Author |
Message |
arclight
New Member


Joined: Jun 26, 2006
Posts: 7
|
Posted:
Mon Jun 26, 2006 8:24 pm |
|
My phpnuke 7.7 site was recently exploited. I fixed a few things and they aren't getting in anymore as far as I know. However I have not figured out what is causing the last remnant of their intrusion. I get a forward to the hackers page whenever viewing the main site, or trying to use the Forums module.
On all other modules the site works like normal, however it is the main page and Forums that are affected. If you hit ESC as the main page or forums load you can go to the other modules and see that they are operational.
The site is www.txmma.com
What would be causing this problem that would be common to the main page and Forums? Also the main page is formatted differently than normal; it does not show the Forums on it normally, just the last 10 news stories.
I've already dumped and re-uploaded a backup of my themes, of all the files in the modules/forums directory, my blocks, and all of my web root files like index.php and mainfile.php. Chatserv 3.2 fixes have been applied.
Is this a file issue or database issue? Thanks. |
|
|
|
 |
Raven
Site Admin/Owner

Joined: Aug 27, 2002
Posts: 17088
|
Posted:
Mon Jun 26, 2006 9:06 pm |
|
|
|
 |
kguske
Site Admin

Joined: Jun 04, 2004
Posts: 6437
|
Posted:
Mon Jun 26, 2006 9:08 pm |
|
Check your blocks - there is probably a header / refresh in one of them. You may have to do that by manually editing your blocks table via phpMyAdmin, since it's likely to be a left block and you won't be able to enter your admin without refreshing.
Not sure why it would only affect the index and forums. Do you have a forums block on the index page? Ah...just noticed that your forum is no longer showing the forums block...maybe you can edit your blocks in the admin page. Check the forums block (disable or replace it). Then check your forums messages, and check for changes in any files on your server, especially in your modules/Forums directory and subdirectories and also in your root directory. |
_________________ I search, therefore I exist...
|
|
|
 |
arclight

|
Posted:
Mon Jun 26, 2006 9:11 pm |
|
Hmm, okay, any ideas on where to look for the offending code? I haven't figured out what has been changed yet ... all the Forums module files have been refreshed from backup. Should I dump all my nuke_bb forum entries in the db and reload with a backup? What is causing the hack screen to appear on the main page? Sorry to ask so many questions, I have spent the whole day trying to find a way to remove the defacing. Thanks.
Paul |
|
|
|
 |
kguske

|
Posted:
Mon Jun 26, 2006 9:13 pm |
|
Also, check for changes in your includes subdirectory. |
|
|
|
 |
arclight

|
Posted:
Mon Jun 26, 2006 10:00 pm |
|
Ok, found a few things that survived my initial problems. To recap:
- The stuff I cleaned out yesterday -
1. Using myegallery exploits they replaced lots of php files. Closing some of the holes and chmodding files to 444 and dirs to 555 stopped that. Can't replace MEG so that's out of the question unfortunately.
2. They were using injection to replace me as god user, changing the nuke_authors table.
- What I found now related to this thread -
1. A reference to the offending URL (http://www.hack-labs.org/indexler/index.html) was found inserted into the database appended onto a shoutbox entry, also inserted as a nuke banner code.
So for now it's fixed. I am still in the process of updating NukeSentinel, but via NukePatched 3.2 I have already replaced mainfile.php, index.php... what would still cause my index layout to be screwed up? It has to be something obvious that I'm missing.
Normally the index has left and right columns the combo center block with news and forum posts, and then 10 latest news items below. Now it has the forum and no right blocks? Would this have to be something they changed in the theme directories somewhere?
Almost fixed, thanks for any info... |
|
|
|
 |
arclight

|
Posted:
Tue Jun 27, 2006 12:31 am |
|
Ok, have completely replaced everything in the includes directory with a verified pre-hack backup.
Still getting forums on main page, no news, and missing right blocks. Mainfile.php has also been replaced with the one from chatserv's latest nukepatched.
Changing themes from admin using Preferences and from the Your Account settings has the same result. The theme changes but the main page layout remains screwed up. I am using Autotheme and I have already replaced all of the Autotheme files with a verified backup.
I checked the nuke_blocks table and it looks the same as before. Any suggestions anyone? Thanks. |
|
|
|
 |
arclight

|
Posted:
Tue Jun 27, 2006 1:10 am |
|
Never mind. I am retarded. Here's what these guys also did:
Put offending code in nuke_bbconfig so that any page displaying the forums title would do a forward to the hack site.
Then made the forums the active homepage module so that it would cause the main page to forward to the hack site.
So I changed the home module back to news and things are back to normal-ish. Now on to completing the nukesentinel upgrade... Thanks for the tips guys.
Paul |
|
|
|
 |
|
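Both database-side changes found in this thread (markup stored in nuke_bbconfig and a switched home module) show up when a current dump is compared row by row with a pre-incident one. The script below is an added example, not code from any poster in the thread. It assumes dumps taken with one INSERT per row (`mysqldump --skip-extended-insert`), and the sample rows, the `nuke_main` table name and the `example.invalid` URL are constructed for illustration.

```python
import re
from collections import defaultdict

# Markup that makes a browser leave the page once a stored value is echoed into HTML.
REDIRECT = re.compile(
    r"<\s*meta[^>]+http-equiv\W{0,4}refresh"
    r"|<\s*(script|iframe)\b"
    r"|(window|document)\.location",
    re.IGNORECASE,
)
# One INSERT statement per line, with or without a column list.
INSERT = re.compile(r"^INSERT INTO `?(\w+)`? .*?VALUES\s*\((.*)\);\s*$")

# Constructed sample dumps (assumption: not real site data).
BACKUP_DUMP = r"""
INSERT INTO `nuke_bbconfig` VALUES ('sitename','Example Forums');
INSERT INTO `nuke_main` VALUES ('News');
INSERT INTO `nuke_blocks` VALUES (1,'Modules','',1);
"""
CURRENT_DUMP = r"""
INSERT INTO `nuke_bbconfig` VALUES ('sitename','Example Forums<meta http-equiv=\"refresh\" content=\"0;url=http://example.invalid/\">');
INSERT INTO `nuke_main` VALUES ('Forums');
INSERT INTO `nuke_blocks` VALUES (1,'Modules','',1);
"""


def rows_by_table(dump_text):
    """Map table name -> set of raw row strings found in the dump."""
    tables = defaultdict(set)
    for line in dump_text.splitlines():
        m = INSERT.match(line.strip())
        if m:
            tables[m.group(1)].add(m.group(2))
    return tables


def audit(backup_dump, current_dump):
    """Return (table, row, has_redirect_markup) for every row absent from the backup."""
    old, new = rows_by_table(backup_dump), rows_by_table(current_dump)
    findings = []
    for table in sorted(new):
        for row in sorted(new[table] - old.get(table, set())):
            findings.append((table, row, bool(REDIRECT.search(row))))
    return findings


if __name__ == "__main__":
    for table, row, flagged in audit(BACKUP_DUMP, CURRENT_DUMP):
        print("REDIRECT" if flagged else "CHANGED ", table, row[:70])
```

Rows flagged `CHANGED` without redirect markup still need a manual look: the home-module switch described in the last post contains no markup at all and is only visible as a difference from the backup.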