Author |
Message |
drenalin
New Member
Joined: Mar 07, 2008
Posts: 10
|
Posted:
Thu Mar 13, 2008 5:19 pm |
|
My own stupidity for not learning and just going at it.
but - now for the question and (this is the part where your participation comes in) your answers
Ok - so I was dumb and did something wrong.
I don't know what - but something.
I had just uploaded the Sentinel last night and started getting that in line to put into operational status but - I got tired.
Is there any way to salvage what I have right now?
How should I move forward from this moment?
What should my next move be?
Give a Noob a hand - or a smack in the mouth and an I told you so!
one way or the other - lend a hand here please.
I know - read.
but read what?
I have yet to find something that has a title of -
"So you have been hacked and you use PHP"
Chapter 1 - Dumb ass you should have read this before.
Check the site out - you'll get a kick out of it |
|
|
|
fkelly
Former Moderator in Good Standing
Joined: Aug 30, 2005
Posts: 3312
Location: near Albany NY
|
Posted:
Thu Mar 13, 2008 5:55 pm |
|
I'm not quite sure what your question is. If you uploaded the NukeSentinel files last night you should be able to resume the installation following the instructions in the readme files. I looked quickly at your site and don't see any evidence that you were hacked.
Nobody here is interested in smacking a noob. But you need to state your problem more clearly and give more specifics on what exactly you did to get to the point of thinking you had a problem. What version of Sentinel did you upload for instance? Did you have Sentinel before? Things like that. And what version of Nuke are you running? Do you have custom modules? |
|
|
|
drenalin
|
Posted:
Thu Mar 13, 2008 6:06 pm |
|
Sorry - I feel like a dumb-arse
I finally got the site more or less the way I wanted it and now this -
OK when I logged on today after work - there was a large banner posted as a news article on the front page which showed a picture and the following text
"Welcome to h4x0r3d By XTech Inc - Pablin77 Was Here - IvisSs Te QuieroOo!"
Then I noticed the top tab on the browser was reading as the following:
"Welcome to h4x0r3d By XTech Inc - Pablin77 Was Here - IvisSs Te QuieroOo!"
Then I went to log in as admin and go to delete the news article and I noticed the same text on the log in page.
I thought oh crap. So I went back to the front page and noticed the Forum Scroll at the end it reads the same text as above.
So now I am thinking - uhoh
then I look down to see who is in my team speak and I see across the top of the TeamSpeak block the same text.
that's a member only item - then it dawns on me - so is the forum scroll - now I am really thinking uhoh.
So I log into my main box - and I can't find a thing changed in any file or in any block?
what has happened?
I don't understand - I think that is the main point here - I don't understand what to do to fix a problem that I can't see what has been changed.
I'm sorry - I just should have known this was going to happen. |
|
|
|
drenalin
|
Posted:
Thu Mar 13, 2008 6:17 pm |
|
sorry - so I go to the front page and do a "View Source"
and I see this:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>h4x0r3d By XTech Inc - Pablin77 Was Here - IvisSs Te QuieroOo </title>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
<META HTTP-EQUIV="EXPIRES" CONTENT="0">
<META NAME="RESOURCE-TYPE" CONTENT="DOCUMENT">
<META NAME="DISTRIBUTION" CONTENT="GLOBAL">
<META NAME="AUTHOR" CONTENT="h4x0r3d By XTech Inc - Pablin77 Was Here - IvisSs Te QuieroOo">
<META NAME="COPYRIGHT" CONTENT="Copyright (c) by h4x0r3d By XTech Inc - Pablin77 Was Here - IvisSs Te QuieroOo">
I'm starting to think I'm a ding bat but -
You asked if I had custom modules - I have one custom module and several blocks - some from here and some I built from other PHP blocks I found. I am sure I messed something up in one of them and left an open door or window somehow.
You asked what version of nuke I am running:
ready for another ding bat question?
How do I find out? I know I found a post in the forums on how - but I can't remember where right now.
(Probably under the - faq)
What version of Sentinel did you upload for instance:
Nuke Sentinal 2515 66-81
Does that help? I didn't get it here - but incidentally - it is how I found my way here last week. |
|
|
|
drenalin
|
Posted:
Thu Mar 13, 2008 6:36 pm |
|
Ok - Rebuilt from a back up
so - now - I need to know how to put up Sentinel and go forward from here.
