Author |
Message |
aap
New Member


Joined: May 05, 2008
Posts: 6
|
Posted:
Mon May 05, 2008 3:22 pm |
|
I am somewhat new to PHP sites. I'm getting ready to launch my site soon. But before I even have a lot, if any, content on it, I have had several banned IPs already from NS. How or what makes my site a target and what do the hackers gain out of it? |
|
|
|
 |
Guardian2003
Site Admin

Joined: Aug 28, 2003
Posts: 6799
Location: Ha Noi, Viet Nam
|
Posted:
Mon May 05, 2008 4:08 pm |
|
Unfortunately the virgin phpNuke files are riddled with security issues and the community has been patching and fixing it with every release that was made. The author of phpNuke mostly ignored fixes given to him by the community and the odd time when fixes were included he gave no credit to the 'fixer', then dropped fixes from subsequent releases as well as creating even more problems.
With a reputation like that, it is a prime target for hackers/wannabe hackers. Most of the time they find sites by doing a simple Google search or use automated software to probe for vulnerabilities. |
|
|
|
 |
aap

|
Posted:
Mon May 05, 2008 4:31 pm |
|
Well, a friend of mine pointed me to your RN package and has stated that 7.6 is the most secure of the nuke. They have tried to attack me 30 times today alone. As long as NS posts the bans, that means they have been stopped, correct? It looks as if they are trying to get into my Forums DB, which has no content. |
|
|
|
 |
Gremmie
Former Moderator in Good Standing

Joined: Apr 06, 2006
Posts: 2415
Location: Iowa, USA
|
Posted:
Mon May 05, 2008 4:51 pm |
|
Just to be clear here, it isn't PHP they are targeting, it is PHP-Nuke. As Guardian2003 said, it is the known security holes in past versions that draws these script kiddies to your site like a moth to a flame. PHP-Nuke was very widely deployed in the past (is it now?) and it had holes you could drive a truck through thanks to the author's carelessness.
And yes, if NS bans them then they are stopped. That doesn't mean they won't try again from a different IP address. But after a while they will move onto another site that isn't patched. |
|
|
 |
kguske
Site Admin

Joined: Jun 04, 2004
Posts: 6437
|
Posted:
Mon May 05, 2008 5:15 pm |
|
If you look at your search statistics, you'll probably notice several popular search terms used by attackers:
powered by phpnuke
powered by php-nuke
powered by php-nuke
copyright phpnuke
etc.
They use this to identify the sites they want to attack, using known security holes found by someone else. Because this is the least creative type of attack, because they use automated scripts written by someone else, and because they tend to be young, these punks are disparagingly known as script kiddies. They target PHP-Nuke not only because it has known security holes, but a long history and a large number of sites using it. |
_________________ I search, therefore I exist...
|
|
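The referrer check described in the post above, as an added example that is not part of the original thread: it scans web-server access log lines for visitors who arrived from a search on the quoted phrases. The log format, the query-string keys and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlparse

# Phrases from the post above, normalised (lower case, hyphens dropped).
FOOTPRINT_TERMS = ("powered by phpnuke", "copyright phpnuke")
# Query-string keys assumed to carry the search phrase; extend for your engines.
QUERY_KEYS = ("q", "p", "query")
# Apache "combined" log format (assumed; match it to your server's LogFormat).
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"'
)
# Constructed sample lines (documentation IP ranges, made-up search host).
SAMPLE_LOG = [
    '192.0.2.10 - - [05/May/2008:15:40:01 -0500] "GET /index.php HTTP/1.1" 200 5120 '
    '"http://search.example/search?q=%22powered+by+php-nuke%22" "Mozilla/4.0"',
    '198.51.100.7 - - [05/May/2008:15:41:12 -0500] "GET /modules.php?name=Forums '
    'HTTP/1.1" 200 900 "http://search.example/search?q=aerial+photography" "Mozilla/5.0"',
    '203.0.113.5 - - [05/May/2008:15:42:30 -0500] "GET / HTTP/1.1" 200 5120 '
    '"http://search.example/?p=Copyright+PHPNuke+forums" "-"',
    '192.0.2.44 - - [05/May/2008:15:43:02 -0500] "GET /index.php HTTP/1.1" 200 5120 '
    '"-" "Mozilla/5.0"',
]

def search_phrase(referer):
    """Return the normalised search phrase carried in a referrer URL, or None."""
    try:
        params = parse_qs(urlparse(referer).query)
    except ValueError:  # malformed referrer, e.g. a bad IPv6 literal
        return None
    for key in QUERY_KEYS:
        if key in params:
            phrase = params[key][0].lower().replace("-", "").replace('"', "")
            return " ".join(phrase.split())
    return None

def footprint_hits(lines):
    """Return (client_ip, matched_term, requested_path) per footprint-search visit."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        phrase = search_phrase(m["referer"]) if m else None
        if phrase is None:
            continue
        term = next((t for t in FOOTPRINT_TERMS if t in phrase), None)
        if term:
            hits.append((m["ip"], term, m["path"]))
    return hits

if __name__ == "__main__":
    for hit in footprint_hits(SAMPLE_LOG):
        print(hit)
```

A hit only means the visitor found the site through its footer text; many automated probes send no referrer at all, so this complements the NS ban list rather than replacing it.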
 |
Susann
Moderator

Joined: Dec 19, 2004
Posts: 3191
Location: Germany:Moderator German NukeSentinel Support
|
Posted:
Mon May 05, 2008 5:46 pm |
|
Well, it's not only PHP Nuke; you will notice similar attacks with a Joomla installation or other CMS and also blog software because they are using PHP. And besides this, there have been security holes in the past for the popular phpBB forum, and many sites were hacked just because they were running old software.
You can't run a PHP Nuke site without additional protection like NukeSentinel because the standard protection is not enough in my opinion. |
|
|
|
 |
kguske

|
Posted:
Mon May 05, 2008 7:35 pm |
|
Good point, Susann. You will even see attacks on non-PHP sites. It's pretty sad - most kiddies are just blanketing sites to see what sticks... |
|
|
|
 |
aap

|
Posted:
Mon May 05, 2008 8:25 pm |
|
Well, from the time that I have posted here today I have been attacked and hacked to where now I can't log in as a user nor through the admin login. So I am using the latest RN and was getting ready to update NS to .17 and I have been hijacked. So where would the hole be to make this happen?
I have nothing against Raven but I have a feeling they are feeding off of your members seeking help here. I had more traffic today after posting than the total of last week when I first installed RN. |
|
|
|
 |
kguske

|
Posted:
Mon May 05, 2008 9:09 pm |
|
Assuming "they" read this site, yes, posting your site's weaknesses and / or uncertainties here (or in any public forum) could certainly be compared to blood in shark-infested waters. But without any information about your site (e.g. what upgrades / addon modules you have, whether or not you have admin authentication working, whether or not you use complex passwords, how your host has configured PHP and your webserver, and with no visibility to your access logs), it's very difficult to give you a specific answer. The bottom line is that we must all be vigilant about security - even if you use a secure base like RN, there are plenty of opportunities for weak links.
There are plenty of similar posts in the forums here, a la "How do I recover from an attack?" and "How do I prevent attacks?" Please search them for suggestions and answers from others. From experience (back in 2004, my sites were frequently attacked), I learned to follow the guidelines here. At some point, largely, but not completely, due to NukeSentinel and admin authentication, the attacks were no longer successful.
I'd suggest the following:
- disable any addons that allow uploading, even by members, unless you verify that it wasn't done by a member
- install / configure admin authentication for both admin.php and the /modules/Forums/admin directory
- change and have unique users and complex passwords for 1) database, 2) Nuke admin, 3) Nuke user, 4) admin authentication, 5) hosting account control panel
- review access logs for suspicious activity and file change dates on files on the webserver to see if any files were changed / added recently
- ask the host for assistance in verifying that this wasn't accomplished via another account on the same server or through some server configuration weakness
I know it's frustrating - especially when you have what you think is secure. The challenge is to remain calm and find the weak link(s). |
|
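One way to carry out the file review suggested in the post above, as an added example that is not part of the original thread. It goes one step beyond change dates, which whoever altered a file can reset, by also hashing each file against a clean unpacked copy of the same release; the function name, report keys and the existence of such a clean copy are assumptions.

```python
import hashlib
import os

def _sha256(path):
    """Hash a file in chunks so large uploads do not exhaust memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def _tree(root):
    """Map each file's path relative to root to its full path."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            found[os.path.relpath(full, root)] = full
    return found

def review_webroot(webroot, clean_copy, since_epoch):
    """Compare the live site with a clean copy of the release (assumed available).

    added:    files on the server that the release does not ship
    modified: files whose content differs from the release
    recent:   files whose change date is at or after since_epoch
    """
    live, clean = _tree(webroot), _tree(clean_copy)
    report = {"added": [], "modified": [], "recent": []}
    for rel, full in sorted(live.items()):
        if rel not in clean:
            report["added"].append(rel)
        elif _sha256(full) != _sha256(clean[rel]):
            report["modified"].append(rel)
        if os.path.getmtime(full) >= since_epoch:
            report["recent"].append(rel)
    return report

if __name__ == "__main__":
    import sys
    import time
    # Usage: python review.py WEBROOT CLEAN_COPY  (change dates from the last 7 days)
    result = review_webroot(sys.argv[1], sys.argv[2], time.time() - 7 * 86400)
    for kind, paths in result.items():
        print(kind, paths)
```

Files you edited yourself during installation, such as the site configuration, will appear under "modified" and need a manual look rather than an automatic verdict.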
|
|
 |
aap

|
Posted:
Mon May 05, 2008 9:24 pm |
|
Thanks kguske,
I haven't really done anything to the RN after installing it. I am the only user as I am in the process of getting the site set up to go live. At least it was the plan before this setback of getting hacked.
I will follow the steps that you have posted above. I was able to get back in my admin. I am trying to check to see if anything looks out of place. I still can't get my user account to log in. I changed the user information and still no luck. When trying to log in, it just acts like the account isn't there. It just brings up a new blank user/password field with a new graphic code. It doesn't tell me that the USER or Password was incorrect or anything. Any ideas? |
|
|
|
 |
aap

|
Posted:
Mon May 05, 2008 10:13 pm |
|
Well, I have narrowed it down to the $gfx_chk. When I disable it I can get logged in. But when I enable it, the codes are always wrong. What could I do to fix this error? |
|
|
|
 |
Guardian2003

|
Posted:
Tue May 06, 2008 2:15 am |
|
Sounds like you have a cookie conflict. Clear your browser cache and cookies, then close the browser before opening a new browser window, and that should fix the conflict. |
|
|
|
 |
montego
Site Admin

Joined: Aug 29, 2004
Posts: 9457
Location: Arizona
|
Posted:
Tue May 06, 2008 5:54 am |
|
aap, there are also numerous threads here regarding issues with the captcha that might help you. All of the issues previously reported are related to your host setup BTW, so hopefully you can get that cleared up, as one of the key features of RN is the newer captcha and its incorporation also as a spam stopper... |
|
|
 |
sting
Involved


Joined: Sep 23, 2003
Posts: 456
Location: Somewhere out there...
|
Posted:
Tue May 06, 2008 9:00 am |
|
Hopefully this is a typo and not a script kiddie hack. . .
In your main news article you have "Welcome to Advanced Aerail Photography!"
Check the word "Aerail"
-sting
is wishing he had a different pet peeve. |
_________________ You see - I told you I wasn't paranoid. They were really out to get me. |
|
 |
 |
aap

|
Posted:
Tue May 06, 2008 9:31 am |
|
Thanks for the info everyone. I will keep you posted on the issues. |
|
|
|
 |
|