SQL injection

Hangin' Around Joined: Jun 15, 2006 Posts: 36

I use RN 2.10.01, My site was hacked with an SQL injection that overwrote some title page news messages. Looks like they, turkish hackers, were not able to post with HTML, thankfully, but used a long ASCII stretch of profanities, etc which posted on my main page since the news article were there. Is there a patch that I need to apply?

On a good note, this is the longest time we have gone on without a successful hack, after installing RN.
Smile

I removed the hacked posts and blocked all of Turkey. Also, what should I chmod my htaccess file to be able to autopost blocked ip's to it but without having outsiders edit it? We've had our .htaccess file also hacked once by the same people.

http://www.armeniansforchrist.com

Posted: Fri Apr 04, 2008 3:23 pm

First of all, I would like to know which blockers you had active in Nuke Sentinel and what other none RavenNuke modules you have installed as this will help determine how they got in.

Posted: Fri Apr 04, 2008 3:27 pm

Do you also have any copies of your server log files from when the incident occured?

You should start your htaccess at 644 and work your way up until Sentinel can write to it as sometimes it can vary due to server configuration.

Posted: Fri Apr 04, 2008 3:37 pm

Guardian2003 wrote:

Do you also have any copies of your server log files from when the incident occured?

You should start your htaccess at 644 and work your way up until Sentinel can write to it as sometimes it can vary due to server configuration.

non RN modules, Podcast and Kalendar, thanks for the htaccess tip.

Kalendar mod:

http://www.cloneportal.de/Downloads-cid-1.html

Its in German but the install will have the English option.

Podcast mod:

http://www.jaieproductions.com/products.php

I turned on all blockers, they're all active. The log files are huge, what should I be looking for?

Posted: Fri Apr 04, 2008 3:52 pm

If you can zip your log file and send them to
webmaster
ATcode-authorsDOTcom

I'll take a look at them - might be useful to have a date if you know what day it happened Smile

Interesting the you have Kalendar installed - I'm not aware of any problems with it but it does allow you to post events into the news module if I remember correctly and you say it was the news that got hit?

Was your RN install to upgrade an existing site?

Sorry for the questions, I'm just trying to help Smile

Posted: Fri Apr 04, 2008 4:07 pm

onnig did you checked in NukeSentinel the tracked IPs also ?
Is http Auth activated ?
I´m quite sure when you are up-to-date with your calendar version there shouldn´t be a problem with.

Posted: Fri Apr 04, 2008 4:09 pm

Guardian2003 wrote:

If you can zip your log file and send them to
webmaster
ATcode-authorsDOTcom

I'll take a look at them - might be useful to have a date if you know what day it happened Smile

Interesting the you have Kalendar installed - I'm not aware of any problems with it but it does allow you to post events into the news module if I remember correctly and you say it was the news that got hit?

Was your RN install to upgrade an existing site?

Sorry for the questions, I'm just trying to help Smile

I really appreciate your help!! The attack was today, I monitor daily, and so I'll send the zipped log for today, not too big, about 200k. Yes the News was hit. The RN install was a new install.

Posted: Fri Apr 04, 2008 4:16 pm

Susann wrote:

onnig did you checked in NukeSentinel the tracked IPs also ?
Is http Auth activated ?
I´m quite sure when you are up-to-date with your calendar version there shouldn´t be a problem with.

Yes httpAuth is activated but one problem, no tracked IPs they were working but I haven't looked for a while. Also other issues with Sentinel, like cannot add IP ranges but can add IP addresses to block. Weird

Posted: Fri Apr 04, 2008 4:24 pm

Make sure you are up-to-date with the NukeSentinel version (+ IP2Country) which is 2.5.17 and post your issues with NS in the correct forums.
So going through the log files should be the better way.

Posted: Fri Apr 04, 2008 4:25 pm

looks like chmod 666 did the trick, but doesn't that allow "others" to write?

Posted: Fri Apr 04, 2008 4:37 pm

Files with a dot before are special protected. I never had issues with that and don´t worry about this.

Quote:

We've had our .htaccess file also hacked once by the same people.

How did they do this ? Better don´t answer my question !
Its seldom.

Posted: Fri Apr 04, 2008 4:42 pm

Susann wrote:

Files with a dot before are special protected. I never had issues with that and don´t worry about this.

Quote:

We've had our .htaccess file also hacked once by the same people.

How did they do this ? Better don´t answer my question !
Its seldom.

See you PM for my answer

Site Admin/Owner Joined: Aug 27, 2002 Posts: 17088

Do you allow anonymous to post? What 3rd party addons are you using? Do you have admin auth turned on?

registered · Posted: Sat Apr 05, 2008 6:01 am

onnig, it might help too if you can give Guardian what the data looked like within the database before you removed it. It might help him while searching through the logs. Just PM it to him if you have it...

