Forum Management displays "Hacking Attempt"

Worker Joined: May 27, 2006 Posts: 157

About 2 days ago i had a hack attempt of my site which sentinel picked up on and all seemed ok. Then today i went on to the forum admin. the preview forum link comes up with page cannot be displayed. Then when i try to go to forum management or permissions it comes up with "Hacking attempt!". Why is it doing that?
Rolling Eyes

Sells PC To Pay For Divorce Joined: Posts: 5661

Is ?? a description ?

and see if this helps..
http://www.ravenphpscripts.com/postp75678.html?highlight=#75678

Posted: Tue Aug 22, 2006 5:30 pm

that is about removing a title bar, i have a problem with the admin for the forum.

registered · Posted: Wed Aug 23, 2006 9:24 pm

Nice description... Wink

Thx.

Now, please logout out of admin and normal user (if logged in), delete cookies and cache, close the browser and come back in to admin.php. First, before doing anything, make sure you can still get to Forums admin.... one step at a time.

Please post what the ban from Sentinel was (remove anything that could be specific to your paths, etc., if there in the text).

Also, check your web server logs from the time NS tripped the ban and see if anything looks suspicious. And, you may want to check your files to make sure nothing has been overwritten / deleted.

This may all be for nothing, but this is "Triage", just to make sure there isn't really a hack that occurred. If you find nothing, then we can work more methodically on trying to figure out what is wrong.

Posted: Wed Aug 23, 2006 9:46 pm

ok well i removed cookies and cache and restarted web browser and no change.. The ban from sentinel was someone else and i dont think it was connected. although heres what the report said:

Code:

Date &amp; Time: 2006-08-21 21:57:28 BST GMT +0100


Blocked IP: 71.201.247.*


User ID: Guest (1)


Reason: Abuse-Union


--------------------


User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)


Query String: www.mydomain.co.uk/modules.php?name=Search&type=comments&query=not123exists&instory=/**/UNION/**/SELECT/**/0,0,pwd,0,aid/**/FROM/**/nuke_authors


Get String: www.mydomain.co.uk/modules.php?name=Search&type=comments&query=not123exists&instory=/**/UNION/**/SELECT/**/0,0,pwd,0,aid/**/FROM/**/nuke_authors


Post String: www.mydomain.co.uk/modules.php


Forwarded For: none


Client IP: none


Remote Address: 71.201.247.1


Remote Port: 2354


Request Method: GET


--------------------


Who-Is for IP


OrgName:    Comcast Cable Communications, Inc.


OrgID:      CMCS


Address:    1800 Bishops Gate Blvd


City:       Mt Laurel


StateProv:  NJ


PostalCode: 08054


Country:    US





NetRange:   71.192.0.0 - 71.207.255.255


CIDR:       71.192.0.0/12


NetName:    ATT-COMCAST


NetHandle:  NET-71-192-0-0-1


Parent:     NET-71-0-0-0-0


NetType:    Direct Allocation


NameServer: DNS.INFLOW.PA.BO.COMCAST.NET


NameServer: DNS.CMC.CO.DENVER.COMCAST.NET


Comment:    


RegDate:    2005-07-27


Updated:    2006-07-11





OrgAbuseHandle: NAPO-ARIN


OrgAbuseName:   Network Abuse and Policy Observance


OrgAbusePhone:  +1-856-317-7272


OrgAbuseEmail:  abuse@comcast.net





OrgTechHandle: IC161-ARIN


OrgTechName:   Comcast Cable Communications Inc


OrgTechPhone:  +1-856-317-7200


OrgTechEmail:  CNIPEO-Ip-registration@cable.comcast.com

Which i believe is an attack to get to the admin section?

Anyway, i can see anything overwritten in my files and i dont know how to check my web server logs.

Im pretty sure that was a hack attempt as sentinel block says "We have caught 1 shameful hacker(s)"

Thanks montego.

