


PHP-Nuke Security - Been hacked? or have a question about securing your site, here's the place.



rwsRavenNuke76_v2.02.02_FULL Hacked.

lo guys. wondering if you can assist me here.

recently moved from php-nuke platinum 7.6 due to constant hacks. nothing in the database, just files in the root directory. but i had enough so moved to Raven's Nuke 7.6 fresh install.

only things i have added are SQuery (latest addition) for showing gameservers in a block

TS2 block for showing members online on Teamspeak

Shoutbox v8.5.2 release from http://www.ourscripts.net

and still i'm finding files added to my db file

all files and directories are chmodded to 755 but how the hell are they getting in? i had my suspicions that they were adding code via the submit news mod, but Sentinel would notice this and block them? at my wits' end with this. usually inserted files are 2 backdoor trojans and a hack script. doesn't look like they got much interest in our database, just using the shell to host virus attacks etc.. any help on how to stop this would be greatly appreciated.

Crying or Very sad

nearly forgot to mention.. the website is www.cannon-fodder.org.uk






Change DB user/password.

Change the password on your hosting.

Delete the files.

If they re-appear they may already have gained shell access from a different customer of your host's - may be worth telling them.

Have you set all the options in Sentinel correctly?






thanx dare. all settings are set as per readme so i guess it is all correct. will notify host thanx again






managed to track down the perp who was taking advantage of our host. (thanx to your confirmation dare) he was using pure ftp Rolling Eyes to add some files to orchestrate a phishing scam. although it looks like he managed to get hold of the passwords via some hack he used on our last portal (platinum 7.6) here is his ip for your banning pleasures

Jul 17 01:51:59 neptune pure-ftpd: (?@201.58.62.26) [INFO] New connection from 201.58.62.26
Jul 17 01:51:59 neptune pure-ftpd: (?@201.58.62.26) [INFO] **name** is now logged in
Jul 17 02:05:05 neptune pure-ftpd: (**name**@201.58.62.26) [NOTICE] /home/**name**//public_html/images/cartao.scr uploaded (503986 bytes, 7.15KB/sec)
Jul 17 04:53:33 neptune pure-ftpd: (**name**@201.58.62.26) [INFO] Logout.
Jul 17 04:58:43 neptune pure-ftpd: (?@201.58.62.26) [INFO] New connection from 201.58.62.26
Jul 17 04:58:44 neptune pure-ftpd: (?@201.58.62.26) [INFO] **name** is now logged in
Jul 17 04:59:05 neptune pure-ftpd: (**name**@201.58.62.26) [NOTICE] /home/**name**//public_html/sendto2.php uploaded (8579 bytes, 2.01KB/sec)
Jul 17 05:37:28 neptune pure-ftpd: (**name**@201.58.62.26) [INFO] Logout.


just thought i would post this so u can have the ip to ban..

in case u missed it it is 201.58.62.26 Razz this little sh*t nearly got us kicked from our host for the data he was collecting...
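
Added example, not part of the original posts: a Python sketch of the check the log excerpt above suggests, scanning pure-ftpd syslog lines for uploads of script or executable file types into the web root. The sample log is constructed in the same format; the host, the account `acct`, the address 203.0.113.7, the file names and the extension list are assumptions.

```python
import posixpath
import re
from collections import defaultdict

# Constructed sample in the pure-ftpd syslog format shown in the post above.
# Host, account, address (203.0.113.7) and file names are placeholders.
SAMPLE_LOG = """\
Jul 17 01:51:59 host pure-ftpd: (?@203.0.113.7) [INFO] New connection from 203.0.113.7
Jul 17 01:51:59 host pure-ftpd: (?@203.0.113.7) [INFO] acct is now logged in
Jul 17 02:05:05 host pure-ftpd: (acct@203.0.113.7) [NOTICE] /home/acct//public_html/images/card.scr uploaded (503986 bytes, 7.15KB/sec)
Jul 17 02:06:10 host pure-ftpd: (acct@203.0.113.7) [NOTICE] /home/acct//public_html/images/logo.png uploaded (20480 bytes, 9.10KB/sec)
Jul 17 04:59:05 host pure-ftpd: (acct@203.0.113.7) [NOTICE] /home/acct//public_html/mailer.php uploaded (8579 bytes, 2.01KB/sec)
Jul 17 05:37:28 host pure-ftpd: (acct@203.0.113.7) [INFO] Logout.
"""

# Matches only the "[NOTICE] <path> uploaded (<n> bytes, ...)" entries.
UPLOAD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ pure-ftpd: "
    r"\((?P<user>[^@]+)@(?P<ip>[^)]+)\) \[NOTICE\] "
    r"(?P<path>.+) uploaded \((?P<size>\d+) bytes"
)

# Assumed policy: file types that should not arrive by FTP in a web root.
RISKY_EXT = {".php", ".phtml", ".scr", ".exe", ".pl", ".cgi", ".sh"}

def risky_uploads(log_text, web_root="public_html"):
    """Return uploads of risky file types that landed under the web root."""
    findings = []
    for line in log_text.splitlines():
        m = UPLOAD_RE.match(line)
        if not m:
            continue
        path = posixpath.normpath(m["path"])  # collapses the doubled slash
        ext = posixpath.splitext(path)[1].lower()
        if f"/{web_root}/" in path and ext in RISKY_EXT:
            findings.append({"time": m["ts"], "user": m["user"], "ip": m["ip"],
                             "path": path, "bytes": int(m["size"])})
    return findings

def by_source(findings):
    """Group flagged paths by client address, for reporting to the host."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[f["ip"]].append(f["path"])
    return dict(grouped)

if __name__ == "__main__":
    for f in risky_uploads(SAMPLE_LOG):
        print(f"{f['time']} {f['user']}@{f['ip']} {f['path']} ({f['bytes']} bytes)")
```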






well.. sql injection finished off the site. and too it looks like my clients faith in php nuke.. hanging up my hat guys. love the work you done over the years and will always promote your site to those who want to learn.

all the best and have fun.

Ghostman signing out of nuke Crying or Very sad



