
Who-Is for IP
OrgName: Comcast Cable Communications, Inc.
OrgID: CMCS
Address: 1800 Bishops Gate Blvd
City: Mt Laurel
StateProv: NJ
PostalCode: 08054
Country: US
NetRange: 71.192.0.0 - 71.207.255.255
CIDR: 71.192.0.0/12
NetName: ATT-COMCAST
NetHandle: NET-71-192-0-0-1
Parent: NET-71-0-0-0-0
NetType: Direct Allocation
NameServer: DNS.INFLOW.PA.BO.COMCAST.NET
NameServer: DNS.CMC.CO.DENVER.COMCAST.NET
Comment:
RegDate: 2005-07-27
Updated: 2006-07-11
OrgAbuseHandle: NAPO-ARIN
OrgAbuseName: Network Abuse and Policy Observance
OrgAbusePhone: +1-856-317-7272
OrgAbuseEmail: abuse@comcast.net
OrgTechHandle: IC161-ARIN
OrgTechName: Comcast Cable Communications Inc
OrgTechPhone: +1-856-317-7200
OrgTechEmail: CNIPEO-Ip-registration@cable.comcast.com
|
Which i believe is an attack to get to the admin section?
Anyway, i can see anything overwritten in my files and i dont know how to check my web server logs.
Im pretty sure that was a hack attempt as sentinel block says "We have caught 1 shameful hacker(s)"
Thanks montego. |
|
|
|
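montego's suggestion above to check the web server logs around the time of the ban, as an added example (not part of the original thread and not NukeSentinel's own code): it flags requests whose query string has the UNION/SELECT shape seen in the report, then lists everything else the same address requested so the response codes can be reviewed. The log lines are constructed samples in Apache combined format, and the function names are hypothetical.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample lines (Apache combined log format), not taken from the thread.
SAMPLE_LOG = """\
192.0.2.10 - - [21/Aug/2006:21:57:28 +0100] "GET /modules.php?name=Search&type=comments&query=not123exists&instory=/**/UNION/**/SELECT/**/0,0,pwd,0,aid/**/FROM/**/nuke_authors HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
192.0.2.10 - - [21/Aug/2006:21:57:41 +0100] "GET /admin.php HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
192.0.2.12 - - [21/Aug/2006:21:59:40 +0100] "GET /modules.php?name=Search&instory=%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F1 HTTP/1.1" 403 310 "-" "Mozilla/5.0"
192.0.2.13 - - [21/Aug/2006:22:01:15 +0100] "GET /modules.php?name=Forums HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)
# UNION and SELECT separated by whitespace and/or /* ... */ comments.
GAP = r'(?:\s|/\*.*?\*/)+'
UNION_RE = re.compile(r'\bunion' + GAP + r'(?:all' + GAP + r')?select\b', re.I | re.S)

def decode(uri, rounds=2):
    """Undo percent-encoding up to `rounds` times so double encoding is caught."""
    for _ in range(rounds):
        nxt = unquote_plus(uri)
        if nxt == uri:
            break
        uri = nxt
    return uri

def triage(log_text):
    """Return {ip: [(timestamp, status, uri, flagged), ...]} for IPs with a UNION hit."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        uri = decode(m["uri"])
        by_ip[m["ip"]].append((m["ts"], int(m["status"]), uri, bool(UNION_RE.search(uri))))
    # Keep the full request history, but only for addresses that tripped the pattern.
    return {ip: reqs for ip, reqs in by_ip.items() if any(r[3] for r in reqs)}

if __name__ == "__main__":
    for ip, reqs in triage(SAMPLE_LOG).items():
        print(ip)
        for ts, status, uri, flagged in reqs:
            print("  ", "FLAG" if flagged else "    ", ts, status, uri)
```

An ordinary site search for the words "union select" matches the same pattern, so flagged lines still need a human look before anyone is banned.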
 |
Psycho

|
Posted:
Wed Aug 23, 2006 9:54 pm |
|
rofl i clicked that link in the email and it said that ive been blocked and now i can't see my site! bit lost how to recover it:D |
|
|
|
 |
montego

|
Posted:
Wed Aug 23, 2006 11:25 pm |
|
You have to edit your .htaccess file to remove your IP address as use phpMyAdmin to remove your IP from the blockedips table.  |
|
|
|
 |
Psycho

|
Posted:
Thu Aug 24, 2006 1:33 am |
|
right, i logged in as one of my other admins on a different computer and sorted it out;) anyway, still got the problem! |
|
|
|
 |
montego

|
Posted:
Fri Aug 25, 2006 5:59 am |
|
Psycho, yes, the original NS block was a hack attempt, there was never a question about that in my mind as it was a clear UNION attempt.
If you want me to look at it closer, PM me an admin login and if you can, even an FTP login. Also let me know what version of nuke you are running.
BTW, I am extremely busy at work right now so if you need this looked at quickly, I will not be your man. But, I will help you sort it out if you want me to (at least I will try). |
|
|
|
 |
Psycho

|
Posted:
Sat Aug 26, 2006 12:54 pm |
|
|
|
 |
montego

|
Posted:
Sun Aug 27, 2006 8:45 am |
|
I have looked at it briefly. I changed the forum style back to Subsilver and at least the Forum Preview is working again. Must be a problem with the AcidTechGreen style that you had previously.
However, I am a bit "stumped" by the "Hacking Attempt!" issue. I can find no references to this literal anywhere within the RavenNuke 2.02.02 distribution.
What version of nuke and patchset is this? If you feel more comfortable PM'ing me the info, that is fine. |
|
|
|
 |
Psycho

|
Posted:
Sun Aug 27, 2006 10:52 am |
|
patchset? not sure, version is the ravenuke package from this site. |
|
|
|
 |
montego

|
Posted:
Sun Aug 27, 2006 10:52 pm |
|
Ah, I think I found it now, but not in 2.02.02 (that you are using). Had you tried to upgrade to the 2.0.21 BBtoNuke patchset? I see now that that literal was just added to includes/functions.php. Odd thing is, though, we have integrated 2.0.21(+) into 2.10.00 (due out soon), and I am not seeing this issue. However, your site is a bit different in that you are somehow redirecting folks from one URL to another... I wonder if that has anything to do with it.
Did you, by chance, miss the upgrade db patch for that upgrade? |
|
|
|
 |
Psycho

|
Posted:
Mon Aug 28, 2006 7:20 am |
|
lol barely understood what i was reading there! I think i may have missed a db patch for an upgrade? but i dont remember tryin to upgrade 2.0.21 BBto Nuke patchset. |
|
|
|
 |
Psycho

|
Posted:
Mon Aug 28, 2006 8:25 am |
|
just on another note, i do have a redirect on my site because the url was one for my hosting company and i wanted a .co.uk address. |
|
|
|
 |
Psycho

|
Posted:
Mon Sep 25, 2006 1:35 pm |
|
Any more ideas about this?  |
|
|
|
 |
montego

|
Posted:
Tue Sep 26, 2006 5:38 am |
|
Unfortunately not. Have not had time to go back in and look either. Sorry.
What I would suggest is upgrading to 2.10.00 release once it comes out. I just won't have time to debug this on your site. You may want to try the "For Hire" forum and get someone to help you. |
|
|
|
 |
Psycho

|
Posted:
Tue Nov 14, 2006 11:35 am |
|
lol i got the new version.. installed it and now my forum admin section and actual forum are blank? |
|
|
|
 |
montego

|
Posted:
Wed Nov 15, 2006 10:51 am |
|
Psycho, not sure what "new version" you are talking about. My last post was talking about the RavenNuke release 2.10.00 which is still not out. So, not sure what you installed... |
|
|
|
 |
Psycho

|
Posted:
Wed Nov 15, 2006 2:08 pm |
|
lol the new forum bbphp thing that the admin panel suggested.. |
|
|
|
 |
evaders99
Former Moderator in Good Standing

Joined: Apr 30, 2004
Posts: 3221
|
Posted:
Wed Nov 15, 2006 11:39 pm |
|
You cannot install the original phpBB files on your phpNuke. You must use the BBToNuke files http://www.nukeresources.com
Given that this is for RavenNuke, wait til 2.0.10 is out and it will come with the latest phpBB. |
|
|
 |
Psycho

|
Posted:
Thu Nov 16, 2006 5:01 am |
|
i got those files ur on about and did an upgrade apparently and it wiped the forums lol |
|
|
|
 |
Psycho

|
Posted:
Thu Nov 16, 2006 1:34 pm |
|
how do i get them back? |
|
|
|
 |
jakec
Site Admin

Joined: Feb 06, 2006
Posts: 3048
Location: United Kingdom
|
Posted:
Thu Nov 16, 2006 1:51 pm |
|
Did you run a backup before upgrading? |
|
|
|
 |
evaders99

|
Posted:
Thu Nov 16, 2006 7:06 pm |
|
Restore the files from your RavenNuke package |
|
|
|
 |
|