Ravens PHP Scripts: Forums
 

 

Mesum
Useless



Joined: Aug 23, 2002
Posts: 213
Location: Chicago

Posted: Wed Dec 08, 2004 6:21 am

That's right, there is no special note in Read Me file or anything for users who change their admin.php to make the changes in robots.txt.

You know what that means right?
 
Raven
Site Admin/Owner



Joined: Aug 27, 2002
Posts: 17088

Posted: Wed Dec 08, 2004 8:59 am

Little things mean so much!
 
Mesum







Posted: Wed Dec 08, 2004 12:10 pm

Yeah, I was searching for a module on Google last night and happened to find the person's admin.php... Boy I was laughing so hard.
 
oprime2001
Worker



Joined: Jun 04, 2004
Posts: 119
Location: Chicago IL USA

Posted: Wed Dec 08, 2004 1:58 pm

I read your [link], but doesn't adding the newly renamed admin.php / "whatever.php" to your robots.txt defeat the obfuscation?

Anyone can bring up the robots.txt for any site to which they have access. [link].

Did I miss the intention of your [link]? Or did I (not having used 7.6) miss the purpose of renaming the admin.php?
 
PHrEEkie
Subject Matter Expert



Joined: Feb 23, 2004
Posts: 358

Posted: Wed Dec 08, 2004 2:44 pm

PHP-Nuke dot org wrote:
PHP-Nuke 7.6 Final version. This version big change is that you can now rename your admin.php file and hide it for security improvement.


That is the biggest scam FB has pulled EVER. Secure your site and you won't need to rename any script. My script is called admin.php, come get me...

Renaming files as a security layer... my goodness... it would be hilarious if it weren't so sad how many people buy this load. What's next? Shall we dynamically rename admin.php at the end of each Admin session..? Maybe we could hash the name of the admin file and email the new hash to the site admin... lol... this is crazy. Let's get creative and make things that are productive and useful instead of running around spinning our wheels. Sentinel was a valid and much needed contribution to the community. Renaming files is silly.. and if renaming admin.php is 'the really big change' in Nuke for 7.6, well... those poor club people grabbed their ankles again! How does he do it?!!!

PHrEEk
 
Raven







Posted: Wed Dec 08, 2004 4:45 pm

PHrEEk,

No, really, what's on your mind - tell us what you really think ROTFL ?
 
PHrEEkie







Posted: Wed Dec 08, 2004 5:11 pm

LoL... what I -really- think is all this has accomplished is successfully locking more Site Admins out of their own Nuke sites than they have locked out any potential hackers... hahah it's really quite funny! Gaylen my friend... you are an old salt like me... you've seen quite a few things over many years. Have you EVER in all your years seen a recommended security layer include renaming a file?? It's so absurdly hilarious! But at the same time, it's becoming a problem too. People who don't know any better and who are convinced that this is a sound security precaution are starting whole threads of SERIOUS discussions, posting news on their sites, adding workarounds to problems this non-solution creates. In other words, spreading FB's manure for him! I'm not sure which aspect of this lunacy is more absurd! All I know is it's a waste of time and resources to act like this is a valid procedure, and to sit here discussing how to implement it. There's much bigger phish to phry, to say the least... but who cares what I think... I'm just a phreek Wink

PHrEEk
 
Raven







Posted: Wed Dec 08, 2004 5:17 pm

I feel the same way. Ever since v6.9 I have yet to see any reason to update. Just my personal opinion. He has not added anything of significance and should have stopped a long time ago with these worthless upgrades and cleaned this nightmare up, secured it, optimized it, and then released it for $10.00. Yeah, uh-hu - if that ever happens we would do well to check the temperature in hell.
 
Guardian2003
Site Admin



Joined: Aug 28, 2003
Posts: 6799
Location: Ha Noi, Viet Nam

Posted: Wed Dec 08, 2004 5:50 pm

I see cPanel is dropping Nuke from Fantastico now as well.

By the way, if anyone wants manure, I can give you as much as you can cart away from my farm yard and guess what - I am not asking $10 - you can have it for free.
So please, save your $10 and spend it here in the form of a donation for fixing up the pile of manure.

Sorry, just had to have my hay lol
 
Raven







Posted: Wed Dec 08, 2004 6:23 pm

ROTFL
 
PHrEEkie







Posted: Wed Dec 08, 2004 6:24 pm

Yes, sometimes it is better to just tell the Emperor that he has no clothes!

I'll be honest about the real problem. FB is too comfortable with his software. Therefore, he is no longer on the cutting edge of PHP programming and has lost touch with things that scripts REQUIRE in 2004. His SQL queries are juvenile at best, although at the time 4 years ago, they were adequate. I have never seen an advanced query from him using a join or an alias, etc... he is old school, and that is no longer adequate to take Nuke to greener pastures. He does not possess the required PHP skills to secure his software, he relies on others to do it for us without recognition or compensation. From his FAQ:

PHP Nuke dot Org FAQ wrote:
Additionaly many people contributes with the code cleaning, problems (bugs) reports, addons, modifications, translations, etc, so at the end, PHP-Nuke, is the effort of so many cool people that helps day by day to improve it.


That is all he is willing to concede to. The truth to us that have been along for the ride these many years is, there is nothing significantly different about the Nuke core since he changed the config from a file server-side to the config table in the DB. The success story belongs to those unnamed people who 'clean' the code (LoL!) and those wonderful people who design great modules and add-ons for community-specific tasks.

So instead of spending the money the 'club' and his site advertising generates on actually PAYING Chatserv and others to FIX these security vulns and bring this software into 2004/5, he instead tells everyone to just rename admin.php!!! ROTFL FB is no longer a coder, he is a magician! Houdini would shite his britches at the ease and confidence FB exhibits while using his smoke and mirrors to fool people!

Make a donation to this site, and then immediately make a donation to nukefixes.com so Chatserv can be compensated as well. You will be ensuring that when you upgrade your Nuke or phpBB a few months from now, you will get the right security patches instead of being told by FB to rename a few files...

PHrEEk
 
Mesum







Posted: Wed Dec 08, 2004 7:54 pm

oprime2001 wrote:
I read your [link], but doesn't adding the newly renamed admin.php / "whatever.php" to your robots.txt defeat the obfuscation?

Anyone can bring up the robots.txt for any site to which they have access. [link].

Did I miss the intention of your [link]? Or did I (not having used 7.6) miss the purpose of renaming the admin.php?


Hmm, I must have overridden the file when I was checking the GT (was trying to figure out about forums problem) else my htaccess wouldn't have let you read my robots.txt file Very Happy

But thanks, I will add that to my suggestions Very Happy
 
oprime2001







Posted: Wed Dec 08, 2004 8:46 pm

Mesum wrote:

Hmm, I must have overridden the file when I was checking the GT (was trying to figure out about forums problem) else my htaccess wouldn't have let you read my robots.txt file Very Happy

What criterion can you use in your .htaccess to limit access to your robots.txt without locking out "legitimate" access e.g. by search bots like googlebot?
 
Techgfx
New Member



Joined: Jan 22, 2004
Posts: 7
Location: Australia

Posted: Thu Dec 09, 2004 5:36 am

Hiyas,

Why not remove any reference to the admin file in robots.txt and place the admin file in /admin/. robots.txt disallows access to everything in /admin/.

Then as default have the admin file titled index.php so it is accessible via site.com/admin/index.php, manipulate mainfile.php to declare admin_file as /admin/ and leave everything in config.php the same so people still have to just rename the filename to something else without having to worry about /admin/. This is where the admin file should be, I don't see a point in moving it to another folder outside /admin/ unless beginner users want to have google crawl their admin file.

Usage of .htaccess files could make it possible too, but waste of time since .htaccess isn't used/compatible on all servers.

I should email this to FB, I'm sure he will get back to me asap, sigh.

My 2 cents.

_________________
TechGFX Online Community
Expect to be impressed: PHP-Nuke Platinum. 
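The point raised in the posts above (listing the renamed admin script by name in robots.txt publishes that name, while a directory rule such as /admin/ does not) as an added example that is not part of the original thread or of PHP-Nuke: a small Python audit for your own robots.txt. The two sample files, the function name `disclosed_scripts` and the extension list are assumptions made for illustration.

```python
import posixpath

# Constructed sample: the pattern questioned in the thread, where the renamed
# admin script ("whatever.php") is listed by name in robots.txt.
NAMED_SCRIPT_ROBOTS = """\
User-agent: *
Disallow: /whatever.php
Disallow: /images/
"""

# Constructed sample: the directory-only form suggested later in the thread.
DIRECTORY_ONLY_ROBOTS = """\
User-agent: *
Disallow: /admin/
Disallow: /images/
"""

# Assumption: extensions treated as "an individual server-side script".
SCRIPT_EXTENSIONS = (".php", ".php3", ".phtml", ".cgi", ".pl", ".asp")


def disclosed_scripts(robots_txt):
    """Return (line_no, user_agent, path) for every Disallow rule that names
    one specific script file; robots.txt is readable by any visitor."""
    findings = []
    agents, in_rules = [], False
    for line_no, raw in enumerate(robots_txt.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if in_rules:                          # a new group starts here
                agents, in_rules = [], False
            agents.append(value)
        elif field in ("allow", "disallow"):
            in_rules = True
            path = value.split("?", 1)[0].rstrip("$")
            name = posixpath.basename(path)
            if (field == "disallow" and "*" not in name
                    and name.lower().endswith(SCRIPT_EXTENSIONS)):
                findings.extend((line_no, a, value) for a in agents or ["*"])
    return findings


if __name__ == "__main__":
    for sample in (NAMED_SCRIPT_ROBOTS, DIRECTORY_ONLY_ROBOTS):
        print(disclosed_scripts(sample))
```

A Disallow line is a request to well-behaved crawlers, not an access control, so an empty result only means the file no longer advertises the script's name.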
Guardian2003







Posted: Thu Dec 09, 2004 6:04 am

This is getting complicated, I think I will stick to just uploading my admin.php when I need to work on the site and then delete it again when not in use lol
 
Mesum







Posted: Thu Dec 09, 2004 7:53 am

Techgfx wrote:
Hiyas,

Why not remove any reference to the admin file in robots.txt and place the admin file in /admin/. robots.txt disallows access to everything in /admin/.

Then as default have the admin file titled index.php so it is accessible via site.com/admin/index.php, manipulate mainfile.php to declare admin_file as /admin/ and leave everything in config.php the same so people still have to just rename the filename to something else without having to worry about /admin/. This is where the admin file should be, I don't see a point in moving it to another folder outside /admin/ unless beginner users want to have google crawl their admin file.

Usage of .htaccess files could make it possible too, but waste of time since .htaccess isn't used/compatible on all servers.

I should email this to FB, I'm sure he will get back to me asap, sigh.

My 2 cents.


That is yet another good point please do let us know how things work out with your e-mail to FB.

I am just as confused as anyone else on why this feature was being added.
The question is to protect it now with whatever the ideas we have, we apply security patches, we install tools but what else can we do to secure what we have in our hands right now?

Where exactly are we going with this?
 
Mesum







Posted: Thu Dec 09, 2004 8:10 am

How exactly does the author find out what his users want? Does he bother reading any of his official support websites when everyone is singing the same song "Oh fix the distro first" Or he waits for the e-mails from people like TechGFX, who tell him "Umm, maybe we should fix the distro first" or he dreams a lot of people users standing outside of his house just like the AOL commercial and ask him to add a feature where people can rename their admin.php.... How exactly does it work?
 
Raven







Posted: Thu Dec 09, 2004 9:00 am

From his website:
FB wrote:
NOTE: Being a member doesn't give right to you to receive technical support. PHP-Nuke is distributed AS IS without warranty and without technical support. Any technical support email will be ignored.


There's customer service at its finest!
 
PHrEEkie







Posted: Thu Dec 09, 2004 7:19 pm

Techgfx wrote:
I should email this to FB, I'm sure he will get back to me asap, sigh.


ROTFL
 
Hagii
New Member



Joined: Dec 21, 2004
Posts: 7

Posted: Tue Dec 28, 2004 2:25 pm

well after reading this post, I will definitely be contributing to the efforts of Chatserv, I use nuke cause it's a great tool and if someone is making it better then I for one want to make sure they can financially afford to do so. I will make money with Nuke sites and definitely invest in its SECURE future.
 
All times are GMT - 6 Hours
 