Zikula: A Flexible Open Source Content Management System
"PHP Nuke is very insecure" so says a major host.
  • Posted: 04.01.2008, 07:53
     
    Tango1
    We are told "PHP Nuke is very insecure"

    The New Year '08 is not starting out good for us! We are running the latest version 0.764 and have already made two upgrades up to that since we started using PHP Nuke in 2004. (And BTW, every time we make an upgrade we lose some previous great tools, never restored.)

    Lately we got attacked and shut down, yet again. Now we are running on borrowed time. As our very professional host writes us:

    "PHP Nuke against the attacks. Please be advised to use an alternate CMS in the future - PHP Nuke is very insecure."

    Please help! How can we determine if this is reality or just more IT hype? Can anybody help, please? Looking for an expert to give us a review.

    paularen@gmail.com



    edited by: Tango1, Jan 04, 2008 - 02:54 AM
  • Posted: 04.01.2008, 08:24
     
    denisrf
    Tango1, I've got no idea why you would even post this here, this is PostNuke NOT PHP Nuke. If you care to read up on the code changes over the last several years you would realise that there is almost nothing left of PHP Nuke in the core. The next stable version will even be renamed because the last vestiges of PHP Nuke will have been removed completely.

    You mention 0.764, that is the latest stable version and is quite secure. Again, if you read through the posts in this forum relating to security you'll find that 0.764 is 99% of the time spoilt by hackable third party scripts (forums and old modules), i.e. nothing to do with the PostNuke Core.

    I've been using PostNuke on and off since the original split from PHP Nuke and out of dozens of sites only once have I had a site hacked. Guess what, it was a third party script I was using that let them in.

    Security is a big thing and it takes some work. I've always noticed that the people around here (larsneo) have been very helpful to people who have had their sites hacked but they need more information than you have given here.



    edited by: denisrf, Jan 04, 2008 - 12:57 PM
  • Posted: 04.01.2008, 08:46
     
    Tango1
    Sorry, and thanks immensely for this answer.
    I quoted our host, and in the haste did not realize he was off on saying PHP. Clearly we are running PostNuke! Still they are saying we are getting attacked, as we were at our previous host, Hostnuke.com. I did the correct upgrade to 0.764 with a seasoned pro. here last summer.
    So far he said: your site "is repeatedly being attacked. They were severe enough to bring the server close to a halt".

    At this point I am asking our host the details of the attack.

    I would also be most interested in establishing a new relationship with a pro at this which could take a look at our site and give an evaluation. As I as well am most surprised at this and don't want to change to another CMS.

    Thanks again & Regards,
    paularen@gmail
  • Posted: 04.01.2008, 13:25
     
    Topiatic
    Hehe the title of this thread is great... even as a misquote.

    So you're saying that HostNuke is saying that you're getting attacked because of your phpNuke site even though you're running a latest stable PostNuke 0.764 site?

    First be sure you don't have some test install of phpNuke buried in your site somewhere. If not then make them aware of their error so that you can get down to the real cause of the problem.

    --
    Under Construction!
  • Posted: 04.01.2008, 17:37
     
    kaffeeringe.de
    What does "attack" mean? I mean: You can't do anything against people who try to hack your site (and fail). Your hoster should help you identify the weak spot in your system.

    Which modules do you use? What other scripts do you have on that server (maybe forgotten installations of something else?)

    --
    best regards from Kiel, sailing city

    Steffen Voss

    Member of the PostNuke Steering Committee
    Read The Zikulan's Blog
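The two replies above both ask whether a forgotten install is sitting somewhere under the web root. One way to inventory that is sketched below as an added example, not code from the thread or from PostNuke. The marker files in `FINGERPRINTS`, the function names and the sample tree are assumptions made for illustration.

```python
import os
import tempfile

# Marker files per application. Assumed from typical layouts; verify against your own copies.
FINGERPRINTS = {
    "PHP-Nuke": ("mainfile.php", "modules.php"),
    "PostNuke": ("config.php", "includes/pnAPI.php"),
}

def find_installs(webroot):
    """Return sorted (relative_dir, app) pairs for directories holding all markers of an app."""
    hits = []
    for dirpath, _dirs, _files in os.walk(webroot):
        for app, markers in FINGERPRINTS.items():
            if all(os.path.isfile(os.path.join(dirpath, m)) for m in markers):
                rel = os.path.relpath(dirpath, webroot).replace(os.sep, "/")
                hits.append((rel, app))
    return sorted(hits)

def unexpected_installs(webroot, expected=None):
    """Drop the installs you know about; what remains needs patching or deleting."""
    expected = expected or {".": "PostNuke"}
    return [(d, app) for d, app in find_installs(webroot) if expected.get(d) != app]

def demo():
    """Build a constructed sample tree in a temp dir and report the surprises."""
    sample = [
        "config.php", "includes/pnAPI.php", "index.php",    # live site
        "old/test/mainfile.php", "old/test/modules.php",    # forgotten test install
        "backup/site_copy/config.php",                      # stale copy of the site
        "backup/site_copy/includes/pnAPI.php",
    ]
    with tempfile.TemporaryDirectory() as root:
        for rel in sample:
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        return unexpected_installs(root)

if __name__ == "__main__":
    for directory, app in demo():
        print(f"unexpected {app} install in {directory}/")
```

Stale copies of the same CMS matter as much as foreign ones, since a backup directory keeps whatever version and third party modules it had when it was copied.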
  • Posted: 05.01.2008, 03:27
     
    larsneo

    Quote

    Lately we got attacked and shut down, yet again. Now we are running on borrowed time. As our very professional host writes us:
    "PHP Nuke against the attacks. Please be advised to use an alternate CMS in the future - PHP Nuke is very insecure."

    well - i don't want to start a discussion about a single provider - but keep in mind that there are various things on the serverside that might help you to improve the security of your site. the baseline analyzer in .764 tells you the basic stuff (register_globals etc), more advanced info can be grabbed via phpsecinfo.
    professional providers should have no problem with most tests ;)

    Quote

    At this point I am asking our host the details of the attack.

    please forward that information to larsneo@postnuke.com - running an attack on any website is quite easy (just think of a simple ddos scenario) but at least /me is not aware of any security related issue in .764

    --
    regards from germany
    ..::[Zikula Application Framework]::.. ..::[SEO-Blog]::.. ..::[CMS Sicherheit]::..
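The kind of server-side check the post above refers to (register_globals etc.) can be approximated offline against a copy of php.ini. This is an added example, not the PostNuke baseline analyzer or phpsecinfo; apart from `register_globals`, the directives chosen, the function names and the sample file are assumptions.

```python
# Directives worth flagging when enabled. Only register_globals is named in the
# post; the other three are an assumed selection for this example.
FLAG_IF_ON = ("register_globals", "allow_url_fopen", "allow_url_include", "display_errors")

# PHP's built-in values when a directive is absent from php.ini.
DEFAULTS = {"register_globals": "0", "allow_url_fopen": "1",
            "allow_url_include": "0", "display_errors": "1"}

TRUTHY = {"1", "on", "yes", "true"}

def parse_ini(text):
    """Return {directive: value} from php.ini text, ignoring comments and sections."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()          # strip ; comments
        if not line or line.startswith(("[", "#")) or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"').lower()
    return settings

def audit(text):
    """Return (directive, origin) for every flagged directive that is effectively on."""
    settings = parse_ini(text)
    findings = []
    for name in FLAG_IF_ON:
        origin = "set" if name in settings else "default"
        if settings.get(name, DEFAULTS[name]) in TRUTHY:
            findings.append((name, origin))
    return findings

# Constructed sample, not taken from any real server.
SAMPLE_INI = """\
[PHP]
register_globals = On      ; enabled for a legacy script
display_errors = Off
allow_url_include = 0
"""

if __name__ == "__main__":
    for name, origin in audit(SAMPLE_INI):
        print(f"{name} is on ({origin})")
```

A file-based check only sees php.ini; per-directory overrides such as `php_flag` lines in .htaccess can change the effective value, which is why tools that run inside PHP report the runtime setting instead.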
  • Posted: 05.01.2008, 15:07
     
    mhalbrook
    Paul, if memory serves me right, the problem at HostNuke was in DreamAccount, not PostNuke itself. We did away with that and went, I believe, with Subscription. Did we move you from PNphpBB2 to pnForum, do you recall? If not, it's possible that's where the problem is. As I recall, there was quite a bit of extra stuff in the site that wasn't actually PostNuke related. I see that they haven't taken the site down as of yet, that's good, but since I didn't handle the move to the new server, I don't have any access to anything.
