# Keep me safe..



## cnelson04 (Dec 29, 2003)

My site got hacked.. visionstudios.be it's fine now. I run PHPNUKE not the newest version but not extremely old either, i have 7.6 or 7.7 i THINK. I got hacked by some Turkish hacker group. I'd like to know how to keep my site safe. What holes i need to patch up and stuff. And will limiting the IP address that can access admin.php work without doing anything else? If it can what do i have to do? Thanks. -cnelson.


----------



## covert215 (Apr 22, 2006)

What was hacked?

There are people who look around for specific CMSs and try to hack them. Was it an SQL Injection?


----------



## thecoalman (Mar 6, 2006)

I'm not familiar with phpnuke but the first place to start is to password protect the admin folders with htaccess. At the very least you'll prevent anyone from accessing the admin files directly.


----------



## haswalt (Nov 22, 2004)

what i would suggest is not using phpnuke. not sure about the latest version but all i ever see about phpnuke on help sites is "I got hacked". Nuke seems to me to be quite easy to hack.

Try using a stronger password, htaccess directories as before and get a good coder to add some script breaking functions to your nuke code to prevent sql injections and code being entered in forms. Any stuff that phpnuke does in this regard does not seem to be powerful enough.

Thanks,

Harry


----------



## cnelson04 (Dec 29, 2003)

Well i'd like to stay with phpnuke since i like it, but if i have to switch i guess i have to.. How would i use htaccess to protect the admin folder? and also how can i go about adding the script breaking part? thanks. -cnelson.


----------



## haswalt (Nov 22, 2004)

well to htaccess protect you'll have to look up htaccess on google you'll get a good selection of tutorials since i can't remember the code off the top of my head and am at work so have no reference.

to prevent the injections and such use some simple addslashes($variable); to your form data. another way is to actually check all data for content that is harmful.

I suggest doing a search on codewalkers.com or on google for sql injection + php.

Thanks,

Harry
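
An added example, not part of the post above and not PHP-Nuke's own code: the same lookup written once with the form value concatenated into the SQL and once with a bound parameter, which keeps form data out of the SQL text without relying on escaping. The `nuke_authors` table, its rows and the in-memory SQLite database are constructed for illustration and assume the `pdo_sqlite` extension.

```php
<?php
// Added example, not PHP-Nuke code. The table and rows are constructed;
// an in-memory SQLite database (pdo_sqlite) stands in for the site's database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE nuke_authors (aid TEXT PRIMARY KEY, radminsuper INTEGER)");
$db->exec("INSERT INTO nuke_authors VALUES ('admin', 1), ('editor', 0)");

// Weak form: the submitted value is pasted into the SQL text, so quote
// characters in it are parsed as SQL syntax instead of data.
function is_super_concat(PDO $db, string $aid): bool
{
    $sql = "SELECT radminsuper FROM nuke_authors WHERE aid='" . $aid . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row !== false && (int)$row['radminsuper'] === 1;
}

// Hardened form: the statement is fixed and the value is bound to a
// placeholder, so it can only ever be compared against the aid column.
function is_super_bound(PDO $db, string $aid): bool
{
    $stmt = $db->prepare("SELECT radminsuper FROM nuke_authors WHERE aid = :aid");
    $stmt->execute([':aid' => $aid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && (int)$row['radminsuper'] === 1;
}

// Constructed form values: two real accounts and one crafted string.
$samples = ['admin', 'editor', "nobody' OR radminsuper=1 --"];
foreach ($samples as $aid) {
    printf("%-30s concat=%-5s bound=%s\n",
        $aid,
        var_export(is_super_concat($db, $aid), true),
        var_export(is_super_bound($db, $aid), true));
}
```

Only the concatenated version reports the crafted string as a super admin; the bound version treats the whole string as an account name that does not exist.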


----------



## cnelson04 (Dec 29, 2003)

Well nuke already checks all forms for HTML, i think someone used some vbscript through IE and the way IE interprets it is it lets the user type any command, or maybe they stole my cookie?


----------



## covert215 (Apr 22, 2006)

Your cookie would have nothing to do with it. What exactly was done to the page? What modules were affected?


----------



## thecoalman (Mar 6, 2006)

covert215 said:


> Your cookie would have nothing to do with it.


That's possible, there were a few issues with phpbb not so long ago where a hacker was able to obtain an admin cookie. I even know one very large site nearly as big as this one where it happened because the board wasn't updated. If you're familiar with phpbb that is one reason you now have to relogin to gain access to the admin panel.


----------



## haswalt (Nov 22, 2004)

i know that form data is checked for html, but not for some php commands. i know this for a fact because i did some work on a nuke site for a friend who got hacked via this method. phpnuke will clean out most html, and some command php code, but does not do enough to prevent sql injections properly or php code, most persistent hackers can get into nuke quite easily.

Cookies is a reasonable idea for the attack cause but how to fix it? disallow cookies is the singular way i can think of but it's annoying, or modify the admin section so no admin cookies are saved?

Thanks,

Harry


----------



## cnelson04 (Dec 29, 2003)

It seems only if someone logged in as an admin, or by some outside way, posted a message with images of the hackers name and website and such and also changed some site info like the title, and copyright info. So i changed it back, changed my admin password and now i'm not sure what to do? I did read somewhere that it is possible to type vbscript in IE and call the cookies from a site. And if my site cookies are set to almost infinite. This is the default nuke setting, it won't be hard for the hacker to do this right? The article is here; http://phpnuke.org/modules.php?name=PHP-Nuke_HOWTO&page=hacked-now-what.html
what one should i do, or all?


----------



## haswalt (Nov 22, 2004)

well do the first one, it's always worth checking.


you have done the second one.

no point doing the second one because nobody will listen, trust me tried before.

the apache one can be very helpful and is pretty secure. some servers already use admin use so be careful and if you are on shared hosting you most likely don't have that kind of access.

ip range is no good unless you and the other admin/moderators have fixed ips otherwise you will forever be changing the ip setting.

no idea whether the protector module is any good.

worth checking for weaknesses in any modules you have.

what was the reason for sticking so solidly to php-nuke?

Harry


----------



## cnelson04 (Dec 29, 2003)

Well i already have a good amount of content on my nuke site. This is the main reason. And its only me accessing the admin area and i believe i have a static IP since i connect through cable? So could i limit only my ip to login to the admin area? Thanks. -cnelson.


----------



## haswalt (Nov 22, 2004)

yes, if you have access to the firewall setting only allow your ip access to that area.

you could also use .htaccess to block all ips but yours,

same as with the apache settings or just add some simple php checks to find your ip and check it's really you.

Thanks

Harry


----------



## cnelson04 (Dec 29, 2003)

What would be the easiest way, some php code i figure? But what would be the code? And how secure is this way?


----------



## haswalt (Nov 22, 2004)

well bearing in mind unless your whole server is compromised no-one else is going to have access to the code so here is some that may help:

i suggest storing your ip somewhere secure in a file no-one else can find

say ip.txt which you have hidden and denied access to contains your ip:

192.168.100.38

then our php code does this:


```
<?php

//make sure that people aren't trying to send data through globals.
//just to make sure
if(isset($myIP)){
     //clear it
     unset($myIP);
}

//get ip from file we saved; trim() drops the trailing newline most editors add
$myIP = trim(file_get_contents("path/to/ip.txt"));

//if our ip doesn't match the one recorded before then redirect to index
if($myIP !== $_SERVER['REMOTE_ADDR']){
     header("Location: ../index.php");
     //stop here, otherwise the rest of the admin page still runs
     exit;
}

?>
```
This must go at the very top of your page not anywhere else otherwise the redirect won't work.

This is a really basic and probably not that secure method. either someone here will have a better one or you can google now i have given you an idea.

You could always use htaccess on the admin directory tho probably easier and safer.

Create a new file in the admin folder called .htaccess and in it put the following:


```
# deny everyone first, then let the listed address back in
order deny,allow
deny from all
allow from xxx.xx.x.x
```
where xxx.xx.x.x is your ip address. you can allow multiple users by duplicating the allow from xxx.xx.x.x line and changing the ip there. Also you can allow domain names as well, so if you have a dynamic ip address you could use a no-ip.org dns to detect yourself.

hope that helped if you don't understand don't hesitate to complain. :up:

Thanks,

Harry
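
An added example, not part of the post above: the PHP address check generalised to a list of addresses and CIDR ranges, failing closed on anything it cannot parse. The function name `ip_allowed`, the allowlist values and the test addresses are constructed for illustration.

```php
<?php
// Added example: true when $remote matches any allowlist entry.
// Entries are single addresses or CIDR ranges, IPv4 or IPv6.
function ip_allowed(string $remote, array $allowlist): bool
{
    $addr = @inet_pton($remote);
    if ($addr === false) {
        return false;                       // unparsable address: fail closed
    }
    foreach ($allowlist as $entry) {
        $parts = explode('/', trim($entry), 2);
        $net = @inet_pton($parts[0]);
        if ($net === false || strlen($net) !== strlen($addr)) {
            continue;                       // bad entry or other address family
        }
        $maxBits = strlen($net) * 8;
        if (isset($parts[1]) && !ctype_digit($parts[1])) {
            continue;                       // malformed prefix must not match
        }
        $bits = isset($parts[1]) ? (int)$parts[1] : $maxBits;
        if ($bits > $maxBits) {
            continue;
        }
        $bytes = intdiv($bits, 8);          // whole bytes covered by the prefix
        $rem = $bits % 8;                   // leftover bits in the next byte
        if (substr($addr, 0, $bytes) !== substr($net, 0, $bytes)) {
            continue;
        }
        $mask = (0xFF << (8 - $rem)) & 0xFF;
        if ($rem === 0 || (ord($addr[$bytes]) & $mask) === (ord($net[$bytes]) & $mask)) {
            return true;
        }
    }
    return false;
}

// Constructed allowlist (the thread keeps a single address in ip.txt).
$allow = ['192.168.100.38', '10.20.0.0/16'];

// In admin.php the check would use the TCP peer address, never a
// client-supplied header such as X-Forwarded-For:
//   if (!ip_allowed($_SERVER['REMOTE_ADDR'] ?? '', $allow)) { http_response_code(403); exit; }

// Constructed test addresses so the block runs from the command line.
foreach (['192.168.100.38', '10.20.7.9', '10.21.0.1', 'not-an-ip'] as $ip) {
    echo str_pad($ip, 16), ip_allowed($ip, $allow) ? "allowed" : "denied", "\n";
}
```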


----------



## cnelson04 (Dec 29, 2003)

Ok, how do i create the htaccess file? just .htaccess with the stuff inside it? and will this mess up any other part of my site? And this will only allow me to access the admin folder correct?


----------



## covert215 (Apr 22, 2006)

you need to place your .htaccess in the proper location.

do you have cPanel? if so, you can do this automatically through it.


----------



## thecoalman (Mar 6, 2006)

cnelson04 said:


> Ok, how do i create the htaccess file?


Open up notepad and paste the code in it. Save as .htaccess and upload that to the folder you want to protect. The emphasis here is that it's .htaccess not htaccess.txt.



> and will this mess up any other part of my site?


The htaccess file will affect any directory or sub directory that it's placed in. If you upload it to www.yoursite.com/ it will affect every folder on your site. If you upload it to www.yoursite.com/admin/ it will only affect that directory and any sub directories like www.yoursite.com/admin/something/



> And this will only allow me to access the admin folder correct?


Correct, have someone on another computer test it to make sure it's working properly.


----------



## cnelson04 (Dec 29, 2003)

I do have cpanel, how can i do it automatically?


----------



## covert215 (Apr 22, 2006)

Click the password protected folders icon. Set up passwords for specific folders and it will create the .htaccess for you.


----------



## cnelson04 (Dec 29, 2003)

But will people be able to hack the .htaccess file for the password? i mean i can just create one with my ip right?


----------



## covert215 (Apr 22, 2006)

There is no way to hack the .htaccess file unless the person can somehow obtain admin access to the server. In that case, your site is ****** anyways.


----------



## cnelson04 (Dec 29, 2003)

Ok, i will do this then, will this also prevent direct access to the file like if some script kiddie called it like.. "vb script exploit here" "admin.php=op.message%post&new&id=1:message here" "end of vb script" cause i heard that if you pass vb through IE, it will process it due to its poor coding.. thanks. -cnelson.


----------



## covert215 (Apr 22, 2006)

correct, you will need to enter a password to access anything within the folder


----------



## cnelson04 (Dec 29, 2003)

Ok, great. -cnelson.


----------



## covert215 (Apr 22, 2006)

have you tested it out yet?

also, which module was compromised?


----------



## cnelson04 (Dec 29, 2003)

I haven't tested it yet my host is changing servers and my site is down, but it seems like they posted a message, and changed the title and some other options within PHPNUKE so i don't know if they just hacked the password or used a script?

btw; the password was very easy. its much harder now.


----------



## cnelson04 (Dec 29, 2003)

I did .htaccess then admin.php wouldn't load at all. so i took it off and it still won't load.. any ideas? thanks.. i need to get this fixed. i also tried to upload admin.php and it still won't load. just shows the very top of the box that says admin menu then nothing else loads..


----------



## cnelson04 (Dec 29, 2003)

Is there any way in cpanel to resort back to a later date? =\


----------



## covert215 (Apr 22, 2006)

delete your cookie then try to log in again


----------



## cnelson04 (Dec 29, 2003)

ok, but i also tried to login on another computer and still got the same problem.


----------



## covert215 (Apr 22, 2006)

Then something else is corrupted. Try to re-upload user.php


----------



## cnelson04 (Dec 29, 2003)

I did try to upload admin.php a couple times now, doesn't seem to work, but i found these errors;
Warning: dir() has been disabled for security reasons in /home/cnelson/public_html/admin.php on line 227

Fatal error: Call to a member function on a non-object in /home/cnelson/public_html/admin.php on line 228

here are lines 220-235


```
$row = $db->sql_fetchrow($db->sql_query("SELECT radminsuper FROM ".$prefix."_authors WHERE aid='$aid'"));
	$radminsuper = intval($row['radminsuper']);
	if ($radminsuper == 1) {
		OpenTable();
		echo "<center><a href=\"".$admin_file.".php\"><font class='title'>"._ADMINMENU."</font></a>";
		echo "<br><br>";
		echo"<table border=\"0\" width=\"100%\" cellspacing=\"1\"><tr>";
		$linksdir = dir("admin/links"); // line 227
		while($func=$linksdir->read()) { // line 228
			if(substr($func, 0, 6) == "links.") {
				$menulist .= "$func ";
			}
		}
		closedir($linksdir->handle);
		$menulist = explode(" ", $menulist);
		sort($menulist);
```
please someone help..


----------



## covert215 (Apr 22, 2006)

hmmm...

i guess that you can't make file calls into protected files....i wonder if there is a loophole


----------



## cnelson04 (Dec 29, 2003)

Well right now all i want to do is get the page to show up again any ideas how? Like how to enable the security? Because nothing except those errors is showing up.. can i code around using (dir) ?


----------



## covert215 (Apr 22, 2006)

get rid of that security and it should work again


----------



## cnelson04 (Dec 29, 2003)

I don't know how, or how it got it there? i didn't change anything. my host just switched server is it possible they haven't fully configured php yet, or are running it in safe mode? I believe right now my site is on a temp. server.


----------



## covert215 (Apr 22, 2006)

oh...you never did the password protected folders?

you probably need to change the permissions on your files. use CHMOD to adjust the necessary folders to 777


----------



## cnelson04 (Dec 29, 2003)

its fixed. my host had disabled a couple functions in PHP for security but has not changed them back.


----------



## covert215 (Apr 22, 2006)

Oh. Create a file named php.ini and you can override them


----------

