Virgin 7.6 Install - Now what should I do to secure it?

Involved Joined: Aug 06, 2005 Posts: 301

Hi everyone,

I use 'Yahoo! Small Business' for my web hosting.

After reading much about PHP-Nuke and how wonderful it is, on the www.phpnuke.org website, I decided to dowload a version and try the 'technology' for myself.

However, while browsing the administration panel of my 'Yahoo! Small Business', I noticed that PHP-Nuke is offered as a free add on to my 'Yahoo! Small Business' account. So at the click of a button I began the installation wizzard and 30 seconds later all the PHP-Nuke files appeared on my server. This seemed fantastic as I did not have to wait 3 hours for all the files to ftp.

After begining to customise the PHP-Nuke software, I then decided that I would have to add a payment system for my subscribes and I swiftly purchased 'NukeRoyal'. It was then I began having problems with the installation of 'NukeRoyal' and when I explained this to 'NukeRoyal', I was asked which version of PHP-Nuke I was running.

After a little investigation, 'Yahoo! Small Business' explained that the version was 6.5. However I noted that the look of the Forums section supplied on the version I had downloaded from 'Yahoo! Small Business' appeared different to that which is supplied on the direct download from the www.PHPNuke.org website. Upon further investigation I learned that 'Yahoo! Small Business' supply version 6.5, but with the older 'Forums system' and this is because they do not want to 'disturbe' service of existing clients of theirs.

Knowing this, I was not happy with proceeding to use version 'Yahoo! Small Business' supply, ultimately because I wanted an installation that is familiar to people who fix patches on sites such as this one, morover that any bug arrising on my site would not have the question mark hangin over it of, 'was it cause by a 'fix' or 'modification' 'Yahoo! Small Business' had interfiere with etc.

Because of all this, I went back to the PHPNuke.org website, downloaded version 7.7 and installed everything 'manually', (i.e. without using the 'Yahoo! Small Business' installation wizzard), I set up the database using 'PHPMyAdmin' and after some initial problems tryin to work out the correct configuration, everything 'kicked in' and the website became live.

I began to check that the installtion was definately succesful by clicking on the modules links on the main menu and then discovered immediately that when I clicked on the 'Forums' and 'Members List' links, a blank page was displayed.

I decided to 'wipe' everything and try to ftp all the files again, but another 3 hours later I discovered that my new installation had the same problems.

It was only then that I began to search the web for a solution, discovered this amasing website and read among other things, all the warnings as to how vunerable PHPNuke version 7.7 is.

So where am I now?

Well, I have just 'wiped' all my files again, installed/ftped PHP-Nuke Version 7.6 files to my server and created a new MySQL database.

I have not gone any further, not even created the administration account for my PHPNuke.

I have noted that the forums link on my menu is working, so I am certain that the blank pages scenario will not reoccure when I do begin to anminister and use the website.

At this point, my ultimate question is what I have to do to secure my website.

I have read some coresopondance from another user on this website, (rose38478), which read, '...I am running Nuke 7.6 patched to 3.0
Sentinel 2.3.2...'.

From this and other text I understand that there is a 3.0 patch that should be used with version 7.6, but I do not know where to locate an authentic/trusted/virus free download of this patch?

Also, I have no clude what Sentinel 2.3.2 or even who 'Sentinel' are or what it is?

I would very much appreciate someone to 'hold my hand' as I work through this (urgent) installation.

Thanking you all in advance and keep up the fantastic work you are all doing to help 'rookies' like me!

registered · Site Admin Joined: Jun 04, 2004 Posts: 6437

Welcome to RavenPHPScripts.com. Everything you need is on the front page here.

You can find the latest patch on the front page here or at the source, http://nukefixes.com, and you should install that first. You can find the latest version of NukeSentinel here or at http://nukescripts.net.