Posted: Wed Aug 23, 2006 9:54 pm

rofl i clicked that link in the email and it said that ive been blocked and now i can't see my site! bit lost how to recover it:D

Posted: Wed Aug 23, 2006 11:25 pm

You have to edit your .htaccess file to remove your IP address as use phpMyAdmin to remove your IP from the blockedips table. Laughing

Posted: Thu Aug 24, 2006 1:33 am

right, i logged in as one of my other admins on a different computer and sorted it out;) anyway, still got the problem!

Posted: Fri Aug 25, 2006 5:59 am

Psycho, yes, the original NS block was a hack attempt, there was never a question about that in my mind as it was a clear UNION attempt.

If you want me to look at it closer, PM me an admin login and if you can, even an FTP login. Also let me know what version of nuke you are running.

BTW, I am extremely busy at work right now so if you need this looked at quickly, I will not be your man. But, I will help you sort it out if you want me to (at least I will try).

Posted: Sat Aug 26, 2006 12:54 pm

Thanks Montego!

Posted: Sun Aug 27, 2006 8:45 am

I have looked at it briefly. I changed the forum style back to Subsilver and at least the Forum Preview is working again. Must be a problem with the AcidTechGreen style that you had previously.

However, I am a bit "stumped" by the "Hacking Attempt!" issue. I can find no references to this literal anywhere within the RavenNuke 2.02.02 distribution.

What version of nuke and patchset is this? If you feel more comfortable PM'ing me the info, that is fine.

Posted: Sun Aug 27, 2006 10:52 am

patchset? not sure, version is the ravenuke package from this site.

Posted: Sun Aug 27, 2006 10:52 pm

Ah, I think I found it now, but not in 2.02.02 (that you are using). Had you tried to upgrade to the 2.0.21 BBtoNuke patchset? I see now that that literal was just added to includes/functions.php. Odd thing is, though, we have integrated 2.0.21(+) into 2.10.00 (due out soon), and I am not seeing this issue. However, your site is a bit different in that you are somehow redirecting folks from one URL to another... I wonder if that has anything to do with it.

Did you, by chance, miss the upgrade db patch for that upgrade?

Posted: Mon Aug 28, 2006 7:20 am

lol barely understood what i was reading there! I think i may have missed a db patch for an upgrade? but i dont remember tryin to upgrade 2.0.21 BBto Nuke patchset.

Posted: Mon Aug 28, 2006 8:25 am

just on another note, i do have a redirect on my site because the url was one for my hosing company and i wanted a .co.uk address.

Posted: Mon Sep 25, 2006 1:35 pm

Any more ideas about this? Rolling Eyes

Posted: Tue Sep 26, 2006 5:38 am

Unfortunately not. Have not had time to go back in and look either. Sorry. Sad

What I would suggest is upgrading to 2.10.00 release once it comes out. I just won't have time to debug this on your site. You may want to try the "For Hire" forum and get someone to help you.

Posted: Tue Nov 14, 2006 11:35 am

lol i got the new version.. installed it and now my forum admin section and actual forum are blank?

Posted: Wed Nov 15, 2006 10:51 am

Psycho, not sure what "new version" you are talking about. My last post was talking about the RavenNuke release 2.10.00 which is still not out. So, not sure what you installed...

Posted: Wed Nov 15, 2006 2:08 pm

lol the new forum bbphp thing that the admin panel suggested..

registered · Posted: Wed Nov 15, 2006 11:39 pm

You cannot install the original phpBB files on your phpNuke. You must use the BBToNuke files http://www.nukeresources.com

GIven that this is for RavenNuke, wait til 2.0.10 is out and it will come with the latest phpBB.

Posted: Thu Nov 16, 2006 5:01 am

i got those files ur on about and did an upgrade apparently and it wiped the forums lol

Posted: Thu Nov 16, 2006 1:34 pm

how do i get them back? Sad

Posted: Thu Nov 16, 2006 1:51 pm

Did you run a backup before upgrading?

Posted: Thu Nov 16, 2006 7:06 pm

Restore the files from your RavenNuke package