| Author |
Message |
RaDiKaL
New Member
Joined: Jun 10, 2004
Posts: 23
|
 Posted:
Mon Sep 06, 2004 7:20 am |
|
Well my time came 
I have Sentinel 2.0.1+ latest patches, yet some Albanian dude desided that I am against him(I don't know why...) and hacked my site...
Take a look... www.blaze.gr
Sentinel did not caught any attempts and I have every filtre on
Any ideas where the breach may came from?
Thnanks...
[I have backup, so only my pride and hard work is damaged  ] |
| |
|
|
|
RaDiKaL
|
| Posted:
Mon Sep 06, 2004 7:41 am |
|
Sorry the bastards are still in so I'm taking it down. Basically they created new admin account(not God) and messed around with the prefferences, changing the language to albanian etc...
I had taken every precaution yet...
Oh well...
Funny thing is that all the hoopla is because they won a soccer game[world cup qualifiers...) and I was about to say that the greek fans over over reacted... I was on their side for crying out loud!
Stupid mofos...
Sorry for the post...
I guess I'll load the backup...
Any tips for extra protection? |
| |
|
|
|
|
sixonetonoffun
Spouse Contemplates Divorce
Joined: Jan 02, 2003
Posts: 2496
|
| Posted:
Mon Sep 06, 2004 7:47 am |
|
Did you use the admin http auth layer Nuke Sentinel provides? (Dual Login) |
_________________
[b][size=5]openSUSE 11.4-x86 | Linux 2.6.37.1-1.2desktop i686 | KDE: 4.6.41>=4.7 | XFCE 4.8 | AMD Athlon(tm) XP 3000+ | MSI K7N2 Delta-L | 3GB Black Diamond DDR
| GeForce 6200@433Mhz 512MB | Xorg 1.9.3 | NVIDIA 270.30[/size:2b8 |
|
|
|
|
RaDiKaL
|
| Posted:
Mon Sep 06, 2004 7:55 am |
|
| sixonetonoffun wrote: | | Did you use the admin http auth layer Nuke Sentinel provides? (Dual Login) |
My server(host) doesn't support htaccess files, so...
But i noticed that phpmyadmin wrote "Server localhost" that's impossible!
They probably hacked right to the Dbase right? |
| |
|
|
|
|
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 17088
|
| Posted:
Mon Sep 06, 2004 8:49 am |
|
Without the HTTP Auth, your admin is wide open unless you have installed the patches to admin.php, which you say you have. Please post your admin.php because the patches from Chatserv should have stopped any hacking into authors. They may have found another way. |
| |
|
|
|
|
RaDiKaL
|
| Posted:
Mon Sep 06, 2004 12:50 pm |
|
I'm pretty sure that my host doesn't support HTTP Auth but I'll double check. Here's ths admin.php
Code:<?php
/************************************************************************/
/* PHP-NUKE: Advanced Content Management System */
/* ============================================ */
/* */
/* Copyright (c) 2002 by Francisco Burzi */
/* http://phpnuke.org */
/* */
/* This program is free software. You can redistribute it and/or modify */
/* it under the terms of the GNU General Public License as published by */
/* the Free Software Foundation; either version 2 of the License. */
/* */
/************************************************************************/
/* Additional security checking code 2003 by chatserv */
/* http://www.nukefixes.com -- http://www.nukeresources.com */
/************************************************************************/
if(stristr($_SERVER["QUERY_STRING"],'AddAuthor') || stristr($_SERVER["QUERY_STRING"],'UpdateAuthor')) {
die("Illegal Operation");
}
$checkurl = $_SERVER['REQUEST_URI'];
if ((preg_match("/\?admin/", "$checkurl")) || (preg_match("/\&admin/", "$checkurl"))) {
echo "die";
exit;
}
require_once("mainfile.php");
|
[Admin note: Truncated because the rest of the code was not needed to see what level of protection you were using] |
| |
|
|
|
|
Raven
|
| Posted:
Mon Sep 06, 2004 12:58 pm |
|
HTTP Auth does NOT require .htaccess. It is part of the HTTP protocol. Try to activate it with NukeSentinel™. Unfortunately, that admin.php will not stop the admin hacks if they use some encoding like base64. I am working on enhancements to my stand alone HackAlert script that will basically be a NukeSentinel™ (lite) version. |
| |
|
|
|
|
RaDiKaL
|
| Posted:
Mon Sep 06, 2004 1:42 pm |
|
Thanks Raven. No site is 100% secure, even when running the mighty Sentinel 
I'll activate HTTP Auth for sure next time. I think I tried it offline and I got banned 
Keep up the good work!