The patch contains security enhancements, and NukeSentinel is a security system. After installing NukeSentinel, check the NukeSentinel manual here or at http://64bit.us to find instructions on configuring it. If your site is being hosted on Apache (probably), I highly recommend that you configure HTTP Admin Authentication using NukeSentinel. This forces you to enter an additional password and user (it should be different than your Nuke user and your Nuke admin user) and prevents some types of attacks that don't use the database (which is what NukeSentinel protects).

Finally, search the forums here for any questions or issues - it's very likely that other 'rookies' have asked the same questions. If you can not find an answer, post another question and it will likely be answered very quickly.

Cheers,
Kevin

Posted: Sat Aug 06, 2005 9:30 am

Kevin,

Thanks for your speedy reply.

I do want to get this right first time (particularly as getting to the current stage of uploading the correct version of PHPNuke has taken 3 ftp uploads of circa 3 hours each).

So, I think it is best that this 'rookie' takes the proceedures here one step at a time.

I am using Windows XP and the servers are indeed Apache.

As I previosly mentioned, I have uploaded all PHPNuke version 7.6 files to my server space, (except all .access files, which my server does not accept).

On the http://nukefixes.com which is the correct patch download? Is it the link 'CVS 7.6'?

I note that all links are to a 'batch of directories and files', but how do I include these in my current 'Virgin' PHPNuke 7.6 instalation?

Am I right in assuming that I simply download all the files and then ftp them to my server, where I would then receive a messge explain that the file already exist and then click 'yes' to replace all files?

Thanks again in advance and once I have done this I will probably post here again about the next stage.

Posted: Sat Aug 06, 2005 9:39 am

Kevin,

I think I see that maybe I should be using the 'Nuke 7.6' link under the 'tar' files. Please advise me, although I thought 'tar' files were for Mac users only and I am not sure my pc will unzip this type of file anyway etc.

Please advise.

Posted: Sat Aug 06, 2005 9:58 am

The .htaccess file is necessary for HTTP admin authentication. You can store these files on XP, but can't edit them without giving a name before the period. I haven't tried running NukeSentinel on XP, but you might be able to use NukeSentinel to create the appropriate .staccess and .htaccess files.

CVS stands for Concurrent Version(ing) System - it's used to store and distribute changes. You want the regular Only registered users can see links on this board! Get registered or login!. The patches are cumulative, so as long as you have the most recent version you should be OK.

Most of the patch files replace the standard files that came with the standard version of 7.6 you installed, so yes, you could ftp them to your server and overwrite them.

BUT, patches AND NukeSentinel require modifications to some files - they cannot just be overwritten. These changes are carefully described in the documentation that comes with the download. If you aren't comfortable doing that, you might wish to download a distribution of PHP-Nuke that already includes the current patch and may also include NukeSentinel - though I can't recommend a good place to find that right now. However, that would likely involve another full installation. The most common problem I've seen is that one or more manual changes are missed or done incorrectly, resulting in blank pages being displayed.

Posted: Sat Aug 06, 2005 9:59 am

Most Windows compression utilities can now handle tar, which is actually a Linux / Unix standard. You can also find specific utilities for Windows that extract tar, gz, b2, etc. files.

Posted: Sat Aug 06, 2005 10:12 am

I am using the unzip utility built into windows and I am unable to ope the tar file I have downloaded.

I ususally right lick a zipped file and select 'open with', then select 'compressed (zipped) folders' option. I do not have that option when I right click the tar file.

What am I doing wrong?

Posted: Sat Aug 06, 2005 10:16 am

Using Windows... Very Happy

Try PowerArchiver, WinZip, PicoZip, etc. All have free trials and work beautifully. There is a great open source utility that handles most compression formats called Only registered users can see links on this board! Get registered or login!.

Posted: Sat Aug 06, 2005 10:28 am

I am using the unzip utility built into windows and I am unable to ope the tar file I have downloaded.

I ususally right lick a zipped file and select 'open with', then select 'compressed (zipped) folders' option. I do not have that option when I right click the tar file.

What am I doing wrong?

