Full Version: My first post. My site is hacked?
pinkiong
Hi everyone!

This is my first post ^.^ .

I signed up with Hostony on Friday 20/08/04 and my account was activated
on Saturday.

On Sunday, I installed phpnuke and wanted to create a website for my
Warcraft 3 clan.

Early on Monday morning, when I went to the page, I got a message saying
T H T. W A S. H E R E.
renegadealien & ir2 & decameron
greetz: HolyOne, Jerusalem, Stormy
tahribat.com | tahrip.com

It was supposed to display my page. The title is hacked by THT.

What does that mean? Is it that the phpnuke security is bad?
And how did they find my site? It was not even online for 6 hrs.

The site address is www.pinkiong.com/clanvic/

I'm a beginner in web hosting. I'm doing sites as a hobby... (still a uni student).

Regards,
Pin Kiong
tass4243
Phpnuke has horrible security. You'll have to apply a lot of patches. Get fortress and uh...well there are 2 other ones to get too. You were just unlucky and they found it somehow.
thefirstnutzo
My website (www.vaccords.com/InvisionBoard) got a very similar hacked page today... mine says "Hacked by Tahribat.Com" in the title, in the main page there is a photo that says:

TAHRIBAT.COM
Dalimizi Kiranin
Agacini kokunden Sokeriz

and the lettering:


Hacked By Renegadealien, ir2, Decameron, HolyOne

www.tahribat.com |www.tahrip.com


I have had my site running for about nine months and never had an issue like this before. I am using IPB not PHP Nuke, my PHP Nuke site (www.vaccords.com/phpnuke... just installed it a few days ago to play with) is still fully intact.
Dark Hedgehog
Strange really.

Not sure if this goes along it, but, I had all my users, posts, most visited count and other statistics wiped from my forum.

I recounted them in IPB administrator thingy and got my stats back.

Just putting my input.
pinkiong
They advertise which websites they have hacked at the following address:
http://www.zone-h.org/en/defacements/filte...r_defacer=T+H+T

I found that out when I went to latest visitors in the cpanel and got the referer from
one of the visitors.
Dark Hedgehog
Are they saying who hacked others sites or that "they themselves" hacked the sites?
Alec
Post nuke installation requires full permissions on config files.

But some customers forget to revert permissions back after installation. So anybody can write to conf files. So somebody rewrote your config.php file and added some text here. I've moved this file. To restore php nuke generate a new config file or reinstall php nuke completely.

One more security issue with php nuke is using the different themes. Try to use only one theme for your portal and don't allow your users to change their themes from your site. Be careful with your site and nobody will hack it.
thefirstnutzo
In my case the modified file was conf_global.php, but then I'm using Invision Board not PHP Nuke.
Alec
Sorry, I was mistaken. But I guess you understood me :)
uoorgan
QUOTE(Alec @ Aug 23 2004, 06:34 AM)
But some customers forget to revert permissions back after installation.

This statement isn't quite fair. I installed the Invision Board from CPanel's Scripts Library. I just installed another copy in another directory to double check, and at no point during the installation was I warned that the config file was world writable and to change the permissions after I had configured the MB. Nor were there any warnings when I started using the Message Board.

If an automated install is provided, then at the very least there should be a warning during the install that the user must make some changes to the file permissions once the product has been installed.

David
supergodoffunk
Depends. 1st, I have to ask. How are you installing it? Are you installing the one through the Cpanel? I haven't tried that before, and it's version 1.2...

If you are doing it manually, then conf_global.php has to be changed to 777. By default, I see it as 666. Actually, it's the last 7. Public needs to write to it. As for reverting... If you revert back, then anytime you use the AdminCP to change anything, you will get an error that it can't write to conf_global.php.

That's about all I know. I don't know how your site would have been hacked, but now it's got me worried too. :mad:

Whoops, I see your post now. I would install 1.3. Fixes many bugs, and there are more mods out for it...
pinkiong
QUOTE(Dark Hedgehog @ Aug 23 2004, 01:59 AM)
Are they saying who hacked others sites or that "they themselves" hacked the sites?

That site http://www.zone-h.org/ is a security site I think. It's not the site members who hack the websites. The site reports hacks submitted to it.
pinkiong
QUOTE(supergodoffunk @ Aug 25 2004, 03:55 AM)
Depends. 1st, I have to ask. How are you installing it? Are you installing the one through the Cpanel? I haven't tried that before, and it's version 1.2...

If you are doing it manually, then conf_global.php has to be changed to 777. By default, I see it as 666. Actually, it's the last 7. Public needs to write to it. As for reverting... If you revert back, then anytime you use the AdminCP to change anything, you will get an error that it can't write to conf_global.php.

That's about all I know. I don't know how your site would have been hacked, but now it's got me worried too. :mad:

Whoops, I see your post now. I would install 1.3. Fixes many bugs, and there are more mods out for it...

I installed it using the fantastico installer, yes that's right, the one in the Cpanel.

I'm new to php so I don't know what the numbers you are talking about mean. What is 777 and 666? How can I change that?

I tried to go to the admin.php but I got the error fail to open config.php.

I didn't have a backup for the site. So I'm going to start a brand new phpnuke
installation. I realise now it's important to have a backup for sites. I didn't
expect my site to be hacked or anything.

I think that fantastico installer should by default make the site secure. There are
many like myself who are beginners in websites and don't know how to increase security of php sites. I will learn that gradually.
Rastus
QUOTE
I'm new to php so I don't know what the numbers you are talking about mean. What is 777 and 666? How can I change that?

Those are file permissions. Go to file manager in cpanel and locate that file, then click the file name. In the upper right corner of your screen you will see some choices, one of which is file permissions. Click that to change the permissions on the file you need to modify. 777 is full access for everyone. The lower the numbers, the more restrictive the permissions.

You can google Linux permissions and find all the info you need on permissions and the settings.
LP_
I was working a bit on my sites yesterday and went to an IPB forum I had installed a while back but never used (it was for a test). I had a similar "Hacked by.." page instead of the IPB index, it seems they have overwritten the conf_global.php to display their message..

Now, I checked the other two sites posted in this thread, and they are on the same server (server23) as mine. My IPB forum was never used nor the link posted anywhere so they probably went to that IP, checked with whois all the sites hosted on it, and tried /forums for all domains.. In fact, I had also installed a test IPB in another directory (/somedirectory/forums) and that one was intact. But I deleted both now..

So, I guess I won't install IPB anymore, as it seems to be insecure (my phpBB forum was not hacked), and I guess installing in different directories would be a good idea for the future. I haven't looked at the logs yet but I'm curious to see how the attack shows up.

To the admins: Maybe you could do a "cd /; grep -irl hacked conf_global.php" and warn the others on that server who might have had their forums defaced. I suspect there will be a few more..
supergodoffunk
That's some spooky stuff. I never had problems, and I am a big fan of IPB. Really, it's not IPB that's not secure, it's your permissions. Set it to 755 and you should be fine. The only thing is that it will be a pain in the a$$ if you change any configuration because you have to remember to change it back to 777, then back again to 755.

I don't know nuke, but if it has a config file, the story will be the same. If that file is set to 777, then the hackers can overwrite that also.

QUOTE
I didn't have a backup for the site. So I'm going to start a brand new phpnuke
installation. I realise now it's important to have a backup for sites. I didn't
expect my site to be hacked or anything.


If you did extensive configuration on it... then it won't be hard to restore that. For one, Hostony admins can restore that file for you from backups. The other way will be to copy that file from the original install files. The only thing in it is the database name and password. I'm sure you didn't do any modifications yet, so most of your configured data will be in the database.

If you need help shoot me a pm.
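
The permission numbers discussed in this thread, as an added example that is not part of any post: a POSIX shell script that decodes an octal mode such as 666 or 777 and lists the config files named above (`config.php`, `conf_global.php`) that any local user on a shared server can write to. The function names and the `CONFIG_NAMES` variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. File names are the ones the posts
# mention; function names and CONFIG_NAMES are illustrative assumptions.
CONFIG_NAMES="config.php conf_global.php"

# Turn a 3-digit octal mode (owner, group, other) into rwx notation.
describe_mode() {
    out=""
    for digit in $(printf '%s' "$1" | sed 's/./& /g'); do
        case $digit in
            0) out="${out}---" ;; 1) out="${out}--x" ;;
            2) out="${out}-w-" ;; 3) out="${out}-wx" ;;
            4) out="${out}r--" ;; 5) out="${out}r-x" ;;
            6) out="${out}rw-" ;; 7) out="${out}rwx" ;;
            *) return 1 ;;   # not an octal digit
        esac
    done
    printf '%s\n' "$out"
}

# List config files under directory $1 whose "other" write bit is set,
# i.e. files that every account on the same server can overwrite.
audit_world_writable() {
    for name in $CONFIG_NAMES; do
        find "$1" -type f -name "$name" -perm -0002 -print
    done
}

# Drop write access for group and other on every file the audit reports.
# The owner keeps read/write (666 becomes 644, 777 becomes 755).
tighten_configs() {
    audit_world_writable "$1" | while IFS= read -r path; do
        chmod go-w "$path" && printf 'tightened %s\n' "$path"
    done
}

# Run as: sh audit.sh ~/public_html   (report only, changes nothing)
if [ -n "${1:-}" ]; then
    audit_world_writable "$1"
fi
```

After `tighten_configs`, an admin panel that saves settings by writing to the config file may report that it cannot write to it, which is the trade-off supergodoffunk describes above.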