Hey is there any way to track the little $%^%$^ down? What traces he might have left? |
| |
|
|
|
|
sixonetonoffun
|
| Posted:
Mon Sep 06, 2004 2:35 pm |
|
I'd search the logs for any access like this on the date of the attack using your own path of course:
"POST /pnuke74/admin.php HTTP/1.1"
"GET /pnuke74/admin.php?op=mod_authors HTTP/1.1" |
| |
|
|
|
|
RaDiKaL
|
| Posted:
Tue Sep 07, 2004 1:40 am |
|
Hmm in which logs? SQL?
Because I'm in shared hosting, not in a seperate server...
thanks |
| |
|
|
|
|
Raven
|
| Posted:
Tue Sep 07, 2004 4:21 am |
|
| RaDiKaL wrote: | | Thanks Raven. No site is 100% secure, even when running the mighty Sentinel |
Mighty? Hmmmm. Agreed that no site is 100% secure, but had you been using all the protection that NukeSentinel™ and the Patches from Chat, you wouldn't have gotten hacked, either. I don't mean that as a smartaleck remark. I just want those that read this to understand that NukeSentinel™ may not be perfect, but I've yet to see a site that has been hacked who has it installed and is using HTTP Auth for the admin panel. New exploits are always just around the corner though |
| |
|
|
|
|
RaDiKaL
|
| Posted:
Tue Sep 07, 2004 4:54 am |
|
I meant that as a good remark Raven  Sorry If you took it as something else
Thanks for all your work amd support! And I really mean it |
| |
|
|
|
|
Raven
|
| Posted:
Tue Sep 07, 2004 5:22 am |
|
I hesitated before I wrote that because I did not want to come across like that. I know you did not mean anything by it and no apology was necessary! As I said, it was for the benefit of those that don't yet know the product |
| |
|
|
|
|
RaDiKaL
|
| Posted:
Tue Sep 07, 2004 10:55 pm |
|
Ok
Then to those that do no have the product yet, let me say that it has caugh noumerous attempts before and I know now that I left a security hole by mistake...
It's by far the best and easiest to setup security you can add to your Nuke site. And it has amazing support to boot
So I tried activating HTTP Auth locally and even though I set a password it doesn't accept it. What am I doing wrong here?
[Apache and MySQL running on WinXP]
Thanks again! |
| |
|
|
|
|
Raven
|
| Posted:
Tue Sep 07, 2004 11:02 pm |
|
The default id/pass is your admin id/pass. You have to log in with that and then you can change it, or should be able to. |
| |
|
|
|
|
RaDiKaL
|
| Posted:
Tue Sep 07, 2004 11:40 pm |
|
Well now I see why I haven't set it up before
It reads Admin HTTP Auth: Not Available
What do I do now? |
| |
|
|
|
|
Raven
|
| Posted:
Tue Sep 07, 2004 11:47 pm |
|
Your PHP is probably compiled as a stand-alone CGI instead of an Apache module. Ask your host if they will recompile PHP as an Apache module so you can use HTTP Authentication. I am almost complete with the rewrite of my Hack Alert script also. |
| |
|
|
|
|
RaDiKaL
|
| Posted:
Wed Sep 08, 2004 12:02 am |
|
I'll give it a go but I don't think they 'll even bother...
They didn't even install the GR local 
So I'm holding my breath and await for Hack Alert
Thanks Raven |
| |
|
|
|
|
chatserv
Member Emeritus
Joined: May 02, 2003
Posts: 1389
Location: Puerto Rico
|
| Posted:
Wed Sep 08, 2004 12:19 am |
|
I'm more interested in finding out how they got in, contact your webhost and ask them for a copy of your site's access.log, once you have it check it for odd entries as suggested by sixonetonoffun and post any findings. |
| |
|
|
|
RaDiKaL
|
| Posted:
Wed Sep 08, 2004 2:05 am |
|
Ok I'll do that.
In the mean time since I don't have HTTP Auth capabilities I took a dramatic measure  I took admin.php off the web. If he got to me once, he can do it again.
