superflash
Hangin' Around
Joined: Dec 06, 2004
Posts: 46
Posted: Mon Sep 04, 2006 1:07 pm
I have a Nuke 7.6 installation with Nuke Sentinel 2.4.2pl9 (which might not be installed properly), and someone put a long text in the footer section of my site, just before the "Page generated in 3.92 Seconds" and below the last "center block".
My question is, how did he get in and what should I look for?
Thanks in advance.
Regards.
gregexp
The Mouse Is Extension Of Arm
Joined: Feb 21, 2006
Posts: 1497
Location: In front of a screen....HELP! lol
Posted: Mon Sep 04, 2006 1:20 pm
Hmm, that's actually hard coded. I believe he uploaded a script and was able to manipulate the file contents. Does anyone have FTP accounts other than you, does your server allow anonymous FTP, and do you have any other form of upload on your account? That means anywhere below the public_html.
_________________ For those who stand shall NEVER fall and those who fall shall RISE once more!!
superflash
Posted: Mon Sep 04, 2006 2:29 pm
Thank you darklord. I suppose that I'm the only one who knows my FTP user/password, unless someone has been able to guess it, but I don't think so. I do have an image upload script that can be viewed if you are an administrator, and I have 4 other administrators, and at least two of them said they use public PCs to access and publish their stuff. Since you said that it may be hard coded, I'm guessing that there might be the fault, although the uploader checks for the image file extension and puts the image in a specific folder, and I couldn't find any extraneous file there. How else could the intruder have got in? Thank you again for your time and help.
superflash
Posted: Mon Sep 04, 2006 2:33 pm
Update:
OK, I found the intrusion in a database table: nuke_config.
The intruder gained access to (at least) this table and changed the fields foot1, foot2, foot3, and Copyright.
He also put himself in as Administrator God.
How did he do that?
Thanks in advance.
Another update:
I had a "html.php" file in the root directory to handle some text. I just deleted it; could that be the fault?
fkelly
Former Moderator in Good Standing
Joined: Aug 30, 2005
Posts: 3312
Location: near Albany NY
Posted: Mon Sep 04, 2006 3:03 pm
I'd suggest that you read through your server logs. If you can narrow down the time frame when this happened, that will help. If you can determine the IP address (perhaps of the new God Administrator), you can search on that in the logs too. He may have found a way to take advantage of your html.php file, especially if you had database access codes in there or something like that.
Sentinel can protect against intrusions through PHP-Nuke, but it can't really do much if they can get into your site through other means and change tables. You do want to make sure that Sentinel is installed correctly though.
In terms of looking at logs, I've found it really helps if you download the logs for suspicious days into a text file that you can keep and look at using your favorite editor.
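fkelly's advice (narrow the time window first, then search by IP) is easy to script once the logs are in a text file. The following is an added Python example, not code from this thread or from PHP-Nuke/RavenNuke. It assumes the host writes Apache "combined" format access logs; the log lines, IP addresses, time window and list of watched scripts (the deleted html.php, admin.php and the modules/Forums/admin directory mentioned in the thread) are constructed for illustration and should be replaced with the real ones.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Apache "combined" log format, e.g.
# 203.0.113.5 - - [04/Sep/2006:12:55:31 +0000] "GET /html.php HTTP/1.1" 200 1540 "-" "Mozilla/4.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Scripts worth a second look, taken from the thread: the html.php file that
# sat in the web root, the admin entry point, and the Forums admin directory.
# Assumed list; extend it with whatever else is exposed on your own install.
WATCH_PATHS = ("/html.php", "/admin.php", "/modules/Forums/admin/")

# Constructed sample log. The footer change was noticed shortly before 1:07 pm,
# so the window below covers the half hour or so before that.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Sep/2006:11:10:00 +0000] "GET /index.php HTTP/1.1" 200 8120 "-" "Mozilla/4.0"
198.51.100.7 - - [04/Sep/2006:12:40:02 +0000] "GET /index.php HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Sep/2006:12:55:31 +0000] "GET /html.php HTTP/1.1" 200 1540 "-" "Mozilla/4.0"
203.0.113.5 - - [04/Sep/2006:12:57:10 +0000] "GET /modules/Forums/admin/admin_users.php HTTP/1.1" 200 6200 "-" "Mozilla/4.0"
203.0.113.5 - - [04/Sep/2006:13:01:44 +0000] "POST /admin.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
203.0.113.5 - - [04/Sep/2006:13:02:00 +0000] "GET /images/logo.gif HTTP/1.1" 200 3100 "-" "Mozilla/4.0"
192.0.2.10 - - [04/Sep/2006:13:03:00 +0000] "GET /modules.php?name=News HTTP/1.1" 200 9900 "-" "Mozilla/5.0"
"""
WINDOW_START = datetime(2006, 9, 4, 12, 30, tzinfo=timezone.utc)
WINDOW_END = datetime(2006, 9, 4, 13, 10, tzinfo=timezone.utc)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def triage(lines, window_start, window_end, suspect_ip=None):
    """Requests inside the window that touch a watched script, plus every
    request from suspect_ip if one is given, in time order."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not (window_start <= rec["ts"] <= window_end):
            continue
        path = rec["path"].split("?", 1)[0]  # ignore the query string
        watched = any(path.startswith(p) for p in WATCH_PATHS)
        if watched or rec["ip"] == suspect_ip:
            hits.append(rec)
    return sorted(hits, key=lambda r: r["ts"])


def ips_by_volume(hits):
    """Which addresses account for the flagged requests, busiest first."""
    return Counter(r["ip"] for r in hits).most_common()


if __name__ == "__main__":
    found = triage(SAMPLE_LOG.splitlines(), WINDOW_START, WINDOW_END)
    for r in found:
        print(r["ts"].isoformat(), r["ip"], r["method"], r["path"], r["status"])
    print(ips_by_volume(found))
```

Run it once without a suspect address to see which script was touched first inside the window, then rerun with `suspect_ip` set to the address that `ips_by_volume` puts at the top to get that visitor's full trail, which is the same two-step search fkelly describes.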
superflash
Posted: Mon Sep 04, 2006 5:51 pm
Thank you fkelly. I checked with my web host and they said that the server logs are shared and are out of bounds for us users. It seems there isn't much I can do to locate the perpetrator. I really need to find out whether Sentinel is working or not; I might have something installed wrongly because I have done a lot of patching over and over. Thank you for taking the time to look into this.
fkelly
Posted: Mon Sep 04, 2006 6:42 pm
You really might consider another web host. I don't say that lightly, as I know what a pain it can be, but if you can't see your logs then you really are at a loss. There are many things in them that can help with diagnosing problems aside from just hacking attempts. If a file is missing, for instance, you will see messages there.
You said at the top of the thread that you have a Nuke 7.6 installation. I don't know if that means RavenNuke or not, but you might consider RavenNuke if you haven't already. If you just have Nuke 7.6 you may not have all the patches you need in addition to Sentinel, and in fact, if I'm not mistaken, you need the patches to correctly install Sentinel.
If you install the current version of RavenNuke 2.02 you will be a little behind on Sentinel updates since 2.02 was released, but the upgrade path is fairly straightforward. The upcoming release of RN (2.10) will also update Sentinel, though specifics are not yet official (I don't think).
Just a second thought on the web host. They are really giving you a lot of hooey. For my production site I use Ipowerweb, and they are about as brain dead as you are going to find, yet you still have access to your own logs. For testing I use Ravenwebhosting, and of course there you also have access to your logs. Both of these are "shared" servers running a number of sites.
superflash
Posted: Mon Sep 04, 2006 7:57 pm
Thank you fkelly. I also host on webmasters.com; I'm very comfortable with them and I have my business site there (www.deandastudios.com), but I haven't moved my other site, precisely for the reason you said: all the pain it would be to do it. Besides, they have been very nice regarding their technical support. But as I see it, I really need that log access.
I have RavenNuke 2.02.02 with the Sentinel patch up to version 2.4.2pl9, but all this is installed over several copies of old Nuke installations since September 2002; that's why I usually have problems.
Best regards,
Eduardo.
montego
Site Admin
Joined: Aug 29, 2004
Posts: 9457
Location: Arizona
Posted: Tue Sep 05, 2006 6:23 am
I would place my bets on a Forums exploit (if you have not protected your modules/Forums/admin directory, per several threads here) or your uploader script. Just because something is only accessible to admin, if it is not written to stop direct access of the scripts, exploits of individual scripts may still happen.
PHP-Nuke, or any other system, is only as good as its "weakest link". :(
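montego's point is that an "admin-only" script protects nothing if it still runs when requested by URL, and that the guard only helps when it is the first thing the script executes. One way to check an install for that is to scan what each script under the admin and module directories runs first. The following is an added Python example, not code from this thread or from PHP-Nuke, RavenNuke or phpBB. The guard forms it looks for (the `!defined('ADMIN_FILE')`, `!defined('IN_PHPBB')` and `!eregi("admin.php", $_SERVER['PHP_SELF'])` style checks common in scripts of that era), the list of protected directories, and the sample file contents are all assumptions constructed for the example.

```python
import re

# Guard forms commonly seen at the top of PHP-Nuke / phpBB era scripts. Assumed
# list; adapt it to the conventions used in your own tree.
GUARD_PATTERNS = [
    re.compile(r"""!\s*defined\s*\(\s*['"](ADMIN_FILE|IN_PHPBB|NUKE_FILE)['"]\s*\)"""),
    re.compile(r"""!\s*(eregi|preg_match|stristr|strpos)\s*\(.*(admin\.php|modules\.php)"""),
]

# Scripts under these directories are meant to be reached only through the
# front controllers (admin.php, modules.php), never by URL. Assumed list.
PROTECTED_DIRS = ("admin/", "modules/")


def leading_code(source, max_chars=400):
    """PHP after the open tag with comments removed, so we see what runs first."""
    body = source.split("<?php", 1)[1] if "<?php" in source else source
    body = re.sub(r"/\*.*?\*/", "", body, flags=re.S)       # block comments
    body = re.sub(r"^\s*(//|#).*$", "", body, flags=re.M)    # line comments
    return body.strip()[:max_chars]


def has_direct_access_guard(source):
    """True if the first statement the script executes is a direct-access guard.
    A guard placed after an include or a database call is too late: on a
    direct request that earlier code has already run."""
    first_stmt = re.split(r"[;{]", leading_code(source), maxsplit=1)[0]
    return any(p.search(first_stmt) for p in GUARD_PATTERNS)


def audit(files):
    """files maps relative path -> PHP source (e.g. read from disk).
    Returns the protected scripts whose first statement is not a guard."""
    unguarded = []
    for path, src in files.items():
        if not path.endswith(".php"):
            continue
        if not any(path.startswith(d) for d in PROTECTED_DIRS):
            continue
        if not has_direct_access_guard(src):
            unguarded.append(path)
    return sorted(unguarded)


# Constructed sample tree; the contents are illustrative, not real distribution files.
SAMPLE_TREE = {
    # Fine: the guard is the first statement executed.
    "admin/modules/settings.php": """<?php
/* admin-only script, meant to be loaded by admin.php */
if (!defined('ADMIN_FILE')) die("Illegal File Access");
$config = array();
""",
    # Fine: module script refuses to run unless loaded via modules.php.
    "modules/News/index.php": """<?php
if (!eregi("modules.php", $_SERVER['PHP_SELF'])) { die ("You can't access this file directly..."); }
""",
    # Problem: the script defines the constant itself instead of checking it,
    # so a direct request runs it in full.
    "modules/Forums/admin/admin_users.php": """<?php
define('IN_PHPBB', 1);
$phpbb_root_path = './../';
""",
    # Problem: a guard exists, but an include runs before it.
    "admin/modules/late_guard.php": """<?php
require_once('../../config.php');
if (!defined('ADMIN_FILE')) die("Illegal File Access");
""",
    # Not a script, ignored.
    "admin/index.html": "",
}


if __name__ == "__main__":
    for path in audit(SAMPLE_TREE):
        print("no leading direct-access guard:", path)
```

Anything the audit lists is a candidate for the directory-level protection montego refers to (denying web requests to the directory at the web server), since fixing every third-party script by hand rarely survives the next upgrade.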
superflash
Posted: Tue Sep 05, 2006 9:57 am
montego
Posted: Tue Sep 05, 2006 8:13 pm
BTW, regarding your host: if they are not going to give you the tools that you need to figure out how your site was exploited, then they need to do the work to figure out how. They are only opening themselves up for one hack to infiltrate other sites on the same server... Keep records of your correspondence with them, especially if they refuse to assist you. You may need that later... trust me...
superflash
Posted: Thu Sep 07, 2006 10:02 am
Great advice, I didn't think about that matter. I hope it doesn't get to that, but it is better to be prepared. Thank you.