Author |
Message |
netgoodies
Regular
Joined: Sep 26, 2005
Posts: 63
Location: Oxfordshire. United Kingdom.
|
Posted:
Mon Dec 18, 2006 8:27 am |
|
Hi
I have been visited by a numbnut who has managed to deface a file but I have not got a clue how he did it and also can't find his IP.
File affected: /signature.php
I have Nuke version 7.6 pl31, NukeSentinel v2.5.03
Can anyone help me find out how it was done and his identity?
Regards
Martyn |
|
|
|
hitwalker
Sells PC To Pay For Divorce
Joined:
Posts: 5661
|
Posted:
Mon Dec 18, 2006 9:25 am |
|
|
|
netgoodies
|
Posted:
Mon Dec 18, 2006 9:28 am |
|
Hi Hitwalker
signature.php is used for my dynamic forum signature.
Regards
Martyn |
|
|
|
hitwalker
|
Posted:
Mon Dec 18, 2006 9:30 am |
|
Did you change the permissions (chmod) on that file? |
|
|
|
netgoodies
|
Posted:
Mon Dec 18, 2006 9:33 am |
|
|
|
hitwalker
|
Posted:
Mon Dec 18, 2006 9:41 am |
|
|
|
hitwalker
|
Posted:
Mon Dec 18, 2006 9:48 am |
|
bit weird to deface it with no rights...
just upload one, and latest version....
btw I found a lot of defaced phpbb faq pages as well... |
|
|
|
netgoodies
|
Posted:
Mon Dec 18, 2006 9:48 am |
|
|
|
netgoodies
|
Posted:
Mon Dec 18, 2006 9:50 am |
|
hitwalker wrote: |
btw I found a lot of defaced phpbb faq pages as well... |
where? |
|
|
|
evaders99
Former Moderator in Good Standing
Joined: Apr 30, 2004
Posts: 3221
|
Posted:
Mon Dec 18, 2006 10:09 am |
|
Probably need access logs to see how he got in
I've not found any security reports about the dynamic signatures themselves
I'm not sure if there's a hole in Sentinel. But there are some fixes to Patched in 3.3. |
|
|
netgoodies
|
Posted:
Mon Dec 18, 2006 11:24 am |
|
Hi evaders
Yes as I suspect there would be some fixes in 3.3. I have already started working on the upgrade.
Regards
Martyn |
|
|
|
netgoodies
|
Posted:
Mon Dec 18, 2006 12:03 pm |
|
Hi
My host has responded, when asked if he could tell what had happened, with:
Quote: | From what I can tell they got in because Register Globals is enabled on the server..
This is a glaring security hole..
Make sure that you have this line in your .htaccess file in your root "public_html" folder
php_value register_globals 0 |
Forgive my ignorance but does it matter if Register Globals is on at the server rather than if it was off and I switched it on in my .htaccess? As I know that HTTPAuth requires Register Globals on.
Regards
Martyn |
|
|
|
evaders99
|
Posted:
Mon Dec 18, 2006 12:24 pm |
|
While register_globals is a security issue, it is not a hole in itself. It allows people to write sloppy code... but simple measures can be taken so that hackers cannot get in.
Your host really needs to go through the access logs to see how they got in.
Note that phpNuke itself does not require register_globals to be on, as it will turn on a workaround called import_request_variables |
|
|
|
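The access-log review evaders99 asks for, as an added example that is not part of the original thread: it parses Apache common/combined log lines and lists the requests made in the minutes before the defaced file's modification time, with POSTs and query-string requests first. The log lines, IP addresses (documentation ranges), paths and the modification time are all constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Apache common/combined prefix: host ident user [time] "METHOD path proto" status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (documentation IP ranges, made-up paths and sizes).
SAMPLE_LOG = [
    '198.51.100.7 - - [18/Dec/2006:07:58:11 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '203.0.113.9 - - [18/Dec/2006:08:01:40 +0000] "GET /signature.php HTTP/1.1" 200 812',
    '203.0.113.9 - - [18/Dec/2006:08:02:05 +0000] "POST /chat/index.php HTTP/1.1" 200 431',
    '198.51.100.7 - - [18/Dec/2006:08:02:30 +0000] "GET /modules.php?name=Forums HTTP/1.1" 200 9001',
    '203.0.113.9 - - [18/Dec/2006:08:09:00 +0000] "GET /signature.php HTTP/1.1" 200 77',
]

def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }

def carries_input(req):
    """POST bodies and query strings are where request-supplied variables arrive."""
    return req["method"] == "POST" or "?" in req["path"]

def requests_before_change(lines, changed_at, window_minutes=5):
    """Requests logged in the window leading up to the file's modification time,
    input-carrying requests first, then by time."""
    start = changed_at - timedelta(minutes=window_minutes)
    hits = [r for r in map(parse_line, lines) if r and start <= r["ts"] <= changed_at]
    return sorted(hits, key=lambda r: (not carries_input(r), r["ts"]))

if __name__ == "__main__":
    # Constructed modification time; on a live host take it from the defaced file
    # before restoring it, e.g. os.path.getmtime("signature.php").
    changed = datetime(2006, 12, 18, 8, 3, 0, tzinfo=timezone.utc)
    for r in requests_before_change(SAMPLE_LOG, changed):
        print(r["ts"].isoformat(), r["ip"], r["method"], r["path"], r["status"])
```

The modification time is only usable if it is recorded before the clean file is uploaded over the defaced one; after that, the host's backups or filesystem audit data are the remaining sources for it.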
montego
Site Admin
Joined: Aug 29, 2004
Posts: 9457
Location: Arizona
|
Posted:
Tue Dec 19, 2006 6:35 am |
|
All the same questions: do you have any of the following added to your nuke site: chat, vwar, some type of gallery or any other add-on with file upload capability?
If they mucked with your FAQs, is it the forum FAQs or the nuke module called FAQ? I.e., did they get into your database or just the forum FAQ files? |
|
|
netgoodies
|
Posted:
Tue Dec 19, 2006 6:44 am |
|
evaders99 wrote: | Note that phpNuke itself does not require register_globals to be on, as it will turn on a workaround called import_request_variables |
Yes I know but NukeSentinel does if Admin HTTPAuth is to be used. So is it best to have register_globals off and use CGIAuth instead?
I have since found out that another site on the server was hacked by the same guy before he got to me. Register_globals was turned on at server level so 1 site could test out a piece of software and was forgotten to be switched back off again.
Just seems so pathetic to just tag a site that he has been there, as no other damage caused......but I am grateful that's all that was done.
Regards
Martyn |
|
|
|
netgoodies
|
Posted:
Tue Dec 19, 2006 7:05 am |
|
Hi Montego
That's why I asked Hitwalker
netgoodies wrote: | hitwalker wrote: |
btw I found a lot of defaced phpbb faq pages as well... |
where? |
Because I cannot find anything defaced in the FAQ module or the forum faq's.
The site has X7 chat but no vwar or gallery. The forums have attachment mod installed but that's about it. No other way of uploading files.
No access was gained into the db.
The only change I can find was the defaced signature.php file.
Regards
Martyn |
|
|
|
montego
|
Posted:
Wed Dec 20, 2006 7:45 am |
|
Ok, good thing on the db. That means, though, that they have found a hole through either the forums attachment mod and/or chat. These are common security holes and definitely NOT recommended.
You may want to check through all your directories on your server and make sure they haven't deposited something else there. Look for files that you do not recognize. |
|
|
|
netgoodies
|
Posted:
Wed Dec 20, 2006 12:36 pm |
|
Hi
Well that's the crazy thing, all I can find is the signature.php defaced. I have checked through all my files for anything strange and I have even opened all files edited that day to see if there was anything in them but there wasn't.
Re-forums attachment there is no access to it unless you are a member and the chat, albeit a different one, was what was hacked on the other site on the same server. So maybe you're right that the chat was his way in.
Regards
Martyn
PS Still waiting for a reply from Hitwalker. Bit worried about what you said about the FAQ's .... Maybe I am misunderstanding you. |
|
|
|
hitwalker
|
Posted:
Wed Dec 20, 2006 2:31 pm |
|
Well, I couldn't find any hard evidence of existing hacks towards the signature but I did find a lot of defaced faq pages of phpbb, but most of it affected the whole forum as well. |
|
|
|
netgoodies
|
Posted:
Wed Dec 20, 2006 2:35 pm |
|
Oh I thought you were talking about my site... Phew. lol |
|
|
|
|