Tnanks for all the help guys |
| |
|
|
|
|
64bitguy
The Mouse Is Extension Of Arm
Joined: Mar 06, 2004
Posts: 1164
|
| Posted:
Wed Sep 08, 2004 2:47 am |
|
I'm compiled in CGI mode as well so I don't have HTTP Auth capabilities, but I always assumed (I know, bad Idea to assume anything) between Protector and Sentinal I would have pretty good converage of securing my admin.php file.
Are there other methods beyond HTTP Auth of locking down the admin functions beyond the methods employed now by these two security applications, or should I not worry and assume they are doing their things adequately?
Just curious.
Thanks! |
_________________
Steph Benoit
100% Section 508 and W3C HTML5 and CSS Compliant (Truly) Code, because I love compliance. |
|
|
|
|
Raven
|
| Posted:
Wed Sep 08, 2004 4:29 am |
|
Yes there are. But as has been noted, we need to determine the method used for the breach to fix this particular case. However, I will post back shortly at least one alternative method as there could be several. |
| |
|
|
|
|
Raven
|
| Posted:
Wed Sep 08, 2004 6:52 am |
|
HTTP Authentication is a process that challenges the user to enter an id and password. So, technically, you could write any number of SSI type scripts to do this. I do not have a CGI installation to test this on, but this does work on my setup. Please test it under a CGI installation and let me know.
This is only valid under Apache. You will need 2 files. One is .htaccess and the other is a file to hold the users and passwords that are allowed access to the file. The .htaccess file will be stored in the folder where admin.php is located, which is your root nuke folder. If you already have a .htaccess just add this code to it. Otherwise you will have to create a .htaccess file. Add this code to .htaccessCode:<Files admin.php>
<Limit GET POST PUT>
require valid-user
</Limit>
AuthName "Restricted"
AuthType Basic
AuthUserFile REAL_PATH_TO_ID_PASS_FILE
</Files>
|
Now the REAL_PATH_TO_ID_PASS_FILE will be site specific, but many *nix sites have a realpath to your public_html/www folder that looks like thisCode:/home/USERNAME/public_html/
|
So, let's assume that your secret file is named 64bitsecret. I would make it hidden by naming it .64bitsecret. Now, the contents will be a username:password, like 64bitguy:secretpass, except secretpass needs to be encrypted with the crypt() function. I will not attempt an explanation of the function, but I will provide a short script I wrote to help you . The salt value can be whatever you like.Code:<form method='post'>
Enter password to be encrypted using crypt(): <input name='pw'><br /><br />
Enter the 'salt' value for the encryption (2 long): <input name='salt' maxlength='2'><br /><br />
<input type='submit' name='submit' value='Encrypt'><br /><br />
<?
if (isset($_POST['submit'])&&isset($_POST['pw'])&&!empty($_POST['pw'])) {
echo "Password <b>".$_POST['pw']."</b> translated is <b>".crypt($_POST['pw'],$_POST['salt'])."</b>";
}
?>
|
So, upon entering your password of 'secretpass' with a salt of '64' (remember it can be anything you want), we get an encrypted value of '64hH0OZjEnJyQ'. So, we now place 64bitguy:64hH0OZjEnJyQ in the .64bitsecret file.
Now we upload .htaccess and .64bitsecret to the nuke root folder and hopefully when you try to access the admin.php file you will be challenged appropriately. Pleas note that you cannot use both http auth in NukeSentinel and .htaccess http auth. It will give the browser a migraine . Please let me know your results.
Also, here is a quick little diddy to find out your REALPATH. Save this to your root nuke folder to discover the path and then delete it!Code:<?
echo 'rp = '.realpath('index.php');
?>
|
|
| |
|
|
|
|
kguske
Site Admin
Joined: Jun 04, 2004
Posts: 6437
|
| Posted:
Wed Sep 08, 2004 9:22 am |
|
Raven, you are awesome.  I'll test this on a CGI installation tonight and let you know. |
| |
|
|
|
|
kguske
|
| Posted:
Wed Sep 08, 2004 10:01 am |
|
I was so excited, I couldn't wait. This worked BEAUTIFULLY. Thank you, thank you, thank you... |
| |
|
|
|
|
|
|
![[Valid RSS]](https://www.ravenphpscripts.com/images/valid-rss.png "Validate my RSS feed"){kind=small}
