Nash
Regular


Joined: Jan 10, 2006
Posts: 93
|
Posted:
Tue Jan 10, 2006 3:10 pm |
|
OK, my site has been hacked thrice in the last two weeks. The address is www.thesobs.net.
Admins were added, public messages created, footers changed, site title changed.
Seemed like "tagging" mostly. The first hack I got, someone put a big DIV tag in the footer which took up the whole page and had a message with the Turkish flag.
I am running a version of PHP 7.3 that I modded a bit back about a year ago or so. I spent a bunch of time putting in the latest updates and Raven, I think I used yours or Chatserv's modified script files and replaced variable assignments with specific data type assignments (i.e., data=$id to data='$id') (It was a while ago so I don't quite remember).
However, people are still getting in. I am concerned because I also run a much larger site which has similar code.
My questions would be:
1. How are they getting in? SQL injection? Union hack (I should have this blocked. Not sure what this means really).
2. What Admin program should I install? I have AdminTap from nukecops implemented as well as some code which is supposed to block union hacks, but I don't know if it works.
3. If I (should I?) upgrade to a new version of PHP-Nuke, will my modules still work correctly? I custom made my front-page module and a bunch of others as well. They don't do anything super-complex other than pull things into and out of MySQL databases and access the user name variables, etc.
This seems to happen - I spend a ton of time installing a new version of nuke, remodding my modules and files to work, finding out what bugs to fix for security, then I am good for about 6 months-1 year, get hacked, and repeat.
Thanks for your help.
 |
VinDSL
Life Cycles Becoming CPU Cycles

Joined: Jul 11, 2004
Posts: 614
Location: Arizona (USA) Admin: NukeCops.com Admin: Disipal Designs Admin: Lenon.com
|
Posted:
Tue Jan 10, 2006 4:07 pm |
|
The only surefire way I know of detecting intrusions is by going through your logs line-by-line. Personally, I do this manually, using a text editor. It's very time consuming, but...
There are some utility proggies out there that will make this task easier, but I haven't tried them.
Example: http://www.splunk.com/
I might also mention... many of these hacks depend on 'globals' being enabled on your server. You might try adding this to your .htaccess file:
Code:
#Offers protection during hacking attempts by NOT displaying error
#messages, server paths, et cetera, and turns off your globals.
php_flag display_errors off
php_flag register_globals off

That's what I run on my site[s]. Every little bit helps...
_________________ .:: "The further in you go, the bigger it gets!" ::.
|
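One way to automate part of the line-by-line log review described in the post above, narrowed to the "union hack" check Nash asked about. This is an added example, not code from the thread or from any of the tools named in it. It assumes Apache common/combined log format; the sample lines, IP addresses and parameter names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Apache common/combined format: ip ident user [time] "METHOD URL PROTO" status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
# UNION followed by SELECT, separated by whitespace or SQL comments (/**/).
GAP = r'(?:\s|/\*.*?\*/)+'
UNION_RE = re.compile(r'union' + GAP + r'(?:all' + GAP + r')?select', re.I | re.S)

def decode(url, rounds=2):
    """URL-decode repeatedly so double-encoded input (%2520) is normalised."""
    for _ in range(rounds):
        decoded = unquote_plus(url)
        if decoded == url:
            break
        url = decoded
    return url

def find_union_requests(lines):
    """Return {client_ip: [(timestamp, status, decoded_url), ...]} for flagged requests."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line; skip rather than guess
        ip, ts, _method, url, status = m.groups()
        url = decode(url)
        if UNION_RE.search(url):
            hits[ip].append((ts, int(status), url))
    return dict(hits)

# Constructed sample lines (documentation IP ranges, made-up parameters).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Jan/2006:14:01:02 -0700] "GET /modules.php?name=News&sid=12 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Jan/2006:14:03:44 -0700] "GET /modules.php?name=News&sid=1%20UNION%20SELECT%201,2 HTTP/1.1" 200 812',
    '198.51.100.7 - - [10/Jan/2006:14:03:51 -0700] "GET /modules.php?name=Search&query=x%2527%2520union%2F**%2Fselect%25201 HTTP/1.1" 200 790',
    '203.0.113.5 - - [10/Jan/2006:14:05:10 -0700] "GET /modules.php?name=Search&query=credit+union HTTP/1.1" 200 6001',
]

if __name__ == "__main__":
    for ip, reqs in find_union_requests(SAMPLE_LOG).items():
        for ts, status, url in reqs:
            print(f"{ip} [{ts}] {status} {url}")
```

A flagged line shows an attempt, not a successful injection, and a 200 status only means the page was served. GET query strings are all an access log records, so POST bodies are not covered by this check.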
 |
 |
evaders99
Former Moderator in Good Standing

Joined: Apr 30, 2004
Posts: 3221
|
Posted:
Tue Jan 10, 2006 5:21 pm |
|
If it's this same Turkish hacker, he is using exploits within phpBB. You should upgrade to the latest Patched files - includes BBToNuke 2.0.17 (probably go ahead and install 2.0.18 and 2.0.19 as well)
 |
Nash

|
Posted:
Tue Jan 10, 2006 5:23 pm |
|
Thanks for the suggestions.
I will try modding my htaccess with that.
evad - Hmm, I will check that out. The Turkish hacker I had was secretlyx, does that help? Thanks
 |
Raven
Site Admin/Owner

Joined: Aug 27, 2002
Posts: 17088
|
Posted:
Tue Jan 10, 2006 10:04 pm |
|
AdminTap is terribly outdated. Get NukeSentinel(tm) installed immediately. That will stop the adding of admins.
 |
VinDSL

|
Posted:
Tue Jan 10, 2006 10:07 pm |
|
|
|
 |
Nash

|
Posted:
Tue Jan 10, 2006 10:35 pm |
|
Yeah had a ton of sites today alone. You'd think he gets paid for it.
Rav-on is Sentinel yours?
 |
Raven

|
Posted:
Tue Jan 10, 2006 10:46 pm |
|
Basically mine and Bob's. Others have contributed but we are the main keepers.