giantmidget
Regular


Joined: Nov 27, 2005
Posts: 58
Posted: Mon Jan 02, 2006 8:55 pm
Currently, it's suspended until I can coordinate with my webhost to be available to disable the site through Sentinel and find the problem.
This is a fully patched 7.6 version of nuke, with Raven Sentinel installed, and Forums are current up through .18.
My webhost just emailed me to let me know that it had to be suspended because a script had been used to make phpnuke send out over 25,000 emails in the last 24 hours.
Do you know what could cause this? What should I look for when my site is activated again?
I would ask how to prevent this in the future, but not knowing exactly what was done, I guess I will have to wait.
-----
On a side note, maybe related, maybe not. My gt-nextgen suddenly stopped working about 2 weeks ago with no site changes. Also, I have a story database that allows users to upload text stories (Fictioneer module) which has not been acting properly either. Users can submit the first chapter, but not subsequent chapters. As an admin, I can add any.
Also, there was a folder in the stories folder, which contains username folders with the chapters they uploaded, that I could not delete. The user folders were something like 1234567890 and ___________________
I don't know if that's even related to the latest issues, but that's all the info I have at this time.
******
EDIT: I just found out my site was upgraded from PHP 4.3.11 to 4.4.1, so that may possibly be the cause of the latter. If so, I am clueless what's changed and how to rework.
VinDSL
Life Cycles Becoming CPU Cycles

Joined: Jul 11, 2004
Posts: 614
Location: Arizona (USA)
Admin: NukeCops.com / Disipal Designs / Lenon.com
Posted: Tue Jan 03, 2006 12:29 am
giantmidget wrote:
> Currently, it's suspended until I can coordinate with my webhost to be available to disable the site through Sentinel and find the problem.
> This is a fully patched 7.6 version of nuke, with Raven Sentinel installed, and Forums are current up through .18
> My webhost just emailed me to let me know that it had to be suspended because a script had been used to make phpnuke send out over 25,000 emails in the last 24 hours.
> Do you know what could cause this ? What should I look for when my site is activated again ?
> I would ask how to prevent this in the future, but not knowing exactly what was done, I guess I will have to wait.

You might want to investigate this thread...
http://www.ravenphpscripts.com/postx7750-0-0.html
_________________ .:: "The further in you go, the bigger it gets!" ::.
giantmidget

Posted: Tue Jan 03, 2006 2:07 pm
Do you have a working update? I currently use Raven's PHP 7.6 package.
How would I find out whether the exploit was indeed done through the feedback / recommend us module?
--------------
I just accessed my site and found one blocked IP for script abuse. They uploaded something supposedly as a story, but it had script. It had a lot of red and green commands. This site would not let me repost it or PM it.
Would anyone care to have a look at the abuse email I got? Also, is it possible the script hack happened, blocked the IP, but the damage was done and allowed emails to go out?
giantmidget

Posted: Tue Jan 03, 2006 3:24 pm
In my modules folder, I found the following and deleted them:
  dark.php
  drk.php
  inc.php
  mmm-dont.php (script title: Spammer r3l04d3d by cyb3rc0d3r)
All seemed to be bad files.
I run SPChat on the site, and also, the primary thing on my site is a fanfiction database which allows users to upload stories as text files with minimal html like <center>
Any ideas on what to do? Or how this happened?
Also, I have a folder in my stories folder named: 12345678910111213
I cannot delete this folder for some reason. This stories folder contains site users' folders who upload stories, and their text for each chapter.
Also, are any passwords compromised, and if so, what do I need to do to secure?
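The post above found four unexpected .php files sitting in the modules folder, and the next reply points at a module that let remote files be uploaded. A simple way to catch that kind of drop on the next pass is to compare the modules tree on disk with a manifest of the files that are known to belong to the installed package. The script below is an added example, not code from the thread or from PHP-Nuke: the manifest entries and the sample tree are constructed for the example, only the four rogue file names come from the post, and the `mail(` check is just a hint tied to the mass-mailing reported here, not a signature.

```python
"""Inventory check for a PHP-Nuke style modules/ tree.

Added example (not code from the thread or from PHP-Nuke): compares what is
actually on disk under modules/ with a manifest of files the admin knows
belong there, and reports anything extra. The rogue file names come from the
thread; the manifest entries and the sample tree are constructed here.
"""
import os
import tempfile

# Files the admin knows should be present (constructed example manifest;
# in practice generate it from a clean copy of the same package version).
KNOWN_GOOD = {
    "modules/News/index.php",
    "modules/Forums/index.php",
    "modules/SPChat/index.php",
}

# Names the post reports as deleted from the modules folder.
REPORTED_ROGUE = {"dark.php", "drk.php", "inc.php", "mmm-dont.php"}


def scan_modules(root):
    """Return a sorted list of (relative_path, reasons) for files that need a look."""
    findings = []
    for dirpath, _dirs, files in os.walk(os.path.join(root, "modules")):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            reasons = []
            if rel not in KNOWN_GOOD:
                reasons.append("not in manifest")
            if name in REPORTED_ROGUE:
                reasons.append("name matches file reported in thread")
            if name.lower().endswith(".php") and rel not in KNOWN_GOOD:
                with open(full, "rb") as fh:
                    body = fh.read()
                # Unexpected PHP that sends mail is worth reading first,
                # given the 25,000 emails the host complained about.
                if b"mail(" in body:
                    reasons.append("unexpected file calls mail()")
            if reasons:
                findings.append((rel, reasons))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed modules/ tree with one planted mass-mailer stand-in."""
    root = tempfile.mkdtemp(prefix="nuke-")
    samples = {
        "modules/News/index.php": "<?php echo 'news'; ?>",
        "modules/Forums/index.php": "<?php echo 'forums'; ?>",
        "modules/SPChat/index.php": "<?php echo 'chat'; ?>",
        # Constructed stand-in for the dropped file; not the real script.
        "modules/mmm-dont.php": "<?php foreach ($list as $to) { mail($to, $s, $m); } ?>",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, reasons in scan_modules(build_sample_tree()):
        print(rel, "->", "; ".join(reasons))
```

Run it against the real document root with `scan_modules("/path/to/site")` after filling KNOWN_GOOD from a clean copy of the same package; anything listed is a file to read before deleting, since the file contents are the only record of what the script actually did.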
technocrat
Life Cycles Becoming CPU Cycles

Joined: Jul 07, 2005
Posts: 511
Posted: Tue Jan 03, 2006 6:15 pm
SPChat has a hole in it that allows remote files to be uploaded. That's where you got attacked. I would suggest turning it off and changing all your admin passwords, and your db password.
giantmidget

Posted: Wed Jan 04, 2006 2:38 pm
What about Fictioneer? Is that a possible hole?
What it does is take general info like title, username, summary, and also saves a .txt file in that user's folder. Could this be a possible way for this to happen?
If so, my popular site is in major trouble, as the fanfiction database is the only reason anyone goes to it.
Referring to my database password, do you mean the one listed in my config.php?
jaded
Theme Guru

Joined: Nov 01, 2003
Posts: 1006
Posted: Wed Jan 04, 2006 2:42 pm
Guardian2003
Site Admin

Joined: Aug 28, 2003
Posts: 6799
Location: Ha Noi, Viet Nam
Posted: Wed Jan 04, 2006 3:30 pm
giantmidget wrote:
> What about Fictioneer ? Is that a possible hole ?
> What it does is take general info like title, username, summary, and also saves a .txt file in that users folder. Could this be a possible way for this to happen ?
> If so, my popular site is in major trouble, as the fanfiction database is the only reason anyone goes to it.

It is certainly possible, as a quick check of the files reveals there is no real checking of what is submitted, but I'm only aware there was a problem with V1.0; I cannot remember what the exact issue was with it.
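The reply above says the story module does no real checking of what is submitted, and earlier posts describe what it stores: chapter text with minimal HTML such as <center>, written as a .txt file into a per-user folder. The two checks a module like that needs are shown below as an added example; this is not the Fictioneer module's own code, and the tag allowlist, size limit, username rule and sample chapters are all assumptions constructed for the example.

```python
"""Input checks for a story-upload module that stores chapters as .txt files.

Added example, not the Fictioneer module's own code. It shows the two checks
the reply above says are missing: vetting the submitted text (only a small
set of harmless tags such as <center>, no PHP or script) and deriving the
on-disk path from the username without trusting it. The tag allowlist, limits
and sample inputs are constructed for this example.
"""
import os
import re

ALLOWED_TAGS = {"center", "b", "i", "br", "p"}  # assumption: what the site permits
MAX_CHAPTER_BYTES = 200_000                      # assumption: generous for a text chapter

TAG_RE = re.compile(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)[^>]*>")
PHP_OPEN_RE = re.compile(r"<\?|<%")              # <?php, short <? and ASP-style tags
EVENT_ATTR_RE = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)


def validate_chapter(text):
    """Return (ok, reason). Accepts plain text plus tags from ALLOWED_TAGS only."""
    if len(text.encode("utf-8")) > MAX_CHAPTER_BYTES:
        return False, "chapter too large"
    if PHP_OPEN_RE.search(text):
        return False, "contains a PHP/ASP open tag"
    for m in TAG_RE.finditer(text):
        tag = m.group(1).lower()
        if tag not in ALLOWED_TAGS:
            return False, "disallowed tag <%s>" % tag
        if EVENT_ATTR_RE.search(m.group(0)):
            return False, "event handler attribute on <%s>" % tag
    return True, "ok"


USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")  # assumption: site username policy


def safe_story_path(base_dir, username, chapter):
    """Build <base_dir>/<username>/chapterNNN.txt, refusing anything that leaves base_dir."""
    if not USERNAME_RE.match(username):
        raise ValueError("username not allowed as a directory name")
    chapter = int(chapter)
    if not 1 <= chapter <= 999:
        raise ValueError("chapter number out of range")
    path = os.path.join(base_dir, username, "chapter%03d.txt" % chapter)
    real_base = os.path.realpath(base_dir)
    if not os.path.realpath(path).startswith(real_base + os.sep):
        raise ValueError("path escapes the stories directory")
    return path


def path_allowed(base_dir, username, chapter):
    """True if safe_story_path accepts the inputs, False if it rejects them."""
    try:
        safe_story_path(base_dir, username, chapter)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample submissions, one plain and one carrying a PHP tag.
    for sample in ("Chapter one.<center>Title</center><br>More text.",
                   "<?php mail('x@example.invalid', 's', 'm'); ?>"):
        print(validate_chapter(sample))
    print(safe_story_path("stories", "reader42", 3))
```

The extension is fixed to .txt and the file name is built by the server, so whatever a user types never becomes a path component; the tag allowlist is deliberately tiny because the site only needs <center> and a few inline tags, and anything outside it is rejected rather than stripped so the author can see why the chapter bounced.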
giantmidget

Posted: Wed Jan 04, 2006 4:32 pm
I received one abuse report, but I am not sure it was a script hack; possibly it was someone trying to put up a flashy story title.
The script was:
  Script created by Lefteris Haritou
  (lef@the.forthnet.gr)
  Permission granted to Dynamicdrive.com to feature the script
  For more DHTML scripts, visit Dynamicdrive.com
and the messages put in the script were title, summary, etc.
Now, with the SPChat exploit, would that get by Sentinel?
Raven
Site Admin/Owner

Joined: Aug 27, 2002
Posts: 17088
Posted: Thu Jan 05, 2006 1:34 am
As stated many times, NukeSentinel(tm) cannot and does not police third party scripts.