Regaining Control of a Hacked PHP-Nuke Site - Regain your Site
(Page 3 of 4 )
To regain control of your admin account, you’ll have to reset your password in two authors table in your database, the author’s table is nuke_authors. The table name prefix 'nuke' is the standard prefix if you haven't made any changes to it when you installed PHP-Nuke. If you have changed the standard prefix, use your custom prefix instead. If your custom prefix is 'mysite', your table name will be mysite_authors.
You’ll find that your admin user name comes in the aid (admin id) column. You can do this using the mysql command (if you have telnet access or remote access) or with PHPMyAdmin (web based administration of MySQL).
Here’s a sample of what you would see in the nuke_author’s table.
AID | Name | URL | EMAIL | PWD |
| nick | GOD | http://www.site.com | your@email.com | dc647eb65e6711e155375218212b3964 |
PHP-Nuke uses the name GOD to signify that the user is a super-administrator who has access to all sections of the site. Edit the password field for the ‘GOD’ account and change it to dc647eb65e6711e155375218212b3964. This will reset the password for the super-admin user as Password. If you see any other admin users that you haven’t created, delete them immediately. The attacker could have created those admin users. To be on the safe side, delete all other administrator accounts other than your ‘GOD’ account. You can always create the additional admin accounts later, once you patch up and reopen your site.
Patch up
Before you can bring your site back online, you should apply the latest patches for your version of PHP-Nuke. These patches should secure all variables passed to PHP-Nuke and sanitize their contents before they are passed over to MySQL. This will prevent any SQL-Injection attacks on your site. The zipped patch files for all versions of PHP-Nuke are available at: http://phpnuke.org/modules.php?name=News&file=article&sid=6679. If you haven’t modified the core files of PHP-Nuke, you should be able to just copy all the files and folders in the zip to the server, overwriting the older files.
If you have made changes to the core files, you’ll have to redo the changes in the newly patched files before you upload them to the server. Make sure that your custom code doesn’t open up the security holes that were previously present.
Since the patches contain the full version of the files index.php, admin.php and modules.php, once your patched files are uploaded to the server, your site should be operational again. Now head over to the admin module, (http://yoursite.com/admin.php), log in using your admin user name and ‘Password’ as the password. Once you’re logged in as the administrator, head over to the Edit Admins option in the administrative menu. You can change the password for your admin account there.
Next: Cleaning up >>
More Security Articles
More By Vinu Thomas
/ 35 
