Ravens PHP Scripts: Forums
 

 

cornishpixie
Regular

Joined: Dec 15, 2008
Posts: 79

Posted: Tue Feb 17, 2009 6:51 pm

I've had my site hacked, parts of the forum deleted and then several modules deactivated.

Quote:
Created By: NukeSentinel(tm) 2.6.01
Date & Time: 2009-02-17 10:36:02 UTC GMT +0000
Blocked IP: 203.130.236.211
User ID: Anonymous (1)
Reason: Abuse-Filter
--------------------
Referer: none
User Agent: libwww-perl/5.805
HTTP Host: www.pekinheaven.com
Script Name: /main/modules.php
Query String: name=News&file=removed
Post String: Not Available
Forwarded For: none
Client IP: none
Remote Address: 203.130.236.211
Remote Port: 36367
Request Method: GET


Now I've put everything right but now can't turn on Admin Auth in Sentinel.
The .htaccess file is chmod 777 (is that right?) but all there is in the box to turn AA on is: Off and Admin CGIAuth. No option to turn it on, and the path in the box below that is correct to the .htaccess file.

Can someone advise please? thanks
 
evaders99
Former Moderator in Good Standing



Joined: Apr 30, 2004
Posts: 3221

Posted: Tue Feb 17, 2009 8:40 pm

This was a hack against RavenNuke 2.30.00? Was this within an old addon or something different? Please send me the details

I don't know what's missing from Admin Auth, but yes.. it should be chmod 777

Raven
Site Admin/Owner



Joined: Aug 27, 2002
Posts: 17088

Posted: Tue Feb 17, 2009 9:00 pm

Everyone needs to do this!

Please immediately download and replace the following file:

Download -> http://www.ravenphpscripts.com/public/captcha.zip
Unzip captcha.zip
Replace ->/images/captcha.php


Last edited by Raven on Tue Feb 17, 2009 9:27 pm; edited 1 time in total 
evaders99

Posted: Tue Feb 17, 2009 9:11 pm

Raven, your link is processing it as a .php file :)
May need to zip it up or rename
 
Palbin
Site Admin



Joined: Mar 30, 2006
Posts: 2583
Location: Pittsburgh, Pennsylvania

Posted: Tue Feb 17, 2009 9:18 pm

"save as" for now

spasticdonkey
RavenNuke(tm) Development Team



Joined: Dec 02, 2006
Posts: 1693
Location: Texas, USA

Posted: Tue Feb 17, 2009 9:20 pm

just displays an error message in the downloaded php file
 
Palbin

Posted: Tue Feb 17, 2009 9:22 pm

You are correct :( I see what evaders99 is talking about now.
 
Raven

Posted: Tue Feb 17, 2009 9:28 pm

I have corrected the file name/link.
 
dad7732
RavenNuke(tm) Development Team



Joined: Mar 18, 2007
Posts: 1242

Posted: Tue Feb 17, 2009 10:14 pm

Thanks for the fix, all my production domains contain the new file now.

Cheers
 
dad7732

Posted: Tue Feb 17, 2009 10:27 pm

Perhaps you need to uncomment the section in .htaccess under:

# Start of NukeSentinel(tm) admin.php Auth


Last edited by dad7732 on Tue Feb 17, 2009 10:28 pm; edited 1 time in total 
cornishpixie

Posted: Tue Feb 17, 2009 10:28 pm

Thanks for that.

evaders99 I just have the straight RavenNuke 2.30.00 with no addons, extras or mods.

Still not able to put Admin Auth to ON, there's nothing there to do so.

I'll pm you my site details so you can check it if you like. Can't understand it.
 
dad7732

Posted: Tue Feb 17, 2009 10:30 pm

Re: turning adminAuth on / off

You running PHP 4? If so, check out the setting for "register_globals" ... off or on?
 
cornishpixie

Posted: Tue Feb 17, 2009 10:34 pm

Sorry where would I find that?

Head's spinning a bit at the moment after sorting the site out. Sorry.

PHP 5.2.5
 
Raven

Posted: Tue Feb 17, 2009 10:46 pm

cornishpixie wrote:
Thanks for that.

evaders99 I just have the straight RavenNuke 2.30.00 with no addons, extras or mods.

Still not able to put Admin Auth to ON, there's nothing there to do so.

I'll pm you my site details so you can check it if you like. Can't understand it.


Do you see HTTP Auth instead of CGI Auth?
 
cornishpixie

Posted: Tue Feb 17, 2009 10:59 pm

All it says in the Admin Auth drop down box is OFF or Admin CGIAuth

Yet the path to the file is correct. There's no ON option in the box. The file .htaccess is chmodded 777 and I've just redownloaded RavenNuke 2.3.00 again and uploaded the .htaccess file again. Still doesn't show in the box.

Earlier I uncommented

# Start of NukeSentinel(tm) admin.php Auth as dad7732 suggested and got an internal server error, so hence downloading new file and reuploading it.
 
Raven

Posted: Tue Feb 17, 2009 11:05 pm

Admin CGIAuth is what you want. It is dependent on .htaccess and .staccess. There is an exact procedure to creating the ids and passwords that go into the .staccess file. Have you followed the instructions in the HowToInstall guide? I don't mean that as an insult!

Also, that line you uncommented is just a comment and the 500 error you received is the result of a syntax error in .htaccess since Apache had no idea what it meant ;)
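
An added illustration of the point in the reply above (not part of the original thread and not copied from the RavenNuke distribution): the header line is only a description and must stay commented, while the directives after it are what enable HTTP Basic authentication on admin.php. The block layout, the `AuthName` text and the `AuthUserFile` path are assumptions; the Apache directives themselves are standard.

```apache
# Header line: descriptive text only, so it keeps its leading "#".
# If the "#" is removed, Apache parses "Start" as a directive name, finds
# no module that provides it, and answers every request under this
# directory with 500. The error log then shows:
#   Invalid command 'Start', perhaps misspelled or defined by a module
#   not included in the server configuration
# Start of NukeSentinel(tm) admin.php Auth

# These are the lines that get uncommented (assumed layout).
<Files admin.php>
    AuthType Basic
    AuthName "Admin area"
    # Placeholder path: use the absolute filesystem path to .staccess
    AuthUserFile /placeholder/absolute/path/.staccess
    Require valid-user
</Files>

# Keep the credential file from being served over HTTP.
# Apache 2.4 syntax; on 2.2 use "Order allow,deny" plus "Deny from all".
<Files .staccess>
    Require all denied
</Files>
```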
 
cornishpixie

Posted: Tue Feb 17, 2009 11:09 pm

I didn't take it as an insult Raven. It's 5am here and been trying to get the site working since 11pm. lol So I'm a bit fuzzy at the moment.

OK I'll switch to CGIAuth. I did read the instructions when I installed the site last year, and it's been fine til it was hacked tonight. But will change to CGIAuth now.

I'll read the install instructions again, as I will need to add something to .staccess file I think?
 
Raven

Posted: Tue Feb 17, 2009 11:14 pm

Yes, it's all in there. Tell you what. PM to me the following information and I'll set it up.

Site url, adminid, passwd
ftp url, id, passwd
phpmyAdmin url, id, passwd

The reason I need/want all that information is because I want to be sure that the buttwipe didn't leave any other back doors ;)

I am so very, very, very, sorry for the damage that was done through the hole in RN.
 
cornishpixie

Posted: Tue Feb 17, 2009 11:30 pm

Sorry Raven was doing the CGIAuth thingie.

Ok will pm you the info now, thank you so much, I'm really tired at the moment.
 
cornishpixie

Posted: Tue Feb 17, 2009 11:46 pm

All info pm'd Raven. Thanks for your help.

Off to bed now as it's 5.45AM here. Will check back here around 11AM my time.

Good luck. Hope he's not done much damage.

Raven it's not your fault, it's such a complex piece of software, and you all do such a great job that someone somewhere is bound to want to challenge your skills. The price of fame eh? lol

Nite my friend.
 
evaders99

Posted: Wed Feb 18, 2009 12:43 am

If you're sure this hack is due to vulnerable spot (time matches with log, code was executed, etc), then no need to message me. Seems like Raven has it covered.
 
Raven

Posted: Wed Feb 18, 2009 1:09 am

All should be well now. I will PM you back your information.
 
dad7732

Posted: Wed Feb 18, 2009 6:24 am

Just as a matter of record ...
Quote:
Earlier I uncommented

# Start of NukeSentinel(tm) admin.php Auth


What I said was to uncomment the lines AFTER that entry. ;)

Cheers
 
cornishpixie

Posted: Wed Feb 18, 2009 6:28 am

LOL Sorry dad7732.

I was half asleep last night, it was 6am UK time and I'd been trying to sort it out since 11pm, so my brain wasn't engaging properly.

Thank you to Raven, for getting it all up and running again for me, you are a STAR!!!!

Went onto my 50+ website for the silver surfers and the forum on there had been hacked. Thankfully I use the forum on RavenNuke on that site as a support forum, and link to an 'external' phpbb3 forum to the main site, so it's on a separate database, which is good cos they only managed to wipe half the forum on there and couldn't touch the main site.

So will be busy today getting that forum up and running again.

I have no idea why kids do this kind of thing. If they put that much energy into something constructive what a great place the world would be eh?

Thank you again everyone! Much much appreciated, and sorry if I was a bit doh! last night, was lack of sleep lol
 
dad7732

Posted: Wed Feb 18, 2009 6:40 am

Quote:
I have no idea why kids do this kind of thing.


Because they can ... Also, the challenge.

Cheers and good luck!!
All times are GMT - 6 Hours
 