Help Please - Site Hacked

Client Joined: Dec 04, 2004 Posts: 757

Hi all, I checked my site out this evening to find all my right blocks had fanished? I havnt updated or changed anything but they just dissapeared ?
Any idea`s all would be much apreciated as I am at a total loss.

I just noticed that my footer was missing also so I checked my footer.php and it basically had thousands of urls in it from sex sites to god knows what else Confused

How on earth could this be possible as the file had permissions 644 ????

thanks
mrix

Posted: Thu Aug 28, 2008 7:30 pm

What version of Nuke? Are you running Raven Nuke and what version of Nuke Sentinel?

registered · Posted: Thu Aug 28, 2008 8:14 pm

Check your server logs for any funny business.

Posted: Fri Aug 29, 2008 12:41 am

Hi I am running the latest ravennuke and the very latest sentinal.
I`ll also check my server logs
cheers
mrix

Posted: Fri Aug 29, 2008 2:03 am

What additional modules are you running?

Is this site hosted with Raven? If it is you might want to let him know so he can look at tracking down the culprit as well.

Posted: Fri Aug 29, 2008 2:52 am

No this site is hosted on a dedicated server ...
my site is here...
www.online-gaming-forums.com

If a file is 644 can it be changed ? is it possible for some who is not server side to change files like this ?

mrix

registered · Site Admin Joined: Jun 04, 2004 Posts: 6437

It shouldn't be possible unless there is an addon with a hole. Which files have 644 permissions?

It's important to check the server log to see how it happened. Are you using admin authentication?

Regarding addons, the teamspeak and NukeTube addons are one possible sources for attacks. Uploaded images can also be used for attacks.

Were any files changed / uploaded?

Posted: Fri Aug 29, 2008 6:16 am

Hi I am using admin authentication in sentinal.
When you explain about site log files is this something I would find in cpanel for the site or on the dedicated server its self?
cheers
mrix

Posted: Fri Aug 29, 2008 6:46 am

IF you are running Teamspeak....I would bet a dime to a dollar that is how they got in. There are well known "Issues" with TS.

Log Files....IF you look in your control panel....There should be a link to your Log Files. Every panel I have ever used has some sort of method of accessing them.

Dawg

Posted: Fri Aug 29, 2008 6:47 am

I have run this add on for around 3 years on the site with no problems at all Confused

cheers
mrix

Posted: Fri Aug 29, 2008 6:58 am

I ran it for less than 6 mos and got attacked through it. I no longer use TS.

Dawg

Posted: Fri Aug 29, 2008 7:26 am

Yes, check your cpanel access log to see if there are attacks on the teamspeak addon (or other types of attacks).

Posted: Fri Aug 29, 2008 8:09 am

Dawg, are you talking about the actual TS server or some TS nuke block/module?

Posted: Fri Aug 29, 2008 11:56 am

When it happened to me they came in through the TS server. It was a remote injection through the admin panel if I recall correctly. Once in the dbase...they had their way....

Was it TS's fault or the Nuke Modules fault? Heck if I know. I have not reinstalled it to find out.

This was several years ago.

Dawg

Posted: Fri Aug 29, 2008 1:32 pm

Dawg, that is strange. I know earlier versions of TS had problems, but I think recent versions are much better. Did you have TS configured to share the same database as your Nuke site? By default TS uses SQLite, so even if they got in via the TS admin panel I'm not sure what they could do to my Nuke site.

mrix, it is also possible they mangled your files via a hole in your server, completely unrelated to your site. You'll have to talk to your host about it and look at your logs.

Did they actually modify footer.php or just the footer fields that are in the database?

registered · Posted: Sun Aug 31, 2008 7:31 am

Quote:

Did they actually modify footer.php or just the footer fields that are in the database?

mrix, very key question... what is the latest?

New Member Joined: Jan 08, 2006 Posts: 7

Hi I have a simillar problem RN2.20 working well, havent changed anything in months. Now right blocks, news header all mising any help would be aprecheated dont know where to start looking?

Posted: Tue Sep 02, 2008 3:02 pm

mac2712 - is this an upgrade from a previous nule installation or a clean, new install.
What additional modules or other stuff have you added?

Posted: Tue Sep 02, 2008 3:55 pm

Guardian this is an upgrade no additional modules

Just set display_errors = true and found the following
Parse error: syntax error, unexpected T_STRING in themes/fisubice/theme.php(171) : eval()'d code on line 1

Parse error: syntax error, unexpected T_LNUMBER in themes/fisubice/theme.php(307) : eval()'d code on line 1

Parse error: syntax error, unexpected T_LNUMBER in themes/fisubice/theme.php(307) : eval()'d code on line 1

Parse error: syntax error, unexpected T_LNUMBER in themes/fisubice/theme.php(307) : eval()'d code on line 1

Parse error: syntax error, unexpected T_STRING in themes/fisubice/theme.php(178) : eval()'d code on line 1

Has the host changed something ?

Posted: Tue Sep 02, 2008 4:06 pm

I edited your post to remove the full server path for safety.
If you have not edited the theme, re upload all the files but make sure your ftp software is set to use BINARY transfer mode though I would normally expect to see those errors due to a typo on an edited file.

Posted: Tue Sep 02, 2008 4:22 pm

Just renamed fisubice and uploaded from the distubution and its the same also uploaded SoftBlue and Sand_Journey. SoftBlue has the same errors Sand_Journey is ok.

Posted: Tue Sep 02, 2008 5:48 pm

SoftBlue? I don't recall RavenNuke (tm) having a theme called SoftBlue.
Any way after re reading your post, it is clear that it was working at one time then stopped. Given the nature of the errors I suspect you might be right about the host changing something.
They are possibly preventing the use of PHP's built in eval() function.
You may have to raise this as a support issue with your host.

If they are not prepared to re-enable this built in PHP function then it is possible to recode the theme to do without it but I do not have time right now to do that.
Any of the themes that do not have seperate html files should work but sadly there are not many of them.

Posted: Tue Sep 02, 2008 6:00 pm

I will raise a ticket with my host. As a quick fix I changed the colors in Sand_Journey to make it look like like fisubice.

Thanks for your help Guardian

Posted: Wed Sep 03, 2008 1:10 am

The footer.php had hundreds of spam like urls`s in it? I basically uploaded another default file and all was ok...
Unfortunately there is nothing to stop it happening again.
cheers
mrix

Posted: Wed Sep 03, 2008 6:22 am

You are going to need host help to review the logs to see how they got in.

This can happen in a shared environment if the server is compromised, but if your file permissions are 644 and the file is owned by your user account, they would either have to be root or have compromised your account. I would change all your passwords.

It can also happen through a hole in code somewhere. But, we need to find out where!