Author |
Message |
pureliving
Worker


Joined: Dec 01, 2008
Posts: 180
|
Posted:
Sun Mar 08, 2009 4:12 pm |
|
I have not been able to access my admin for over a week now, starting a few days after the update.
I originally thought it was a NukeSentinel issue, but now I'm confused.
I have had several people look into this, with no one able to provide any conclusive reason, until I just received an email stating:
[Regarding this email, it would appear that someone is trying to send email from your admin script using a potential exploit. Are you using the most recent version of phpnuke?
The IP address in question is a twtelecom.net email address. I'm assuming this isn't your ISP, would it be OK with you if we block this IP from the server?
That email was stopped by our server due to the From: header used.]
It would really be appreciated if someone could advise me please. |
|
|
|
 |
pureliving

|
Posted:
Sun Mar 08, 2009 5:22 pm |
|
I believe there to be a step missing in the NukeSentinel configuration steps in the confns document, which is discussed in a karakas-online forum topic:
Quote: |
Log into your site's admin.php and click on the Nuke Sentinel icon. From the Nuke Sentinel Administration menu, select "Protected Range Menu". In that new menu, Click on "Add Protected Range." Add your IP, select your country and click on the "Add Protected Range" button. Be sure to complete both the "IP From:" and "IP To:" rows.
|
I forgot to do anything along this line, with so many things to think about with the upgrade, etc., and now I'm not protected. From looking into the IP address, I found the above to be my host themselves, which caused big confusion with them and myself.
It seems that within the upgrade somehow this has triggered something in admin, creating a potential exploit with email, although exactly what the issue is, I and others looking into this for me cannot quite work out.
Taking note of the above, the fact that I did not do this upon upgrade, and the fact that I now cannot get access to my admin properly, do you have any suggestions at all as to what I may do to solve this?
Please, please help me someone, I feel like I am going around in circles, and having to rely on a few people as well is becoming quite a headache of time, as is the fact of having to ask in the first place.
eeergh.
xx Bless xx |
|
|
|
 |
alien73
Involved


Joined: Sep 15, 2008
Posts: 352
|
Posted:
Sun Mar 08, 2009 6:57 pm |
|
Did you check your database directly and make sure the admin name hasn't changed? |
|
|
|
 |
pureliving

|
Posted:
Sun Mar 08, 2009 7:13 pm |
|
Admin names seem correct, although would it be correct for nsnst_admins to show my password without encryption? Isn't this a security problem:
password <- password_md5 password_crypt |
|
|
|
 |
alien73

|
Posted:
Sun Mar 08, 2009 7:33 pm |
|
No, it should be encrypted. Did you look into your email (Qmail etc.) via SSH? It will show who really sent the email.
Example with qmail using Plesk:
/var/qmail/bin/qmail-qread |
|
|
|
 |
pureliving

|
Posted:
Sun Mar 08, 2009 9:31 pm |
|
OK, thank you for the tip. I have used a function to encrypt the password; I thought it was strange when it is supposed to be secure.
Anyway, as I still cannot get access and am looking further into this, this is what part of one email states:
Quote: |
Created By: NukeSentinel(tm) 2.6.02
Date & Time: 2009-03-08 21:06:44 CDT GMT -0500
Blocked IP: ***.***.**.***
User ID: Anonymous (1)
Reason: Abuse-Admin
--------------------
Referer: on site
User Agent: **************************************************
HTTP Host: mywebsite.com
Script Name: /admin.php
Query String: op=AdvertisingAdmin
Get String: op=AdvertisingAdmin
Post String: Not Available
Forwarded For: none
Client IP: none
Remote Address: ***.***.**.***
Remote Port: 26596
Request Method: GET
|
Apparently there's a problem with admin-related links all getting IPs blocked when they are clicked, and we cannot figure out exactly what's blocking it in order to look at a solution; even others looking into this all keep getting blocked after successful access through the CGIAuth login box.
All IPs get removed from nsnst_blocked_ips, then we try all over again.
My .htaccess file has been removed for the time being, and I have even tried just commenting out the code to staccess, but still no access, and everyone looking into this still keeps getting blocked. |
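Added example (not part of any post in this thread, and not NukeSentinel's own code): a small Python parser for block notices in the layout quoted above, grouping blocks by reason, script and `op` value so the request that trips the filter stands out. The sample notices, their IP addresses and the `constructed_op` value are constructed, and the notices are assumed to be saved one after another in a single text file.

```python
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample in the layout of the quoted notice (subset of its fields).
# IPs are documentation addresses; the third notice's values are invented.
SAMPLE = """\
Created By: NukeSentinel(tm) 2.6.02
Blocked IP: 192.0.2.10
Reason: Abuse-Admin
--------------------
Referer: on site
Script Name: /admin.php
Query String: op=AdvertisingAdmin
Created By: NukeSentinel(tm) 2.6.02
Blocked IP: 198.51.100.7
Reason: Abuse-Admin
Referer: on site
Script Name: /admin.php
Query String: op=AdvertisingAdmin
Created By: NukeSentinel(tm) 2.6.02
Blocked IP: 203.0.113.5
Reason: Abuse-Admin
Referer: http://example.org/
Script Name: /admin.php
Query String: op=constructed_op
"""

def parse_notices(text):
    """Split concatenated notices into one field dict per notice."""
    notices = []
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if not sep:
            continue  # separator rows and blank lines carry no field
        if key == "Created By":
            notices.append({})  # this field opens every notice
        if notices:
            notices[-1][key.strip()] = value.strip()
    return notices

def summarize(notices):
    """Count blocks per (reason, script, admin op) to see what trips the filter."""
    def op(n):
        return parse_qs(n.get("Query String", "")).get("op", [""])[0]
    return Counter((n.get("Reason"), n.get("Script Name"), op(n)) for n in notices)

def on_site_admin_blocks(notices):
    """Blocks on admin.php whose referer is the site itself."""
    return [n for n in notices
            if n.get("Script Name") == "/admin.php" and n.get("Referer") == "on site"]
```

Blocks returned by `on_site_admin_blocks` come from clicks made inside the admin panel, so they are the ones to compare against the addresses of the people who were locked out.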
|
|
|
 |
montego
Site Admin

Joined: Aug 29, 2004
Posts: 9457
Location: Arizona
|
Posted:
Tue Mar 10, 2009 6:55 am |
|
alien73 wrote: | No, it should be encrypted. Did you look into your email (Qmail etc.) via SSH? It will show who really sent the email.
Example with qmail using Plesk:
/var/qmail/bin/qmail-qread |
No, it should NOT be encrypted. NukeSentinel has always stored the admin password this way. Yeah, it's not the best, but if you change it, there is a chance it will not work - have not tried - just a warning. |
|
|
 |
|