Hacked need help

Regular Joined: Sep 11, 2004 Posts: 84

Somebody hacked my site today and somehow changed the title of every side block and news block. It has also changed the articles and stories heading too.

Only registered users can see links on this board! Get registered or login! to see what has happened.

Where would this be called up from?

Thanks in advance

Posted: Mon May 01, 2006 11:05 am

I think but I am not sure, but nuke sentinel has been screwed with......

In my php admin the table nuke_nsnst_tracked_ips has an error.

Quote:

Error

SQL query: Edit

SHOW INDEX FROM `nuke_nsnst_tracked_ips` ;

MySQL said: Documentation
#1016 - Can't open file: 'nuke_nsnst_tracked_ips.MYI' (errno: 145)

It looks like my problem is here........

Posted: Mon May 01, 2006 11:30 am

In my php admin the table nuke_nsnst_tracked_ips

Does not exist and it sez that the table has crashed.

Any suggestions??

Posted: Mon May 01, 2006 12:00 pm

Check server logs to see if you can determine what happened and what IP it came from. If you can and you can isolate it to an IP then ban that one in .htaccess immediately.

Restore the tables from the recent backup that you have. Probably should dump the current tables out to a sql file that you can look at later.

It would be helpful if you'd post Nuke Version, patch level and Sentinel level.

Posted: Mon May 01, 2006 12:16 pm

I am using 76v2.02.....

As for the patch level (havent installed one) and nuke sentinel (came with the pkg)

I fixed the table for Sentinel.

So you think I should restore my tables with my most recent backup?

Posted: Mon May 01, 2006 2:19 pm

My admin block and waiting content block are uneffected by the hack if that helps.......

Posted: Mon May 01, 2006 3:10 pm

Sorry, been out but was thinking. To help out with some questions that others may have maybe you could post a description of what you did to load RN 2.02. I ask because it's obvious that you have somehow incorporated content from your old web page and I think folks would be interested in how you accomplished that and whether any of the tables from the Ravennuke install have been "compromised". For instance, did you run the installSQL.php program and go thru all the steps in it? Then do the setup.php step and customize Sentinel. And after that did you restore any/all of your old tables on top?

Also, assuming your host supports it, you might want to download recent log files onto your home pc so you have them available for "forensics" whenever you have time to go into it. Sometimes log files disappear from a host after a while and you might need to look at these over time. I know one thing I've done after I find a suspicious IP address is to use the find command in Firefox to step thru the logs (or in an editor if I've downloaded them) and sort of trace what that IP address was doing on the system. Sometimes you can reconstruct what they did.

You might also want to just check your authors table to make sure that didn't get compromised.

Posted: Mon May 01, 2006 3:26 pm

fkelly wrote:

Sorry, been out but was thinking. To help out with some questions that others may have maybe you could post a description of what you did to load RN 2.02. I ask because it's obvious that you have somehow incorporated content from your old web page and I think folks would be interested in how you accomplished that and whether any of the tables from the Ravennuke install have been "compromised".

Not sure what you meant here: I did transfer over my members from a pn nuke site, if that is what you mean?

fkelly wrote:

For instance, did you run the installSQL.php program and go thru all the steps in it? Then do the setup.php step and customize Sentinel. And after that did you restore any/all of your old tables on top?

I followed all the instructions in the doc files when I installed this.

fkelly wrote:

You might also want to just check your authors table to make sure that didn't get compromised.

What would I be checking for, gotta tell ya I'm kinda green with phpnuke so bear with me..........

Posted: Mon May 01, 2006 4:25 pm

FYI

I am now having the same issue when lookin with myphpadmin, and I have made no changes recently. Can you please PM me the IP if you have one or post it here so we can compare notes?

Thanks,
Stang

Posted: Mon May 01, 2006 4:30 pm

I just noticed that I posted this in the wrong place........

I posted another one here:
http://www.ravenphpscripts.com/postt9512.html

We should probably delete this one (Raven?) and compare notes on that thread Stang5_0?

What is the url of your site?

Posted: Mon May 01, 2006 4:43 pm

Um....
Isn't that the url of this thread?

Posted: Mon May 01, 2006 4:46 pm

Your right, sorry.....

As you can see it has been a very long and trying day.

Here is the right one
http://www.ravenphpscripts.com/postt9516.html

registered · Posted: Mon May 01, 2006 5:46 pm

You could try to repair the table

Code:




REPAIR TABLE `nuke_nsnst_tracked_ips` ;

They probably did this to remove the traces of the attack. In which case, you will need to go to your server access logs

Posted: Mon May 01, 2006 6:07 pm

I did repair the table and it is still there......

registered · Site Admin Joined: Jun 04, 2004 Posts: 6437

Sorry to jump in - since this thread is in the WYSIWYG forum - was that intentional?

Ooops - I saw the post in the other thread. Should we close this one?