Posted: Sat Aug 06, 2005 10:42 am

Hi Kevin,

So where are we at now?

Well, I have now sucessfully used 7zip to unzip the 7.6 patched files.

I then ftped all the files to the server and after being notified that these files already exist on the server, I chose the option to write over any files with the same name. I assume that they have done in which case I assume that this is part 1 of the process complete? Please confirm this.

Earlier you wrote, '...BUT, patches AND NukeSentinel require modifications to some files - they cannot just be overwritten. These changes are carefully described in the documentation that comes with the download...'

I assume from this that I was correct to upload the patch first, but when I come to the next step, (of intergrating NukeSentinel), I will then have to manually adjust the code in certain files that are now already on my server. is this correct?

Also, I am still not sure what 'Sentinel' or 'NukeSentinel' is? I mean, is 'Sentinel' a company or the name of a security patch or what?

I hope to revceive your further response and guidance very shortly.

As ever, thanks in advance.

Site Admin/Owner Joined: Aug 27, 2002 Posts: 17088

Just saw the thread and I'll add in now Smile

A simple way to do the install:
- d/l the pre-patched 7.6 from here
- unpack and install
- d/l Nukesentinel v2.3.2 and install according to the instructions
- You do NOT need .htaccess nor .staccess to use the standard HTTPAuth in NukeSentinel

All should be working. Everything runs just fine under XP as long as you are using Apache Wink

Posted: Sat Aug 06, 2005 10:59 am

Raven,

Now I am confused!

I am now still at the stage of my posting above marked 2:42 am.

To confirm, I have now sucessfully used 7zip to unzip the 7.6 patched files.

I then ftped all the files to the server and after being notified that these files already exist on the server, I chose the option to write over any files with the same name. I assume that they have done in which case I assume that this is part 1 of the process complete? Please confirm this.

Earlier Kevin wrote, '...BUT, patches AND NukeSentinel require modifications to some files - they cannot just be overwritten. These changes are carefully described in the documentation that comes with the download...'

I assume from this that I was correct to upload the patch first, but when I come to the next step, (of intergrating NukeSentinel), I will then have to manually adjust the code in certain files that are now already on my server. is this correct?

Also, I am still not sure what 'Sentinel' or 'NukeSentinel' is? I mean, is 'Sentinel' a company or the name of a security patch or what?

I hope to receive your further response and guidance very shortly.

As ever, thanks in advance.

Posted: Sat Aug 06, 2005 11:05 am

I know this will be a pain, but I suggest you wipe everything and start over. It's the safest. When installing NukeSentinel, you first upload all the files. It will not overlay any core files. Then you install the NukeSentinel tables. Then you make 3 or 4 modifications to some core files. Then, if the moon is in the seventh house and Jupiter aligns with Mars, you offer a blood sacrifice to the 'gods' and all should be well ROTFL

Posted: Sat Aug 06, 2005 11:30 am

Raven,

Now I am COMPLETELY confused!

What IS NukeSentinel?

Should I not install PHPNuke Version 7.6 before I do anything else?

Posted: Sat Aug 06, 2005 11:33 am

Download the v7.6Patched from my site. It is prepatched. NukeSentinel is the best protection for your site for hack prevention. You do not need it to run nuke, but you need it to keep from being hacked.

Posted: Sat Aug 06, 2005 11:40 am

Raven,

Appologies for now appearing to be really stupid, but you have confused the issue with statements such as 'Download the v7.6Patched from my site'. I mean, should I understand this to mean that you have another site or that I should download version 7.6 from this site here.

I think it best if you would provide me with the URL of the page this download you are refering to is located.

I still do not understand what NukeSentinel is? Is it another peice of software that runs along side PHPNUke?

Finally, I just want to confirm that I understand all this correctly and how i should now be proceeding. I have already uploaded version 7.6 from the phpnuke.org website to my server and I have subsequently uploaded all the patch files to the server and told the server to delete any files that have the same name as any in the patch and replace them.

