Author |
Message |
twister
New Member
Joined: Apr 10, 2006
Posts: 4
|
Posted:
Tue Apr 11, 2006 2:08 am |
|
Need some advice please, hope this is the right forum to use.
Currently using phpnuke 7.8 patched 3.2
After being hacked 5 times in the last week and last night within an hour of installing 7.8 patched 3.2, I am at my wits' end what to do. After reading loads of forums and websites about the many vulnerabilities in phpnuke 7.7+ I have decided that my best option is to go back to 7.6 and hope that solves my problem.
I am torn between using Raven's 7.6v2 distro or using this version
http://www.nukescripts.net/modules.php?name=Downloads&op=getit&lid=26
How easy is it to downgrade from 7.8 to 7.6 and what are the pitfalls? I only have about 400 users but I would hate to have to get everyone to re-register and re-install all our modules and blocks.
With the intrusions that have happened so far, only my mainfile.php and index.php files have been affected. Will the intruders have got any admin passwords from my sql files? Do I need to delete my admin users (only 2) and re-create them?
Sorry for the long-winded post but I just don't know which way to turn.
Thanks
Twister |
|
|
|
daemon
Worker
Joined: Jan 07, 2005
Posts: 163
|
Posted:
Tue Apr 11, 2006 2:59 am |
|
|
|
twister
|
Posted:
Wed Apr 12, 2006 2:44 pm |
|
Guys, I have found out how I was hacked. I can only assume that, using the bugs in 7.8, they managed to upload a trojan onto our site, which gave them virtual shell access to our server.
Keep an eye open for two files
VB_hack.php
log.php
Both files are approx 159k in size; they are a shell program called c99shell. Do a Google search and you will find out all about them.
Can I advise others to look out for these files if they are getting hacked continuously.
Twister |
|
|
|
evaders99
Former Moderator in Good Standing
Joined: Apr 30, 2004
Posts: 3221
|
Posted:
Thu Apr 13, 2006 1:34 am |
|
Well, figuring out what they uploaded is a good step, but figuring out how they got in is more critical. Use access logs to determine what files they accessed and what vulnerabilities they've used.
Was your site Patched? And using Sentinel? |
|
|
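One way to follow the access-log advice in the post above, as an added example that is not part of any post in this thread: find every client that successfully fetched one of the dropped files named earlier, then list what that client requested before its first hit, which is where the entry point usually shows up. It assumes Apache combined log format; the sample lines, IP addresses and the `Example_Upload` module name are constructed for illustration.

```python
import re
from datetime import datetime

# File names reported in this thread; extend with whatever you find on your server.
DROPPED = {"VB_hack.php", "log.php"}

# Apache/NCSA combined log format (assumption; adjust to your host's format).
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def parse(lines):
    """Yield (time, ip, method, url, status) for each parsable log line."""
    for line in lines:
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield ts, m["ip"], m["method"], m["url"], int(m["status"])

def trace_entry(lines):
    """Map each client that reached a dropped file to its earlier requests."""
    events = sorted(parse(lines))
    first_hit = {}
    for ts, ip, _, url, status in events:
        name = url.split("?", 1)[0].rsplit("/", 1)[-1]
        if name in DROPPED and status == 200:
            first_hit.setdefault(ip, ts)  # keep the earliest hit only
    return {
        ip: [(ts, method, url, status)
             for ts, eip, method, url, status in events
             if eip == ip and ts < hit]
        for ip, hit in first_hit.items()
    }

# Constructed sample log lines (documentation IP ranges, hypothetical module).
SAMPLE = [
    '198.51.100.7 - - [10/Apr/2006:23:01:12 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '203.0.113.9 - - [10/Apr/2006:23:05:40 +0000] "POST /modules.php?name=Example_Upload HTTP/1.1" 200 312 "-" "Mozilla/4.0"',
    '203.0.113.9 - - [10/Apr/2006:23:06:02 +0000] "GET /log.php HTTP/1.1" 200 159000 "-" "Mozilla/4.0"',
    '203.0.113.9 - - [10/Apr/2006:23:07:15 +0000] "POST /log.php HTTP/1.1" 200 2048 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for ip, earlier in trace_entry(SAMPLE).items():
        print(ip)
        for ts, method, url, status in earlier:
            print("   ", ts.isoformat(), method, url, status)
```

The requests listed for each client are the candidates for how the file got onto the server; the module or script they point at is what to patch or remove before putting the site back online.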
twister
|
Posted:
Thu Apr 13, 2006 8:10 am |
|
I had patched it and added Sentinel, but the trojan was still in place after I had patched it, so they were still able to get in. I am downgrading to 7.6 today and have removed all of the files that the hackers loaded. I will open my site back up tonight and hopefully that will be the end of it.
Twister |
|
|
|
daemon
|
Posted:
Thu Apr 13, 2006 1:31 pm |
|
|
|
twister
|
Posted:
Thu Apr 13, 2006 2:55 pm |
|
No, it was a heavily modded version of 7.8.
I did however make sure I updated all of the modules that had security problems, so my initial problem could have been a rogue module, not just phpnuke 7.8.
So today I have downgraded my site to rn76 with Sentinel working and updated all my modules, re-inserted all my edits to language files etc.
I am at last happy that my site is more secure.
The update was easy to do, took some time but went along without any hitches.
Thanks Raven for the hard work you have done with this package and I will be making my contribution for rn7.6, well worth it.
Twister |
|
|
|
Guardian2003
Site Admin
Joined: Aug 28, 2003
Posts: 6799
Location: Ha Noi, Viet Nam
|
Posted:
Thu Apr 13, 2006 3:51 pm |
|
twister - was this a virgin 7.8 install you were using or had you installed any additional modules such as file upload mods, chat mods, gallery mods etc? |
|
|
|
|