springmill
New Member


Joined: Dec 07, 2004
Posts: 7
|
Posted:
Sat Dec 03, 2005 11:32 am |
|
Hi All,
There must be a new exploit out. My site and all of my member sites keep getting owned by http://pure-pwnage.org/index.html
I have to keep SSH and FTP off so I am guessing that there is an exploit for the password somehow.
We have the latest and greatest. Any help will be greatly appreciated.
I found this lying around and wonder if that is what they are using.
Code:
/modules.php?name=Downloads&d_op=viewsdownload&sid=-1/**/UNION/**/SELECT/**/0,0,aid,pwd,0,0,0,0,0,0,0,0/**/FROM/**/nu ke_authors/**/WHERE/**/radminsuper=1/**/LIMIT/**/1/*
|
I found it here.
http://bluetac.proboards66.com/index.cgi?board=exploitsandvulnerabilitys&action=display&thread=1132207919
Thanks,
Springmill |
|
|
|
 |
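A way to check a web server access log for requests shaped like the one quoted in the post above, added here as an example and not part of the original thread. The log lines are constructed samples, and the Combined Log Format and all function names are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Client address and request target from a Combined Log Format line (assumed format).
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) [^"]*"')
SQL_COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)
UNION_SELECT_RE = re.compile(r"\bunion\s+(?:all\s+)?select\b")

def normalize(query: str) -> str:
    """Undo the obfuscation layers so the keywords can be matched as plain text."""
    text = query
    for _ in range(3):                      # peel repeated percent-encoding
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    text = SQL_COMMENT_RE.sub(" ", text)    # /**/ stands in for spaces
    text = text.replace("/*", " ")          # unterminated trailing comment
    return re.sub(r"\s+", " ", text).lower()

def find_union_select(log_lines):
    """Return (client, request target) for every query string carrying UNION SELECT."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if not m or "?" not in m.group(2):
            continue
        client, target = m.groups()
        if UNION_SELECT_RE.search(normalize(target.split("?", 1)[1])):
            hits.append((client, target))
    return hits

# Constructed sample lines (documentation-range addresses), not taken from any real log.
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Dec/2005:11:02:41 +0000] "GET /modules.php?name=Downloads'
    '&d_op=viewsdownload&sid=3 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [03/Dec/2005:11:05:13 +0000] "GET /modules.php?name=Downloads'
    '&d_op=viewsdownload&sid=-1/**/UNION/**/SELECT/**/0,0,0/* HTTP/1.1" 200 4312',
    '198.51.100.7 - - [03/Dec/2005:11:05:20 +0000] "GET /modules.php?name=Downloads'
    '&d_op=viewsdownload&sid=-1%2F%2A%2A%2FuNiOn%2F%2A%2A%2FsElEcT%2F%2A%2A%2F0 HTTP/1.0" 200 4312',
    '203.0.113.5 - - [03/Dec/2005:11:09:02 +0000] "GET /modules.php?name=Search'
    '&query=select+a+union+hall HTTP/1.1" 200 2210',
]

if __name__ == "__main__":
    for client, target in find_union_select(SAMPLE_LOG):
        print(client, target)
```

A hit shows that the request was made, not that it succeeded, and request bodies sent by POST do not appear in an access log at all.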
Raven
Site Admin/Owner

Joined: Aug 27, 2002
Posts: 17088
|
Posted:
Sat Dec 03, 2005 12:12 pm |
|
NukeSentinel(tm) always has stopped that so that is not the issue. I would look for an uploads module exploit. The patches and NukeSentinel(tm) don't control those. |
|
|
|
 |
evaders99
Former Moderator in Good Standing

Joined: Apr 30, 2004
Posts: 3221
|
Posted:
Sat Dec 03, 2005 5:24 pm |
|
There's a patch for some problems with phpBB in the latest BBToNuke 2.0.18 release. Please check and make sure they didn't install any backdoors into your system.
As Raven said, also disable anything that allows uploading and check all files that have been uploaded. |
|
|
 |
djmaze
Subject Matter Expert

Joined: May 15, 2004
Posts: 727
Location: http://tinyurl.com/5z8dmv
|
Posted:
Sat Dec 03, 2005 7:06 pm |
|
springmill wrote: | Hi All,
There must be a new exploit out. My site and all of my member sites keep getting owned |
Server is hacked on the root level.
Check AWStats, Apache and PHP versions.
Check /tmp for malicious files
Change root password |
|
|
|
 |
springmill

|
Posted:
Mon Dec 05, 2005 5:22 pm |
|
Hi All,
I would like to clarify my issue. After getting an email from the "CRACKERS" demanding protection Money from Hacking I have a little more insight. They say my server is not secure on its own and the hacks have nothing to do with PHPNUKE.
I have implemented the hosts.deny file with some luck. But I fear I have not totally fixed all of the issues. FTP and SSH both allowed root login and I fixed that. I changed my root password, all web site owners' passwords but the sites have still been owned.
I am a noob so if I am missing something please let me know. I have no upload programs in use.
Fedora Core 4, Webmin, Usermin, and Virtualmin
are the software packages in use.
To answer the following questions:
Server is hacked on the root level.
Check AWStats, Apache and PHP versions.
Check /tmp for malicious files
Change root password
Not sure what AWSTATS is: Apache and PHP are standard Fedora Core releases. I believe php is 5.x something.
root password is easy to change again.
In my /tmp folder I have
.ICE-unix
.font-unix
.webmin
backup-config-manifests
Any help would be greatly appreciated. |
|
|
|
 |
Raven

|
Posted:
Mon Dec 05, 2005 5:26 pm |
|
You should have stayed with RWH - Sorry, couldn't resist it, especially after ..... |
|
|
|
 |
evaders99

|
Posted:
Mon Dec 05, 2005 5:54 pm |
|
AWStats is a common website stat package. Usually it is preinstalled if you're using some package. There was a major vulnerability with the scripts. If you've set up your server yourself, then you'd know if it was installed. |
|
|
|
 |
springmill

|
Posted:
Mon Dec 05, 2005 6:53 pm |
|
Gaylen,
I appreciate your grace and timing on the issue. As well as your usual sensitivity.
However, you should know that smarty remarks like that are exactly why I created
freephpnukehosting.com
Greg McAbee
Does anyone have any other insight other than nanner nanner boo boo? |
|
|
|
 |
Raven

|
Posted:
Mon Dec 05, 2005 8:23 pm |
|
Now Greg, that's not the whole story and you know it. If you want a public brouhaha we could do that. It's your call. |
|
|
|
 |
springmill

|
Posted:
Tue Dec 06, 2005 1:07 pm |
|
|
|
 |
|