It's happened finally...

  • Jonathan
    Senior Member
    • Mar 2004
    • 1229

    #1

    It's happened finally...

    Eh, just up for a midni-- I mean 5AM...snack

    Anyways - earlier this evening, bout 11PM or so @ night,
    found out my PHP-Nuke site got hacked EZ five ways to sh!ts-town

    Anyways ~ I've since changed my CCP, WHM, cPanel, Email,
    and PHP-Nuke passwords; plus it took a good few minutes to go
    trumpin through phpMyAdmin to find and delete the 'GOD' user the person added.
    (Note: god user in PHP-Nuke = CANNOT DELETE)

    So-- no lasting harm I don't think, basically just a full page
    (where it'd been promising 99.5% uptime previously) of 'HACKED BY iSKORPiTON'
    or something like that; it has made me speed up the new site though

    So ~ the objective here is: PHP-NUKE Sites = EZ TO HACK!
    It must be, because I had a very very hard password from a complete
    alphabet I made up based on switched places of the actual alphabet.

    Dunno ~ full anti-virus and ad-/spy- ware later, no results
    except one or two minor ad-ware pieces I get from M$N's gaming zone it seems...
    "How can someone be so distracted yet so focused?"
    - C
  • Buddha
    Senior Member
    • Mar 2004
    • 825

    #2
    Sorry to hear that Jonathan. But it sounds like you responded quickly. Make sure you check the server for any file that you didn't put there too.
    "Whatcha mean I shouldn't be rude to my clients?! If you want polite then there will be a substantial fee increase." - Buddha


    • Jonathan
      Senior Member
      • Mar 2004
      • 1229

      #3
      ...like 40mins+ of Nuke?
      fat chance; just gonna wipe it all 2morrow

      Should have the new design by then

      • Buddha
        Senior Member
        • Mar 2004
        • 825

        #4
        Yeah checking a big site can be a pain which is why I automated the operation. I should put up a generic script for that but need to rewrite it. It's part of my current CMS at the moment. It's not unusual for crackers to leave backdoors though.

        Months ago I did find some odd Linux files on the Dathorn server. Never did hear back from support about those?

        • samsam
          Member
          • Mar 2004
          • 79

          #5
          What IP address did the hackers use, BTW. I'm always looking for new ones to add to my deny list. I know it's not a perfect mechanism, but it will help with some automated attacks from defined hosts.

          BTW security of web apps is (much) more than choosing a strong password for your admin area(s).


          • Jonathan
            Senior Member
            • Mar 2004
            • 1229

            #6
            Not sure Sam; how would I check the logs to find out?
            Also I deleted every single file and uploaded new site

            • Buddha
              Senior Member
              • Mar 2004
              • 825

              #7
              In the log file, look for admin pages that were accessed; you should be able to spot your IP and the cracker's IP. If that doesn't work then you have to look for strange URLs like those containing SQL statements. If that doesn't work it may have been a POST request that was used to get in, in which case someone may have accessed the same form several times. Hope that helps?
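A small script that carries out the three checks Buddha describes (admin page hits grouped by IP, URLs carrying SQL, and the same form POSTed repeatedly from one address), as an added example that is not part of the thread. The log lines and IP addresses are constructed for illustration; the Apache "combined" log format, the /admin.php path and the owner's own address are assumptions about a cPanel-hosted PHP-Nuke site.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Apache "combined" access-log format, which is what cPanel's raw access logs
# normally contain (assumption: adjust LOG_RE if the host writes another format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# PHP-Nuke's admin front-end: only the site owner should be requesting it.
ADMIN_PATHS = {"/admin.php"}

# Fragments that do not occur in a legitimate PHP-Nuke URL: SQL keywords,
# comment terminators, or a stray quote closing a string literal.
SQL_RE = re.compile(
    r"(union\s+select|select\s.+\sfrom|insert\s+into|update\s.+\sset|/\*|--\s|'|\bor\s+1=1)",
    re.I,
)

# Constructed sample log: the owner checking the admin page, one visitor probing
# the search module with SQL and then opening the authors admin page, and a third
# address hammering the admin login form with POSTs.
SAMPLE_LOG = """\
192.0.2.10 - - [26/May/2004:21:03:11 -0500] "GET /admin.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.7 - - [26/May/2004:22:14:02 -0500] "GET /index.php HTTP/1.1" 200 8192 "-" "Mozilla/4.0"
198.51.100.7 - - [26/May/2004:22:14:30 -0500] "GET /modules.php?name=Search&query=%27%20UNION%20SELECT%20pwd%20FROM%20nuke_authors%2F%2A HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
198.51.100.7 - - [26/May/2004:22:15:01 -0500] "GET /admin.php?op=mod_authors HTTP/1.1" 200 3072 "-" "Mozilla/4.0"
203.0.113.9 - - [26/May/2004:23:01:05 -0500] "POST /admin.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
203.0.113.9 - - [26/May/2004:23:01:09 -0500] "POST /admin.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
203.0.113.9 - - [26/May/2004:23:01:14 -0500] "POST /admin.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
"""


def parse(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(lines, own_ips=(), post_threshold=3):
    """Run the three checks over an iterable of log lines.

    own_ips: addresses to ignore (the owner's), so they do not show up as hits.
    post_threshold: how many POSTs to one form from one IP count as 'several'.
    """
    admin_hits = defaultdict(list)   # ip -> [(timestamp, path), ...]
    sql_hits = []                    # [(ip, decoded path), ...]
    post_counts = Counter()          # (ip, script path) -> number of POSTs
    for line in lines:
        rec = parse(line)
        if rec is None or rec["ip"] in own_ips:
            continue
        path = unquote(rec["path"])          # decode %27 etc. so SQL_RE sees real quotes
        script = path.split("?", 1)[0]       # the PHP file without its query string
        if script in ADMIN_PATHS:
            admin_hits[rec["ip"]].append((rec["ts"], path))
        if SQL_RE.search(path):
            sql_hits.append((rec["ip"], path))
        if rec["method"] == "POST":
            post_counts[(rec["ip"], script)] += 1
    repeated = {key: n for key, n in post_counts.items() if n >= post_threshold}
    return {"admin": dict(admin_hits), "sql": sql_hits, "repeated_posts": repeated}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG.splitlines(), own_ips={"192.0.2.10"})
    for ip, hits in result["admin"].items():
        print("admin page requested by %s: %d time(s), first at %s" % (ip, len(hits), hits[0][0]))
    for ip, path in result["sql"]:
        print("SQL in URL from %s: %s" % (ip, path))
    for (ip, script), n in result["repeated_posts"].items():
        print("%s POSTed %s %d times" % (ip, script, n))
```

To use it on a real log, replace `SAMPLE_LOG.splitlines()` with the opened access log file and put your own address in `own_ips`; the admin-page list is the quickest of the three to read, since on a one-admin site every IP in it that is not yours is worth a closer look.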

              • Jonathan
                Senior Member
                • Mar 2004
                • 1229

                #8
                not even one minute into looking:

                200.177.162.127 - this IP was adding a user called 'krieger'
                (one of two user plants I found on my PHP-Nuke admin area)

                What's scary, this happened on the 6th!!!
                and I know my friend/biz partner would never add any admins...

                81.215.248.145 - This IP was adding a user called 'warex5'
                (a 'god' one that took several minutes in PHPMyAdmin to delete) on the 26th.

                What's scary is these IPs seemed to have been stalking my
                site since bout the 3rd or so of this month; damn, I hate these people!


                <EDIT>Btw sam, would you mind sharing your list? I'd like
                to make sure I got as many known or attempted hackers blocked </EDIT>

                • Buddha
                  Senior Member
                  • Mar 2004
                  • 825

                  #9
                  Originally posted by Jonathan
                  Whats scary, this happened on the 6th!!!
                  and I know my friend/biz partner would never add any admins...
                  Good security starts with accepting the fact that you can trust no one but yourself. Give no one more access than they need.

                  I've known the guy I'm hosting here for more than 20 plus years but I don't trust him. That may sound cold but it's a matter of security and friendship doesn't play a part.

                  • Jonathan
                    Senior Member
                    • Mar 2004
                    • 1229

                    #10
                    but ~ he's a business partner...
                    He pays for half the business,
                    does half the work, and splits half the revenue.... (not much)

                    <EDIT>Hmm; now that I think bout it, he was the one who first
                    suggested we use PHP Nuke, and he was the one to inform me
                    about the site being hacked (he asked what that was on the front page)....</EDIT>
                    Last edited by Jonathan; 05-29-2004, 06:01 PM.

                    • samsam
                      Member
                      • Mar 2004
                      • 79

                      #11
                      Looking regularly at your logs, raw or otherwise, is always a good idea, even if nothing appears to be going wrong. Lots of strange things are always going on there...

                      My list of banned IP's is only a very small one, and relates to people mostly from Brazil specifically targeting the particular CMS I am using for one of my sites, which isn't Nuke. So it probably wouldn't be of much use to you. But if you want it, PM me and I'll send it across.

                      Blocking IP addresses is also, to tell the truth, not really very effective, since it is very easy to get around (unless you block whole IP address ranges, but that is very clumsy, and can be a problem too, esp for example if the Googlebots actually live within that address space ).

                      A word of advice: even if you have now zapped your old site and done a clean install, both of the files and the user and system databases, I think now is a good time to just audit how you have installed Nuke.

                      I'd do things like, for example:

                      - set up Nuke on a MySQL database that operates on a specific user account, not your root account, and give it a good non obvious user name and PWD;

                      - check that you have the very latest version of the code (Nuke has had a spate of recent vulns reported, which I think have been patched), and sign up for the Secunia or other vuln reports services to stay on top of future ones;

                      - check your file system permissions to make sure that every file and folder has the right, strict permissions set (eg 644 for PHP files), and that nothing is readable or writeable by the whole world, for example (it happens, even using some automated installers),

                      - using cPanel or your .htaccess file, password protect some of the core back-end directories of Nuke that visitors or guests don't need access to (this may take some experimenting to get it to the point where registered users or site visitors aren't presented with a password prompt, but it is worth it :-) ;

                      - ideally ensure that there is only 1 user with super-user or admin rights in Nuke (you), and to the account the site is hosted under, and tune down the user delegations of everyone you let into the Nuke part of the site to only the minimum they need to do their job

                      - strip out or uninstall from your Nuke install all the add-ons etc you don't need or aren't using. In general, the less code floating around, the better.

                      Etc.

                      I'm sure, given the size of the Nuke community, that if you googled a term like 'securing PHP Nuke guide', something useful will turn up.

                      I'd also seriously check out the good Nuke Security forums at:
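An added example, not from the thread, for the file-permission item in samsam's list: it walks a PHP-Nuke install and reports anything world-writable, anything with a setuid/setgid bit, a credentials file that other accounts can read, and any mode that departs from 644 for files or 755 for directories. The expected modes, the name `config.php` for PHP-Nuke's credentials file and the rule that that file should not be world-readable are assumptions; the usage line assumes a cPanel-style `public_html` document root.

```python
import os
import stat
import sys

# Target modes for a shared-hosting PHP install (assumption: 644 for files as
# the post says, 755 for directories so the web server can traverse them).
EXPECTED_FILE_MODE = 0o644
EXPECTED_DIR_MODE = 0o755

# Files holding the database credentials (assumption: PHP-Nuke's config.php).
# 644 is fine for ordinary PHP files, but these must not be readable by other
# accounts on a shared server, so they get their own rule.
SECRET_FILES = {"config.php"}


def classify(name, mode, is_dir):
    """Return a problem label for one entry, or None if its mode is acceptable.

    Checks are ordered worst first so each entry gets a single, most severe label.
    """
    if mode & stat.S_IWOTH:
        return "world-writable"
    if mode & (stat.S_ISUID | stat.S_ISGID):
        return "setuid/setgid bit set"
    if not is_dir and name in SECRET_FILES:
        return "config readable by others" if mode & stat.S_IROTH else None
    if not is_dir and name.endswith(".php") and mode & stat.S_IXOTH:
        return "world-executable script"
    expected = EXPECTED_DIR_MODE if is_dir else EXPECTED_FILE_MODE
    if mode != expected:
        return "mode differs from %o" % expected
    return None


def audit_permissions(root):
    """Walk `root` and return [(path, mode, problem)] for every entry that fails.

    Symlinks are skipped: lstat reports the link itself, not the target, so a
    linked-in directory should be audited at its real location.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue                      # vanished or unreadable: nothing to report
            if stat.S_ISLNK(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)   # permission bits only, no file-type bits
            problem = classify(name, mode, stat.S_ISDIR(st.st_mode))
            if problem:
                findings.append((full, mode, problem))
    return findings


if __name__ == "__main__":
    # usage: python audit_perms.py ~/public_html
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, mode, problem in audit_permissions(root):
        print("%04o  %-28s %s" % (mode, problem, path))
```

The "mode differs" label is the noisy one: a host that runs PHP under the account's own user (suPHP and the like) may legitimately use 600/700, so treat that label as a prompt to check the host's convention, while the world-writable and config-readable findings are the ones to fix straight away.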


                      • Buddha
                        Senior Member
                        • Mar 2004
                        • 825

                        #12
                        Excellent post Samsam!

                        • Jonathan
                          Senior Member
                          • Mar 2004
                          • 1229

                          #13
                          made it into a FAQ http://forums.dathorn.com/showthread.php?t=516

                          Also ~ I think that's why:

                          1) Nuke was named site initials
                          2) Nuke was an older 6.9 I believe
                          3) Nuke used a theme we found on the net

                          • ErDrRon
                            Junior Member
                            • Mar 2004
                            • 8

                            #14
                            This is a well-known phpNuke hack that's been going around for the last month or so. Just remove the offending 'God' account with phpMyAdmin and then peruse the forums at NukeFixes.com for several patches to close that particular security hole.

                            Cheers!
                            Ron
