Configuration Exploit?

Posted: Sun Mar 26, 2006 5:24 pm

Hi,

One of my sites running an older version of php-nuke (not sure of version anymore maybe 7.6 standard) with a few of the fixes added to the mainfile.php file for common auth exploits. But I've hard coded most of that stuff to never be a worry.

But this recent night my configuration details were 'hacked' and my settings all deleted and the title of the site via the configuration was changed. They couldn't create or delete the authors so couldn't change anything.

My questions is (I've done a rough search) does anyone know of this exploit/hack and how do I fix against it. My many modifications don't readily allow for a simple patch copy over files, so a type of code fix would be ideal.

But any help or knowledge of where to look, as I don't know how they did it.

registered · Site Admin Joined: Jun 04, 2004 Posts: 6437

Are you saying that your preferences table was changed? If so, that sounds like a union attack. If you're not running NukeSentinel there, you should since it stops most of those types of attacks (and most other, too). The caveat is that all the modules have to use standard Nuke database access methods. So, if you use something unusual, NukeSentinel may not protect in that area.

Or, did a file (not a database table) get changed on your server? If so, something is allowing inappropriate access. Maybe the file settings were incorrect, or maybe there was a script that allowed access through a backdoor. Were you running a chat or photo gallery module?

Did you check your logs to see what was happening?

Posted: Mon Mar 27, 2006 1:31 am

Yes the nuke_config table appears to be the one they changed.

Can I intergrate NukeSentinel into 7.2 with ease?

registered · Posted: Mon Mar 27, 2006 10:29 am

I see this alot with sites that run coppermine or SPChat. Would you happen to be using either?

Posted: Mon Mar 27, 2006 6:42 pm

No I don't run coppermine or SPChat, we I don't know what they are so I assume I don't run 'em Smile

I have 4 php-nuke sites and only one was 'defaced'. Tho the later two are running 7.6 patched and RavenNuke so I doubt they'll be defacable.

Posted: Mon Mar 27, 2006 8:42 pm

Was the defaced site running NukeSentinel or any other security addon?

Posted: Tue Mar 28, 2006 6:20 pm

No it wasn't. Hence my later question of the possibility or ease of intergrating it into a 7.2 version of php-nuke. Also the same question for a 6.5 version of php-nuke.

Due to the restrictions on the character set allowed in user accounts I can't update earlier php-nukes.

Posted: Tue Mar 28, 2006 8:28 pm

I'm pretty sure it's being used with 7.2, and I think VinDSL might be using with his heavily modified 6.5 version. I guess it depends on how much you want to take on with modifying the code. It might not be hard, but you can get the latest patches for 6.5...

Posted: Wed Mar 29, 2006 5:32 pm

I'll have to give it a look and see.

I know that later patched versions of php-nuke have serious issues with account like Rümßäär (which I have used on my 6.5 install for years now) and other 'fancy' or foreign language usernames so I'm unsure to what level I can patch 6.5 and not break it for my real users.

Not sure if 7.2 will have the same issue with user accounts.

It's funny how for a multi-langauge 'support' system like php-nuke no longer allows even the most basic foreign characters from say the German character set Smile

Look's like I have some serious investigation and work to do, which is most likely way beyond my skill level.

Thx anyways.