Are you now saying that your own version 7.6 of PHP-Nuke, (which I hope you will forward the URL of), already has all the up to date patch 3 files intergrated with it and that I should simply use this version?

Posted: Sat Aug 06, 2005 12:10 pm

This is my site.

Yes, the files here have already been patched.

See the NukeSentinel Forums for more on NukeSentinel. See also http://www.ravenphpscripts.com/nukesentinelmanual.html

Posted: Sat Aug 06, 2005 12:25 pm

Raven,

This is the current state of play.

My server has now had all files removed from it.

I visited the downloads section of http://www.ravenphpscripts.com and have downloaded and unzipped all the files from the 'PHPNuke v7.6 Patch Level v3.0b' link/zipped file to my local drive.

I am now uploading/ftping all those files to my server, as I did with the unpatched
PHPNuke v7.6 files that I originally downloaded from the www.phpnuke.org website.

Please confirm that everything sounds as though it should be in order so far and that I am 'doing well'.

If this is all correct so far, what should I do once all the files have uploaded?

Posted: Sat Aug 06, 2005 12:29 pm

Tangoman,

NukeSentinel, formerly referred to as Sentinel, is a security enhancement for PHP-Nuke that protects against all sorts of attacks against your website and gives you configurable options on how to deal with those attacks. For example, you can permanently or temporarily ban an IP (or a range of IPs) when someone attempts to access your administrators password in the authors table using an SQL union attack. You can also redirect harvesters (a software program that reads an entire website to harvest email addresses for spamming or other illegitimate purposes) to a warning message or to another website (e.g. the FBI).

Raven has posted a Only registered users can see links on this board! Get registered or login! - that is, a version that includes everything you have already uploaded but also has the manual modifications described in the documentation. You should not need to make any modifications to your database with this version, but simply upload it and overwrite the files and you did before.

Then, download Only registered users can see links on this board! Get registered or login! , extract the files, and upload the HTML directory to your server.

Read the documentation carefully - you will need to make simple modifications to your mainfile.php and upload the updated mainfile.php to your server before proceeding.

Finally, configure NukeSentinel (see the Only registered users can see links on this board! Get registered or login! for detailed instructions).

Posted: Sat Aug 06, 2005 1:10 pm

Raven or Kevin,

I forgot to mention that the PHPNuke version 7.6 files that I downloaded from www.phpnuke.org website, totaled circa 11MB in size, while the version I downloaded from your site totaled only circa 4.6MB in size.

Have I missed something? If so what and if not, then why is your version much smaller in size?

Posted: Sat Aug 06, 2005 2:32 pm

Are you looking at the packed or the unpacked sizes?

Posted: Sat Aug 06, 2005 8:31 pm

Raven,

To confirm, I am comparing the total size of all the files once they are unpacked/unzipped on my (windows XP) PC.

The files from the www.phpnuke.org website total 11.5MB (or 17.8MB size on disk)

The files from the download on your website total 3.59MB (or 4.60MB size on disk)

So why is there such a difference?

Posted: Sat Aug 06, 2005 8:37 pm

- FB screwed up! His file is an uncompressed tar file instead of a compressed tar.gz file. Mine is a correctly compressed RAR file. Uncompressed, mine is 12.993 meg. That's why I asked you if you were comparing compressed or uncompressed.

Posted: Sat Aug 06, 2005 8:45 pm

Raven,

Your reply does not make sence.

To confirm, I am comparing the total size of all the files once they are unpacked/unzipped on my (windows XP) PC.

The files from the www.phpnuke.org website total 11.5MB (or 17.8MB size on disk) when they are unpacked/unzipped.

The files from the download on your website total 3.59MB (or 4.60MB size on disk) unpacked/unzipped.

So why is there such a difference?

Posted: Sat Aug 06, 2005 8:50 pm

I just unpacked my download and it totals 12.993 meg, UNPACKED, so I don't know what you're doing, but the 3.59mb is the PACKED