I know I know RTFM |
|
|
|
fkelly
|
Posted:
Thu Mar 13, 2008 7:14 pm |
|
If you can look in the nuke_config table using phpmyadmin it will tell you what version of Nuke you are using. There is a field called Version_number (or something similar) to look at.
However, you have to figure that the hackers have access to your id's and passwords and the ability to put files and alter files on your server. So you really need to go back and change every administrative password both in the author's table for nuke but also at your server level and for FTP. They may also have planted a file that gives them the ability to write to your server so you need to look thru your files or just delete everything and reload the server from scratch. Because if they have a file like that they can hack you anytime they want.
The latest version of Sentinel is 2.5.16. You can get that at nukescripts.net. However, you might be better off installing Ravennuke 2.20.01 which is available on this site. It comes with the latest Sentinel plus many other security enhancements. I'd suggest you get that running. There are many posts here about upgrading to it.
I'd also suggest that you leave your custom blocks out of the picture until you have the base Ravennuke up and running for a week or so. Then maybe post them here and we can look to see if there are vulnerabilities. But first things first.
Right now you can't trust anything on your site. They may have access to your CPANEL or whatever tool it is you use to manage your server. They may have planted files. You really need to make sure that any of that stuff is wiped clean and that all admin id's and passwords are reset or you may very well wind up in the same situation a week or two from now. |
|
|
|
Susann
Moderator
Joined: Dec 19, 2004
Posts: 3191
Location: Germany:Moderator German NukeSentinel Support
|
Posted:
Thu Mar 13, 2008 7:51 pm |
|
You need also to activate http auth. Check your NukeSentinel administration. |
|
|
|
drenalin
|
Posted:
Thu Mar 13, 2008 7:58 pm |
|
thank you folks - I have a feeling I am going to become a regular pest around here
Thank you for the quick responses
I can't find a thing showing what version I am running - I only find copyright 2005 on almost everything |
|
|
|
Susann
|
Posted:
Thu Mar 13, 2008 8:04 pm |
|
The Nuke version is usually in db table nuke_config. Maybe you removed it. In older Nuke versions it's also in the statistic overview and database table.
E.g. in Nuke 6.5 |
|
|
|
drenalin
|
Posted:
Thu Mar 13, 2008 8:21 pm |
|
Not in statistics - already checked that one.
For some reason I think it is 7.6
but - can't find nuke_config
however - have been in every config file I have seen and again only see copyright 2005 |
|
|
|
Susann
|
Posted:
Thu Mar 13, 2008 8:41 pm |
|
Your site is the first site without a config database table I've heard about.
Anyway activate all blockers and read about how to do the rest to protect your site with http auth and what to do with .htaccess and .staccess.
So long |
|
|
|
drenalin
|
Posted:
Sat Mar 15, 2008 8:26 am |
|
Found it - it took 2 days - but I found it
Not where anyone said it would be
it's version 7.8
I was handed this site by the former admin in the state it is.
I do not know how it was originally setup so finding things is not the easiest to do. |
|
|
|
Susann
|
Posted:
Sat Mar 15, 2008 8:58 am |
|
For safety reasons better switch over to RavenNuke. We do not recommend Nuke Version 7.8, 7.9 etc. |
|
|
|
Dawg
RavenNuke(tm) Development Team
Joined: Nov 07, 2003
Posts: 928
|
Posted:
Sat Mar 15, 2008 9:17 am |
|
There are issues with TeamSpeak as well. As much as I like TS....I would not run it. Susann told you right. RN is the way to go. Nothing above 7.6 is secure.
Dawg |
|
|
|
Gremmie
Former Moderator in Good Standing
Joined: Apr 06, 2006
Posts: 2415
Location: Iowa, USA
|
Posted:
Sat Mar 15, 2008 10:37 am |
|
The TeamSpeak block or a TeamSpeak server? |
|
|
Susann
|
Posted:
Sun Mar 16, 2008 11:27 am |
|
You only need to search for TeamSpeak security I believe and you'll find a lot of interesting search results. |
|
|
|
|