Regaining Control of a Hacked PHP-Nuke Site

PHP-Nuke is spreading across the Internet as a popular CMS. If your PHP-Nuke installation has been hacked into, read on to find out how to regain control of your site. If your site hasn’t been hacked, read on to learn how to secure your installation.

Introduction

PHP-Nuke is a widely used, open-source content management system (CMS) built on PHP and MySQL. PHP-Nuke lets you add and edit content on your site without having to edit HTML files by hand: the whole content system runs off a database. Apart from MySQL, this CMS also supports SQL Server, Oracle, Access and Postgres databases, which allows PHP-Nuke to run on most platforms.

PHP-Nuke lets you integrate extra functionality into the site by adding it as modules. This modular design lets webmasters customize the functionality of the CMS to their requirements. PHP-Nuke has various built-in modules such as user registration, downloads, news, article sections, FAQ and web links. Apart from the built-in modules, there is a variety of third-party modules that add a lot more functionality to this CMS.

I’ve been running PHP-Nuke to manage content on my site since 2003. A lot of people have posted their views online stating that this system was quite insecure. I didn’t pay much heed to these warnings, since this is one of the more popular CMS systems on the Internet. I had thought that since a lot of people were working on the system, all the bugs would be fixed up soon. I was in for a shock recently when my PHP-Nuke installation was hacked. In this article I have outlined how to overcome an attack on your Nuke installation and patch up the system to prevent further attacks. Even if your installation has not been hacked into yet, read on to learn how to patch up your site to prevent such attacks on your site.


PHP-Nuke Vulnerability

Most standard installations of PHP-Nuke are vulnerable to remote hack attacks. Hackers and script kiddies are able to gain control of the installation by means of a remotely exploitable SQL injection bug. In the default installation of most PHP-Nuke sites, multiple modules are vulnerable to SQL injection, because the underlying code does not sanitize user-supplied variables before they are used to build an SQL query. This allows attackers to craft query strings that make the script run SQL commands it should never permit.

Using this method, the attacker can steal or overwrite the administrator’s password hash. Once the password hash has been compromised, the attacker heads over to the admin module and takes full control of the PHP-Nuke installation.

I’m hacked – now what?

The first thing to do when you realize that your site has been the target of a hack attack is to check whether you still have administrative control of the site. If the attacker has not yet changed your administrative password, you can still retain control of the site. More often than not, though, the attacker will immediately change the admin password and take full control of your site. In that case, you should immediately bring down your site and block access to the administrative module before the attacker destroys your content.

How do I bring down the site?

Since the attackers have gained full administrative permissions on your site, the first thing to do is to disable the site and the admin functions. To do this, we’ll need to block access to three main files: index.php, modules.php and admin.php. These files reside in the root folder of your PHP-Nuke installation. Connect to your site using FTP and download the files index.php, modules.php and admin.php to your system, storing them in a backup folder. We may need these files later when we reopen the site to the public. Now create a blank file, or a file with the message “This site is down for maintenance”, and save it as index.php. Copy the same contents to two new files named modules.php and admin.php. Upload these three newly created files to the root directory of the server, overwriting the older files. This effectively shuts down the site and prevents the attackers from exploiting it further.

Regaining Your Site

To regain control of your admin account, you’ll have to reset your password in the authors table of your database. The authors table is nuke_authors. The table name prefix ‘nuke’ is the default if you did not change it when you installed PHP-Nuke; if you chose a custom prefix, use that instead. For example, if your custom prefix is ‘mysite’, the table will be mysite_authors.

Your admin user name appears in the aid (admin id) column. You can edit the table with the mysql command-line client (if you have telnet or other remote access to the server) or with phpMyAdmin (web-based administration of MySQL).

Here’s a sample of what you would see in the nuke_authors table:

AID    Name   URL                   EMAIL            PWD
nick   GOD    http://www.site.com   your@email.com   dc647eb65e6711e155375218212b3964

PHP-Nuke uses the name GOD to signify that the user is a super-administrator with access to all sections of the site. Edit the password field for the ‘GOD’ account and change it to dc647eb65e6711e155375218212b3964. This resets the super-admin password to Password (the value is the MD5 hash of that word, which is how PHP-Nuke stores passwords). If you see any other admin users that you haven’t created, delete them immediately: the attacker could have created them. To be on the safe side, delete all administrator accounts other than your ‘GOD’ account. You can always create additional admin accounts later, once you have patched up and reopened your site.
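The same reset done as a one-off PHP recovery script instead of by hand in mysql or phpMyAdmin, useful on hosts that give you FTP but no database shell. This is an added example, not code from the article or from PHP-Nuke; the connection settings, the admin id ‘nick’ and the table prefix are placeholders you must replace with your own values.

```php
<?php
// Added recovery script (not part of the article or of PHP-Nuke).
// Upload it to the site root over FTP, open it once in a browser, then
// delete it from the server: it resets an admin password with no login.
$dbhost  = 'localhost';     // placeholder: your MySQL host
$dbuname = 'DB_USER';       // placeholder: your MySQL user
$dbpass  = 'DB_PASSWORD';   // placeholder: your MySQL password
$dbname  = 'DB_NAME';       // placeholder: your PHP-Nuke database
$prefix  = 'nuke';          // table prefix; 'mysite' if you changed it at install
$keep    = 'nick';          // aid (admin id) of the GOD account that is yours

$db = new mysqli($dbhost, $dbuname, $dbpass, $dbname);
if ($db->connect_error) {
    die('Connection failed: ' . htmlspecialchars($db->connect_error));
}
$table = $prefix . '_authors';      // nuke_authors by default

// 1. List every admin account so attacker-created ones stand out.
echo "<pre>Admin accounts before reset:\n";
$res = $db->query("SELECT aid, name, email, pwd FROM `$table`");
while ($row = $res->fetch_assoc()) {
    printf("%-12s %-6s %-30s %s\n",
        htmlspecialchars($row['aid']), htmlspecialchars($row['name']),
        htmlspecialchars($row['email']), $row['pwd']);
}

// 2. Reset the password hash of your own account to MD5('Password'), i.e.
//    dc647eb65e6711e155375218212b3964, the value the article quotes.
$stmt = $db->prepare("UPDATE `$table` SET pwd = MD5('Password') WHERE aid = ?");
$stmt->bind_param('s', $keep);
$stmt->execute();
echo "Reset {$stmt->affected_rows} account(s) to the password 'Password'.\n";

// 3. Remove every other admin row; legitimate extra admins are recreated
//    from Edit Admins once the site is patched.
$stmt = $db->prepare("DELETE FROM `$table` WHERE aid <> ?");
$stmt->bind_param('s', $keep);
$stmt->execute();
echo "Deleted {$stmt->affected_rows} other admin account(s).\n";
echo "Done. Delete this script from the server now.</pre>\n";
```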

Patch up

Before you can bring your site back online, you should apply the latest patches for your version of PHP-Nuke. These patches secure all variables passed to PHP-Nuke and sanitize their contents before they are passed on to MySQL, which prevents SQL injection attacks on your site. The zipped patch files for all versions of PHP-Nuke are available at: http://phpnuke.org/modules.php?name=News&file=article&sid=6679. If you haven’t modified the core files of PHP-Nuke, you should be able to just copy all the files and folders in the zip to the server, overwriting the older files.

If you have made changes to the core files, you’ll have to redo the changes in the newly patched files before you upload them to the server. Make sure that your custom code doesn’t open up the security holes that were previously present.
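For the custom-code check above, and for the missing sanitization described in the vulnerability section, here is the unsafe query-building pattern beside two hardened forms: an integer cast for numeric ids and a bound parameter for free text. This is an added example, not code from the article or from PHP-Nuke; the nuke_stories table and its column names are assumed for illustration.

```php
<?php
// Added example (not code from the article or from PHP-Nuke).
// Table and column names are assumed for illustration only.

// UNSAFE: the raw query-string value is spliced into the SQL text, so
// anything a visitor appends to ?sid= becomes part of the statement.
function story_query_unsafe(string $sid): string
{
    return "SELECT title, hometext FROM nuke_stories WHERE sid='$sid'";
}

// SAFE for numeric identifiers: coerce to int before the value ever
// reaches SQL. Trailing garbage is dropped; non-numeric input becomes 0.
function story_query_safe(string $sid): string
{
    $id = (int) $sid;
    return "SELECT title, hometext FROM nuke_stories WHERE sid=$id";
}

// SAFE for free-text parameters (usernames, search terms): let the driver
// bind the value so it is never parsed as SQL. Needs a live mysqli
// connection, which the caller supplies.
function find_stories_by_author(mysqli $db, string $aid): array
{
    $stmt = $db->prepare("SELECT sid, title FROM nuke_stories WHERE aid = ?");
    $stmt->bind_param('s', $aid);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Constructed request values to show the difference.
$benign  = '6679';
$crafted = "6679' OR 1=1 -- ";   // a tampered ?sid= value
echo story_query_unsafe($crafted), "\n"; // the OR clause becomes live SQL
echo story_query_safe($crafted), "\n";   // ... WHERE sid=6679
echo story_query_safe($benign), "\n";    // ... WHERE sid=6679
```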

Since the patches contain the full version of the files index.php, admin.php and modules.php, once your patched files are uploaded to the server, your site should be operational again. Now head over to the admin module, (http://yoursite.com/admin.php), log in using your admin user name and ‘Password’ as the password. Once you’re logged in as the administrator, head over to the Edit Admins option in the administrative menu. You can change the password for your admin account there.


Cleaning up After the Attack

Now that you have regained control of your installation, you can go ahead and clear up the mess that the attackers have made. The first place to head over to is the Preferences section. The attackers usually modify this section to place their signature. The options Site Name, Site URL and Site Slogan are where they head over to first to add their hack signature. Changes to these options will make their signature appear on all pages of your PHP-Nuke site. Change the values of these options to what you had running previously. Make sure the other options on this page are set to your requirements.

If you have any file upload modules active, head over to the upload directory and make sure that they haven’t uploaded any unwanted files or scripts to your server. Delete any suspicious looking files from your server.

Protector System for PHP-Nuke

To protect your site from further attacks, Marcus & Graeme have written a module called The Protector System for PHP-Nuke. It is compatible with PHP-Nuke versions 6.5 to 7.2. The authors claim it protects your PHP-Nuke installation from all types of SQL injection attacks, Get/Post attacks and Hammer attacks, and it automatically blocks or bans users by username or IP address when they attempt one of these known attacks against your site.

Get/Post attacks abuse your submission scripts to add or edit your site’s content from a remote location. Hammer attacks are brute-force attacks on the site, launched either to bring the site down or to guess a password with a program that hits the server with every permutation of passwords from a dictionary.

This system also logs visitor details. The system logs the user’s IP address, country, username, the pages or URLs they’ve tried to access and their User Agent. This will allow you to track their activity on your site. Since their system is continuously evolving, I would suggest that you keep updating the Protector System each time they come out with a stable version of the module.

For more information on The Protector System, go to: http://protector.warcenter.se
