Tommytester
New Member | Joined: Apr 02, 2006 | Posts: 7
Posted: Fri Jun 09, 2006 5:49 pm
Today I tried to access the admin area of my website and found I couldn't, as it said the password was incorrect. When I checked the nsnst_admins area of the database, the password and username were still as set, but I still couldn't log in.
I then checked the .staccess file to find "This Site Hacked By Mr & Miss SuZuki A Hacker From Iran".
I am using Sentinel 2.4.2pl4 and PHP-Nuke 7.7 patched 3.2 (I think).
Nothing else seems to have changed, but I am limited in knowledge and cannot find anything similar on the forum to give me some idea of the damage they have done and how to rectify it. Any help would be appreciated.
gregexp
The Mouse Is Extension Of Arm | Joined: Feb 21, 2006 | Posts: 1497 | Location: In front of a screen....HELP! lol
Posted: Fri Jun 09, 2006 5:53 pm
Did you leave your .staccess chmod at 777?
_________________ For those who stand shall NEVER fall and those who fall shall RISE once more!!
Tommytester
Posted: Fri Jun 09, 2006 5:55 pm
I honestly cannot remember, but it is set at 666 at present, so I suspect not!
gregexp
Posted: Fri Jun 09, 2006 5:59 pm
OK... well, all they did was write to it. Did Sentinel set up the .htaccess, or did you?
Tommytester
Posted: Fri Jun 09, 2006 6:04 pm
I would have set it up, as I used the instructions found at nukescripts.net.
gregexp
Posted: Fri Jun 09, 2006 6:31 pm
Please post the contents of your .htaccess without any personal info. Please fill the personal info in with something to let me know it's actually there, just not your info, e.g.:
username:XXXX
Dauthus
Worker | Joined: Oct 07, 2003 | Posts: 211
Posted: Fri Jun 09, 2006 8:34 pm
Tommytester
Posted: Sat Jun 10, 2006 2:50 am
This is the entire contents of it, Darklord (appreciate the help, thank you!):

```apache
# -------------------------------------------
# Start of NukeSentinel(tm) admin.php Auth
# -------------------------------------------
<Files .staccess>
deny from all
</Files>
<Files admin.php>
<Limit GET POST PUT>
require valid-user
</Limit>
AuthName "Restricted by NukeSentinel(tm)"
AuthType Basic
AuthUserFile /home/www/*****/*****/.staccess
</Files>
# -------------------------------------------
# End of NukeSentinel(tm) admin.php Auth
# -------------------------------------------deny from 84.66.99.228
```
jaded
Theme Guru | Joined: Nov 01, 2003 | Posts: 1006
Posted: Sat Jun 10, 2006 3:06 am
Tommytester
Posted: Sat Jun 10, 2006 3:14 am
I didn't realise there was an update. Laxness on my part!!
As far as I can see, no damage has been done; it was just the fact that I couldn't/can't access my admin page. As yet I have not restored any files, as I was uncertain of the procedure. I am trying to understand a little of what is going on and how far this jerk really got.
I was hacked previously (before I installed Sentinel), which I am sure is the usual story, but last time they left a banner and changed the admin password and username. This time they just appear to have changed the .staccess file, with an "if I cannot get into it then neither will you" attitude!
Tommytester
Posted: Sat Jun 10, 2006 4:48 pm
I seem to have got it all working again and have updated to the new 2.4.2pl9 version. Won't let that slip again!!
Can I assume the IP address found at the bottom of my .htaccess file above was that of the attacker, as I had the option set to write any attacker to the .htaccess file?
hitwalker
Sells PC To Pay For Divorce | Posts: 5661
Posted: Sat Jun 10, 2006 5:07 pm
Well, the newest IP is written at the last line...
gregexp
Posted: Sat Jun 10, 2006 5:59 pm
That's true, but the newest IP is on a commented-out line, I believe, so I don't think the server would have actually blocked that IP. The real question here is how did he access the .staccess with .htaccess set to block EVERYONE from directly accessing it, unless he uploaded a script designed to attack the .staccess. OK, well, this time I'd suggest you chmod it to 666, let Sentinel write to it, then AFTER Sentinel has set your admin access, chmod .staccess to 444. 444 only lets something read from it, but not write to it. This is what I think happened, and this should stop them from EVER writing to it, without root access of course.
Also delete these lines from .htaccess:

```apache
# -------------------------------------------
# Start of NukeSentinel(tm) admin.php Auth
# -------------------------------------------
# -------------------------------------------
# End of NukeSentinel(tm) admin.php Auth
# -------------------------------------------
```

I think the # symbol may be like a comment-out line, so I don't think your .htaccess is actually blocking that IP. It won't hurt anything to do this, but leave what's in between the lines, as that will protect against anyone accessing the .staccess file directly.
Look throughout your site for anything anyone can upload to your server with, and eliminate it until you can find out EXACTLY what they did, or test each one. If someone is able to run a script on your site, you need to find out how they did it, but setting the .staccess to chmod 444 will prevent this from happening again.
I repeat: let Sentinel write all the admin passes to it FIRST.
Tommytester
Posted: Sun Jun 11, 2006 1:43 am
I have made the alterations to the file as suggested and also chmodded it to 444. Everything is working sweet again.
From what I have read, I have committed a cardinal sin by installing Coppermine, and that may be where the problems lie, but I am unsure where or how to test my security.
Guardian2003
Site Admin | Joined: Aug 28, 2003 | Posts: 6799 | Location: Ha Noi, Viet Nam
Posted: Sun Jun 11, 2006 3:52 am
Anything that allows remote file upload will be an open invitation to hackers, period!
Whilst it is possible that a fix has been released for the last reported security issue with that module, you can bet that right now someone, somewhere is looking for another way in.
"If you do not have to have it, don't use it" is my motto.
Some sites rely on modules and other hacks that make use of remote file uploads, so the best you can do in those cases is make sure you visit the author's site as often as you can to keep up to date with bugs and fixes, AND make frequent backups of your site and database.
gregexp
Posted: Sun Jun 11, 2006 10:38 am
Glad my suggestion helped, but remember: if you take on a new admin, Sentinel will block them until it writes to the .staccess. It cannot write to the .staccess right now; you must chmod it to 666 so it can write to it every time you make a new admin. Then, once it has written to it, change it back to 444.
Security can be a pain, but you have to work as hard, if not harder, than the hackers trying to access your site.
fkelly
Former Moderator in Good Standing | Joined: Aug 30, 2005 | Posts: 3312 | Location: near Albany NY
Posted: Sun Jun 11, 2006 3:41 pm
Let me just add one thing to the excellent suggestions made by others. Get used to reading your server logs. Such amusement can be found there. If you can figure out what IP that hacker used, then you can use the find features in your browser (or download the files and look at them in an editor) and figure out what he/she is doing. You might even be able to see whether he's attacking Coppermine or not, or whatever other means he's using. You'll see other interesting things there, like files that might be missing, miscellaneous errors, etc. Such fun, and it's free.
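An added check, written for this thread and not code from the forum or from NukeSentinel, that puts gregexp's two points and fkelly's log-reading advice into one script: it parses an .htaccess modelled on the one Tommytester posted to separate live `deny from` rules from ones fused onto a `#` comment line, correlates those IPs with access-log lines, and tests whether a .staccess mode still has a write bit set. The log lines and the `/home/www/site` path are constructed for the example.

```python
import re
import stat

# Constructed sample modelled on the .htaccess posted in the thread (same fused last line).
HTACCESS = """# Start of NukeSentinel(tm) admin.php Auth
<Files .staccess>
deny from all
</Files>
<Files admin.php>
require valid-user
AuthType Basic
AuthUserFile /home/www/site/.staccess
</Files>
# -------------------------------------------deny from 84.66.99.228
"""

# Constructed access-log lines in common log format (not from the thread).
ACCESS_LOG = """84.66.99.228 - - [09/Jun/2006:17:40:01 +0100] "GET /admin.php HTTP/1.1" 401 0
84.66.99.228 - - [09/Jun/2006:17:40:09 +0100] "GET /.staccess HTTP/1.1" 403 0
84.66.99.228 - - [09/Jun/2006:17:41:30 +0100] "POST /modules.php?name=coppermine HTTP/1.1" 200 512
10.0.0.5 - - [09/Jun/2006:17:42:00 +0100] "GET /index.php HTTP/1.1" 200 8192
"""

DENY_RE = re.compile(r"deny\s+from\s+(\S+)", re.IGNORECASE)
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

def audit_deny_rules(text):
    """Split 'deny from' targets into live ones and ones stuck on a '#' line.
    Apache treats a line as a comment only when '#' is its first non-blank
    character, so a deny appended to a comment line never takes effect."""
    live, commented = [], []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m:
            (commented if line.lstrip().startswith("#") else live).append(m.group(1))
    return live, commented

def requests_from(log_text, ips):
    """Map each IP of interest to its (method, path, status) requests."""
    hits = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group(1) in ips:
            hits.setdefault(m.group(1), []).append((m.group(2), m.group(3), int(m.group(4))))
    return hits

def staccess_writable(mode):
    """True if any write bit is set; the thread's advice is 0444 once Sentinel has written it."""
    return bool(stat.S_IMODE(mode) & 0o222)
```

Run `audit_deny_rules(HTACCESS)` and feed the commented-out IPs to `requests_from(ACCESS_LOG, ...)` to see which requests from an address were never actually blocked.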