Ravens PHP Scripts: Forums
 

 

TheLoneInventor
New Member
Joined: Jun 06, 2005
Posts: 7
Location: Oregon, USA

Posted: Mon Jun 06, 2005 2:57 pm

Hi all,

I have searched this site, and the net for any information related to the problem I'm currently having, but to no avail. I truly hope this is not a repeat post, and believe I have done due diligence in assuring that it isn't.

With that in mind, here's what happened. I'm running 7.3, had protector on the system, but a very old version meant for 6.7, which I didn't realize until I went back and looked at it, after being hacked.

June 2nd 2005, hacker named kralkayra signed up evidently. I wasn't back at the site until the 4th, and noticed that the admin login screen came up. There was no security code displayed, only the text security code. It was the standard issue message, there are no admin accounts yet, you must create one.

Immediately alarmed, knowing full well that there were two admin accounts that should be there, I tried to create one through the admin page. No luck, it just kept bringing me back to the same page with the same message.

Went into the phpMyAdmin, discovered that the nuke_authors table was entirely empty. No admins whatsoever. I had another install of 6.8 as a subdomain, so I went over, exported the nuke authors table from the 6.8 install and did an sql query through phpMyAdmin to bring it into the 7.3 site's database, dropping the current and empty 7.3 table in the process.

Logged into the site with the password of the admin in the 6.8 installation. All good, got control of the site back, and found that nothing had been touched as far as I could tell, the hacker must have locked himself out as well... Changed the password, reinstalled the protector system, latest version 1.15b2 and started to look around. Again, everything seemed fine.

I posted a news story about the hack, and why I had shut the site down for about a day. All went well, but when I created my wife's admin account again as it was deleted as well, she logs in and notices that the news story I posted is in Italics with the TheLoneInventor writes"..." so obviously I didn't appear to have full admin privileges. She also saw that there appeared to be a news submission, she clicks on the submission link and is taken to the profile page for my user account which now says "There is no information available for this user" mostly blank, no avatar etc. only shows my last news submissions at the bottom left.

Ok, so I go to stories that she has posted in the past, they also say the same thing "Jade writes"..." to me, not to her, and vice versa... Also, the profile pages in the phpbb2 forums contained within the 7.3 site seem to come up fine, it's the profile pages for the phpnuke 7.3 that are all seeming to point to my username "TheLoneInventor" and coming up blank.

I checked the nuke_authors table from the 6.8 install against the .sql file for the 7.3 and they do not seem to have different fields, extra or missing. They both contain, radminblocker for the protector which is in addition to the stock .sql file that ships with the distro but that's it.

The URLs in the signature at the bottom, although currently the site is locked with the protector system. I can unlock it briefly if anyone wants to have a look at it. I still have it locked as I'm sure in its current state it's more vulnerable than it should be.

I believe the hacker used an SQL injection attack to drop the authors table, or empty it rather although I can't be sure. I don't believe the hacker had file access, as again nothing seems to be altered. Therefore I of course assume that the problem must be in the database, not the files of course I could be wrong.

Any ideas as to what can be done to fix these errors? I certainly appreciate any ideas any of you may have. Thanks in advance. I will be messing around with it myself, so if anything changes I'll let you know.

TheLoneInventor

EDIT: I forgot to mention that after regaining control of the site I posted a news submission that had been sitting there for a few days by anonymous. Now the link to anonymous is clickable, and again is pointed to my empty profile... This user was not the hacker, I have received submissions before from them about the same subjects, no malicious code detected in it. It's the anonymous user being clickable... Is there an anonymous user account? Should it be deleted if there is? Thanks.

_________________
Invention Makes the World Go Around in New and Better Ways! Visit me at www.loneinventor.com 
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 17088

Posted: Mon Jun 06, 2005 5:52 pm

See this post for a similar hack and discussion: http://www.ravenphpscripts.com/postp39490.html#39490
 
TheLoneInventor

Posted: Mon Jun 06, 2005 6:40 pm

Thanks very much Raven. I read through that thread. I was able to get into the admin C/P after recreating the authors table, as it appeared to have been emptied. I deleted the user account for this hacker etc.

I now have checked my news module files to look for any added code, haven't found any yet though... Could be something like that though. I'll keep checking. Out of curiosity there isn't anything else in the DB that says an admin is author, author is admin, user is author or admin is there?

Thanks very much
 
Raven

Posted: Mon Jun 06, 2005 10:34 pm

No, but they usually create a user record also.
 
TheLoneInventor

Posted: Tue Jun 07, 2005 8:41 pm

Right, the hacker did create a user account which I deleted as well. Again, the only problem I have at this point is that the news stories seem to come up strangely which leads me to believe there is still something very wrong. They say "admin writes"..." etc.etc. not to the admin that writes them, but to everyone else.

The user profiles within the nuke are all messed up as well. They all come up with half of my information. The username at the top is mine, the avatar is that of the user, the edit user link works to edit the user, but they also come up with my points, and what not...

I have looked through all the files, the Your_Account module files, the news module files, replaced them and so on, all the same, leading me to believe a problem in the db, however I can't find one. I did change the user_level field in the nuke_users table to '2' for both the admin account, which they weren't before. Mine was on '3' which is moderator, and the wife's was '1' which is user... Still can't figure it out though.

I am probably going to either try uploading all the nuke files again, or exporting, repairing and inserting all the db tables one at a time, good grief. Not looking forward to that one, as I have made many modifications to the scripts... ;)

Anyway though, let me know if you can think of anything else that might be causing such a weird deal. I know it has to have something to do with the hack, because all was fine before, and I have changed nothing, so it's got to be something simple...

Again, I tend to suspect an 'authority' or level issue which is cascading down through the CMS, but I don't know enough about the intricate workings of the script to figure out which files, or fields (probably the latter) it might be coming from.

Thanks very much
 
Raven

Posted: Tue Jun 07, 2005 11:11 pm

Make sure that your admin user_id is the same as what is in the stories informant column
 
TheLoneInventor

Posted: Thu Jun 09, 2005 2:11 am

Perhaps I'm misunderstanding, the user_id field in the nuke_users table is a number. 3 for me, and 2 for the other admin account. The aid in the nuke_authors for me is TheLoneInventor, the name is God.

The informant column in the stories table is TheLoneInventor for me, which I believe is correct.

Am I missing something? Also just noticed the counter field in the nuke authors table for me is set at 2, and 0 for the other admin... what does that mean? All other fields are set to 0 except for radminsuper which is set to 1 for both accounts.

Thanks Raven very much
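
Added example (not part of the thread and not PHP-Nuke code): a read-only consistency check between the three tables discussed in the posts above, run against an in-memory SQLite stand-in with constructed rows. The table name nuke_stories, the sid column and all sample values are assumptions; the other columns are the ones named in the posts.

```python
import sqlite3

# Minimal stand-in schema. Column names are the ones quoted in the thread;
# the table name nuke_stories and the column sid are assumptions.
SCHEMA = """
CREATE TABLE nuke_authors (aid TEXT, name TEXT, radminsuper INTEGER);
CREATE TABLE nuke_users (user_id INTEGER, username TEXT, user_level INTEGER);
CREATE TABLE nuke_stories (sid INTEGER, informant TEXT);
"""

CHECKS = {
    # Admin rows with no user record of the same name (e.g. after a table import).
    "admin_without_user": """
        SELECT a.aid FROM nuke_authors a
        LEFT JOIN nuke_users u ON u.username = a.aid
        WHERE u.user_id IS NULL ORDER BY a.aid""",
    # Stories whose informant matches no user, so the byline has no profile behind it.
    "story_without_user": """
        SELECT s.sid, s.informant FROM nuke_stories s
        LEFT JOIN nuke_users u ON u.username = s.informant
        WHERE u.user_id IS NULL ORDER BY s.sid""",
    # user_level of each admin's user record, listed for manual review.
    "admin_user_level": """
        SELECT a.aid, u.user_level FROM nuke_authors a
        JOIN nuke_users u ON u.username = a.aid ORDER BY a.aid""",
}

def build_db(authors, users, stories):
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO nuke_authors VALUES (?, ?, ?)", authors)
    conn.executemany("INSERT INTO nuke_users VALUES (?, ?, ?)", users)
    conn.executemany("INSERT INTO nuke_stories VALUES (?, ?)", stories)
    return conn

def audit(conn):
    findings = {name: conn.execute(sql).fetchall() for name, sql in CHECKS.items()}
    # An emptied authors table is the state the first post found in phpMyAdmin.
    count = conn.execute("SELECT COUNT(*) FROM nuke_authors").fetchone()[0]
    findings["authors_table_empty"] = count == 0
    return findings

# Constructed sample rows, not data from the affected site.
AUTHORS = [("TheLoneInventor", "God", 1), ("Jade", "Jade", 1), ("imported_admin", "x", 1)]
USERS = [(2, "Jade", 2), (3, "TheLoneInventor", 2)]
STORIES = [(1, "TheLoneInventor"), (2, "Jade"), (3, "deleted_account")]

if __name__ == "__main__":
    for check, rows in audit(build_db(AUTHORS, USERS, STORIES)).items():
        print(check, rows)
```

The three SELECT statements only read data, so the same joins can be adapted to the live database's real table prefix before any repair is attempted.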
 
onnig
Hangin' Around
Joined: Jun 15, 2006
Posts: 36

Posted: Tue Feb 10, 2009 4:35 pm

I just got hit Feb 5th and had to recreate the actual authors table, the whole table was gone. Gonna look at the logs. Here is the user accounts, different than from the other thread:

User Name maxhex
User Email maxhex911@hotmail.com
User RegDate February 05, 2009 12:13:52 PM
UserIP-Port-MX 62.120.67.228:9049
Activation Link http://xxxx.com/modules.php?name=Your_Account&op=activate&username=maxhex&check_num=xxxx
 
Raven

Posted: Tue Feb 10, 2009 6:08 pm

Onnig,

The thread you posted to is almost 4 years old. Are you saying you are using phpnuke v7.3? If so, what patch level are you using?
 
Raven

Posted: Tue Feb 10, 2009 6:10 pm

I just saw that you double posted the same issue elsewhere so I am locking this thread.
 
All times are GMT - 6 Hours
 