Fix For All Admin.php Exploits (Maybe?)

Posted: Tue May 18, 2004 6:28 pm

It has to be md5 coded in the myprivatefile.php
Here is an online tool that can do that.
http://pajhome.org.uk/crypt/md5/
Try that and if it works maybe we can put up a mod like that here to simplify this for users.

Site Admin/Owner Joined: Aug 27, 2002 Posts: 17088

I also included the md5 script for you on the first page/post Smile

Posted: Tue May 18, 2004 10:49 pm

anfer wrote:

Hi....my web page just got hacked...and im looking for security....i tried this system of two passwords, everything worked propertly, execpt that when I try to get in the admin page, my pass or login is not accepted. I type the same that i used for myprivatefile.php but i cant get in. I dont know what happen...plz help me. is a good security system for admin.

PD: (sorry for my bad english)

ANFER

Did you fix what the hack "broke"? I had to go into my website control panel and dump my SQL database and restore from a week old backup. I then removed a false waraxe2 God admin that had been in there since the backup. From there I went ahead and patched all my PHPNuke files and added this HTTP authentication security fix.

Your admin username and password should still work if you fixed what the hacker changed.

Client Joined: Jul 18, 2003 Posts: 977

anfer wrote:

Hi....my web page just got hacked...and im looking for security....i tried this system of two passwords, everything worked propertly, execpt that when I try to get in the admin page, my pass or login is not accepted. I type the same that i used for myprivatefile.php but i cant get in. I dont know what happen...plz help me. is a good security system for admin.

PD: (sorry for my bad english)

ANFER

Raven, this is what I posted. I do not believe the system of multiple passwords works. I did two and only the second one I entered worked.

Posted: Wed May 19, 2004 10:25 am

He is not talking about the same issue. He is just referencing the 2 password authentication, not 2 passwords in the same file for authentication. I will test the code I have posted and will get back to you.

Posted: Wed May 19, 2004 11:01 am

Blith,

Please check your md5 passwords. I tried this several times and it seems to work perfectly each time.

Posted: Wed May 19, 2004 11:36 am

Quote:

Blith,

Please check your md5 passwords. I tried this several times and it seems to work perfectly each time

okay...darn it. i try to test so many times before I say something.

Client Joined: Jan 29, 2004 Posts: 624

GanjaUK wrote:

I will have to try this again later, tried it earlier and it didnt work, it displayed the contents of basicauthfile.php above the header when viewing admin.php. Its late though, so I probably messed something up. HitsFan

Got an error myself trying to post to this topic but it's fixed now or I couldn't post. Smile

I'm not sure if what you saw was an error per se or just a print() sort of thing but if you want to hide errors from non-admins put this in your header.php:

Code:




if(is_admin($admin)) error_reporting (E_ALL ^ E_NOTICE); else error_reporting (0);

right under require_once("mainfile.php");

Posted: Thu May 20, 2004 12:10 pm

No, the error he was talking about had nothing to do with what you saw Southern. I had been testing something and forgot to put 1 change back. Thanks.

Posted: Thu May 20, 2004 12:21 pm

Ok Glad to help in a tiny way. Smile

Does the line of code I put up suppress errors for non-admins?

Posted: Thu May 20, 2004 12:30 pm

southern wrote:

Ok Glad to help in a tiny way. Smile

Does the line of code I put up suppress errors for non-admins?

I'd have to test it to know for sure, but syntactically it looks right. Thanks!

New Member Joined: May 21, 2004 Posts: 21

Ok, I "tried" to install this thing, but it doesn't work. I get the dialog for the username and pass, but when I enter the username and the pass (and yes, I did encrypt the password first), I get three tries and it gives me the "Get out of here" message. Can you please help me find out what is wrong with my installation? Thanks in advance. Very Happy

Posted: Fri May 21, 2004 5:30 am

Please PM me your site url and creat an admin account for me. Also, PM me your ftp url, id, and password and I will take a look. If it is kicking you out, then either your id or password is not matching. That's all it can be.

Posted: Sun May 23, 2004 2:54 pm

Hi,

I installed HTTP Authentication script , it works perfectly, Laughing

Thanks again Raven...

Posted: Sun May 23, 2004 4:21 pm

Great!

Posted: Sun May 23, 2004 9:16 pm

Hi, not sure what I have done wrong, but the http auth works fine, but when i logged out of admin, then attempted to get back in, the security code does not show, http auth works tho Smile

, but without security code, i cannot get aby further. any ideas?

Posted: Sun May 23, 2004 10:20 pm

Should not be related at all. Make sure that your admin.php file and mainfile.php and config.php do not have any blank lines after the closing ?> tag. Also any of the new files you made for http auth.

Posted: Sun May 23, 2004 10:39 pm

Thanks, that worked, had one blank line after the closing tag in the auth code, would have never thought of looking there.

Many thanks again.

Posted: Mon May 24, 2004 1:16 pm

Thanks very much, Raven, for your PM tech advice. My brand new admin http auth is working perfectly now. If I haven't said so lately I think you're a very smart dude, for a bird haha Smile

Posted: Mon May 24, 2004 1:23 pm

EXCUSE ME? Evil or Very Mad

The Raven is much more thana "bird". Be careful! http://www.ravenfamily.org/nascakiyetl/obs/rav1.html

Posted: Mon May 24, 2004 1:49 pm

Hey, I know that! Raven is among my guardian spirits, along with Deer, Owl, Frog, Lizard and, of course, Wolf. I meant no disrespect, kind sir, but was merely celebrating my accomplishment in installing a superb security measure, and indulged in a tasteless joke. Many pardons, Raven!

Posted: Mon May 24, 2004 2:12 pm

Ha there was a rather large Raven sitting on a post at the store today. One of my 5 yr olds had to chase him off his perch. Of course he didn't move far but it was quite a site. Her waving her arms like a bird with her open jacket as if she had wings and squaking at him. He returned a slight sqauk in protest at being disturbed. For a second I thought they might butt heads since he was as detirmined to stay as she was to chase him off his perch.

Inside she told the clerk she chased away the Black Pheasant.

Posted: Tue Jun 08, 2004 10:35 pm

Raven,

Thanks go to you, and all who help you here. The multi admin HTTP Auth works great.

Being very new to PHP (a little over a month now), your site has helped me tremendously. Your scripts, ChatServ's patches, everyone's comments, help, hints, and suggestions are priceless.

Thanks again to all of you!

And by the way, the Raven is considered a 'messenger'. And you Raven, are a messenger I want to listen to

Posted: Tue Jun 08, 2004 10:52 pm

You're welcome!

http://www.ravenphpscripts.com/posts1325-highlight.html
http://www.ravenfamily.org/nascakiyetl/obs/rav1.html

Posted: Mon Jul 19, 2004 4:33 am

Hi Raven,

As you probanly know, I use this script on your advise Wink

on a earlyer post.
Now this happend, there are some kiddie's for sometime aming on my site with succes, now that I use this script they couldn't get in the website and have crached the server by bruteforce or something similar.

Last night they created an overload and the server went down untill this morning Twisted Evil

the pc-killer did his job also on the server with a loopback or something, thats what my hostingprovider told me.

So, with this script you will have a lot of security extra Twisted Evil

A very happy Fred Razz

Thanks Raven.