Author |
Message |
mds
Client
Joined: Dec 24, 2004
Posts: 194
Location: Michigan
|
Posted:
Mon Jun 06, 2005 8:31 am |
|
What info can I provide to help find out how this happened?
nuke 7.4
Sentinel 2.1.3 |
Last edited by mds on Mon Jun 06, 2005 1:27 pm; edited 3 times in total |
|
|
mds
|
Posted:
Mon Jun 06, 2005 8:35 am |
|
So far I have found my nuke_config table to look like this:
-- phpMyAdmin SQL Dump
-- version 2.6.1-pl3
-- http://www.phpmyadmin.net
--
-- Host: *******edited by me
-- Generation Time: Jun 06, 2005 at 07:10 AM
-- Server version: 4.0.16
-- PHP Version: 4.3.4
--
-- Database: `**********`edited by me
--
-- --------------------------------------------------------
--
-- Table structure for table `nuke_config`
--
CREATE TABLE `nuke_config` (
`sitename` varchar(255) NOT NULL default '',
`nukeurl` varchar(255) NOT NULL default '',
`site_logo` varchar(255) NOT NULL default '',
`slogan` varchar(255) NOT NULL default '',
`startdate` varchar(50) NOT NULL default '',
`adminmail` varchar(255) NOT NULL default '',
`anonpost` tinyint(1) NOT NULL default '0',
`Default_Theme` varchar(255) NOT NULL default '',
`foot1` text NOT NULL,
`foot2` text NOT NULL,
`foot3` text NOT NULL,
`commentlimit` int(9) NOT NULL default '4096',
`anonymous` varchar(255) NOT NULL default '',
`minpass` tinyint(1) NOT NULL default '5',
`pollcomm` tinyint(1) NOT NULL default '1',
`articlecomm` tinyint(1) NOT NULL default '1',
`broadcast_msg` tinyint(1) NOT NULL default '1',
`my_headlines` tinyint(1) NOT NULL default '1',
`top` int(3) NOT NULL default '10',
`storyhome` int(2) NOT NULL default '10',
`user_news` tinyint(1) NOT NULL default '1',
`oldnum` int(2) NOT NULL default '30',
`ultramode` tinyint(1) NOT NULL default '0',
`banners` tinyint(1) NOT NULL default '1',
`backend_title` varchar(255) NOT NULL default '',
`backend_language` varchar(10) NOT NULL default '',
`language` varchar(100) NOT NULL default '',
`locale` varchar(10) NOT NULL default '',
`multilingual` tinyint(1) NOT NULL default '0',
`useflags` tinyint(1) NOT NULL default '0',
`notify` tinyint(1) NOT NULL default '0',
`notify_email` varchar(255) NOT NULL default '',
`notify_subject` varchar(255) NOT NULL default '',
`notify_message` varchar(255) NOT NULL default '',
`notify_from` varchar(255) NOT NULL default '',
`moderate` tinyint(1) NOT NULL default '0',
`admingraphic` tinyint(1) NOT NULL default '1',
`httpref` tinyint(1) NOT NULL default '1',
`httprefmax` int(5) NOT NULL default '1000',
`CensorMode` tinyint(1) NOT NULL default '3',
`CensorReplace` varchar(10) NOT NULL default '',
`copyright` text NOT NULL,
`Version_Num` varchar(10) NOT NULL default '',
PRIMARY KEY (`sitename`),
FULLTEXT KEY `copyright` (`copyright`),
FULLTEXT KEY `Version_Num` (`Version_Num`)
) TYPE=MyISAM;
--
-- Dumping data for table `nuke_config`
--
INSERT INTO `nuke_config` VALUES ('<font class="content"><META http-equiv=refresh', '<font class="content"><META http-equiv=refresh', 'logo.jpg', '<font class="content"><META http-equiv=refresh', '<font class="content"><META http-equiv=refresh', '<font class="content"><META http-equiv=refresh', 0, 'Sand_Journey', '<font class="content"><META http-equiv=refresh \r\ncontent=0;URL=http://k.domaindlx.com/kayrahakan/html.html>\r\n', '<font class="content"><META http-equiv=refresh \r\ncontent=0;URL=http://k.domaindlx.com/kayrahakan/html.html>\r\n', '<font class="content"><META http-equiv=refresh \r\ncontent=0;URL=http://k.domaindlx.com/kayrahakan/html.html>\r\n', 4096, 'Anonymous', 5, 1, 1, 1, 1, 10, 10, 1, 30, 0, 1, '<font class="content"><META http-equiv=refresh', 'en-us', 'english', 'en_US', 0, 0, 0, 'editedmymail', 'NEWS for my site', 'Hey! You got a new submission for your site.', 'webmaster', 0, 1, 1, 500, 3, '*****', 'Web site engine code is Copyright © 2003 by <a href="http://phpnuke.org"><font class="footmsg_l">PHP-Nuke</font></a>. All Rights Reserved. PHP-Nuke is Free Software released under the <a href="http://www.gnu.org"><font class="footmsg_l">GNU/GPL license</font></a>. ', '7.4'); |
|
|
|
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 17088
|
Posted:
Mon Jun 06, 2005 9:16 am |
|
Did they add an admin into your authors table? |
|
|
|
mds
|
Posted:
Mon Jun 06, 2005 9:20 am |
|
Yes, just found this info in nuke_authors:
-- phpMyAdmin SQL Dump
-- version 2.6.1-pl3
-- http://www.phpmyadmin.net
--
-- Host: localhost
-- Generation Time: Jun 06, 2005 at 08:21 AM
-- Server version: 4.0.16
-- PHP Version: 4.3.4
--
-- Database: `**`
--
-- --------------------------------------------------------
--
-- Table structure for table `nuke_authors`
--
CREATE TABLE `nuke_authors` (
`aid` varchar(25) NOT NULL default '',
`name` varchar(50) default NULL,
`url` varchar(255) NOT NULL default '',
`email` varchar(255) NOT NULL default '',
`pwd` varchar(40) default NULL,
`counter` int(11) NOT NULL default '0',
`radminarticle` tinyint(2) NOT NULL default '0',
`radmintopic` tinyint(2) NOT NULL default '0',
`radminuser` tinyint(2) NOT NULL default '0',
`radminsurvey` tinyint(2) NOT NULL default '0',
`radminlink` tinyint(2) NOT NULL default '0',
`radminfaq` tinyint(2) NOT NULL default '0',
`radmindownload` tinyint(2) NOT NULL default '0',
`radminreviews` tinyint(2) NOT NULL default '0',
`radminnewsletter` tinyint(2) NOT NULL default '0',
`radminforum` tinyint(2) NOT NULL default '0',
`radmincontent` tinyint(2) NOT NULL default '0',
`radminency` tinyint(2) NOT NULL default '0',
`radminsuper` tinyint(2) NOT NULL default '1',
`admlanguage` varchar(30) NOT NULL default '',
PRIMARY KEY (`aid`),
KEY `aid` (`aid`)
) TYPE=MyISAM;
--
-- Dumping data for table `nuke_authors`
--
INSERT INTO `nuke_authors` (`aid`, `name`, `url`, `email`, `pwd`, `counter`, `radminarticle`, `radmintopic`, `radminuser`, `radminsurvey`, `radminlink`, `radminfaq`, `radmindownload`, `radminreviews`, `radminnewsletter`, `radminforum`, `radmincontent`, `radminency`, `radminsuper`, `admlanguage`) VALUES ('kralkayra', 'God', 'http://', '', '4297f44b13955235245b2497399d7a93', 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, ''); |
|
|
|
Raven
|
Posted:
Mon Jun 06, 2005 9:23 am |
|
Do you have the Admin and Author blocker settings turned on in your NukeSentinel(tm) Configuration? |
|
|
|
mds
|
Posted:
Mon Jun 06, 2005 9:28 am |
|
That's what I am trying to remember now..... I'm thinking no... I had just updated to the new version and yesterday imported info for the ip2c for USA and Canada |
|
|
|
Raven
|
Posted:
Mon Jun 06, 2005 9:38 am |
|
Well, activate it immediately, then drop that record from the author's table and recreate your admin id/pass. |
|
|
|
mds
|
Posted:
Mon Jun 06, 2005 9:41 am |
|
I can't get to my site C/P yet. I need to change the "god" account; they have changed this and deleted all other admin accounts... Can you give me a quick DB insert (info only) so I can get "god access" again? For some stupid reason I'm not getting in my C/P, probably 'cause I'm frustrated and overlooking something |
|
|
|
mds
|
Posted:
Mon Jun 06, 2005 9:44 am |
|
I've tried to edit the info... username and password, and it's still not letting me in |
|
|
|
mds
|
Posted:
Mon Jun 06, 2005 9:51 am |
|
Also, it's Sentinel 2.2.0, not 2.1.3 as stated above.
And I am into my admin C/P now |
|
|
|
mds
|
Posted:
Mon Jun 06, 2005 9:56 am |
|
Raven wrote: | Do you have the Admin and Author blocker settings turned on in your NukeSentinel(tm) Configuration? |
No, they were not activated, but are now!! I'm such a blockhead.
What's the site I've seen mentioned about PC killer, or info on what it is?
Is this something I should report to someone? And if so, who do I send it to? Sorry for the "newbie" type questions, still learning what I can about all this.
THANKS FOR BEING HERE, GREATLY APPRECIATED |
Last edited by mds on Mon Jun 06, 2005 9:58 am; edited 1 time in total |
|
|
Raven
|
Posted:
Mon Jun 06, 2005 9:58 am |
|
Use phpMyAdmin and edit your author's table. |
|
|
|
mds
|
Posted:
Mon Jun 06, 2005 10:01 am |
|
Raven wrote: | Well, activate it immediately, then drop that record from the author's table and recreate your admin id/pass. |
Should I drop the whole nuke_authors table and start that table from scratch? (7.4 original SQL) |
|
|
|
Raven
|
Posted:
Mon Jun 06, 2005 10:11 am |
|
|
|
mds
|
Posted:
Mon Jun 06, 2005 10:22 am |
|
They have also joined as a member:
INSERT INTO `nuke_users` (`user_id`, `name`, `username`, `user_email`, `femail`, `user_website`, `user_avatar`, `user_regdate`, `user_icq`, `user_occ`, `user_from`, `user_interests`, `user_sig`, `user_viewemail`, `user_theme`, `user_aim`, `user_yim`, `user_msnm`, `user_password`, `storynum`, `umode`, `uorder`, `thold`, `noscore`, `bio`, `ublockon`, `ublock`, `theme`, `commentmax`, `counter`, `newsletter`, `user_posts`, `user_attachsig`, `user_rank`, `user_level`, `broadcast`, `popmeson`, `user_active`, `user_session_time`, `user_session_page`, `user_lastvisit`, `user_timezone`, `user_style`, `user_lang`, `user_dateformat`, `user_new_privmsg`, `user_unread_privmsg`, `user_last_privmsg`, `user_emailtime`, `user_allowhtml`, `user_allowbbcode`, `user_allowsmile`, `user_allowavatar`, `user_allow_pm`, `user_allow_viewonline`, `user_notify`, `user_notify_pm`, `user_popup_pm`, `user_avatar_type`, `user_sig_bbcode_uid`, `user_actkey`, `user_newpasswd`, `points`, `last_ip`)
VALUES (401, '', 'kralkayra', '', '', '', 'gallery/blank.gif', 'Jun 06, 2005', NULL, NULL, NULL, '', NULL, NULL, NULL, NULL, NULL, NULL, '4297f44b13955235245b2497399d7a93', 10, '', 0, 0, 0, '', 0, '', '', 4096, 0, 0, 0, 0, 0, 1, 1, 0, 1, 0, 0, 0, 10, NULL, 'english', 'D M d, Y g:i a', 0, 0, 0, NULL, 1, 1, 1, 1, 1, 1, 0, 0, 0, 3, NULL, NULL, NULL, 0, '0'); |
|
|
|
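As an added example (not code from any poster, nor from PHP-Nuke or NukeSentinel), the checks done by hand in phpMyAdmin up to this point can be scripted: flag markup in nuke_config values, admin ids the owner does not recognise, and member rows that share a rogue admin's name or password hash. It runs against an in-memory SQLite copy with constructed rows; `audit`, `expected_admins`, the reduced column set and the hash values are assumptions of the example.

```python
import sqlite3

# Constructed sample rows, cut down to the columns the audit reads. The
# kralkayra rows mirror the thread; "siteowner", user 17 and hashes are invented.
SAMPLE = """
CREATE TABLE nuke_config (sitename TEXT, slogan TEXT, foot1 TEXT, foot2 TEXT);
CREATE TABLE nuke_authors (aid TEXT, name TEXT, pwd TEXT, radminsuper INTEGER);
CREATE TABLE nuke_users (user_id INTEGER, username TEXT, user_password TEXT);
INSERT INTO nuke_config VALUES ('<font class="content"><META http-equiv=refresh',
  'My slogan', '<META http-equiv=refresh content=0;URL=http://example.invalid/>', 'Footer');
INSERT INTO nuke_authors VALUES ('siteowner', 'God', 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa', 1);
INSERT INTO nuke_authors VALUES ('kralkayra', 'God', 'bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb', 1);
INSERT INTO nuke_users VALUES (17, 'regular', 'cccccccccccccccccccccccccccccccc');
INSERT INTO nuke_users VALUES (401, 'kralkayra', 'bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb');
"""

MARKERS = ("<meta", "<script", "<iframe", "http-equiv")  # markup a config value should never hold

def audit(conn, expected_admins):
    """Return (check, detail) findings; expected_admins is the owner's known-good aid list."""
    findings = []
    cur = conn.execute("SELECT * FROM nuke_config")
    cols = [d[0] for d in cur.description]
    for row in cur.fetchall():
        for col, val in zip(cols, row):
            if isinstance(val, str) and any(m in val.lower() for m in MARKERS):
                findings.append(("config_markup", col))
    for aid, pwd in conn.execute("SELECT aid, pwd FROM nuke_authors").fetchall():
        if aid in expected_admins:
            continue
        findings.append(("unexpected_admin", aid))
        # A member row reusing the rogue admin's name or hash must be removed as well.
        linked = conn.execute(
            "SELECT user_id FROM nuke_users WHERE username = ? OR user_password = ?",
            (aid, pwd)).fetchall()
        findings += [("linked_member", uid) for (uid,) in linked]
    return findings

def demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE)
    return audit(conn, expected_admins={"siteowner"})

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```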
Raven
|
Posted:
Mon Jun 06, 2005 10:32 am |
|
|
|
mds
|
Posted:
Mon Jun 06, 2005 10:41 am |
|
Yup, I did... why wasn't the IP listed?
Looks like all that was done was they added this info to my news module and deactivated 1 of my blocks that I reactivated:
TITLE :
<b><b><marquee><h1>Hacked by KRALKAYRA</h1></marquee></b></font></center><br></b>
Content:
<b><b><marquee><h1>Hacked by KRALKAYRA</h1></marquee></b></font></center><br></b>
<br><br><b>HACKER BY KRALKAYRA</b> <a target='top' href='kralkayra'><br>
<img border=0 src=http://kralkayrahan.sitemynet.com/logo2.gif></a>
<b>HACKER BY KRALKAYRA</b>
<b><b><marquee><h1>Hacked by KRALKAYRA</h1></marquee></b></font></center><br></b> |
|
|
|
mds
|
Posted:
Mon Jun 06, 2005 11:00 am |
|
Shouldn't the IP have been logged in Sentinel?
If so, if I was to re-enter his name into nuke_members, the IP should be with the user name logged in Sentinel tracked IPs, right? |
|
|
|
TheLoneInventor
New Member
Joined: Jun 06, 2005
Posts: 7
Location: Oregon, USA
|
Posted:
Mon Jun 06, 2005 7:16 pm |
|
|
|
Raven
|
Posted:
Mon Jun 06, 2005 10:41 pm |
|
mds wrote: | Shouldn't the IP have been logged in Sentinel?
If so, if I was to re-enter his name into nuke_members, the IP should be with the user name logged in Sentinel tracked IPs, right? |
You could use phpMyAdmin and just submit a query against the nsnst_tracked_ips table for his user_id. |
|
|
|
hitwalker
Sells PC To Pay For Divorce
Joined:
Posts: 5661
|
Posted:
Tue Jun 07, 2005 7:38 am |
|
Well, sorry, but I had to do it...
The hacker "kayrahakan" had his shitty account at http://domaindlx.com
See in post... http://k.domaindlx.com/kayrahakan/
So I mailed the host of the free stuff and they responded with..
The site has been terminated.
Regards,
Domain DLX Abuse Department
Now that was easy. |
|
|
|
mds
|
Posted:
Tue Jun 07, 2005 8:03 am |
|
I ran the search twice, using the user_id (401, which if he would've registered regularly should've been 399... SQL injection??)
and by username (kralkayra), and both returned no results... |
|
|
|
mds
|
Posted:
Tue Jun 07, 2005 8:14 am |
|
Thanks for the link, **Raven**.
It's not much, but I did send a donation!! Thank you for everybody's help!! And this great site |
|
|
|
TheLoneInventor
|
Posted:
Tue Jun 07, 2005 8:18 pm |
|
mds,
I've got the guy's IPs if you want them. I picked them up with the protector system, which he got through, as well as the IP tracking module, so I have an idea of where he was going as well.
68.23.169.128 - adsl-68-23-169-128.dsl.chcgil.ameritech.net
was the one last used to access my site... I notified this host of abuse, evidently an SBDC ISP out of Plano, Texas.
65.19.134.2 - is the one I believe was used to hack the site, through the forums by the look of it. 2608 URLs were hit by this IP from the kralkayra username.
Hope that helps. |
|
|
|
mds
|
Posted:
Tue Jun 07, 2005 10:26 pm |
|
Excellent.
That IP looks very familiar to me... I think I've seen it in my access logs, but didn't show them as accessing any admin files... guess I'd better go back and have a better looky see.
Thank you again |
|
|
|
|