Posted: Sun Apr 06, 2008 2:47 am

I checked the logs several times.
There was one failed attempt at the usual phpbb root path exploit (r57 . txt) and the only other thing that is out of place was this line which I cannot make sense of (GET request)

Code:

/w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 414 "-" "-"

That IP for that GET request does not appear any where else.

I have also checked every image path that appears in the logs to ensure they were genuine images so I'm stumped.

Posted: Sun Apr 06, 2008 7:56 am

onnig, some additional questions:

You have not responded in a while to some questions, what is the state of things now?

You mentioned that your .htaccess file hacked by the "same guys". When was that and was it RavenNuke at that time?

What, exactly, did the data look like prior to you deleting it? Feel free to PM me if you have those details.

Unfortunately, if this is a shared hosted environment, it is possible that you were compromised via another account. But, given that only the news was affected and not a bunch of other stuff, I am guessing that it is not that.

Around the same time (earlier actually), were there any UNION blocks seen by NukeSentinel? (I.e., they might have been probing an exploit, but using proxies or other ways to cover their tracks.)

registered · Site Admin Joined: Jun 04, 2004 Posts: 6437

Sorry to jump in late on this - were any new files added or files changed?

Posted: Mon Apr 07, 2008 1:26 pm

montego wrote:

onnig, it might help too if you can give Guardian what the data looked like within the database before you removed it. It might help him while searching through the logs. Just PM it to him if you have it...

Sorry Montego, I deleted the text they posted, I was in panic mode.

Posted: Mon Apr 07, 2008 1:35 pm

montego wrote:

onnig, some additional questions:

You have not responded in a while to some questions, what is the state of things now?

You mentioned that your .htaccess file hacked by the "same guys". When was that and was it RavenNuke at that time?

What, exactly, did the data look like prior to you deleting it? Feel free to PM me if you have those details.

Unfortunately, if this is a shared hosted environment, it is possible that you were compromised via another account. But, given that only the news was affected and not a bunch of other stuff, I am guessing that it is not that.

Around the same time (earlier actually), were there any UNION blocks seen by NukeSentinel? (I.e., they might have been probing an exploit, but using proxies or other ways to cover their tracks.)

All I have done so far is block all of Turkey, I hope, maybe some remote village still has access Wink

.

Anyway, I will PM you the hacker site it came from. I did a search on the logs myself, I remember, and nothing came up with their name they pasted. I just hope there are no lingering files on the site that they are waiting for an opportune time to use to hit us with.

I've been having problems just recently with NukeSent, even upgraded to latest a couple of days ago and still, not tracking IP's even though it is set to track. I want to upgrade the entire site to latest RN. HTTPAuth is turned on, so everything is good, how do I see if there are any attacks? I get emails about abuse being blocked. They are always "Abuse-Filter". I don't see UNION.

Can I get help with the tracking issue and maybe I haven't setup something right with Nuke Sentinel. I followed the instructions, great instructions, as much as I could.

Posted: Mon Apr 07, 2008 1:36 pm

kguske wrote:

Sorry to jump in late on this - were any new files added or files changed?

How can I tell?

Posted: Mon Apr 07, 2008 1:37 pm

Raven wrote:

Do you allow anonymous to post? What 3rd party addons are you using? Do you have admin auth turned on?

Kalendar mod:

http://www.cloneportal.de/Downloads-cid-1.html

Its in German but the install will have the English option.

Podcast mod:

http://www.jaieproductions.com/products.php

Posted: Tue Apr 08, 2008 11:59 am

anyone, anyone?

Posted: Tue Apr 08, 2008 5:52 pm

The podcast mod is for Nuke 1.8 quess the meant 8.1 so its not directly for your version. I don´t anything about this module so I can´t comment.
For you as webmaster it should be quite easy to find out weird things because only you know your site and the uploaded files.
As long as there is a security hole its only a matter of time and you ´ll get the same issue again and a banned country means nothing it isn´t a real handicap.

About the scan tool:

http://www.directadmin.com/forum/showthread.php?threadid=12664
Do a search and you ´ll find out more about this.

Related to NukeSentinel there isn´t much to set up because its preconfigured.
I would check the settings in the NS administration and also the settings of the NSN blockers. Make sure they are activated. I´ve not seen a site where the tracking function doesn´t work. Don´t know what you did.Excluded ranges will not be tracked. But I quess you know this already.

Posted: Tue Apr 08, 2008 11:20 pm

Thank you