PostNuke Community

Support at your fingertips

My postnuke site hacked

  • Here's what happened:

    Opened my site and noticed that my nickname was already logged in. The users online block showed a Russian flag next to my nickname, but I'm in Hong Kong. So I log in and after a few clicks, my location flag changed to Germany. Then the next thing I see is my site titled: "OWNED!!!!!" which made me realize that the site is being hacked. I quickly logged into cpanel and password protected my public_html dir.

    Looking at the PN anticracker emails I see the following suspicious output:

    POST * _magic_quotes_gpc_test : \"
    POST * xsitename : OWNED!!!!!
    POST * xsite_logo : http://www.cunningstunt.nildram.co.uk/Forums/owned%20mcd.jpg
    POST * xslogan : Secure your site bitch
    POST * xstartdate :
    POST * xadminmail :
    POST * xfoot1 : Copyright © 2003-2007 All Rights Reserved.document.write(\'\');
    POST * module : Settings
    POST * authid : e8hydfgreg0c816efghe14d9e6ftrhgxf24fa5fgj18f
    POST * xfoot1 : Copyright © 2003-2007 All Rights Reserved.<scri pt="pt" lang="lang" uage="\"JavaScr">docume nt.wri te(\'\');


    Site error_log shows this:

    [25-Apr-2008 12:02:42] PHP Warning: Smarty error: unable to read resource: "table2.htm" in /home/qwerty/public_html/mypnsite/includes/classes/Smarty/Smarty.class.php on line 1088
    [25-Apr-2008 12:08:10] PHP Warning: Smarty error: unable to read resource: "table2.htm" in /home/qwerty/public_html/mypnsite/includes/classes/Smarty/Smarty.class.php on line 1088
    [25-Apr-2008 12:20:14] PHP Warning: Smarty error: unable to read resource: "table2.htm" in /home/qwerty/public_html/mypnsite/includes/classes/Smarty/Smarty.class.php on line 1088
    [25-Apr-2008 12:22:07] PHP Warning: Smarty error: unable to read resource: "table2.htm" in /home/qwerty/public_html/mypnsite/includes/classes/Smarty/Smarty.class.php on line 1088
    [25-Apr-2008 12:22:10] PHP Warning: Smarty error: unable to read resource: "table2.htm" in /home/qwerty/public_html/mypnsite/includes/classes/Smarty/Smarty.class.php on line 1088
    [25-Apr-2008 12:22:26] PHP Warning: Smarty error: unable to read resource: "table2.htm" in /home/qwerty/public_html/mypnsite/includes/classes/Smarty/Smarty.class.php on line 1088
    [25-Apr-2008 12:22:30] PHP Warning: Smarty error: unable to read resource: "table2.htm" in /home/qwerty/public_html/mypnsite/includes/classes/Smarty/Smarty.class.php on line 1088
    [25-Apr-2008 12:22:37] PHP Warning: Smarty error: unable to read resource: "table2.htm" in /home/qwerty/public_html/mypnsite/includes/classes/Smarty/Smarty.class.php on line 1088
    [25-Apr-2008 12:23:15] PHP Warning: Smarty error: unable to read resource: "table2.htm" in /home/qwerty/public_html/mypnsite/includes/classes/Smarty/Smarty.class.php on line 1088

    I can't locate this file myself; it seems like the hacker was trying to upload and read it from the server?!!

    Please advise what I need to do next. Thanks!



    edited by: jadranko, Apr 25, 2008 - 01:56 PM

    --
    "A patriot must be ready to defend his country against his government." - Edward Abbey
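    Added here as a defender's example (not code from this thread or from PostNuke): a small Python checker that parses a PN anticracker POST dump like the one quoted above and flags Settings-module values that carry script markup, collapsing whitespace so the split tags seen in the dump ("scri pt", "docume nt.wri te") are still caught. The sample input is the dump from the post, reproduced as constructed text; the marker list is an assumption.

```python
import re
from typing import List, Tuple

# Constructed sample: the PN anticracker POST dump quoted in the first post,
# as plain text, one "POST * name : value" line per submitted parameter.
SAMPLE_DUMP = r"""
POST * _magic_quotes_gpc_test : \"
POST * xsitename : OWNED!!!!!
POST * xstartdate :
POST * xfoot1 : Copyright © 2003-2007 All Rights Reserved.document.write(\'\');
POST * module : Settings
POST * authid : e8hydfgreg0c816efghe14d9e6ftrhgxf24fa5fgj18f
POST * xfoot1 : Copyright © 2003-2007 All Rights Reserved.<scri pt="pt" lang="lang" uage="\"JavaScr">docume nt.wri te(\'\');
"""

LINE_RE = re.compile(r"^POST \* (\S+) : ?(.*)$")

# Markup that has no business inside a site title, slogan or footer string
# (assumed list; extend it to taste).
MARKERS = ("<script", "document.write", "<iframe", "javascript:", "onerror=", "onload=")


def parse_post_dump(text: str) -> List[Tuple[str, str]]:
    """Return (name, value) pairs in order; duplicates are kept, as in the dump."""
    pairs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def suspicious_markup(value: str) -> List[str]:
    """Markers found after collapsing whitespace, so that tags split with
    spaces (as in the dump) still match."""
    collapsed = re.sub(r"\s+", "", value).lower()
    return [mk for mk in MARKERS if mk in collapsed]


def targets_site_settings(text: str) -> bool:
    """True when the POST is aimed at the site-wide Settings module."""
    return dict(parse_post_dump(text)).get("module") == "Settings"


def find_injected_settings(text: str) -> List[Tuple[str, List[str]]]:
    """Every parameter whose value carries script markup, with the markers hit."""
    findings = []
    for name, value in parse_post_dump(text):
        hits = suspicious_markup(value)
        if hits:
            findings.append((name, hits))
    return findings
```

    A hit on a Settings-module POST means the site title, slogan or footer was being rewritten with script, which is exactly what the "OWNED!!!!!" title and the tampered xfoot1 show.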
  • Sorry to hear.

    PN version?
    PNphpBB2? fully updated?

    Can you check your (phpMyAdmin) mod_vars for footmsg1 (footermsg1) and report the content.



    --
    David Pahl
    Zikula Support Team
  • Thanks AmmoDump! I just realized that I posted in the wrong forum; the Postnuke version is 764.

    PNphpBB2 was last updated several months ago, I don't see any new vulnerability or version update.

    Tried to look for the footmsg1 & footermsg1 in nuke_module_vars:
    Search results for "footermsg1" as regular expression: 0 match(es) inside table nuke_module_vars ...same results for both expressions. Did a manual search too, no such variable in pn_name field.

    Does anyone know how to search for a particular filename using cpanel, without having to download the entire site to my PC and do a search that way? I would like to search for this "table2.html" which was reported as unreadable, I believe it might be the culprit, inserted somewhere in one of the hundreds of folders inside the site.




    edited by: jadranko, Apr 25, 2008 - 02:49 PM

    --
    "A patriot must be ready to defend his country against his government." - Edward Abbey
  • Grab the latest logs to study the vulnerable point in your site;
    try to identify which section was attacked.

    --
    - Mateo T. -
    My principles... are my ends
  • I got hacked by the same people with tiny pee-pees. Great, now I get to spend my weekend trying to find the hole and fixing it. When will we get another release to Postnuke? It's been a LONG time.

    --
    www.appleproaudio.com
  • Let us know what you find out, I'm still clueless. -_-

    --
    "A patriot must be ready to defend his country against his government." - Edward Abbey
  • My site got hacked yesterday too. As I was searching info that was left behind by the script-kiddies, I've discovered that there are many sites currently being hacked in the same way, and all of them appear to have been running Postnuke 0.764. Google had a lot of the hacked sites cached, but now I'm seeing that many of them are currently being reinstalled with new software, such as WordPress or Drupal.

    Here's what I suspect to be the vulnerability:

    http://community.postnuke.com/module-Forum-viewtopic-topic-54332-highlight-vulnerability.htm

    It's unfortunate that so many are leaving Postnuke over this, especially when I noticed that one of the script-kiddies left behind a Joomla logo on one of the victims' sites.

    I had noticed a lot of pnSecurity Alerts over the past couple of weeks, so I knew they were trying something, but I wasn't aware of the issue with magic_quotes_gpc, especially since Postnuke warns you in the admin module if you turn it off.

    Hopefully we'll see a patch shortly...




    edited by: lancets, Apr 26, 2008 - 01:12 PM
  • @lancets: Thanks for spreading your undocumented FUD here.
    Welcome to Postnuke, by the way.
    Greetings,
    Chris

    --
    Cozi - development is life.

    sidux - an operating system must operate.
  • Wow, very helpful response.
