What happened to HIDPlanet?

December 20 2004 at 6:17 PM
Steve  (Login SComp23)

 
Did someone hack HID Planet? This is getting to be outrageous, I mean can't people find other sites to mess with other than HID forums?

 

(Login brwong)

Re: What happened to HIDPlanet?

December 20 2004, 8:34 PM 

It's working for me....

 
Steve
(Login SComp23)

Re: What happened to HIDPlanet?

December 20 2004, 8:38 PM 

Yeah ok it is back up, it was hacked by some sort of worm earlier.

 

(Login soccer3303)

Re: What happened to HIDPlanet?

December 20 2004, 9:07 PM 

We were hacked. Everything is restored to three days prior. Sorry for any lost posts but this kind of bull**** happens.

 

(Login brwong)

Re: What happened to HIDPlanet?

December 20 2004, 9:51 PM 

seriously... these people that create all these viruses and crap have way too much time on their hands. i mean... what a waste of talented minds! o_O

 
Steve
(Login SComp23)

Re: What happened to HIDPlanet?

December 20 2004, 11:31 PM 

But seriously, an HID forum? That's such a waste of time, seriously.

 
SorryOciffer
(Login sorryociffer)

Re: What happened to HIDPlanet?

December 21 2004, 3:54 AM 

It's back down AGAIN.

S.O.

 

(Login haknslash2003)

We are still hacked

December 21 2004, 9:02 AM 

We are hacked again!!! We installed the latest patches last night but I think there is still a loophole, obviously!

HIDPLANET Admin-

I found this info....I need to get in touch with the owner of the site and give him this info, I think....

PHP-NUKE Vulnerability

Most standard installations of PHP-Nuke are vulnerable to remote hack attacks. Hackers and script kiddies are able to gain control of the installation by means of a remotely exploitable SQL injection bug. In the default installation of most PHP-Nuke sites, multiple modules are vulnerable to SQL injection. This is because the underlying code does not sanitize the user-supplied variables after it is decoded for use as an SQL query. This allows attackers to craft query strings that allow them to run SQL commands, which otherwise should not be permitted by the script.

Using this method, the attacker can steal or overwrite the administrator’s password hash. Once the password hash has been compromised, the attacker heads over to the admin module and takes full control of the PHP-Nuke installation.

I’m hacked - now what?

The first thing to do when you realize that your site has been the target of a hack attack, would be to check if you’ve still got administrative control of the site. If the attacker has not yet changed your administrative password, you can still retain control of the site. More often than not, the attacker would immediately change the admin password and take full control of your site. In this case, you should immediately bring down your site, and block access to the administrative module before the attacker destroys your content.

How do I bring down the site?

Since the attackers have gained full administrative permissions on your site, the first thing to do is to disable the site and the admin functions. To do this, we'll need to block access to three main files: index.php, modules.php and admin.php. These files reside in the root folder of your PHP-Nuke installation. Head over to your site using ftp and download the files index.php, modules.php and admin.php to your system and store them in a backup folder. We may need these files later when we reopen the site to the public. Now create a blank file or a file with the message “This site is down for maintenance” and save the file as index.php. Copy the same contents to the new files modules.php and admin.php. Upload these three newly created files to the root directory of the server and overwrite the older files. This should effectively shut down the site and prevent the attackers from further exploiting your site.


Regaining Control of a Hacked PHP-Nuke Site - Regain your Site




To regain control of your admin account, you’ll have to reset your password in the authors table in your database; the authors table is nuke_authors. The table name prefix 'nuke' is the standard prefix if you haven't made any changes to it when you installed PHP-Nuke. If you have changed the standard prefix, use your custom prefix instead. If your custom prefix is 'mysite', your table name will be mysite_authors.

You’ll find that your admin user name comes in the aid (admin id) column. You can do this using the mysql command (if you have telnet access or remote access) or with PHPMyAdmin (web based administration of MySQL).

Here’s a sample of what you would see in the nuke_authors table.

AID | Name | URL | EMAIL | PWD
nick | GOD | http://www.site.com | your@email.com | dc647eb65e6711e155375218212b3964

PHP-Nuke uses the name GOD to signify that the user is a super-administrator who has access to all sections of the site. Edit the password field for the ‘GOD’ account and change it to dc647eb65e6711e155375218212b3964. This will reset the password for the super-admin user as Password. If you see any other admin users that you haven’t created, delete them immediately. The attacker could have created those admin users. To be on the safe side, delete all other administrator accounts other than your ‘GOD’ account. You can always create the additional admin accounts later, once you patch up and reopen your site.

Patch up

Before you can bring your site back online, you should apply the latest patches for your version of PHP-Nuke. These patches should secure all variables passed to PHP-Nuke and sanitize their contents before they are passed over to MySQL. This will prevent any SQL-Injection attacks on your site. The zipped patch files for all versions of PHP-Nuke are available at: http://phpnuke.org/modules.php?name=News&file=article&sid=6679. If you haven’t modified the core files of PHP-Nuke, you should be able to just copy all the files and folders in the zip to the server, overwriting the older files.

If you have made changes to the core files, you’ll have to redo the changes in the newly patched files before you upload them to the server. Make sure that your custom code doesn’t open up the security holes that were previously present.

Since the patches contain the full version of the files index.php, admin.php and modules.php, once your patched files are uploaded to the server, your site should be operational again. Now head over to the admin module, (http://yoursite.com/admin.php), log in using your admin user name and ‘Password’ as the password. Once you’re logged in as the administrator, head over to the Edit Admins option in the administrative menu. You can change the password for your admin account there.




Regaining Control of a Hacked PHP-Nuke Site - Cleaning up



Cleaning up After the Attack

Now that you have regained control of your installation, you can go ahead and clear up the mess that the attackers have made. The first place to head over to is the Preferences section. The attackers usually modify this section to place their signature. The options Site Name, Site URL and Site Slogan are where they head over to first to add their hack signature. Changes to these options will make their signature appear on all pages of your PHP-Nuke site. Change the values of these options to what you had running previously. Make sure the other options on this page are set to your requirements.

If you have any file upload modules active, head over to the upload directory and make sure that they haven’t uploaded any unwanted files or scripts to your server. Delete any suspicious looking files from your server.

Protector System for PHP-Nuke

To further protect your site from further attacks, Marcus & Graeme have come up with a module called The Protector System for PHP-Nuke. This module is compatible with PHP-Nuke versions 6.5 to 7.2. Their system claims to protect your PHP-Nuke installation from all types of SQL-Injection Attacks, Get/Post Attacks and Hammer Attacks. It also automatically blocks or bans users by username or IP address when they try attacking your site using these known methods.

Get/Post attacks use your submission scripts to add or edit your site's content from a remote location. Using this method, attackers can change or add content to your site from a remote location. Hammer Attacks are brute force attacks on the site to either bring the site down, or they can be caused with a password attack program, which hits the server with all permutations of passwords from a dictionary.

This system also logs visitor details. The system logs the user's IP address, country, username, the pages or URLs they've tried to access and their User Agent. This will allow you to track their activity on your site. Since their system is continuously evolving, I would suggest that you keep updating the Protector System each time they come out with a stable version of the module.

For more information on The Protector System, go over to: http://protector.warcenter.se

 
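An added example, not part of the post above or of the article it quotes: a post-recovery check of the authors table, listing admin accounts the owner did not create and accounts still on the temporary "Password" hash. An in-memory sqlite3 table stands in for MySQL; the function names, the sample rows and the `backup_adm` account are constructed for illustration.

```python
import hashlib
import sqlite3

# MD5 of the temporary password "Password" that the recovery steps write into pwd.
TEMP_PWD_HASH = hashlib.md5(b"Password").hexdigest()


def audit_authors(conn, expected_aids, prefix="nuke"):
    """Return (unexpected_aids, temp_password_aids) for the <prefix>_authors table."""
    if not prefix.isidentifier():  # the prefix is spliced into a table name
        raise ValueError("table prefix must be a plain identifier")
    rows = conn.execute(f"SELECT aid, pwd FROM {prefix}_authors").fetchall()
    expected = {aid.lower() for aid in expected_aids}
    unexpected = sorted(aid for aid, _ in rows if aid.lower() not in expected)
    still_temp = sorted(aid for aid, pwd in rows if pwd.lower() == TEMP_PWD_HASH)
    return unexpected, still_temp


def delete_admins(conn, aids, prefix="nuke"):
    """Delete the listed admin rows with bound parameters; return rows removed."""
    if not prefix.isidentifier():
        raise ValueError("table prefix must be a plain identifier")
    cur = conn.executemany(f"DELETE FROM {prefix}_authors WHERE aid = ?",
                           [(aid,) for aid in aids])
    conn.commit()
    return cur.rowcount


def build_sample_db():
    """Constructed sample: the owner's row plus one row the owner never created."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE nuke_authors "
                 "(aid TEXT, name TEXT, url TEXT, email TEXT, pwd TEXT)")
    conn.executemany("INSERT INTO nuke_authors VALUES (?, ?, ?, ?, ?)", [
        ("nick", "God", "http://www.site.com", "your@email.com", TEMP_PWD_HASH),
        ("backup_adm", "God", "", "", hashlib.md5(b"constructed").hexdigest()),
    ])
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    unexpected, still_temp = audit_authors(db, {"nick"})
    print("unexpected admins:", unexpected)
    print("still on temporary password:", still_temp)
    print("removed:", delete_admins(db, unexpected))
```

Any account reported as still on the temporary password should have it changed through Edit Admins before the site is reopened.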
Anonymous
(Login JaYB024)

Re: What happened to HIDPlanet?

December 21 2004, 9:41 AM 

For some reason my virus scanner is picking up viruses as well

so, I suggest using any programs you have to check that out

guess I'll be checking out this forum again

 
Steve
(Login SComp23)

Re: What happened to HIDPlanet?

December 21 2004, 11:54 AM 

Whoever is doing this is out of control, it's an HID forum, go find something else to mess up.

 
hak
(Login haknslash2003)

Re: What happened to HIDPlanet?

December 21 2004, 12:14 PM 

It wasn't targeted directly towards us (hidplanet), it was a worm implemented to affect thousands of php based sites out on the web. See here and click on any link and you'll see it's widespread http://www.auburnextremeracing.com/ . Not sure when we will be up and running again. I'm trying to establish contact with admin.

 
Byron
(Login brwong)

Re: What happened to HIDPlanet?

December 21 2004, 12:16 PM 

as justice, i say we all band together and find out who this hacker is. take all our hid lights and blind the living crap of him/her PERMANENTLY! that way, they will have NO WAY of doing such useless deeds anymore! god i hate these people...

 
Steve
(Login SComp23)

Re: What happened to HIDPlanet?

December 21 2004, 12:26 PM 

Better yet why don't we hook all of our ballasts up to his balls and fire 'em up. ha that's funny. Anyways, if it is widespread throughout the system, the patch won't really be doing much then would it?

 
Hak
(Login haknslash2003)

Re: What happened to HIDPlanet?

December 21 2004, 2:11 PM 

WE ARE BACK NOW!!!!! For how long?.....hopefully for good.......

 
Steve
(Login SComp23)

Re: What happened to HIDPlanet?

December 21 2004, 3:10 PM 

The answer to your question, Hak, is approximately 59 minutes. This sucks.

 

(Login SickE46)

Re: What happened to HIDPlanet?

December 21 2004, 3:24 PM 

It's down again :(

 

(Login haknslash2003)

hak

December 21 2004, 3:26 PM 

yup, we are down again. HIDPLANET told me this would happen for a while, a few days even, until he gets everything worked out. He is trying his best, believe me!

 
SidekickChuck
(Login SidekickChuck)

Re: hak

December 22 2004, 12:14 AM 

It's back up. Version was updated and hopefully it will stay up.

www.HIDForum.com

 

Josch
(Login JustHitADeereWithHID)
moderators

Re: hak

December 24 2004, 6:24 AM 

Hey SideKick,
I think you meant to paste this link:
http://www.hidplanet.com/forums/

 
NEON
(Login NEON_)

Re: hak

December 29 2004, 4:21 AM 

They go to the same place.. ;-}

 